Question

I have been able to create a working ASP.NET web form authentication with Active Directory following this tutorial.

I have two questions (one of them might be specific to my need):

  1. I put in my own username and password in the membership element in web.config for ConnectionUsername and ConnectionPassword. It seems strange to me that while I am authenticating all users in the domain I need to put my own username and password in the web.config. I would imagine that the username and password from the login form should be used for this, unless I understand this incorrectly. Whose username and password do we usually put in the web.config in the membership element?

  2. Out of hundreds of users in the domain, I need to give access to several users (let's say 20 of them) to several pages. I read about Active Directory access control but I don't want to go down that path. Is it common and sensible to have a table in the database with a list of usernames that have access to those special pages, and to check whether a logged-in user is in that table and authorize if so?

Thank you for your input.


Solution

Regarding #1:

Typically you would create a user for the database that is recognized as the "application" and specify those credentials. The "application" is acting on behalf of the users.

Or to restrict access at the database level, you would not specify credentials in the connection string and use the "impersonate=true;" option in the connection string instead.

Regarding #2:

You can restrict access to specific users in the web.config via the allow and deny nodes, for instance:

<system.web>
  <authorization>
    <allow users="MyCompanyDomain\John.Deere,MyCompanyDomain\Jane.Doore"/>
    <deny users="*"/>
  </authorization>
</system.web>

This only allows two users in and denies all others. You can also specify Active Directory groups.

Read more here: http://msdn.microsoft.com/en-us/library/acsd09b0(v=vs.85).aspx
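
For the "several pages" case in the question, the same allow and deny rules can be scoped to one folder or one page with a location element instead of the whole site. This is an added example, not part of the original answer; the paths Restricted and Reports/Payroll.aspx are hypothetical, and the user names are assumed to be written exactly as the login name appears in User.Identity.Name.

```xml
<configuration>

  <!-- Site-wide rule: anonymous users ("?") are denied, so every page
       requires a successful login; any authenticated user may enter. -->
  <system.web>
    <authorization>
      <deny users="?"/>
    </authorization>
  </system.web>

  <!-- Hypothetical folder: everything under ~/Restricted/ is limited to
       the listed users. Rules are evaluated top to bottom and the first
       match wins, so the allow entry must come before deny users="*". -->
  <location path="Restricted">
    <system.web>
      <authorization>
        <allow users="MyCompanyDomain\John.Deere,MyCompanyDomain\Jane.Doore"/>
        <deny users="*"/>
      </authorization>
    </system.web>
  </location>

  <!-- Hypothetical single page: the same pattern applied to one .aspx
       file. All other pages in ~/Reports/ keep the site-wide rule. -->
  <location path="Reports/Payroll.aspx">
    <system.web>
      <authorization>
        <allow users="MyCompanyDomain\Jane.Doore"/>
        <deny users="*"/>
      </authorization>
    </system.web>
  </location>

</configuration>
```

If a listed user is still refused, compare the configured name with the value of User.Identity.Name after login; the entries must use the same form (with or without the domain prefix) that the application sees.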

Licensed under: CC-BY-SA with attribution