If your entire web site requires Windows authentication, you should make sure that Anonymous Authentication is disabled. To do so:
- Open the Internet Information Services (IIS) Manager.
- Select your web application and open the Authentication feature.
- Make sure "Anonymous Authentication" is disabled and "Windows Authentication" is enabled.
Once anonymous authentication is disabled, your code for id2 or id3 will have the Windows logon information. Your id1 code will report the identity of the application pool.
If only part of your web site requires authentication and other parts do not, then your web.config should define authorization rules (and Anonymous Authentication should remain enabled). For example, you can deny access by anonymous users to all pages by default but specifically allow anonymous access to Default.aspx.
    <configuration>
      <system.web>
        ...
        <authorization>
          <deny users="?"/>
        </authorization>
        ...
      </system.web>
      <location path="Default.aspx">
        <system.web>
          <authorization>
            <allow users="*" />
          </authorization>
        </system.web>
      </location>
    </configuration>
Windows authentication does not require your application to implement a login process. It will issue the authentication challenge to the browser. Some browsers like IE will supply the Windows credentials automatically and others like Firefox will present a login prompt.
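To check which pages a web.config like the one above leaves open to anonymous users, the following added example (not part of the original answer) evaluates the `<authorization>` rules the way ASP.NET URL authorization does: rules from a matching `<location>` are checked first and the first matching rule decides. The function names and the sample config are constructed for illustration, and the sketch assumes a single web.config, exact `path` matches, and only the `users` attribute (no `roles` or `verbs`).

```python
import xml.etree.ElementTree as ET

# Constructed sample mirroring the web.config above (the elided "..." parts are omitted).
SAMPLE = """<configuration>
  <system.web>
    <authorization>
      <deny users="?"/>
    </authorization>
  </system.web>
  <location path="Default.aspx">
    <system.web>
      <authorization>
        <allow users="*"/>
      </authorization>
    </system.web>
  </location>
</configuration>"""

def _rules(parent):
    """Return [(action, [users])] from parent/system.web/authorization, in document order."""
    auth = parent.find("system.web/authorization")
    if auth is None:
        return []
    return [(r.tag, [u.strip() for u in r.get("users", "").split(",")])
            for r in auth if r.tag in ("allow", "deny")]

def anonymous_allowed(config_xml, page):
    """True if an unauthenticated request for `page` passes URL authorization."""
    root = ET.fromstring(config_xml)
    rules = []
    # Rules inside a matching <location> are more specific, so they come first.
    for loc in root.findall("location"):
        if loc.get("path", "").lower() == page.lower():
            rules += _rules(loc)
    rules += _rules(root)
    for action, users in rules:
        # "?" names anonymous users and "*" names all users; the first match decides.
        if "?" in users or "*" in users:
            return action == "allow"
    # No rule matched: the inherited ASP.NET default is <allow users="*"/>.
    return True

def audit(config_xml, pages):
    """Map each page name to whether anonymous requests are authorized for it."""
    return {p: anonymous_allowed(config_xml, p) for p in pages}

if __name__ == "__main__":
    for page, is_open in audit(SAMPLE, ["Default.aspx", "Reports.aspx"]).items():
        print(f"{page}: {'anonymous allowed' if is_open else 'authentication required'}")
```

Running the audit over every page name in the site makes an unintended `<allow users="*"/>` exception visible before deployment.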