Narrowing Integrated Windows Authentication to a subset of users for an intranet ASP.Net application

Scenario: An intranet ASP.Net application using Integrated Windows Authentication and a SqlRoleProvider for authorization. The application is used by a small subset of users within the domain.

If there are only a few users within the domain that should be able to access the application, can IWA be narrowed to allow authentication for that subset of users only, say via a domain group? Is this possible or even logical? This would certainly be the case if you predefined us开发者_JAVA技巧er accounts and used forms authentication. I understand that you can manage authorization within the application but wonder if the above is possible to add some security in depth. Appreciate your thoughts.

With anonymous access disabled, you can set the NTFS permissions on the web application directory to let only specific users in.

IWA will authenticate all valid users. But you can do the following,

• allocate the subset of users into a group, and use role rrovider for them. Then you can allow only this group to use the application.

• Or use forms authentication instead and write your own membership provider to authenticate users. Then you have all the controls and can block unwanted users.

You can also try some of the more traditional authorization techniques I outlined here:

Is it possible to restrict windows authenticated users in an ASPNet app to specific domains?