Authentication is a process of identifying a user, while authorization is the process of determining if an authenticated user has access to the resource(s) they requested. Typically, authentication is achieved by the user sharing credentials that somehow verify the user's identity.
Whenever a user logs on to an application, the user is first authenticated and then authorized. With ASP.NET Web applications, users requesting a page are anonymous by default, and there are different techniques available for determining the identity of an anonymous user. Keep in mind, however, that Web applications allow anonymous access unless you configure them otherwise.
Understanding how ASP.NET and IIS Handle Authentication and Authorization
ASP.NET is not a stand-alone product - rather, it is utilized from IIS. When a request comes in for an ASP.NET Web page, the request is sent to the Web server software (IIS), which performs authentication and authorization. Depending on the settings in IIS and the user accessing the site, these checks might pass or they might not. If the user is not authenticated, or does not have access, their request will be stopped and an appropriate message will be returned. If, however, the request passes IIS's authentication and authorization, the request will be handed off to the ASP.NET engine, which can impose its own authentication and authorization schemes.
The following shows the sequence of authentication and authorization actions performed by IIS and ASP.NET on an incoming request.
1. The incoming request is first checked by IIS. If the IP address the request originates from is not allowed access to the domain, IIS denies the request.
2. IIS allows anonymous access by default, so requests are automatically treated as authenticated. This can be overridden for each application within IIS; if IIS has been configured to require authentication, it performs that authentication next in the sequence.
3. The authenticated user request is passed to ASP.NET.
4. ASP.NET checks whether impersonation is enabled or not. By default impersonation is not enabled in ASP.NET. Generally, some applications require impersonation for ASP compatibility and Windows server authentication. (By default, the ASP.NET engine operates under the ASPNET user account. Impersonation is a means by which you can have the ASP.NET engine operate under the authenticated user's account instead. For more information refer to INFO: Implementing Impersonation in an ASP.NET Application.)
○ If impersonation is enabled, ASP.NET executes with the identity of the entity on whose behalf it is executing the task.
○ If impersonation is not enabled, the application runs with the privileges of the ASPNET user account.
5. Finally, the identity established and checked in the previous steps is used to request resources from the OS. ASP.NET uses two forms of authorization:
○ FileAuthorization - relies on NTFS file permissions for granting access.
○ UrlAuthorization - in the Web.config file you can specify the authorization rules for various directories or files using the
6. If access is granted (successful authorization), ASP.NET returns the user's request through IIS.
ASP.NET provides three ways to authenticate a user:
● Windows authentication,
● Forms authentication, and
● Passport authentication
It is the job of the authentication provider to verify the credentials of the user and decide whether a particular request should be considered authenticated or not. The authentication scheme an ASP.NET Web application uses can be configured in its Web.config file.
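The following Web.config is an added example, not a configuration from the original article; it wires together step 4 (impersonation) and step 5 (UrlAuthorization) from the sequence above. The "Admin" directory and the "BUILTIN\Administrators" role are assumed for illustration.

```xml
<?xml version="1.0"?>
<!-- Added example (not from the original article). Assumes an application
     with a subdirectory named "Admin" and a local Administrators group. -->
<configuration>
  <system.web>
    <!-- Step 4: ASP.NET runs under the user IIS authenticated, rather than
         under the ASPNET account. This only yields a real user identity when
         IIS is configured for basic, digest or Windows integrated
         authentication; with anonymous access the identity is IUSR. -->
    <authentication mode="Windows" />
    <identity impersonate="true" />

    <!-- Step 5, UrlAuthorization: rules are evaluated top to bottom and the
         first matching rule wins. "?" is the anonymous user, "*" is every
         user. The deny must precede the allow; reversing these two lines
         would let anonymous users through because allow="*" matches first. -->
    <authorization>
      <deny users="?" />
      <allow users="*" />
    </authorization>
  </system.web>

  <!-- Per-directory rules: members of the (assumed) Administrators group
       may reach pages under /Admin; everyone else, authenticated or not,
       is denied. Rules here are checked before the application-level ones. -->
  <location path="Admin">
    <system.web>
      <authorization>
        <allow roles="BUILTIN\Administrators" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

Note that UrlAuthorization only covers requests that IIS hands to ASP.NET (for example .aspx pages); static files served directly by IIS are protected by FileAuthorization and NTFS permissions instead.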
4. Where is "Windows Authentication" applicable?
Since "Windows Authentication" uses the credentials of Windows users, it can be used only for an intranet application. In an intranet application, the administrator has full control over the network users. The application can be designed so that it displays all the "Active Directory" users, allowing the administrator of the application to configure user authentication for the application. Integrated Windows authentication is best suited for an intranet environment, where both the user and Web server computers are in the same domain, and where administrators can ensure that every user has Microsoft Internet Explorer, version 2.0 or later.
Windows authentication and IIS
If you select Windows authentication for your ASP.NET application, you also have to configure authentication within IIS, because it is IIS that provides Windows authentication. IIS gives you a choice of four different authentication methods:
Anonymous, basic, digest, and Windows integrated
If you select anonymous authentication, IIS does not perform any authentication; anyone is allowed to access the ASP.NET application.
If you select basic authentication, users must provide a Windows username and password to connect. However, this information is sent over the network in clear text, which makes basic authentication very insecure over the Internet.
If you select digest authentication, users must still provide a Windows username and password to connect. However, the password is hashed before it is sent across the network. Digest authentication requires that all users be running Internet Explorer 5 or later and that Windows accounts be stored in Active Directory.
If you select Windows integrated authentication, passwords never cross the network. Users must still have a username and password, but the application uses either the Kerberos or the challenge/response protocol to authenticate the user. Windows integrated authentication requires that all users be running Internet Explorer 3.01 or later. Kerberos is a network authentication protocol designed to provide strong authentication for client/server applications by using secret-key cryptography. Kerberos is a solution to network security problems: it provides the tools of authentication and strong cryptography over the network to help secure information in systems across an entire enterprise.