(Page 1 of 4 )
Authentication and Authorization are two interrelated concepts that form the core of security for .NET applications. The authentication and authorization processes in ASP.NET are flexible, simple and can be implemented in code. ASP.NET is not a standalone product; it is linked with IIS and is, in fact, a layer on top of IIS. So any request that reaches the ASP.NET process has already been authenticated and authorized by IIS. As a result, the ASP.NET process is completely unaware of whether IIS has denied a user access to a page. Several security authorities interact when a user raises a request for an ASP.NET page, and you must know how these processes work in order to fully understand the ASP.NET security model.

| Authentication | Authorization |
| Authentication is the process in which the user's credentials are used to verify the user's identity. In short, it determines the identity of the requesting entity. | Authorization is the process in which the authenticated user is allowed (authorized) access to resources. |
| Whenever a user logs on to an application, the authentication process is carried out first, followed by the authorization of the user. Certain applications place no restriction or validation on the logged-in user; even such applications authenticate the user as anonymous. |
ASP.NET and IIS
Below is the sequence of events involved in the authentication process (jointly performed by IIS and ASP.NET):

1. The incoming request is first checked by IIS. If the IP address the request comes from is not allowed access to the domain, IIS denies the request.
2. By default, IIS allows anonymous access, so requests are automatically authenticated. This can be overridden for each application within IIS; if IIS has been configured to do so, it performs the authentication at this point.
3. The authenticated user request is then passed to ASP.NET.
4. ASP.NET checks whether impersonation is enabled. By default, impersonation is not enabled in ASP.NET; some applications require it for ASP compatibility and Windows server authentication.
5. If impersonation is enabled, ASP.NET executes with the identity of the entity on whose behalf it is performing the task.
6. If impersonation is disabled, the application runs with the privileges of the ASP.NET process itself.
7. Finally, the identity that was authenticated and checked in the previous steps is used to request resources from the operating system. ASP.NET relies on NTFS file permissions for granting access.
8. If access is granted (successful authorization), ASP.NET returns the response to the user's request through IIS.
The above sequence of steps is pictorially depicted in Illustration 1.
Authentication and Authorization - Authentication Providers
ASP.NET provides three types of authentication, namely Windows authentication, Forms authentication and Passport authentication. It is the job of the authentication provider to verify the credentials of the user and decide whether a particular request should be considered authenticated or not.

• Windows Authentication Provider
The Windows authentication provider is the default provider for ASP.NET. It lets the application authenticate users based on their Windows accounts. IIS performs the authentication for this provider, and the authenticated identity is then passed on to the code.
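As an added configuration example (not taken from the article), the web.config fragment below wires the Windows provider to the IIS/ASP.NET sequence described above: it denies the default anonymous pass-through (step 2), turns on the impersonation that is off by default (steps 4 to 6), and restricts the authenticated identity before it touches NTFS-protected resources (step 7). The role name EXAMPLE\AppUsers is a placeholder.

```xml
<configuration>
  <system.web>
    <!-- Windows authentication provider (the ASP.NET default): IIS performs the
         authentication and hands the resulting Windows identity to the code. -->
    <authentication mode="Windows" />

    <!-- Impersonation is disabled by default. With impersonate="true" and no
         userName, the request runs as the authenticated caller, so NTFS ACLs on
         the content must grant that caller; with it false, the request runs as
         the ASP.NET worker process account and NTFS must grant that account. -->
    <identity impersonate="true" />

    <!-- URL authorization rules are evaluated top to bottom; the first match wins.
         "?" denotes anonymous users, "*" denotes all users. -->
    <authorization>
      <!-- Stop IIS's default anonymous identity from reaching the application. -->
      <deny users="?" />
      <!-- EXAMPLE\AppUsers is a placeholder for the Windows group you actually use. -->
      <allow roles="EXAMPLE\AppUsers" />
      <!-- Everything not explicitly allowed above is denied. -->
      <deny users="*" />
    </authorization>
  </system.web>
</configuration>
```

The `<deny users="?" />` rule only takes effect if anonymous access is also disabled for the application in IIS and an IIS authentication scheme such as Integrated Windows Authentication is enabled; otherwise IIS authenticates every request as its anonymous account and ASP.NET never sees a real Windows identity.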
• Passport Authentication Provider
This provider uses the passport services provided by...