Published: Friday, March 12, 2004

An Overview of Authentication and Authorization Options in ASP.NET

By Nandini Venugopalan

Security 101: Authentication and Authorization

Authentication and Authorization are two interrelated security concepts. In short, authentication is a process of identifying a user, while authorization is the process of determining if an authenticated user has access to the resource(s) they requested. Typically, authentication is achieved by the user sharing credentials that somehow verify the user's identity.


Whenever a user logs on to an application, the user is first authenticated and then authorized. With ASP.NET Web applications, the users requesting a page are, by default, anonymous. There are different techniques available for determining the identity of an anonymous user, which we'll examine in this article. Realize, however, that, by default, Web applications allow for anonymous access.

This article provides a high-level overview of the authentication and authorization models available in an ASP.NET Web application.

Understanding how ASP.NET and IIS Handle Authentication and Authorization

Both IIS - Microsoft's Web server software - and ASP.NET provide means for authentication and authorization. It is important to understand that ASP.NET is not a stand-alone product - rather, it is hosted by IIS. When a request comes in for an ASP.NET Web page, the request is first handled by the Web server software (IIS), which performs its own authentication and authorization. Depending on the settings in IIS and the user accessing the site, these checks might pass or they might not. If the user is not authenticated, or does not have access, their request is stopped and an appropriate error response is returned. If, however, the request passes IIS's authentication and authorization, it is handed off to the ASP.NET engine, which can impose its own authentication and authorization schemes on top of those of IIS.

The following shows the sequence of authentication and authorization actions performed by IIS and ASP.NET on an incoming request.

  1. The incoming request is first checked by IIS. If the IP address from which the request originates is not allowed access, IIS denies the request.
  2. IIS allows anonymous access by default, so requests are automatically treated as authenticated. This can be overridden for each application within IIS; if IIS has been configured to authenticate users, it performs that authentication at this point in the sequence.
  3. The authenticated user request is passed to ASP.NET.
  4. ASP.NET checks whether impersonation is enabled or not. By default impersonation is not enabled in ASP.NET. Generally, some applications require impersonation for classic ASP compatibility and Windows server authentication. (By default, the ASP.NET engine operates under the ASPNET user account. Impersonation is a means by which you can have the ASP.NET engine operate under the authenticated user's account instead. For more information refer to INFO: Implementing Impersonation in an ASP.NET Application.)
    • If impersonation is enabled, ASP.NET executes with the identity of the user on whose behalf it is performing the task.
    • If impersonation is not enabled, the application runs with the privileges of the ASPNET user account.
  5. Finally, the identity that has been authenticated and checked in the previous steps is used to request resources from the OS. ASP.NET uses two forms of authorization:
    • FileAuthorization - relies on NTFS file permissions for granting access.
    • UrlAuthorization - in the Web.config file you can specify the authorization rules for various directories or files using the <authorization> element.
  6. If access is granted (successful authorization), ASP.NET returns the response to the user's request through IIS.

The above sequence of steps is pictorially depicted in the diagram below:

Authentication and Authorization in ASP.NET and IIS.

Authentication Providers

ASP.NET provides three ways to authenticate a user:

  • Windows authentication,
  • Forms authentication, and
  • Passport authentication

It is the job of the authentication provider to verify the credentials of the user and decide whether a particular request should be considered authenticated or not. The authentication scheme an ASP.NET Web application uses can be configured in its Web.config file. For more information refer to ASP.NET Authentication.

Windows Authentication Provider

The Windows authentication provider is the default provider for ASP.NET. It authenticates users based on the users' Windows accounts. Windows authentication in ASP.NET actually relies on IIS to do the authentication. IIS can be configured so that only users on a Windows domain can log in. If a user attempts to access a page and is not authenticated, they'll be shown a dialog box asking them to enter their username and password. This information is then passed to the Web server and checked against the list of users in the domain. If the user has supplied valid credentials, access is granted, and the identity of the user is then passed to the ASP.NET engine. More information about the Windows authentication provider can be found here.

There are four different kinds of Windows authentication options available that can be configured in IIS:

  • Anonymous Authentication: IIS doesn't perform any authentication check. IIS allows any user to access the ASP.NET application.
  • Basic Authentication: For this kind of authentication, a Windows user name and password have to be provided to connect. However, this information is sent over the network in plain text (only Base64-encoded), and hence this is an insecure kind of authentication unless the connection itself is protected. Basic Authentication is the only mode of authentication that older, non-Internet Explorer browsers support.
  • Digest Authentication: It is the same as Basic Authentication except that the password is hashed before it is sent across the network. However, to use Digest Authentication, the client must be IE 5.0 or above.
  • Integrated Windows Authentication: In this kind of authentication technique, passwords are not sent across the network. The application here uses either the Kerberos or challenge/response (NTLM) protocols to authenticate users. Kerberos, a network authentication protocol, is designed to provide strong authentication for client-server applications. It provides the tools of authentication and strong cryptography over the network to help secure information in systems across an entire enterprise.

For more information on these four different types of IIS authentication, consult IIS Authentication Methods Available for Windows 2000.

Passport Authentication Provider

Passport authentication is a centralized authentication service. It uses Microsoft's Passport Service to authenticate the users of an application. If the authentication mode of the application is configured as Passport, and if the users have signed up with Microsoft's Passport Service, then the authentication formalities are handed off to the Passport servers.

Passport uses an encrypted cookie mechanism to identify and indicate authenticated users. If the users have already signed into Passport when they visit the application page, ASP.NET will consider them authenticated. Otherwise, the users will be redirected to the Passport servers to log in. Upon successful login, the user is redirected back to the ASP.NET Web page that they initially tried to access. If you use Hotmail you already have a Passport account and are familiar with the sign-in process from an end-user's perspective.

Forms Authentication Provider

The forms authentication provider uses custom HTML forms to collect authentication information. As an ASP.NET developer using forms authentication, you must write your own logic/code to check the user's supplied credentials against a database or some other data store. When a user is successfully identified via forms authentication, an authentication ticket (not the raw credentials) is stored in a cookie for use during the session. For more information on implementing forms authentication be sure to read Using Forms Authentication in ASP.NET and Getting Started With Forms Authentication.

The method of authentication to use is specified in the Web application's Web.config file, inside the <system.web> element. The mode value is case-sensitive:

<!-- For Windows Authentication... -->
<authentication mode="Windows" />

<!-- For Passport Authentication... -->
<authentication mode="Passport" />

<!-- For Forms Authentication... -->
<authentication mode="Forms" />

ASP.NET also supports custom authentication providers. This is achieved by setting the authentication mode for the application to "None" and then writing our own code to perform authentication. For example, we might install an ISAPI filter in IIS that compares each incoming request's IP address with a list of permitted source IP addresses and considers the request authenticated only if the IP address is found in that list. In this example, we set the authentication mode to "None" in the Web.config file, which prevents any of the default authentication providers from being triggered.

Configuring Authorization

There are two forms of authorization available in ASP.NET:

  • FileAuthorization - relies on NTFS file permissions for granting access.
  • UrlAuthorization - in the Web.config file you can specify the authorization rules for various directories or files using the <authorization> element.

FileAuthorization works by checking the access rights of the user account that the ASP.NET engine is operating under against the NTFS file permissions. That is, if a user is requesting the file C:\Inetpub\wwwroot\SomeFile.aspx, a check is made to ensure that the user account the ASP.NET engine is operating under has read permissions to that file. Recall that by default the ASP.NET engine operates under the ASPNET user account; however, this can be changed through impersonation.

Impersonation is a technique that allows the ASP.NET process to act as the authenticated user, or as an arbitrary specified user. ASP.NET impersonation is controlled by entries in the application's Web.config file. By default impersonation is not enabled.

By default ASP.NET runs as an unprivileged account - ASPNET. You can, however, configure the account that ASP.NET uses by changing the userName attribute of the processModel section in the machine.config file. That is, you could modify this setting so that the ASP.NET engine always operated under, say, the Administrator account (NOT A GOOD IDEA!!!!, but it can be done).

Using impersonation, the ASP.NET engine will operate under the identity IIS passes to it. If anonymous access is allowed in IIS, ASP.NET will run under the IUSR_ComputerName account that IIS uses. If anonymous access is not allowed, ASP.NET will take on the identity of the authenticated user. Impersonation can also be configured so that a single, static user account is used for all requests. For more information on using impersonation, including how to configure the Web.config file for impersonation, refer to ASP.NET Impersonation.

For information on UrlAuthorization, consult ASP.NET Authorization.
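As an added example (not from the original article), the following Web.config fragment puts the three settings discussed above together: the Forms authentication mode with its login page, UrlAuthorization rules that deny anonymous users everywhere except a public folder, and the impersonation switch. The folder names, login page and account name are placeholders chosen for the example.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <!-- Forms authentication: unauthenticated users are redirected to Login.aspx.
         protection="All" both encrypts and signs the ticket cookie, and the ticket
         expires after 30 idle minutes. Attribute values are case-sensitive. -->
    <authentication mode="Forms">
      <forms name=".ASPXAUTH" loginUrl="Login.aspx" protection="All" timeout="30" path="/" />
    </authentication>

    <!-- UrlAuthorization for the whole application: "?" means the anonymous user,
         so every unauthenticated request is refused before any page code runs.
         "*" would mean all users. -->
    <authorization>
      <deny users="?" />
    </authorization>

    <!-- Impersonation is off by default, so pages run as the ASPNET account.
         Setting impersonate="true" makes FileAuthorization check NTFS permissions
         against the identity IIS passed in (the authenticated user, or IUSR_ComputerName
         when IIS allows anonymous access). A fixed account can be used instead with
         <identity impersonate="true" userName="DOMAIN\Account" password="..." />. -->
    <identity impersonate="false" />
  </system.web>

  <!-- Rules in a <location> are evaluated before the application-wide rules and the
       first match wins, so this folder stays reachable for anonymous users
       (for example, images used by the login page). Placeholder folder name. -->
  <location path="Public">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>

  <!-- The login page itself must remain reachable, otherwise the redirect above loops.
       Granting it explicitly keeps the rule visible rather than relying on the
       runtime's built-in exemption for loginUrl. -->
  <location path="Login.aspx">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

Note that with Forms authentication the <allow roles="..."/> form of a rule only works once your own login code attaches role information to the user's principal; with Windows authentication, roles map directly to Windows groups.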

Happy Programming!
