Authentication and Authorization in ASP.NET
Impersonation
When a client sends a request to the server, the request runs under an identity, and it is this identity that determines which resources on the server or network the request can access. The default identity is IUSR_systemname. To make requests run as a specific account instead, configure impersonation in web.config:
<identity impersonate="true" userName="user1" password="[user1 password]" />
Note: when userName is given, password is required as well; because both are stored in clear text in web.config, the identity section should be protected (for example by encrypting it) rather than left readable.
Authentication and Authorization
Authentication is the process of obtaining the client's credentials, such as a username, password, or security token. ASP.NET supports the following authentication modes:
- Windows Authentication.
- Forms Authentication.
- Passport Authentication.
- None (Custom Authentication)
1. Windows Authentication
When the client is authenticated using its network-level (Windows domain or local) login credentials, this is called Windows authentication. It is applicable to the private website(s) of an organization.
To implement Windows authentication, add the following keys to the web.config file:
<authentication mode="Windows">
</authentication>
<authorization>
<allow users="user1, user3" />
<allow roles="role1,.." />
<deny users="*" />
</authorization>
Note: users and roles may be listed on separate rules or combined on one. Rules are evaluated in order and the first match wins, so the deny-all rule must come last.
2. Forms Authentication
When the client is authenticated through a login page designed by the developer, which verifies the credentials against a database, this is called forms-based authentication.
This authentication is applicable to both private and public websites (i.e. Internet-based implementations).
After a successful login, a security token is issued to the client browser as the identity of the authenticated client.
To implement forms authentication, add the following keys to the web.config file:
<authentication mode="Forms">
<forms name="f1" loginUrl="login.aspx">
</forms>
</authentication>
Note: The name attribute specifies the cookie name for the security token; the default name is .ASPXAUTH.
<authorization>
<deny users="?" />
</authorization>
Note: The question mark (?) denotes unauthenticated users (those without a security token), while the asterisk (*) denotes all users.
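As an added example, not part of the original article, the following Python script models how ASP.NET evaluates an <authorization> section: rules are read top to bottom, the first <allow> or <deny> that matches the caller decides, and when no rule matches the request falls through to the machine-level default, which is <allow users="*"/>. The fragments are constructed here from the Windows and Forms configurations above; the third, deliberately mis-ordered fragment shows why the deny-all rule has to be the last one.

```python
import xml.etree.ElementTree as ET

# Constructed fragment modelled on the Windows authentication section above.
WINDOWS_AUTHZ = """
<authorization>
  <allow users="user1, user3" />
  <allow roles="role1" />
  <deny users="*" />
</authorization>
"""

# Constructed fragment modelled on the Forms authentication section above:
# anonymous callers are denied, everyone else falls through to the default allow.
FORMS_AUTHZ = """
<authorization>
  <deny users="?" />
</authorization>
"""

# Constructed mis-ordered fragment: deny-all comes first, so the allow rule is dead.
MISORDERED_AUTHZ = """
<authorization>
  <deny users="*" />
  <allow users="user1" />
</authorization>
"""


def _split(attr):
    """Split a comma-separated users= or roles= attribute into trimmed names."""
    if not attr:
        return []
    return [v.strip() for v in attr.split(",") if v.strip()]


def _rule_matches(rule, user, roles):
    """True if one <allow>/<deny> rule applies to this caller.

    user is None for an unauthenticated (anonymous) caller.
    '*' matches every caller, '?' matches only anonymous callers,
    and names are compared case-insensitively as ASP.NET does.
    """
    for name in _split(rule.get("users")):
        if name == "*":
            return True
        if name == "?" and user is None:
            return True
        if user is not None and name.lower() == user.lower():
            return True
    caller_roles = {r.lower() for r in roles}
    for role in _split(rule.get("roles")):
        if role.lower() in caller_roles:
            return True
    return False


def is_allowed(authz_xml, user, roles=()):
    """Evaluate an <authorization> section: first matching rule wins.

    If no rule matches, the request falls through to the machine-level
    default <allow users="*"/>, so it is allowed.
    """
    root = ET.fromstring(authz_xml.strip())
    for rule in root:
        if rule.tag not in ("allow", "deny"):
            continue
        if _rule_matches(rule, user, roles):
            return rule.tag == "allow"
    return True


if __name__ == "__main__":
    print("windows: user1      ->", is_allowed(WINDOWS_AUTHZ, "user1"))
    print("windows: user2      ->", is_allowed(WINDOWS_AUTHZ, "user2"))
    print("windows: user2/role1->", is_allowed(WINDOWS_AUTHZ, "user2", ["role1"]))
    print("forms:   anonymous  ->", is_allowed(FORMS_AUTHZ, None))
    print("forms:   user1      ->", is_allowed(FORMS_AUTHZ, "user1"))
    print("misordered: user1   ->", is_allowed(MISORDERED_AUTHZ, "user1"))
```

Running the script shows that user1 is denied by the mis-ordered fragment even though an allow rule names them, which is the ordering mistake to check for when reviewing a web.config.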
3. Passport Authentication
When the client is authenticated using a Passport security token provided by passport.com, this is called Passport authentication. The client signs in only once and can then access all websites configured with Passport authentication; this is also called a single sign-on service.
The drawback of Passport authentication is that the user's information is maintained by Microsoft.
To implement Passport authentication, do the following:
1. Add the following keys to the web.config file, setting the authentication mode to passport:
<authentication mode="Passport">
</authentication>
2. Install the Passport SDK. It is provided as a free download from the Microsoft website.
4. Custom Authentication
When the requirement cannot be met with the authentication modes provided by Microsoft, the solution is custom authentication (mode None). In this case the developer writes the entire authentication logic by hand.