Authentication and Authorization in ASP.NET

Authentication and authorization play an important role in ASP.NET. This article explains what the two terms mean, how impersonation fits in, and the authentication modes ASP.NET supports.

Impersonation

When a client sends a request, IIS and ASP.NET attach an identity to it, and the permissions of that identity decide which resources on the server (files, databases, network shares) the request can reach. By default ASP.NET does not impersonate: code runs under the worker process account (ASPNET on IIS 5, NETWORK SERVICE or the configured application pool identity on IIS 6 and later), whoever the client is. When impersonation is enabled without a fixed account, the request instead runs as the user IIS authenticated; for anonymous requests that is the IIS anonymous account, IUSR_<machinename>.

Impersonation is the process of changing the identity a request runs under. It is configured in web.config. With only impersonate="true" the request runs as the IIS-authenticated caller; with userName and password it runs as one fixed account for every request:
<identity impersonate="true"
  userName="user1"
  password="user2" />
Note: the attribute names are case-sensitive (userName, not username), and user1/user2 are placeholders. A fixed account puts a clear-text password into web.config, which anyone who can read the file (source control, backups, a path traversal bug) obtains. On ASP.NET 2.0 and later encrypt the section with aspnet_regiis -pe "system.web/identity" -app "/YourApp", give the account only the rights the application needs, and prefer impersonating the caller, or impersonating only around the one operation that needs it, over whole-request impersonation.
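The scoped alternative mentioned above, as an added example that is not part of the original article: an HTTP handler that impersonates the authenticated caller only while reading a file, so the rest of the request keeps running as the worker process account. It assumes Windows authentication is enabled (so User.Identity is a WindowsIdentity); the share path is a placeholder, and the handler would be registered under <httpHandlers> in web.config.

```csharp
// Added example (not from the original article): impersonate the caller only
// around the file access that needs it, instead of enabling whole-request
// impersonation in web.config. Assumes Windows authentication, so that
// HttpContext.User.Identity is a WindowsIdentity. The path is a placeholder.
using System;
using System.IO;
using System.Security.Principal;
using System.Web;

public class ReportHandler : IHttpHandler
{
    // Placeholder: a share whose ACL admits only the users who may see the report.
    private const string ReportPath = @"\\fileserver\reports\quarterly.txt";

    public bool IsReusable { get { return false; } }

    public void ProcessRequest(HttpContext context)
    {
        var caller = context.User.Identity as WindowsIdentity;
        if (caller == null || !caller.IsAuthenticated)
        {
            context.Response.StatusCode = 401;
            return;
        }

        // Outside the using block the thread still runs as the worker process account.
        string processAccount = WindowsIdentity.GetCurrent().Name;

        string content;
        using (WindowsImpersonationContext ctx = caller.Impersonate())
        {
            // Inside: the thread token is the caller's, so the ACL on the share,
            // not our code, decides whether the read succeeds.
            try
            {
                content = File.ReadAllText(ReportPath);
            }
            catch (UnauthorizedAccessException)
            {
                context.Response.StatusCode = 403;
                return;
            }
        } // Dispose() reverts to the process account even if an exception is thrown.

        context.Response.ContentType = "text/plain";
        context.Response.Write("Process account: " + processAccount + "\n");
        context.Response.Write("Read as: " + caller.Name + "\n\n");
        context.Response.Write(content);
    }
}
```

Comparing the two names the handler prints is also the quickest way to check whether impersonation is in effect at all: WindowsIdentity.GetCurrent() is the thread's identity, User.Identity is the authenticated caller, and without impersonation they differ.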

Authentication and Authorization

Authentication is the process of establishing who the client is: the client presents credentials (a username and password, a Windows logon, a security token) and the server verifies them.

Authorization is the separate decision, made after authentication, of whether that identity may access the requested resource (a web page, a directory, a file). ASP.NET makes it through the <authorization> section of web.config (URL authorization) and, when impersonation is on, through the ACLs on the files themselves.
ASP.NET supports four authentication modes, selected with the mode attribute of the <authentication> element (the values are case-sensitive):
  1. Windows Authentication (mode="Windows")
  2. Forms Authentication (mode="Forms")
  3. Passport Authentication (mode="Passport"; obsolete, see below)
  4. None (mode="None"; custom authentication written by the developer)

1. Windows Authentication

When the client is authenticated with its Windows (network domain) logon, which IIS obtains through Integrated Windows, Basic or Digest authentication, it is called Windows authentication. It suits the private intranet sites of an organization where every user has a domain account; it is rarely usable on the public Internet.

To implement Windows authentication, configure IIS to require authentication (disable anonymous access, enable Integrated Windows authentication) and add the following to web.config:
<authentication mode="Windows" />
<authorization>
  <allow users="DOMAIN\user1, DOMAIN\user3" />
  <allow roles="DOMAIN\role1" />
  <deny users="*" />
</authorization>
Note: users and roles are separate attributes; names are domain-qualified, and roles are Windows groups. The rules are evaluated from top to bottom and the first match wins; the machine-wide default appended after your rules is <allow users="*" />, so a list of <allow> rules without a closing <deny users="*" /> admits everyone.
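Because rule order decides the outcome, it is worth checking the configured rules against test principals before deployment. The page below is an added example, not code from the original article: it evaluates the application's own <authorization> rules with UrlAuthorizationModule.CheckUrlAccessForPrincipal, which reads the merged configuration for a virtual path. It must run inside the application (the config is read from it); the names user1, user3 and role1 follow the fragment above, and the ~/reports/ path and user2 are placeholders.

```csharp
// Added example (not from the original article): a diagnostic page that evaluates
// the application's <authorization> rules against constructed principals, so a
// misordered or missing rule is caught early. Paths and user2 are placeholders.
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

public partial class AuthzCheck : System.Web.UI.Page
{
    // GenericPrincipal is enough here: URL authorization only asks for
    // Identity.Name, Identity.IsAuthenticated and IsInRole().
    private static IPrincipal Principal(string name, params string[] roles)
    {
        return new GenericPrincipal(new GenericIdentity(name), roles);
    }

    // True if the merged web.config rules for virtualPath admit the principal for GET.
    private static bool Allowed(string virtualPath, IPrincipal user)
    {
        return UrlAuthorizationModule.CheckUrlAccessForPrincipal(virtualPath, user, "GET");
    }

    protected void Page_Load(object sender, EventArgs e)
    {
        var cases = new[]
        {
            new { Path = "~/reports/", User = Principal(@"DOMAIN\user1"),                  Expect = true  },
            new { Path = "~/reports/", User = Principal(@"DOMAIN\user2"),                  Expect = false },
            new { Path = "~/reports/", User = Principal(@"DOMAIN\user2", @"DOMAIN\role1"), Expect = true  },
            // Empty name: IsAuthenticated is false, so this matches users="?".
            new { Path = "~/reports/", User = Principal(""),                               Expect = false },
        };

        Response.ContentType = "text/plain";
        foreach (var c in cases)
        {
            bool actual = Allowed(c.Path, c.User);
            Response.Write(string.Format("{0} {1} -> {2} (expected {3})\n",
                actual == c.Expect ? "OK  " : "FAIL",
                c.User.Identity.Name.Length == 0 ? "<anonymous>" : c.User.Identity.Name,
                actual, c.Expect));
        }
    }
}
```

If the second case reports OK only after you add <deny users="*" />, you have just seen the default-allow rule described above in action.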

2. Forms Authentication

When the client is authenticated through a login page designed by the developer, which verifies the submitted credentials against a database or other store, it is called forms authentication.

This mode is applicable to private websites and to public, Internet-facing websites, since it needs no Windows account for the user.

After a successful login the client browser is given a security token, the forms authentication ticket, in a cookie, as the identity of the authenticated client. On every later request the FormsAuthenticationModule decrypts and validates the ticket with the application's machineKey and sets User.Identity from it, so the ticket, not the password, is what an attacker who can read the client's traffic would steal.

To implement forms authentication add the following to web.config:
<authentication mode="Forms">
  <forms name="f1" loginUrl="login.aspx"
         protection="All" requireSSL="true"
         timeout="20" slidingExpiration="false" />
</authentication>

Note: name is the cookie that carries the ticket; the default is .ASPXAUTH. protection="All" (the default) both encrypts and signs the ticket; requireSSL="true" marks the cookie Secure so the browser never sends it over plain HTTP; timeout (in minutes) bounds how long a stolen ticket stays usable, and slidingExpiration="false" stops activity from extending it. Do not share a machineKey, and therefore valid tickets, between applications that are not meant to trust each other.

<authorization>
  <deny users="?" />
</authorization>
Note: The question mark (?) matches unauthenticated users (those without a valid ticket); they are redirected to loginUrl. With only this rule every authenticated user is allowed, because the machine-wide default <allow users="*" /> applies after it.
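The login page referenced by loginUrl, as an added example that is not part of the original article. It verifies the password against a salted PBKDF2 hash (the user store is constructed in memory for the example; a real application reads salt and hash from the database), issues the ticket with FormsAuthentication.SetAuthCookie, and only follows a same-site ReturnUrl. The control names txtUser, txtPassword, lblError and btnLogin, and the sample password, are assumptions of the example.

```csharp
// Added example (not from the original article): code-behind for login.aspx.
// The user store is constructed in memory; control names are assumed.
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Web.Security;
using System.Web.UI;

public partial class Login : Page
{
    private const int Iterations = 100000;
    private const int HashBytes = 32;

    // Constructed store: user -> (salt, PBKDF2-SHA1 hash). Passwords are never stored.
    private static readonly Dictionary<string, KeyValuePair<byte[], byte[]>> Users = BuildStore();

    private static Dictionary<string, KeyValuePair<byte[], byte[]>> BuildStore()
    {
        var store = new Dictionary<string, KeyValuePair<byte[], byte[]>>(StringComparer.OrdinalIgnoreCase);
        byte[] salt = new byte[16];
        using (var rng = new RNGCryptoServiceProvider()) rng.GetBytes(salt);
        store["user1"] = new KeyValuePair<byte[], byte[]>(salt, Derive("correct horse battery staple", salt));
        return store;
    }

    private static byte[] Derive(string password, byte[] salt)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations))
            return kdf.GetBytes(HashBytes);
    }

    // Compares every byte so timing does not reveal how many matched.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    // Unknown users still run the KDF against a dummy salt, so the response time
    // does not reveal which usernames exist.
    public static bool ValidateUser(string user, string password)
    {
        KeyValuePair<byte[], byte[]> entry;
        bool known = user != null && Users.TryGetValue(user, out entry);
        if (!known) entry = new KeyValuePair<byte[], byte[]>(new byte[16], new byte[HashBytes]);
        bool match = FixedTimeEquals(Derive(password ?? "", entry.Key), entry.Value);
        return known && match;
    }

    // Only a same-site path is an acceptable post-login target; otherwise ReturnUrl
    // is an open redirect an attacker can point at a phishing site.
    private static bool IsLocalUrl(string url)
    {
        return !string.IsNullOrEmpty(url) && url.StartsWith("/")
            && !url.StartsWith("//") && !url.StartsWith("/\\");
    }

    protected void btnLogin_Click(object sender, EventArgs e)
    {
        if (!ValidateUser(txtUser.Text, txtPassword.Text))
        {
            lblError.Text = "Invalid username or password.";   // same message for both failures
            return;
        }

        // Issues the ticket in the cookie configured by <forms name="...">;
        // createPersistentCookie=false keeps it a session cookie bounded by timeout.
        FormsAuthentication.SetAuthCookie(txtUser.Text, false);

        string returnUrl = Request.QueryString["ReturnUrl"];
        Response.Redirect(IsLocalUrl(returnUrl) ? returnUrl : FormsAuthentication.DefaultUrl, false);
    }
}
```

SetAuthCookie is used rather than RedirectFromLoginPage so that the ReturnUrl check is explicit and visible; the ticket itself is still built, encrypted and signed by ASP.NET according to the <forms> settings.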

3. Passport Authentication

When the client is authenticated with a Passport security token issued by Microsoft's Passport service, it is called Passport authentication. The client signs in once and is then accepted by every website configured for Passport, which is why it is called a single sign-on service.

The drawback of Passport authentication is that the users' account information is held by Microsoft rather than by the site. Passport is also obsolete: the service was retired and the ASP.NET Passport classes are marked obsolete in .NET Framework 4, so it is described here for completeness only.

To implement Passport authentication the steps were:
1. Set the authentication mode to Passport in web.config:
<authentication mode="Passport" />
2. Install the Passport SDK, which Microsoft provided as a free download from its website.

4. Custom Authentication

When the requirement cannot be met by the modes Microsoft provides, the solution is custom authentication: set mode="None" so ASP.NET performs no authentication of its own, and write the code yourself. The usual place is an HttpModule that handles the AuthenticateRequest event, verifies whatever credential the request carries, and assigns an IPrincipal to HttpContext.User; once that is done the <authorization> rules, User.IsInRole and the rest of the pipeline work exactly as with the built-in modes. Everything the built-in modes did for you (signing and expiring the token, rejecting tampered or replayed values) is now your responsibility.
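One such module, as an added example that is not part of the original article: it accepts "Authorization: Bearer <token>" where the token is "user|roles|expiryUtcTicks|hmac" with an HMAC-SHA256 over the payload, and sets HttpContext.User to a GenericPrincipal. The token format is this example's own, and the key is a constructed placeholder that a real deployment would load from protected configuration. The module is registered under <httpModules> (or <system.webServer><modules> on IIS 7 integrated mode) in web.config.

```csharp
// Added example (not from the original article): a custom authentication module
// for mode="None". The token format and the secret are this example's own.
using System;
using System.Security.Cryptography;
using System.Security.Principal;
using System.Text;
using System.Web;

public class TokenAuthModule : IHttpModule
{
    // Constructed placeholder key; never embed a real key in source.
    private static readonly byte[] Secret = Encoding.UTF8.GetBytes("example-secret-change-me-32bytes!!");

    public void Init(HttpApplication app)
    {
        // AuthenticateRequest runs before AuthorizeRequest, so the principal set
        // here is what <authorization> rules and User.IsInRole() see.
        app.AuthenticateRequest += (sender, e) =>
        {
            HttpContext ctx = ((HttpApplication)sender).Context;
            string header = ctx.Request.Headers["Authorization"];
            if (header == null || !header.StartsWith("Bearer ", StringComparison.Ordinal)) return;

            IPrincipal user = Parse(header.Substring(7), DateTime.UtcNow);
            if (user != null) ctx.User = user;
            // Otherwise ctx.User stays anonymous and <deny users="?" /> rejects the request.
        };
    }

    public void Dispose() { }

    // Builds a token at login. '|' and ',' are separators, so they are not allowed in names.
    public static string Issue(string user, string[] roles, DateTime expiresUtc)
    {
        if (user.IndexOfAny(new[] { '|', ',' }) >= 0) throw new ArgumentException("invalid user name");
        foreach (string r in roles)
            if (r.IndexOfAny(new[] { '|', ',' }) >= 0) throw new ArgumentException("invalid role name");
        string payload = user + "|" + string.Join(",", roles) + "|" + expiresUtc.Ticks;
        return payload + "|" + Convert.ToBase64String(Mac(payload));
    }

    // Returns the principal for a valid, unexpired token, or null. The signature is
    // verified before anything in the payload is parsed or trusted.
    public static IPrincipal Parse(string token, DateTime nowUtc)
    {
        int sep = token.LastIndexOf('|');
        if (sep < 0) return null;
        string payload = token.Substring(0, sep);
        byte[] presented;
        try { presented = Convert.FromBase64String(token.Substring(sep + 1)); }
        catch (FormatException) { return null; }
        if (!FixedTimeEquals(Mac(payload), presented)) return null;

        string[] parts = payload.Split('|');
        long ticks;
        if (parts.Length != 3 || !long.TryParse(parts[2], out ticks)) return null;
        if (new DateTime(ticks, DateTimeKind.Utc) <= nowUtc) return null;   // expired

        string[] roles = parts[1].Length == 0 ? new string[0] : parts[1].Split(',');
        return new GenericPrincipal(new GenericIdentity(parts[0], "Token"), roles);
    }

    private static byte[] Mac(string payload)
    {
        using (var h = new HMACSHA256(Secret)) return h.ComputeHash(Encoding.UTF8.GetBytes(payload));
    }

    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

Note what the module does not do: it has no revocation, so a leaked token is valid until its expiry, and the expiry is the only replay limit. Those are the gaps you take on when leaving the built-in modes, and they belong in the threat model before mode="None" is chosen.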
