
Authentication and Authorization

Code security is a central concern in .NET development. Protecting Web sites against
unauthorized access is a complex issue for Web developers. ASP.NET provides web
application protection with the help of the .NET Framework and IIS (Internet
Information Services). In this article, we take a short tour of the Authentication and
Authorization concepts. I think it will be helpful for beginners.

I would like to thank Abhijit Jana for his nice article on IIS 8.0 for beginners. His article
encouraged me to write some text on Authorization and Authentication. This article will
give you a basic idea of authentication and authorization and how they work in

What is Authentication?
Authentication and authorization are two interrelated things: authentication is done
first, and then authorization. Authentication means checking whether the user is valid.
More precisely, authentication is the process of obtaining identification credentials,
such as a name and password, from a user and validating those credentials against some
authority. If the credentials are valid, the identity has been authenticated and the
authorization process starts.
.NET uses the following authentication providers:

- Windows Authentication
- Forms Authentication
- .NET Passport Authentication

Before going deeper into authentication, let us have a look at authorization.

What is Authorization?
Authorization is the process of determining what rights the authenticated user has.
By using authorization, we can limit access rights by granting or denying specific
permissions to an authenticated identity. The purpose of authorization is to determine
whether an identity should be granted the requested type of access to a given
There are two fundamental ways to authorize access to a given resource:

- URL authorization
- File authorization

Let's start with the authentication providers.

Windows Authentication
This is the default authentication provider of .NET. ASP.NET uses Windows authentication
with the help of IIS.
Authentication is performed by IIS in one of the following ways:

- Integrated Authentication
- Basic Authentication
- Digest Authentication
- Anonymous Authentication

When IIS authentication is complete, ASP.NET uses the authenticated identity to
authorize access. IIS can be configured so that only Windows domain users can log in.

Integrated Authentication
This authentication is also known as Windows NT Challenge/Response (NTLM) authentication.
Integrated Windows authentication is enabled by default on Windows Server 2003
operating systems. The application here uses the challenge/response protocol or Kerberos
to authenticate users.
Although Integrated Windows authentication is secure, it has two limitations:

- Only Microsoft Internet Explorer versions 2.0 and later support this authentication.
- It does not work over HTTP proxy connections.

Integrated Windows authentication is best suited for an intranet environment.

Basic Authentication
This authentication needs a user name and password to connect over the network, but the
given password is sent in plain text (it is only Base64-encoded, which anyone can reverse).
Hence it is not a secure authentication.
The following steps show how basic authentication works:

1. The Web browser displays a dialog box for the user to enter a user name and
2. Then it attempts to establish a connection with the server using the user's credentials.
3. If the user credentials are rejected, the browser displays the authentication dialog
   box again so the user can try once more.
4. If the user credentials are accepted, the connection with the server is established.

It has some advantages and disadvantages, as follows:

- Advantage: It is part of the HTTP specification and is supported by most

- Disadvantage: Browsers transmit the user password in plain text format over the

Digest Authentication

In this type of authentication, the password is hashed before it is sent across the
network. Digest authentication transmits the credential across the network as an MD5 hash,
or message digest. However, to use Digest authentication, we must use Internet
Explorer 5.0 or above, and the user account and the server running IIS must belong to the
same domain.
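To make the difference between the Basic and Digest schemes described above concrete, here is an added Python example (it is not code from the original article) that models the client and server side of an HTTP Basic exchange and of an RFC 2617 Digest exchange with qop=auth. The header values, the realm "intranet.example", the nonce, the client nonce and the user "alice" are all constructed for the example. It shows that a Basic credential is only Base64-encoded, so the password is recovered by anyone who sees the header, whereas with Digest only an MD5 digest of user, realm, password, nonce and request travels over the network and the server verifies it from a stored HA1 without ever receiving the password.

```python
import base64
import hashlib
import hmac


def decode_basic_header(header_value):
    """Recover user name and password from an 'Authorization: Basic ...' value.
    Base64 is an encoding, not encryption: whoever sees the header on the
    wire (or in a proxy log) learns the password."""
    scheme, _, encoded = header_value.strip().partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    user, _, password = base64.b64decode(encoded).decode("utf-8").partition(":")
    return user, password


def _md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def digest_response(user, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """Client side of RFC 2617 with qop=auth: only this 32-hex-char digest is
    sent; the password itself never leaves the client."""
    ha1 = _md5_hex(f"{user}:{realm}:{password}")
    ha2 = _md5_hex(f"{method}:{uri}")
    return _md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def build_digest_header(user, realm, password, method, uri, nonce, nc, cnonce):
    """What the browser sends after the server's 401 with WWW-Authenticate: Digest."""
    response = digest_response(user, realm, password, method, uri, nonce, nc, cnonce)
    return (f'Digest username="{user}", realm="{realm}", nonce="{nonce}", '
            f'uri="{uri}", qop=auth, nc={nc}, cnonce="{cnonce}", response="{response}"')


def parse_digest_header(header_value):
    """Turn 'Digest k="v", k=v, ...' into a dict. The plain comma split is
    enough for the constructed values here; a production parser must honour
    commas inside quoted strings."""
    scheme, _, params = header_value.strip().partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest credential")
    fields = {}
    for part in params.split(","):
        key, _, value = part.strip().partition("=")
        fields[key] = value.strip().strip('"')
    return fields


def verify_digest(header_value, method, stored_ha1, issued_nonce, realm):
    """Server side: the server keeps (or derives) HA1 for the account and
    recomputes the response for the nonce it issued. It never sees the
    clear-text password, and a header replayed with a stale nonce fails."""
    f = parse_digest_header(header_value)
    if f.get("nonce") != issued_nonce or f.get("realm") != realm:
        return False
    ha2 = _md5_hex(f"{method}:{f.get('uri', '')}")
    expected = _md5_hex(
        f"{stored_ha1}:{f.get('nonce')}:{f.get('nc')}:{f.get('cnonce')}:{f.get('qop')}:{ha2}")
    return hmac.compare_digest(expected, f.get("response", ""))


# Constructed sample values (not captured traffic).
REALM = "intranet.example"          # assumed realm name
NONCE = "0123456789abcdef"          # nonce the server put in its 401 challenge
CNONCE = "c0ffee42"                 # client nonce chosen by the browser
BASIC_HEADER = "Basic " + base64.b64encode(b"alice:S3cret!").decode("ascii")
DIGEST_HEADER = build_digest_header(
    "alice", REALM, "S3cret!", "GET", "/reports/", NONCE, "00000001", CNONCE)


def demo():
    """Run both checks and return what each side learns."""
    user, password = decode_basic_header(BASIC_HEADER)      # password exposed
    stored_ha1 = _md5_hex(f"alice:{REALM}:S3cret!")         # what the server stores
    accepted = verify_digest(DIGEST_HEADER, "GET", stored_ha1, NONCE, REALM)
    return {"basic_user": user, "basic_password": password,
            "digest_password_visible": "S3cret!" in DIGEST_HEADER,
            "digest_accepted": accepted}


if __name__ == "__main__":
    print(demo())
```

The nonce check in verify_digest is what gives Digest its replay resistance; a server that accepts any nonce value loses that property even though the password is still not on the wire.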

Anonymous Authentication
This is completely open, public access. When a user attempts to open a site, IIS does not
check for any authentication.

Forms Authentication
The user provides credentials and submits the form. If the user authenticates
successfully, the system issues a cookie that contains a credential or key for getting
Forms authentication is a good choice if your application needs to collect its own user
credentials at logon time through HTML forms. With this authentication, we can customize
content for known users. Basically, the system accepts credentials from the user
(mostly a user name and password). The application code checks the credentials to confirm
authenticity. If the credentials are authenticated, the application code attaches a cookie
containing the user name, not the password. If the credentials fail, the request returns
with an access-denied message.
The following picture illustrates the idea:

.NET Passport Authentication

Microsoft .NET Passport is a user-authentication service and a component of the
Microsoft .NET Framework. Passport authentication is a centralized authentication
service. .NET Passport uses standard Web technologies and techniques, such as
Secure Sockets Layer (SSL), HTTP redirects, cookies, Microsoft JScript, and strong
symmetric-key encryption. Sign-in, sign-out and registration pages are centrally hosted
rather than being specific to an individual site.
There is no real-time or server-to-server communication between participating Web sites
and the central .NET Passport servers.
To enable an authentication provider for an ASP.NET application, create an entry
in the Web.config file as follows:

<!-- Web.config file -->
<authentication mode="[Windows|Forms|Passport|None]" />

The default authentication mode is Windows. If we set the authentication mode
to None, ASP.NET will not apply any authentication checks to client requests.
The None mode can be useful when you want to introduce a custom authentication
scheme, or don't want to check any authentication in order to get the highest level of

URL Authorization
URL authorization maps users and roles to pieces of the URL namespace. By using this
authorization, we can selectively allow or deny access to certain sets of users or roles.
You just need to place a list of users and roles in the <allow> or <deny> elements
of the <authorization> section.
There are two special identities that we can allow or deny:

- * refers to all identities

- ? refers to the anonymous identity

Consider the following example, which illustrates the subject:

<authorization>
  <allow users="ABC"/>
  <allow roles="XXX"/>
  <deny users="XYZ"/>
  <deny users="?"/>
</authorization>

The above example grants access to the user ABC and to users in the XXX role, whereas it
denies access to the user XYZ and to anonymous users. The rules are evaluated in the order
they are written and the first rule that matches wins, so a <deny> placed after a broad
<allow> never takes effect.

We can give multiple users in a single element:

<allow users="ABC, XYZ"/>

If you want to deny access to all users, the setting is as follows:

<deny users="*"/>
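To see how these rules are applied, here is an added Python example (it is not code from the original article) that parses the <authentication> mode and the <authorization> rules out of a constructed Web.config fragment and decides a request the way ASP.NET's URL authorization does: rules are checked top to bottom, the first rule matching the user or one of its roles wins, * matches everyone, ? matches only unauthenticated requests, names are compared case-insensitively, and a request that matches no rule falls through to the allow-all rule ASP.NET inherits from the machine-level configuration. A second, misordered fragment shows the pitfall of writing a blanket <allow users="*"/> before <deny users="?"/>. The user and role names are the article's own placeholders.

```python
import xml.etree.ElementTree as ET

# Constructed Web.config fragment: Forms authentication plus the article's
# URL authorization rules, in the order the article lists them.
WEB_CONFIG = """<configuration>
  <system.web>
    <authentication mode="Forms" />
    <authorization>
      <allow users="ABC" />
      <allow roles="XXX" />
      <deny users="XYZ" />
      <deny users="?" />
    </authorization>
  </system.web>
</configuration>"""

# Same intent, but the blanket allow comes first, so the deny is never reached.
MISORDERED_CONFIG = """<configuration>
  <system.web>
    <authentication mode="Forms" />
    <authorization>
      <allow users="*" />
      <deny users="?" />
    </authorization>
  </system.web>
</configuration>"""


def _split(value):
    """'ABC, XYZ' -> ['abc', 'xyz']; ASP.NET compares names case-insensitively."""
    if not value:
        return []
    return [v.strip().casefold() for v in value.split(",") if v.strip()]


def parse_config(config_xml):
    """Return (authentication mode, ordered list of allow/deny rules)."""
    root = ET.fromstring(config_xml)
    mode = root.find("./system.web/authentication").get("mode")
    rules = []
    for el in root.find("./system.web/authorization"):
        if el.tag in ("allow", "deny"):
            rules.append({"action": el.tag,
                          "users": _split(el.get("users")),
                          "roles": _split(el.get("roles"))})
    return mode, rules


def _matches(rule, user, roles):
    """user=None models an anonymous (unauthenticated) request."""
    anonymous = user is None
    for name in rule["users"]:
        if name == "*":                       # everyone, anonymous included
            return True
        if name == "?" and anonymous:         # only the anonymous identity
            return True
        if not anonymous and name == user.casefold():
            return True
    if not anonymous:
        held = {r.casefold() for r in roles}
        if any(r in held for r in rule["roles"]):
            return True
    return False


def is_allowed(rules, user, roles=()):
    """First matching rule decides. With no match, the allow-all rule that
    ASP.NET inherits from the machine-level configuration applies."""
    for rule in rules:
        if _matches(rule, user, roles):
            return rule["action"] == "allow"
    return True


def check_requests(config_xml):
    """Evaluate a few representative requests against a configuration."""
    _, rules = parse_config(config_xml)
    return {
        "ABC": is_allowed(rules, "ABC"),
        "XYZ": is_allowed(rules, "XYZ"),
        "member of XXX": is_allowed(rules, "someone", ["XXX"]),
        "anonymous": is_allowed(rules, None),
    }


if __name__ == "__main__":
    print("article's rules:", check_requests(WEB_CONFIG))
    print("misordered rules:", check_requests(MISORDERED_CONFIG))
```

Because the fall-through default is allow, a section that is meant to be closed should end with an explicit <deny users="*"/> (or <deny users="?"/> for anonymous users only); relying on the absence of an allow rule does not deny anything.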

File Authorization
File authorization is active when you use Windows authentication. It checks access to the
file: it performs an access control list (ACL) check on the .aspx or .asmx handler file to
determine whether the user has access to that file. Applications can further use the
impersonation technique to check the resources that they are accessing.
File access is checked against the NTFS file permissions. The check ensures that
the user has READ access to the requested file. The default user account is ASPNET.
Impersonation is the technique in which the application executes under the identity of
the authenticated (logged-in) user rather than under the ASP.NET process account. By
default, impersonation is not enabled. We can set impersonation in the web.config file:

<identity impersonate="true"/>

or we can provide a user name and password for the impersonation. The user name specifies
the account on whose behalf the application works on the site.

<identity impersonate="true" userName="administrator" password="pass"/>

Note that this stores the password in clear text in Web.config, where anyone who can read
the file can see it; from .NET Framework 2.0 on, the section can be encrypted with
aspnet_regiis -pe "system.web/identity". The account should also have only the rights the
application actually needs.

We can enable these settings from IIS also.

That is all for the basic idea of authentication and authorization.