
Authentication and Authorization in ASP.NET

6 Jun 2010, CPOL, 4 min read
Designing an authentication and authorization strategy for distributed Web applications is a challenging task. The good news is that proper authentication and authorization design during the early phases of your application development helps to avoid many top security risks.

Table of Contents

    • Introduction
    • Authentication in ASP.NET
    • Authorization in ASP.NET
    • ASP.NET Impersonation

Introduction

This article provides guidance to help you develop an appropriate authentication and authorization strategy for your particular application scenario. It will help you choose the most appropriate authentication and authorization technique and apply them at the correct places in your application.

Authentication in ASP.NET

Authentication is the process of obtaining some sort of credentials from the user and using those credentials to verify the user's identity. In short, it is the process of establishing who the requesting entity is; it says nothing yet about what that entity may do.

Authentication Providers

ASP.NET ships with three authentication providers (a fourth setting, None, switches ASP.NET authentication off, for public sites or when you implement your own scheme):

• Forms authentication
• Passport authentication
• Windows authentication

Authentication modes can be specified in the application’s Web.config file as shown below:

<configuration>
  <system.web>     
    <authentication mode="[Windows/Forms/Passport/None]">
    </authentication>
  </system.web>
</configuration> 


Forms Authentication

Forms authentication uses a cookie to track the user across requests. When a user logs in, ASP.NET issues an authentication ticket, encrypts and signs it (the default protection="All" setting of the <forms> element) and stores it in a cookie that the browser presents on every subsequent request. If an unauthenticated user requests a protected page, he or she is redirected to the login page named by loginUrl and, after a successful login, back to the originally requested page. Because that cookie is the bearer of the session, it should be sent only over HTTPS (requireSSL="true") and given a short timeout; anyone who captures it can act as the user until it expires.

Passport Authentication

Passport authentication is a centralized authentication service provided by Microsoft that offers a single logon and core profile services for member sites; it uses Microsoft's Passport service to authenticate the users of an application. If the authentication mode of the application is configured as Passport and the user has signed up with the Passport service, the authentication exchange itself is handed off to the Passport servers and the application only receives the resulting ticket. (Passport was later renamed Windows Live ID and the ASP.NET Passport classes are now marked obsolete; new applications should not rely on this mode.)

Windows Authentication

The Windows authentication provider is the default provider for ASP.NET (the machine-level configuration sets mode="Windows"). It authenticates users based on their Windows accounts.

Windows authentication treats the user identity supplied by Microsoft Internet Information Services (IIS) as the authenticated user in the ASP.NET application; ASP.NET itself does no credential checking in this mode. IIS provides a number of authentication mechanisms to verify user identity, including anonymous authentication, Windows integrated (NTLM) authentication, Windows integrated (Kerberos) authentication, Basic authentication (credentials are only base64 encoded, so it must be used over SSL), Digest authentication, and authentication based on client certificates.

Advantages of Forms authentication

• Supports authentication against a custom data store; typically a SQL Server database or Active Directory.
• Supports role-based authorization with role lookup from a data store.
• Smooth integration with Web user interface.
• ASP.NET provides much of the infrastructure.

Advantages of Passport authentication

• Passport is a centralized solution.
• It removes credential management issues from the application: the user's password is verified by Microsoft's servers and is never seen or stored by the site.
• It can be used with role-based authorization schemes.
• The ticket the site receives is encrypted with a site-specific key issued by the Passport service, so the application trusts the ticket rather than the user's self-asserted identity.

Authorization in ASP.NET



Authorization is the process of deciding whether a given identity, established by authentication, may access a particular resource. Authorization rules can also refer to anonymous users (the ? wildcard below), so enabling authentication does not by itself keep unauthenticated users out; the rules must deny them explicitly. IIS defaults to anonymous access, and the ASP.NET default authentication mode is Windows. There are three types of authorization in ASP.NET:

1. URL authorization: the UrlAuthorizationModule evaluates the <authorization> rules in web.config against the requested path, the HTTP verb and the current identity.
2. File authorization: the FileAuthorizationModule checks the NTFS access control list (ACL) of the requested file against the authenticated Windows identity (only meaningful with Windows authentication).
3. Authorization based on ACLs of the resources the code touches (files, registry keys, databases), enforced by the operating system against the identity the request executes under (see Impersonation below).

Authorization, like authentication, is specified in the web.config file of the application. The following specification grants access to the user userA but denies it to userB and to all anonymous users (? stands for anonymous users, * for everyone). Note that the ordering of <allow> and <deny> elements is important, since the first one that matches the request is used and evaluation stops there. Hence, if you were to add a <deny users="*"> to the top of the list, it would deny everyone, regardless of any <allow> elements that followed it. The converse is just as important: the section below names only userA, userB and anonymous users, so any other authenticated user matches none of these rules and falls through to the machine-level default rule <allow users="*"/>, which admits them. To build a closed list, end the section with <deny users="*"/>.

<authorization>
  <allow users="userA"/>
  <deny users="userB"/>
  <deny users="?"/> 
</authorization>
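To make the first-match semantics concrete, here is an added example (not part of the original article, and not ASP.NET's own code) that simulates how UrlAuthorizationModule evaluates an <authorization> section. It assumes the documented behaviour: rules are tried in order and the first match decides, users="*" matches everyone, users="?" matches anonymous requests, a verbs attribute narrows a rule to the listed HTTP methods, a subfolder's rules are evaluated before its parent's, and an implicit <allow users="*"/> from the machine-level configuration sits after the application's rules. The configurations embedded below are constructed for the demonstration, including the article's own section, a deny-all-first variant and a closed-by-default hardened variant.

```python
"""Simulation of ASP.NET URL authorization (<authorization>) rule evaluation.

Constructed example mirroring the documented UrlAuthorizationModule semantics:
first matching rule wins, users="*" is everyone, users="?" is anonymous, the
verbs attribute limits a rule to listed HTTP methods, and the machine-level
default <allow users="*"/> is appended after the application's own rules.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    users: Tuple[str, ...] = ()  # user names, "*" (everyone) or "?" (anonymous)
    roles: Tuple[str, ...] = ()  # role names
    verbs: Tuple[str, ...] = ()  # HTTP methods; empty means every verb


@dataclass(frozen=True)
class Principal:
    name: Optional[str]          # None means anonymous (not authenticated)
    roles: Tuple[str, ...] = ()

    @property
    def authenticated(self) -> bool:
        return self.name is not None


def _split(value: str) -> Tuple[str, ...]:
    return tuple(part.strip() for part in value.split(",") if part.strip())


def parse_rules(xml_text: str):
    """Turn an <authorization> fragment into an ordered list of Rule objects."""
    root = ET.fromstring(xml_text)
    return [Rule(el.tag, _split(el.get("users", "")), _split(el.get("roles", "")),
                 _split(el.get("verbs", "")))
            for el in root if el.tag in ("allow", "deny")]


def rule_matches(rule: Rule, principal: Principal, verb: str) -> bool:
    """A rule applies when the verb fits and a users entry or a roles entry matches."""
    if rule.verbs and verb.upper() not in {v.upper() for v in rule.verbs}:
        return False
    for user in rule.users:
        if user == "*":
            return True
        if user == "?" and not principal.authenticated:
            return True
        if principal.authenticated and user.lower() == principal.name.lower():
            return True
    if principal.authenticated:  # anonymous requests carry no roles
        mine = {r.lower() for r in principal.roles}
        if any(r.lower() in mine for r in rule.roles):
            return True
    return False


DEFAULT_RULE = Rule("allow", users=("*",))  # machine-level catch-all


def is_allowed(rules, principal: Principal, verb: str = "GET") -> bool:
    """First matching rule decides; the trailing allow-all catches what nothing else did."""
    for rule in list(rules) + [DEFAULT_RULE]:
        if rule_matches(rule, principal, verb):
            return rule.action == "allow"
    return True  # not reachable: DEFAULT_RULE always matches


def effective_rules(*levels):
    """Rules from a subfolder's web.config run before the parent's; pass innermost first."""
    return [rule for level in levels for rule in level]


# --- constructed configurations ---
ARTICLE_CONFIG = """<authorization>
  <allow users="userA"/>
  <deny users="userB"/>
  <deny users="?"/>
</authorization>"""

DENY_ALL_FIRST = """<authorization>
  <deny users="*"/>
  <allow users="userA"/>
</authorization>"""

HARDENED_CONFIG = """<authorization>
  <allow users="userA"/>
  <allow roles="Admins" verbs="POST"/>
  <deny users="*"/>
</authorization>"""

SUBFOLDER_PUBLIC = """<authorization>
  <allow users="?"/>
</authorization>"""


if __name__ == "__main__":
    anon, user_a, user_c = Principal(None), Principal("userA"), Principal("userC")
    admin = Principal("userD", roles=("Admins",))
    art, hard = parse_rules(ARTICLE_CONFIG), parse_rules(HARDENED_CONFIG)
    print("article, userA       :", is_allowed(art, user_a))              # True
    print("article, userB       :", is_allowed(art, Principal("userB")))  # False
    print("article, anonymous   :", is_allowed(art, anon))                # False
    print("article, userC       :", is_allowed(art, user_c))              # True: fell through to default allow
    print("deny-all first, userA:", is_allowed(parse_rules(DENY_ALL_FIRST), user_a))  # False
    print("hardened, admin POST :", is_allowed(hard, admin, "POST"))      # True
    print("hardened, admin GET  :", is_allowed(hard, admin, "GET"))       # False
    print("subfolder, anonymous :", is_allowed(effective_rules(parse_rules(SUBFOLDER_PUBLIC), art), anon))  # True
```

The userC case is the one to watch: the article's section never mentions userC, so the request reaches the machine-level allow-all and is admitted. The hardened section closes that hole by ending with a deny-all, and the subfolder case shows that a nested web.config's rules take precedence over the parent's, so a stray <allow users="?"/> in a subfolder reopens it for anonymous users.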

ASP.NET Impersonation



Impersonation is the process of executing code under the security context of another user identity instead of the identity of the ASP.NET worker process. The identity matters because the operating system checks its ACLs against whatever identity the code is running as. For example, on IIS 5 a web page with no access controls of its own is served through two accounts that are created during IIS installation: IUSR_machinename, the anonymous user account, and IWAM_machinename, the account under which out-of-process web applications run; IIS grants both of them access to the folders of every web site on the server.

Configure Impersonation

Impersonation is enabled or disabled in the Web.config file found in the root directory of the web application.

Impersonation Disabled

By default, impersonation is disabled.
If impersonation is disabled in an ASP.NET application then:

If anonymous access is enabled in IIS, the request executes under the ASP.NET worker process account (ASPNET on IIS 5, the application pool identity, NETWORK SERVICE by default, on IIS 6 and later).
If anonymous access is disabled in IIS, the request still executes under the worker process account; the authenticated user's identity is available to your code through HttpContext.User, but operating system ACLs are checked against the process account, not against the user.

You can disable the impersonation by using the following syntax:

<identity impersonate="false" /> 


Impersonation Enabled

If impersonation is enabled in an ASP.NET application then:

If anonymous access is enabled in IIS, the request is made using the IIS anonymous account (IUSR_machinename by default), so the page can reach only what that account may reach.
If anonymous access is disabled in IIS, the request is made using the account of the authenticated user, and file, registry and database ACLs are enforced against that user.

You can enable the impersonation by using the following syntax:

<identity impersonate="true" />


Impersonation enabled for a specific identity

If you want every request to run as one particular account, regardless of who authenticated, use the following syntax:

<identity impersonate="true"  userName="UserName"  password="UserPassword" />

This stores the account's password in clear text in Web.config. Anyone who can read the file obtains the credentials, so encrypt the section with protected configuration (aspnet_regiis -pe "system.web/identity") on .NET 2.0 and later, and give the account only the rights the application actually needs.

License

This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)