Authentication and Authorization in ASP.NET

, 6 Jun 2010
Designing an authentication and authorization strategy for distributed Web applications is a challenging task. The good news is that proper authentication and authorization design during the early phases of your application development helps to avoid many top security risks.

Table of Contents

    • Introduction
    • Authentication in ASP.NET
    • Authorization in ASP.NET
    • ASP.NET Impersonation

Introduction

This article provides guidance to help you develop an appropriate authentication and authorization strategy for your particular application scenario. It will help you choose the most appropriate authentication and authorization technique and apply them at the correct places in your application.
 
Authentication in ASP.NET
 
Authentication is the process of obtaining some sort of credentials from the user and using those credentials to verify the user's identity. In short, it is the process of determining the identity of the requesting entity.
 
Authentication Providers
 
ASP.NET provides three ways to authenticate a user:
 
Forms authentication
Passport authentication
Windows authentication
 
The authentication mode is specified in the application's Web.config file as shown below:
 
<configuration>
  <system.web>     
    <authentication mode="[Windows/Forms/Passport/None]">
    </authentication>
  </system.web>
</configuration> 
 
Forms Authentication
 
Forms authentication uses cookies to allow applications to track users throughout their visit. When a user logs in via forms authentication, a cookie is created and used to track the user throughout the site. If the user requests a page that is secure and has not logged in, then the user will be redirected to the login page. Once the user has been successfully authenticated, he/she will be redirected to their originally requested page.
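The login step described above, as an added C# example that is not from the article: a code-behind for a hypothetical Login.aspx that validates the credentials, issues the forms cookie explicitly so its contents are visible, and redirects to the originally requested page. The control names UserName, Password and FailureText are assumptions.

```csharp
using System;
using System.Web;
using System.Web.Security;

// Code-behind for a hypothetical Login.aspx. Assumes <authentication mode="Forms">
// with loginUrl pointing here, a configured membership provider, and controls
// named UserName, Password (TextBox) and FailureText (Label).
public partial class Login : System.Web.UI.Page
{
    protected void LoginButton_Click(object sender, EventArgs e)
    {
        // Check the credentials through the configured membership provider;
        // page code never compares passwords itself.
        if (!Membership.ValidateUser(UserName.Text, Password.Text))
        {
            FailureText.Text = "Invalid user name or password.";
            return;
        }

        // The ticket the forms cookie carries: version, user name, issue and
        // expiry time, non-persistent (session cookie), no user data, cookie path.
        var ticket = new FormsAuthenticationTicket(
            1, UserName.Text, DateTime.Now, DateTime.Now.AddMinutes(20),
            false, string.Empty, FormsAuthentication.FormsCookiePath);

        // Encrypt() protects the ticket with the <machineKey> settings, so the
        // browser can neither read nor alter the identity the cookie asserts.
        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                    FormsAuthentication.Encrypt(ticket))
        {
            HttpOnly = true,                          // keep it away from script
            Secure = FormsAuthentication.RequireSSL,  // HTTPS-only when configured
            Path = FormsAuthentication.FormsCookiePath
        };
        Response.Cookies.Add(cookie);

        // Back to the page that triggered the redirect to the login page
        // (the ReturnUrl query parameter), or to the default page if none.
        Response.Redirect(FormsAuthentication.GetRedirectUrl(UserName.Text, false));
    }
}
```

FormsAuthentication.RedirectFromLoginPage(userName, false) performs the same ticket, cookie and redirect steps in one call; the expanded form shows what the cookie actually carries.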
 
Passport Authentication
 
Passport authentication is a centralized authentication service provided by Microsoft that offers a single logon and core profile services for member sites; it uses Microsoft's Passport Service to authenticate the users of an application. If the authentication mode of the application is configured as Passport and if the users have signed up with Microsoft's Passport Service, then the authentication formalities are pushed over to Passport servers.
 
Windows Authentication
 
The Windows authentication provider is the default provider for ASP.NET. It authenticates users based on their Windows accounts.
 
Windows Authentication treats the user identity supplied by Microsoft Internet Information Services (IIS) as the authenticated user in an ASP.NET application. IIS provides a number of authentication mechanisms to verify user identity, including anonymous authentication, Windows integrated (NTLM) authentication, Windows integrated (Kerberos) authentication, Basic (base64 encoded) authentication, Digest authentication, and authentication based on client certificates.
 
Advantages of Forms authentication
 
• Supports authentication against a custom data store; typically a SQL Server database or Active Directory.
• Supports role-based authorization with role lookup from a data store.
• Smooth integration with Web user interface.
• ASP.NET provides much of the infrastructure.
 
Advantages of Passport authentication
 
• Passport is a centralized solution.
• It removes credential management issues from the application.
• It can be used with role-based authorization schemes.
• It is very secure as it is built on cryptography technologies.
 

Authorization in ASP.NET

 
Authorization is the process of determining whether a previously authenticated user may access a resource. Note that authorization can only work with authenticated users, hence ensuring that no unauthenticated user can access the application. The default authentication mode is anonymous authentication. There are three types of authorization in ASP.NET:
 
1. URL Authorization
2. File Authorization
3. Authorization based on ACLs
 
Authorization, like authentication, is specified in the web.config file of the application. The following specification in the web.config file grants access to the user userA but denies it to userB and to all anonymous users. Note that the ordering of the <allow> and <deny> elements is important, since the first one that matches the request will be used. Hence, if you were to add a <deny users="*"/> to the top of the list, it would always deny everyone, regardless of any elements that followed it.
 
<authorization>
  <allow users="userA"/>
  <deny users="userB"/>
  <deny users="?"/> 
</authorization>
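An added C# model of the first-match evaluation described above (not ASP.NET's own code), run over the article's <authorization> block and then again with <deny users="*"/> inserted at the top; the class and method names are invented for the example.

```csharp
using System;
using System.Collections.Generic;
// Added model of URL authorization rule evaluation (not ASP.NET's own code):
// rules are walked in document order, the first match decides, "?" matches
// only anonymous requests and "*" matches every request.
public sealed class UrlAuthorizationRule
{
    public readonly bool Allow;      // true for <allow>, false for <deny>
    public readonly string[] Users;  // the users="" attribute, split on commas
    public UrlAuthorizationRule(bool allow, string users)
    {
        Allow = allow;
        Users = users.Split(',');
    }
    public bool Matches(string userName, bool isAuthenticated)
    {
        foreach (string raw in Users)
        {
            string user = raw.Trim();
            if (user == "*") return true;
            if (user == "?") { if (!isAuthenticated) return true; continue; }
            if (isAuthenticated &&
                string.Equals(user, userName, StringComparison.OrdinalIgnoreCase))
                return true;
        }
        return false;
    }
    // Walk the rules in document order; the first matching rule decides.
    public static bool IsAllowed(IList<UrlAuthorizationRule> rules, string userName, bool isAuthenticated)
    {
        foreach (UrlAuthorizationRule rule in rules)
            if (rule.Matches(userName, isAuthenticated)) return rule.Allow;
        return true; // no match: the inherited root Web.config ends with <allow users="*"/>
    }
    public static void Main()
    {
        // The article's <authorization> block, in the same order.
        var rules = new List<UrlAuthorizationRule> {
            new UrlAuthorizationRule(true, "userA"),
            new UrlAuthorizationRule(false, "userB"),
            new UrlAuthorizationRule(false, "?") };
        foreach (string name in new[] { "userA", "userB", "userC" })
            Console.WriteLine(name + ": " + IsAllowed(rules, name, true));
        Console.WriteLine("anonymous: " + IsAllowed(rules, null, false));
        // The same block with <deny users="*"/> added at the top.
        rules.Insert(0, new UrlAuthorizationRule(false, "*"));
        Console.WriteLine("userA with deny-all first: " + IsAllowed(rules, "userA", true));
    }
}
```

Note that userC, who appears in no rule, falls through to the inherited default, which is why production configurations usually end with an explicit <deny users="*"/>.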

ASP.NET Impersonation

 
Impersonation is the process of executing code in the context of another user identity. For example, if a web page has no access controls, then any user can access that web page. HTML pages and ASP pages can be accessed through two accounts: IUSR_machinename and IWAM_machinename. Both accounts are set up during IIS installation and are automatically added to all the folders in every web site on the server.
 
Configure Impersonation
 
You enable or disable impersonation for an ASP.NET web application in the Web.config file, which is found under the root directory of the web application.
 
Impersonation Disabled
 
By default, impersonation is disabled.
If impersonation is disabled in an ASP.NET application, then:
 
• If anonymous access is enabled in IIS, the request is made using the system-level process account.
• If anonymous access is disabled in IIS, the request is made using the account of the authenticated user.
 
You can disable impersonation by using the following syntax:
 
<identity impersonate="false" /> 
 
Impersonation Enabled
 
If impersonation is enabled in an ASP.NET application, then:
 
• If anonymous access is enabled in IIS, the request is made using the IUSR_machinename account.
• If anonymous access is disabled in IIS, the request is made using the account of the authenticated user.
 
You can enable impersonation by using the following syntax:
 
<identity impersonate="true" />
 
Impersonation enabled for a specific identity
 
If you want to enable impersonation for a particular user account, use the following syntax:
 
<identity impersonate="true"  userName="UserName"  password="UserPassword" />
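An added C# example, not from the article, of impersonating the caller for a single file read instead of for the whole application via <identity impersonate="true"/>; it assumes Windows authentication with anonymous access disabled, the hypothetical file ~/App_Data/report.txt, and hypothetical Label controls ReportLabel and IdentityLabel.

```csharp
using System;
using System.IO;
using System.Security.Principal;
using System.Web.UI;

// Code-behind for a hypothetical page. Assumes Windows authentication in IIS
// (anonymous access off) and <identity impersonate="false"/>, so the request
// normally runs as the process account. The caller's identity is adopted only
// around the file read; the rest of the request keeps the process account.
public partial class ReportPage : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        var caller = User.Identity as WindowsIdentity;
        if (caller == null || !caller.IsAuthenticated)
        {
            Response.StatusCode = 401;   // no Windows token available to impersonate
            return;
        }

        string processAccount = WindowsIdentity.GetCurrent().Name;
        string report;
        try
        {
            // Impersonate() switches the current thread to the caller's token;
            // disposing the context restores the process account, even on exceptions.
            using (WindowsImpersonationContext ctx = caller.Impersonate())
            {
                // Inside the block WindowsIdentity.GetCurrent() is the caller, so the
                // NTFS ACL on the file is checked against the caller, not the process.
                report = File.ReadAllText(Server.MapPath("~/App_Data/report.txt"));
            }
        }
        catch (UnauthorizedAccessException)
        {
            Response.StatusCode = 403;   // the caller's account lacks read access
            return;
        }

        ReportLabel.Text = Server.HtmlEncode(report);
        IdentityLabel.Text = "Page ran as " + Server.HtmlEncode(processAccount)
                           + ", file read as " + Server.HtmlEncode(caller.Name);
    }
}
```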

License

This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

About the Author

Jamil Hallal
Technical Lead, Lebanon
I have 7+ years of experience working with Microsoft technologies. I have earned my Microsoft Certified Professional Developer. I'm a highly motivated self-starter with an aptitude for learning new skills quickly.

Last Updated 7 Jun 2010
Article Copyright 2010 by Jamil Hallal