Click here to Skip to main content
12,698,012 members (26,050 online)
Click here to Skip to main content
Add your own
alternative version


4 bookmarked

Authentication and Authorization

, 11 Oct 2013 CPOL
Rate this:
Please Sign up or sign in to vote.
Authentication means figuring out who you are and Authorization means figuring out what you can do. Both are fundamental parts of the ASP.NET

Editorial Note

This articles was originally at but has now been given a new home on CodeProject. Editing rights for this article has been set at Bronze or above, so please go in and edit and update this article to keep it fresh and relevant.

Authentication means figuring out who you are and Authorization means figuring out what you can do. Both are fundamental parts of the ASP.NET Security Model.

One thing to notice in ASP.NET authentication mechanism is that ASP.NET authenticates requests for resources such as .aspx, .asmx, .ashx, .axd, .ascx and others that are mapped to the ASP.NET ISAPI DLL (aspnet_isapi.dll). ASP.NET does not authenticate requests for images (GIF, JPEG, etc), CSS or JavaScript files. If you want these resources also to be secured by ASP.NET (Forms Authentication, Windows Authentication or Passport), add them to the list of ASP.NET ISAPI mappings. This can be done from the Internet Information Services Manager (IIS Manager) by following these steps:

  1. Open IIS Manager (Start/Run, type inetmgr and Enter)
  2. From the left-side tree view, select the web application you want to change the mappings for
  3. Right-click on the web application and select Properties
  4. Swirch to Home Directory Tab and click Configuration
  5. On the Mappings tab, click Add and enter the extension (one of .js, .css, .jpeg) and ASP.NET ISAPI DLL path for Executable. You can copy/paste the complete path to the ISAPI DLL from any other mapping, .aspx, for example.
  6. Repeat the above step for other file extensios too, if required
  7. Click OK thrice
Once done, requests to non-ASP.NET resources will also be subjected to ASP.NET authentication. The downside of this approach however is that it negatively impacts the performance of the web application because ASP.NET has to authenticate additional resource requests.

Be sure to visit the subpages for more information on specific kinds of authorization like Forms, Windows, Passport, Basic, and custom. This is just the start!


This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)


About the Author

ASP.NET Community
United States United States
The ASP.NET Wiki was started by Scott Hanselman in February of 2008. The idea is that folks spend a lot of time trolling the blogs, googlinglive-searching for answers to common "How To" questions. There's piles of fantastic community-created and MSFT-created content out there, but if it's not found by a search engine and the right combination of keywords, it's often lost.

The ASP.NET Wiki articles moved to CodeProject in October 2013 and will live on, loved, protected and updated by the community.
Group type: Collaborative Group

769 members

You may also be interested in...

Comments and Discussions

-- There are no messages in this forum --
| Advertise | Privacy | Terms of Use | Mobile
Web01 | 2.8.170118.1 | Last Updated 11 Oct 2013
Article Copyright 2013 by ASP.NET Community
Everything else Copyright © CodeProject, 1999-2017
Layout: fixed | fluid