Authentication

 Authentication is a process of determining the identity of the user while Authorization is the
process of determining whether the user is eligible to access all pages or some pages only.
 ASP.Net supports following authentication providers
1. Windows(default)
2. Forms
3. Passport
4. None

 To enable use authentication element in machine.config or web.config file as follows-

<system.web>
<!-- mode=[Windows|Forms|Passport|None] -->
<authentication mode="Windows" />
</system.web>

 Each authentication provider supports OnAuthenticate event, during the authentication process
and can be used for custom authorization scheme.

 Primary purpose of this event to attach a custom object that implements IPrincipal Interface to
the context.

 ASP.NET auth. provider we use depends upon IIS authentication scheme. If IIS auth. schemes
other than Anonymous, then Windows. Otherwise, Forms, Passport, or None.

 Windows- relies upon the IIS to perform required authentication of client. After IIS auth. it
passes a security token to ASP.NET; ASP.NET construct & attaches object of the
WindowsPrinciple class to application context based on token received by IIS.
o Pros
 Uses windows account, so need not to write custom auth. code.
o Cons
 May require the use & management of individual windows user account.
 IIS auth. has it own pros and cons.

 Forms (Cookie) - Application collect credentials using HTML form directly from client. Client
submits credentials directly to application code for authentication. If application authenticates
client, it issues cookie to client & it presents on subsequent requests.
Application can store credentials in many ways, as configuration file or SQL DB.
o Pros
 Makes it possible for custom auth. schemes using arbitrary criteria.
 Can be used for authentication or personalization.
 Does not require corresponding Windows accounts.
o Cons
 Is subject to replay attacks for the lifetime of the cookie, unless using SSL/TLS.
 Is only applicable for resources mapped to Aspnet_isapi.dll.

o To implement forms auth. must create own logon page & redirect URL for
unauthenticated clients.
<!-- Web.config file -->
<system.web>
<authentication mode="Forms">
<forms forms="401kApp" loginUrl="/login.aspx" />
</authentication>
</system.web>
o As using own authentication, typically configure IIS for Anonymous auth.

 Passport - Is a forms-based centralized auth. service provided by Microsoft, offers a single logon
& core profile services for member sites. When member sites register, Passport service grants a
 site-specific key. Passport logon server uses this key to encrypt & decrypt query strings passed
between member site & Passport logon server.
o Pros
 Supports single sign-in across multiple domains.
 Compatible with all browsers.
o Cons
 Places an external dependency for the authentication process.
o To implement Passport, must register site with Passport service, accept license
agreement, & install Passport SDK prior to use. Must configure Web.config file as
<!-- Web.config file -->
<system.web>
<authentication mode="Passport" />
</system.web>

 None (Custom Authentication)-

o Specify "None" as authentication provider when users are not authenticated at all or if
you plan to develop custom authentication code. For example may want to develop own
authentication scheme using an ISAPI filter that authenticates users and manually
creates an object of the GenericPrincipal Class.
o Pros
 Offers total control of auth. process providing the greatest flexibility.
 Provides highest performance if not implement an authentication method.
o Cons
 Custom-built auth. schemes are seldom as secure as those provided by OS.
 Requires extra work to custom-build an authentication scheme.

o To implement configure Web.config file as

<!-- Web.config file -->
<system.web>
<authentication mode="None" />
</system.web>