What about Authentication in ASP.NET?

by raman ahuja | Views: 1787

Can you please give me details about:

Authentication in ASP.NET

Authentication Providers in ASP.NET

Windows Authentication and IIS in ASP.NET

Answers (3)
 
Gourav Said..

Authentication in ASP.NET

Authentication: it is the process of obtaining some sort of credentials from the users and using those credentials to verify the user's identity. The user's (or potentially an application's or computer's) identity is referred to as a security principal. The client must provide credentials to allow the server to verify the identity of the principal. After the identity is known, the application can authorize the principal to access resources on the system. There are various criteria which help you choose the appropriate authentication mechanism. Authentication always precedes Authorization; even if your application lets anonymous users connect and use the application, it still authenticates them as being anonymous.

Authentication Methods: ASP.NET provides a flexible set of alternatives for authentication, and you have a variety of options for authentication within your .NET Web applications. For example, you may choose to utilize one of the supported IIS authentication mechanisms, or you may instead decide to perform authentication within your application code. You can perform authentication yourself in code or delegate authentication to other authorities (such as Microsoft Passport). In fact, sometimes it seems ASP.NET authentication is a bit too flexible; it can be difficult for a new developer to know just where to start. We will review the settings in ASP.NET and Internet Information Services (IIS) that control authentication and authorization in ASP.NET applications.

You should consider some or all of the following factors when choosing an authentication method:

1) Server and client operating systems
2) The client browser type
3) The number of users, and the location and type of the user name and password database
4) Deployment considerations, such as whether your application is Internet or intranet based and whether it is located behind a firewall
5) The application type; for example, is it an interactive Web site or a non-interactive Web service
6) Sensitivity of the data you are protecting
7) Performance and scalability factors
8) Application authorization requirements; for example, you may want your application to be available to all users, or you may need to restrict certain areas to registered users, and other areas to "administrators only."

Authentication providers in ASP.NET: ASP.NET implements authentication using authentication providers, which are code modules that verify credentials and implement other security functionality such as cookie generation. The ASP.NET architecture includes the concept of an authentication provider: a piece of code whose job is to verify credentials and decide whether a particular request should be considered authenticated. Out of the box, ASP.NET gives you a choice of three different authentication providers. ASP.NET supports the following three authentication providers:

1. WINDOWS AUTHENTICATION
2. FORMS AUTHENTICATION
3. PASSPORT AUTHENTICATION
4. NONE/CUSTOM AUTHENTICATION




[Figure: Illustrates the authorization mechanisms provided by ASP.NET and IIS]

Windows Authentication: The Windows Authentication provider lets you authenticate users based on their Windows accounts. This provider uses IIS to perform the authentication and then passes the authenticated identity to your code. This is the default provider for ASP.NET. This provider utilizes the authentication capabilities of IIS. After IIS completes its authentication, ASP.NET uses the authenticated identity's token to authorize access.

To enable a specified authentication provider for an ASP.NET application, you must create an entry in the application's configuration file as follows:

<!-- web.config file -->
<configuration>
  <system.web>
    <authentication mode="[Windows/Forms/Passport/None]" />
  </system.web>
</configuration>




Windows authentication and IIS

If you select Windows authentication for your ASP.NET application, you also have to configure authentication within IIS. This is because IIS provides Windows authentication.

IIS gives you a choice of four different authentication methods: Anonymous, Basic, Digest, and Windows Integrated.

If you select anonymous authentication, IIS doesn't perform any authentication; anyone is allowed to access the ASP.NET application.



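Added example (not from the original answers): a Web Forms page in an application running with `<authentication mode="Windows" />`, showing what the provider hands to your code after IIS has already authenticated the request. The `web.config` in the comment, the group name, and the `lblUser`, `lblScheme` and `pnlAdmin` controls are assumptions for the illustration.

```csharp
// Added example, not code from the original post. Assumes an ASP.NET Web Forms
// application on IIS with Windows authentication enabled in IIS and this
// (constructed) web.config:
//
//   <configuration>
//     <system.web>
//       <authentication mode="Windows" />
//       <authorization>
//         <deny users="?" />          <!-- reject anonymous requests -->
//       </authorization>
//       <identity impersonate="false" />
//     </system.web>
//   </configuration>
//
// The page only inspects the identity that IIS already authenticated;
// ASP.NET code never sees the user's password.
using System;
using System.Security.Principal;
using System.Web;
using System.Web.UI;

public partial class WhoAmI : Page
{
    // Placeholder group name; use a real domain group in a deployment.
    private const string AdminGroup = @"BUILTIN\Administrators";

    protected void Page_Load(object sender, EventArgs e)
    {
        // Under Windows authentication IIS supplies a WindowsIdentity.
        var identity = User.Identity as WindowsIdentity;

        if (identity == null || !identity.IsAuthenticated)
        {
            // With <deny users="?" /> this branch is not reached, but keep it
            // so that a later configuration change fails closed.
            Response.StatusCode = 401;
            Response.End();
        }

        // Which IIS mechanism produced the token: "Kerberos", "NTLM",
        // "Negotiate" or "Basic". Worth logging: Basic over plain HTTP
        // sends the password in clear text, as the answer above notes.
        string scheme = identity.AuthenticationType;

        // Authorization is decided per request from the group membership
        // carried in the token, not from anything the client sent itself.
        bool isAdmin = new WindowsPrincipal(identity).IsInRole(AdminGroup);

        lblUser.Text = HttpUtility.HtmlEncode(identity.Name);   // DOMAIN\user
        lblScheme.Text = HttpUtility.HtmlEncode(scheme);
        pnlAdmin.Visible = isAdmin;
    }
}
```

The `<deny users="?" />` entry is what turns the IIS-authenticated identity into an access decision: without it, ASP.NET still authenticates the request but lets anonymous users through if IIS allows them.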

Gourav Said..

If you select basic authentication, users must provide a Windows username and password to connect. However, this information is sent over the network in clear text, which makes basic authentication very much insecure over the internet. If you select digest authentication, users must still provide a Windows user name and password to connect. However, the password is hashed before it is sent across the network. Digest authentication requires that all users be running Internet Explorer 5 or later and that Windows accounts be stored in Active Directory.

If you select Windows integrated authentication, passwords never cross the network. Users must still have a username and password, but the application uses either the Kerberos or challenge/response protocols to authenticate the user. Windows-integrated authentication requires that all users be running Internet Explorer 3.01 or later. Kerberos is a network authentication protocol. It is designed to provide strong authentication for client/server applications by using secret-key cryptography. Kerberos is a solution to network security problems. It provides the tools of authentication and strong cryptography over the network to help secure information in systems across the entire enterprise.

Authentication using non-Windows accounts: If you are planning to authenticate users at the application level, and the users do not have Windows accounts, you will typically configure IIS to use Anonymous authentication. In this configuration, consider the following .NET authentication modules:

Forms: Use when you want to provide users with a logon page.

Passport: Use when you are using Passport services.

None: Use when you are not authenticating users at all, or developing custom authentication code.

Forms Authentication: Forms authentication provides you with a way to handle authentication using your own custom logic within an ASP.NET application. Using this provider causes unauthenticated requests to be redirected to a specified HTML form using client-side redirection. The user can then supply logon credentials and post the form back to the server. If the application authenticates the request (using application-specific logic), ASP.NET issues a cookie that contains the credentials or a key for reacquiring the client identity. Subsequent requests are issued with the cookie in the request headers, which means that subsequent authentications are necessary. The user's credentials are stored in a cookie for use during the session. The forms authentication provider uses custom HTML forms to collect authentication information and lets you use your own logic to authenticate users.

The following applies if you choose forms authentication:

1) When a user requests a page for the application, ASP.NET checks for the presence of a special session cookie. If the cookie is present, ASP.NET assumes the user is authenticated and processes the request.

2) If the cookie isn't present, ASP.NET redirects the user to a web form you provide.

3) You can carry out whatever authentication checks you like in your form. When the user is authenticated, you indicate this to ASP.NET by setting a property, which creates the special cookie to handle subsequent requests.

Passport Authentication: Passport authentication is a centralized authentication service provided by Microsoft that offers a single logon facility and membership services for participating sites. When you use Passport, you do not need to implement your own authentication code, logon page, and user table in some cases. Passport works using a cookie mechanism. If clients have previously authenticated to Passport, they are allowed access to your site. If not, they are automatically re-directed to the Passport site for authentication.

Passport is a good choice if you require single sign-on capability across multiple domains that also support Passport. Passport provides additional services beyond its role as an authentication service, including profile management and purchasing services. This provider utilizes the authentication capabilities of IIS. After IIS completes its authentication, ASP.NET uses the authenticated identity's token to authorize access. The .NET Framework does check for Passport cookies; if you maintain your own user database, you must implement your own code to map the Passport user to your own user, as well as implement your own authorization mechanism.

None/Custom Authentication: ASP.NET also supports custom authentication providers. This simply means that you set the authentication mode for the application to None, then write your own custom code to perform authentication. For example, you might install an ISAPI filter in IIS that compares incoming requests to a list of source IP addresses, and considers requests to be authenticated if they come from an acceptable address. In that case,


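Added example (not from the original answers) of the three-step forms authentication flow described above: the `<deny users="?" />` entry sends unauthenticated requests to the login page (steps 1 and 2), and the login page's handler performs the application-specific check and then tells ASP.NET the user is authenticated, which issues the ticket cookie (step 3). The `web.config`, the single constructed account, and the `txtUser`, `txtPassword` and `lblError` controls are assumptions for the illustration.

```csharp
// Added example, not code from the original post. Assumes a Web Forms login
// page (Login.aspx with txtUser, txtPassword, lblError and a btnLogin button)
// and this (constructed) web.config:
//
//   <configuration>
//     <system.web>
//       <authentication mode="Forms">
//         <forms loginUrl="~/Login.aspx" name=".AUTH" protection="All"
//                requireSSL="true" slidingExpiration="false" timeout="20" />
//       </authentication>
//       <authorization>
//         <deny users="?" />   <!-- steps 1-2: no ticket cookie -> loginUrl -->
//       </authorization>
//     </system.web>
//   </configuration>
//
// protection="All" makes ASP.NET encrypt and MAC the ticket, so the cookie
// carries a key for the identity rather than the credentials themselves.
using System;
using System.Security.Cryptography;
using System.Text;
using System.Web.Security;
using System.Web.UI;

public partial class Login : Page
{
    // Constructed sample user store with one account ("alice"). A real
    // application would load salt and hash per user from a database.
    private static readonly byte[] DemoSalt = Encoding.UTF8.GetBytes("demo-salt-16byte");
    private static readonly byte[] DemoHash = Pbkdf2("correct horse battery staple", DemoSalt);

    protected void btnLogin_Click(object sender, EventArgs e)
    {
        // Step 3: application-specific credential check.
        if (CheckPassword(txtUser.Text, txtPassword.Text))
        {
            // Tells ASP.NET the user is authenticated: issues the forms ticket
            // cookie and returns to the page originally requested. The second
            // argument (false) keeps the ticket non-persistent.
            FormsAuthentication.RedirectFromLoginPage(txtUser.Text, false);
        }
        else
        {
            // Same message for unknown user and wrong password.
            lblError.Text = "Invalid user name or password.";
        }
    }

    private static bool CheckPassword(string user, string password)
    {
        if (!string.Equals(user, "alice", StringComparison.Ordinal))
        {
            // Still derive a hash so response time does not reveal which
            // user names exist.
            Pbkdf2(password, DemoSalt);
            return false;
        }
        return FixedTimeEquals(Pbkdf2(password, DemoSalt), DemoHash);
    }

    // PBKDF2 (HMAC-SHA1 in .NET Framework's Rfc2898DeriveBytes), 32-byte key.
    private static byte[] Pbkdf2(string password, byte[] salt)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, 100000))
        {
            return kdf.GetBytes(32);
        }
    }

    // .NET Framework has no CryptographicOperations.FixedTimeEquals, so
    // compare without short-circuiting on the first differing byte.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

Once `RedirectFromLoginPage` has issued the ticket, every later request carries it in the cookie and ASP.NET sets `User.Identity.IsAuthenticated` without running the login handler again; `FormsAuthentication.SignOut()` removes the ticket when the user logs off.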

Ravi Prakash Pandey Said..

Authentication and authorisation are very important from a security point of view. Authentication is the process to identify the user; we can write code to authenticate users at different levels, whereas authorisation is the process of providing privileges to authenticated users.


