Authentication and Authorization
ASP.NET works in conjunction with IIS to support authentication, using Basic, Digest, and Windows authentication. ASP.NET supports the Microsoft Passport authentication service, which provides single sign-on services and support for user profile services. ASP.NET also provides a robust service for applications that want to use forms-based authentication. Forms-based authentication uses cookies to authenticate users and allows the application to do its own credential verification.
It is important to realize that ASP.NET authentication services are subject to the authentication services provided by IIS. For example, in order to use Basic authentication in an IIS application, you must configure the use of Basic authentication for the application using the Internet Service Manager tool.
ASP.NET provides two types of authorization services:
- File authorization, which checks the ACLs or permissions on a resource to determine whether the authenticated user account can access the resource
- URL authorization, which authorizes an identity for pieces of the Web space
To illustrate the difference, consider a scenario in which an application is configured to allow anonymous access using the IUSR_MYMACHINE account. When a request for an ASP.NET page (such as "/default.aspx") is authorized, a check is done against the ACLs on that file (for example, "c:\inetpub\wwwroot\default.aspx") to see whether the IUSR_MYMACHINE account has permission to read the file. If it does, then access is authorized. If the web content resides on an NTFS volume, and Windows Authentication is configured for the virtual directory, file authorization is performed automatically.
For URL authorization, the anonymous user is checked against the configuration data computed for the ASP.NET application. If access is allowed for the requested URL, the request is authorized. In this case, ASP.NET checks to see whether the anonymous user has access to /Default.aspx (that is, the check is done against the URL itself, not against the file that the URL ultimately resolves to).
This might seem a subtle distinction, but it enables applications to use authentication schemes like forms-based authentication or Passport authentication, in which the users do not correspond to a machine or domain account. It also enables authorization against virtual resources, for which there is no physical file underlying the resource. For example, an application could choose to map all requests for files ending in .stk to a handler that serves stock quotes based on variables present in the query string. In such a case, there is no physical .stk file against which to do ACL checks, so URL authorization is used to control access to the virtual resource.
File authorization is always performed against the authenticated account provided by IIS. If anonymous access is allowed, this is the configured anonymous account. Otherwise, it uses an NT account. This works in exactly the same way as ASP.
File ACLs are set for a given file or directory using the Security tab in the Explorer property page. URL authorization is configured as part of an ASP.NET Framework application and is described fully in Authorizing Users and Roles.
To activate an ASP.NET authentication service, you must configure the <authentication> element in the application's configuration file. This element can have any of the values listed in the following table.
| Value | Description |
| --- | --- |
| None | No ASP.NET authentication services are active. Note that IIS authentication services can still be present. |
| Windows | ASP.NET authentication services attach a WindowsPrincipal (System.Security.Principal.WindowsPrincipal) to the current request to enable authorization against NT users or groups. |
| Forms | ASP.NET authentication services manage cookies and redirect unauthenticated users to a logon page. This is often used in conjunction with the IIS option to allow anonymous access to an application. |
| Passport | ASP.NET authentication services provide a convenient wrapper around the services provided by the Passport SDK, which must be installed on the machine. |
For example, the following configuration file enables forms-based (cookie) authentication for an application:
<configuration>
  <system.web>
    <authentication mode="Forms"/>
  </system.web>
</configuration>
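The minimal file above only switches the authentication mode on; on its own it does not deny anyone anything. As an added example (not from the original page or the ASP.NET documentation), the following Web.config combines forms authentication with URL authorization so that anonymous users are turned away from the whole application except for the logon page, and protects the virtual .stk resources the text mentions in the same way. The names Login.aspx, StockQuotes and StockQuoteHandler are assumed; the .ASPXAUTH cookie name and the "?" / "*" user tokens are standard ASP.NET values.

```xml
<configuration>
  <system.web>
    <!-- Forms authentication: ASP.NET issues an encrypted, signed cookie after the
         application verifies credentials itself, and redirects unauthenticated users
         to loginUrl (Login.aspx is an assumed page name). protection="All" both
         encrypts and validates the cookie; timeout is in minutes. -->
    <authentication mode="Forms">
      <forms name=".ASPXAUTH" loginUrl="Login.aspx" protection="All" timeout="30" />
    </authentication>

    <!-- URL authorization for the entire application. Rules are evaluated top to
         bottom and the first match wins; "?" denotes anonymous users. Because the
         check is made against the URL rather than a file on disk, it also covers
         resources with no physical file behind them. -->
    <authorization>
      <deny users="?" />
    </authorization>

    <!-- Map the virtual .stk resources to a handler (StockQuoteHandler is an assumed
         type name). No .stk file exists, so only the <authorization> rules above and
         below control access to them. -->
    <httpHandlers>
      <add verb="GET" path="*.stk" type="StockQuotes.StockQuoteHandler, StockQuotes" />
    </httpHandlers>
  </system.web>

  <!-- The logon page must remain reachable by anonymous users, otherwise the redirect
       from loginUrl itself would be denied and nobody could ever sign in. -->
  <location path="Login.aspx">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

Two points a practitioner should check with this layout: IIS must be configured to allow anonymous access to the application (otherwise IIS challenges the browser before ASP.NET ever sees the request, and the forms redirect never happens), and the `<allow users="*"/>` carve-out should be limited to the logon page and any static resources it needs, since every `<location>` that allows "*" re-opens that URL to anonymous users.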