ASP.NET supports three different authentication schemes: Windows, Passport, and Cookie (Forms) authentication.
Windows authentication works in tandem with IIS authentication. The authentication is performed by IIS in one of three ways, called Basic, Digest, and Integrated Windows Authentication. The authenticated identity is then passed to the .NET Framework and used by ASP.NET. Windows authentication is the default authentication scheme used by ASP.NET. Listing 15.2 shows the security section of the web.config file to enable Windows authentication.
<!-- Let IIS authenticate the caller and hand the Windows identity to ASP.NET -->
<authentication mode="Windows" />

<!-- "?" means anonymous (unauthenticated) users: they are refused -->
<authorization>
    <deny users="?" />
</authorization>

<!-- Run the request as the authenticated Windows user, so NTFS ACLs apply -->
<identity impersonate="true" />
With Windows authentication, NTFS file permissions dictate which resources the user can access. For instance, if a subdirectory of your ASP.NET Web application is restricted to users in the Administrators role, then under Windows authentication only users in that role will be granted access to files in that directory.
Windows authentication is ideal for intranets and extranets in which a network administrator controls the user base permissions. Windows authentication enables access for valid users of a network, but not any others. This is not an ideal authentication scheme for public Web sites, since not every visitor to your Web site is a valid network user. For public Web sites, you should use either Passport or Forms authentication.
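As an added example (not from the book), the following web.config combines the settings of Listing 15.2 with a `<location>` element that restricts an assumed `admin` subdirectory to members of the local Administrators group. The subdirectory name and the role name are assumptions for illustration; IIS must still be configured to perform Basic, Digest, or Integrated authentication, as described above.

```xml
<configuration>
  <system.web>
    <!-- IIS authenticates; ASP.NET receives the Windows identity -->
    <authentication mode="Windows" />

    <!-- Refuse anonymous callers everywhere in the application -->
    <authorization>
      <deny users="?" />
    </authorization>

    <!-- Execute as the caller, so NTFS permissions are enforced on files -->
    <identity impersonate="true" />
  </system.web>

  <!-- Assumed subdirectory "admin": only the Administrators group may enter.
       Rules are evaluated top to bottom and the first match wins, so the
       allow must precede the catch-all deny. -->
  <location path="admin">
    <system.web>
      <authorization>
        <allow roles="BUILTIN\Administrators" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

The `<location>` rules are URL authorization and are checked in addition to, not instead of, the NTFS permissions on the files in that directory; if the allow and deny lines were swapped, `<deny users="*" />` would match first and lock everyone out, including administrators.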
Passport authentication uses the Microsoft Passport technology to authenticate users. Only users with valid Microsoft Passports will be granted access to restricted resources. The Microsoft Passport service maintains a centralized user database, including user profiles, that is available to member sites. End users are not required to have usernames and passwords for every site they visit. Instead, they can use their Microsoft Passport to gain access to any Web site that enables Passport authentication.
Passport authentication is ideal for public Web sites where you will restrict part or all of the Web site to authenticated users, but you do not want to maintain your own user data. Microsoft maintains the user data and exposes a limited amount of information to the Passport member Web sites. Each user can choose how much of his personal data you can access. There is an annual membership fee for using Passport services, and you must apply to be a Passport services member site.
To learn more about enabling Passport authentication in your Web application, visit the Microsoft Passport Web site at http://www.passport.com/business.
Forms authentication is the de facto standard for Web site authentication for a public user base. Forms authentication uses a small text file, called a cookie, stored in memory or persisted to disk on the client machine. The identity of the user is stored in the cookie upon authentication, and the cookie is sent to the Web server with each page request. If the identity carried in the cookie satisfies the security requirements for the requested resource, access is granted. Forms authentication uses HTML-based forms as the interface through which a user provides his credentials. The credentials are compared to the stored credentials in the Web application (either in the web.config file, an XML file, or a database), and if they are valid, an AuthenticationTicket is created. The AuthenticationTicket can be encoded either as a cookie on the client or as a query string value. The following section of this chapter describes forms authentication in detail.
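As an added example (not from the book), here is a web.config that enables Forms authentication with the credentials stored in web.config itself, the simplest of the three storage options named above. The user name, the login page name, and the password hash are constructed for illustration; the hash is the SHA1 digest of the sample password "password", so it must not be reused.

```xml
<configuration>
  <system.web>
    <authentication mode="Forms">
      <!-- name/path: the authentication cookie; loginUrl: where unauthenticated
           requests are redirected; protection="All": the ticket is both encrypted
           and signed so the client cannot read or forge it; timeout: minutes -->
      <forms name=".ASPXAUTH" loginUrl="login.aspx" protection="All" timeout="30" path="/">
        <!-- Store only hashes, never cleartext passwords, in web.config.
             Constructed sample user; value is SHA1("password"). -->
        <credentials passwordFormat="SHA1">
          <user name="alice" password="5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8" />
        </credentials>
      </forms>
    </authentication>

    <!-- Anonymous users are sent to loginUrl instead of the requested page -->
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>
</configuration>
```

With this configuration the login page's code-behind checks the submitted name and password with `FormsAuthentication.Authenticate(name, password)` and, on success, calls `FormsAuthentication.RedirectFromLoginPage(name, false)`, which issues the encrypted ticket cookie and returns the user to the page originally requested. The hash values can be produced with `FormsAuthentication.HashPasswordForStoringInConfigFile(password, "SHA1")`. Note that an unsalted SHA1 hash only keeps the cleartext out of the file; it does not slow down guessing if web.config is disclosed, so for anything beyond a handful of accounts a database with properly salted hashes is the better store.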