Summary

Summary

• Authentication is the process of identifying users. Authorization is the process of granting access to those users.

• The default method of access to a Web application is anonymous access. Anonymous users are granted access through the Windows IUSER_machinename user account, and the Web application s code runs using the ASPNET user account.

• Use the <identity> element in the Web.config file to run code using the permissions of a specific user.

• ASP.NET provides three authentication modes through the System.Web.Security namespace: Windows, Forms, and Passport.

• HTML pages aren t automatically included under ASP.NET authentication. To ensure that users are authenticated before they can view those types of files, use IIS to map the .htm and .html file extensions to the ASP.NET executable.

• To require authentication, add a <deny users= ? > element in the authorization section of Web.config. This applies to all three authentication types.

• Use the <authorization> element to allow or deny access to users under Windows authentication.

• To restrict access to a subfolder, add a Web.config file containing an <authorization> element specifying the users allowed to access the folder.

• Use the <credentials> element or an external user database to allow users under Forms authentication.

• Changing the Web.config file restarts the Web application, so it s not a good idea to add users to the Web.config <credentials> element at run time. Instead, use an external file or database to store user names and passwords.

• Install the Passport SDK to enable the Passport classes in the System.Web.Security namespace.

• To enable secure, encrypted communication over the Internet, install a server certificate and use HTTPS.