That's Not ASP!
Basic methods of authentication were available in classic ASP as well. For example, IIS could be used to authenticate users with basic, digest, or integrated Windows methods. Developers could even use the Passport SDK to build custom authentication methods, although it was often a time-consuming task. Many sites also used some type of Forms authentication, although each mechanism had to be built from scratch.
The real change is in ASP.NET's ease of implementation. Forms authentication is built into ASP.NET, and it requires very little work by the developer. The groundwork is already laid, and all you need to do is decide where user credentials should be validated against.
Authorization is also easier to implement. File authorization was used in classic ASP, but URL authorization is a big step forward in access control. And the web.config file provides an easy, powerful method for controlling URL authorization.
Impersonation should be a familiar concept if you're comfortable with classic ASP security. For compatibility, ASP.NET supports the same type of impersonation as classic ASP did. The only change is in the way it's enabled.
Implementing security in classic ASP often required an administrator to be present at the server to configure IIS and the operating system. With ASP.NET and its web.config file, this is no longer necessary. A developer can modify settings and apply them to remote applications without leaving her desk.
ASP.NET security was designed to make developer's lives easier while maintaining tight security measures. All the classic methods are still available, and new methods provide easy-to-use security.