Authentication and Authorization

ASP.NET works in conjunction with IIS to support authentication, using Basic, Digest, and Windows authentication. ASP.NET supports the Microsoft Passport authentication service, which provides single sign-on services and support for user profile services. ASP.NET also provides a robust service for applications that want to use forms-based authentication. Forms-based authentication uses cookies to authenticate users and allows the application to do its own credential verification.

It is important to realize that ASP.NET authentication services are subject to the authentication services provided by IIS. For example, in order to use Basic authentication in an IIS application, you must configure the use of Basic authentication for the application using the Internet Service Manager tool.

ASP.NET provides two types of authorization services:

  • Checks against ACLs or permissions on a resource to determine whether the authenticated user account can access the resource
  • URL authorization, which authorizes an identity for pieces of the Web space

To illustrate the difference, consider a scenario in which an application is configured to allow anonymous access using the IUSR_MYMACHINE account. When a request for an ASP.NET page (such as "/default.aspx") is authorized, a check is done against the ACLs on that file (for example, "c:\inetpub\wwwroot\default.aspx") to see whether the IUSR_MYMACHINE account has permission to read the file. If it does, then access is authorized. If the web content resides on an NTFS volume, and Windows Authentication is configured for the virtual directory, file authorization is performed automatically.

For URL authorization, the anonymous user is checked against the configuration data computed for the ASP.NET application. If access is allowed for the requested URL, the request is authorized. In this case, ASP.NET checks to see whether the anonymous user has access to /Default.aspx (that is, the check is done against the URL itself, not against the file that the URL ultimately resolves to).

This might seem a subtle distinction, but it enables applications to use authentication schemes like forms-based authentication or Passport authentication, in which the users do not correspond to a machine or domain account. It also enables authorization against virtual resources, for which there is no physical file underlying the resource. For example, an application could choose to map all requests for files ending in .stk to a handler that serves stock quotes based on variables present in the query string. In such a case, there is no physical .stk file against which to do ACL checks, so URL authorization is used to control access to the virtual resource.

File authorization is always performed against the authenticated account provided by IIS. If anonymous access is allowed, this is the configured anonymous account. Otherwise, it uses an NT account. This works in exactly the same way as ASP.

File ACLs are set for a given file or directory using the Security tab in the Explorer property page. URL authorization is configured as part of an ASP.NET Framework application and is described fully in Authorizing Users and Roles.

To activate an ASP.NET authentication service, you must configure the <authentication> element in the application's configuration file. This element can have any of the values listed in the following table.

Value      Description
None       No ASP.NET authentication services are active. Note that IIS authentication services can still be present.
Windows    ASP.NET authentication services attach a WindowsPrincipal (System.Security.Principal.WindowsPrincipal) to the current request to enable authorization against NT users or groups.
Forms      ASP.NET authentication services manage cookies and redirect unauthenticated users to a logon page. This is often used in conjunction with the IIS option to allow anonymous access to an application.
Passport   ASP.NET authentication services provide a convenient wrapper around the services provided by the Passport SDK, which must be installed on the machine.

For example, the following configuration file enables forms-based (cookie) authentication for an application:

<configuration>
  <system.web>
    <authentication mode="Forms"/>
  </system.web>
</configuration>
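The fragment above turns forms authentication on but, by itself, denies nobody: with no <authorization> rules, an anonymous request for any URL is still authorized, and the login redirect never happens. The following configuration is an added example (not from the original page or the ASP.NET QuickStart samples) that combines the two passages above: it pairs the Forms <authentication> element with URL authorization that refuses the anonymous identity ("?"), maps the .stk virtual resource discussed earlier to a handler so the page's point that only URL authorization can protect it becomes concrete, and scopes a stricter rule to one path. The cookie name, login page, handler type name, "quotes" path and "Subscribers" role are all assumptions chosen for this example.

```xml
<configuration>
  <system.web>

    <!-- Forms (cookie) authentication. IIS must allow anonymous access to the
         application so that ASP.NET, not IIS, handles the challenge.
         The cookie name and login page are example values, not from the page. -->
    <authentication mode="Forms">
      <forms name=".EXAMPLEAUTH"
             loginUrl="login.aspx"
             protection="All"
             timeout="30"
             path="/" />
    </authentication>

    <!-- URL authorization for the whole application. Rules are evaluated in
         order and the first match wins; "?" is the anonymous identity.
         Without this element mode="Forms" protects nothing. -->
    <authorization>
      <deny users="?" />
    </authorization>

    <!-- The .stk stock-quote handler described on the page. No .stk file exists
         on disk, so file ACLs can never apply; only the <authorization> rules
         above (and the <location> block below) guard it.
         The handler type is a placeholder, not a real ASP.NET class. -->
    <httpHandlers>
      <add verb="GET" path="*.stk" type="ExampleApp.StockQuoteHandler, ExampleApp" />
    </httpHandlers>

  </system.web>

  <!-- The logon page must remain reachable by anonymous users, otherwise the
       redirect loops back to itself. -->
  <location path="login.aspx">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>

  <!-- Tighter rule for one part of the Web space: the "quotes" directory
       (a virtual path, not a file) requires the example "Subscribers" role.
       The <allow> must precede <deny users="*"/> or nobody gets in. -->
  <location path="quotes">
    <system.web>
      <authorization>
        <allow roles="Subscribers" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

Because URL authorization checks the request path rather than the file it resolves to, the "quotes" rule above applies equally to /quotes/msft.stk (no file) and to any physical page placed in that directory; file ACLs, by contrast, would only ever be consulted for the physical page, and then against the IIS anonymous account, not the forms-authenticated user.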


Copyright 2001-2002 Microsoft Corporation. All rights reserved.