Different types of authentication in asp.net

In this asp.net tutorial we will discuss asp.net authentication types: Windows based authentication, Forms based authentication and Passport based authentication.

When a client makes a request to the web server, the web server attaches a user account to the request, and the web page is processed under that account. The web page uses this account when it accesses other resources on the network.

The default user account is IUSR_SYSTEMNAME, but the account can be changed to suit the requirement. Running the request under a different account is called impersonation.

Impersonation can be configured in web.config with the identity element, like below (element and attribute names are case-sensitive):

<identity impersonate="true" userName="user1" password="password" />

Authentication:
Authentication is the process of obtaining and verifying the credentials of the client. The credentials can be a user name, a password, a security token and so on.

Authorization:
Authorization is the process of checking the authenticated client's credentials to decide whether it may access the requested resources (web pages).

Asp.Net supports 3 types of Authentication:

  • Windows based authentication
  • Form based Authentication
  • Passport Based Authentication

Windows based authentication in asp.net

In this post, we will discuss Windows based authentication in asp.net.

When authentication is based on the network-level (Windows) login, it is called Windows based authentication.

Windows based authentication suits intranet implementations, that is, the private websites of an organization.


To implement Windows based authentication, change web.config as follows:

<authentication mode="Windows"/>
<authorization>
  <allow users="user1,user2,user3"/>
  <deny users="*"/>
</authorization>

Here everyone apart from user1, user2 and user3 will get an error. Authorization rules are evaluated top to bottom and the first matching rule wins, so the allow rule must come before the deny rule for "*" (all users).

Forms based authentication in asp.net

Now, we will see forms-based authentication in asp.net.

When the client is authenticated through a custom login page that verifies the credentials against a database server, it is called forms-based authentication.

A security token is then issued to the client as the identity of the authenticated client.

Change web.config as follows:

<authentication mode="Forms">
  <forms name="f1" loginUrl="login.aspx">
  </forms>
</authentication>
<authorization>
  <deny users="?"/>
</authorization>

Here the name attribute specifies the name of the cookie that carries the security token.

By default the cookie is named .ASPXAUTH.

In the code for the Login button we have to call RedirectFromLoginPage.

RedirectFromLoginPage does two things:

  • It sends the client to the page it originally requested.
  • It produces the security token in the form of a cookie.

Passport authentication in Asp.Net

Now, we will discuss passport authentication in Asp.Net.

When the client is authenticated through the Passport website managed by Microsoft, it is called passport authentication.

In this case the client is authenticated only once for a whole collection of websites, which is why it is called a single sign-on service. The user database is under Microsoft's control.

The website can be implemented with passport authentication by performing 2 things:

  • Set the authentication mode to Passport.
  • Install the Passport SDK provided by Microsoft.

Forms Authentication in Asp.Net

The below configuration elements show how you enable Forms authentication in Web.config.

<authentication mode="Forms">
  <forms loginUrl="login.aspx" name="MyCookie" timeout="60" path="/">
  </forms>
</authentication>

When you use Forms authentication, the following authorization options are available to you:

Client Requested Resources:

Requested resources require ACLs that allow read access to the anonymous Internet user account. (IIS should be configured to allow anonymous access when you use Forms authentication).

URL Authorization:

Configure URL Authorization in Web.config. With Forms authentication, the format of user names is determined by your custom data store, for example a SQL Server database or Active Directory.

If you are using a SQL Server data store:

<authorization>
  <deny users="?" />
  <allow users="Raju,Biju,Tamanna" roles="Manager,Sales" />
</authorization>

Explicit Role Checks:

You can perform role checking using the IPrincipal interface.

User.IsInRole("Director"); // User is the IPrincipal of the current request (Page.User / HttpContext.Current.User)
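An added example, not from the original post: the login.aspx button handler that calls FormsAuthentication.RedirectFromLoginPage as described above, plus the Global.asax hook that attaches roles to the Forms identity so that the <allow roles="Manager,Sales"/> rule and the IsInRole check actually have something to match. The UserStore class, its constructed sample row for "Raju", and the control names txtUser, txtPassword and lblError are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

// Assumed user store (not from the post): a real site reads user, salt, hash and roles from
// its own SQL Server table. One row ("Raju", password "S3cret!") is constructed in memory here.
public static class UserStore
{
    static readonly byte[] SampleSalt = new byte[16];                   // constructed; use a random salt per user
    static readonly byte[] SampleHash = Derive("S3cret!", SampleSalt);  // store only the salted hash, never the password
    static readonly Dictionary<string, string[]> Roles = new Dictionary<string, string[]>(
        StringComparer.OrdinalIgnoreCase) { { "Raju", new[] { "Manager", "Sales" } } };
    static byte[] Derive(string pwd, byte[] salt) { using (var k = new Rfc2898DeriveBytes(pwd, salt, 100000)) return k.GetBytes(32); }
    public static bool ValidateCredentials(string user, string password)
    {
        byte[] candidate = Derive(password, SampleSalt);                 // always derive, so timing does not reveal unknown users
        int diff = 0;                                                    // constant-time comparison
        for (int i = 0; i < candidate.Length; i++) diff |= candidate[i] ^ SampleHash[i];
        return Roles.ContainsKey(user) && diff == 0;
    }
    public static string[] GetRoles(string user) { string[] r; return Roles.TryGetValue(user, out r) ? r : new string[0]; }
}

// login.aspx code-behind: the Login button handler the post describes (control names assumed).
public partial class Login : System.Web.UI.Page
{
    protected void btnLogin_Click(object sender, EventArgs e)
    {
        if (UserStore.ValidateCredentials(txtUser.Text, txtPassword.Text))
            FormsAuthentication.RedirectFromLoginPage(txtUser.Text, false); // issues .ASPXAUTH and returns the client to the requested page; false = non-persistent cookie
        else
            lblError.Text = "Invalid user name or password.";            // same message whether the user or the password was wrong
    }
}

// Global.asax: the Forms ticket carries no roles, so attach them on every request; without this,
// <allow roles="Manager,Sales"/> and User.IsInRole("Director") match nobody.
public class Global : HttpApplication
{
    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        IPrincipal user = Context.User;
        if (user != null && user.Identity.IsAuthenticated && user.Identity is FormsIdentity)
            Context.User = new GenericPrincipal(user.Identity, UserStore.GetRoles(user.Identity.Name));
    }
}
```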

When to Use:

Forms authentication is ideally suited to Internet applications. Use Forms authentication when:

  • Your application's users do not have Windows accounts.
  • You want users to log on to your application by entering credentials using an HTML form.

Implement SQL Server authentication in asp.net

To implement SQL Server authentication in asp.net, you have to make changes in web.config as well as in SQL Server.

First go to the C:\Windows\Microsoft.NET\Framework64\v4.0.30319 folder and execute InstallPersistSqlState.sql against the SQL Server.

This script creates the ASPState database and the required stored procedures. If you are on .NET 2.0, use the corresponding framework folder instead.

If you do not want to create the default ASPState database, you can modify the InstallPersistSqlState.sql script and run that instead.

In the next step we have to modify web.config. The main changes are the session state mode and the connection string.

If you are using windows authentication mode in SQL Server then you have to change web.config as below:

<sessionState mode="SQLServer" sqlConnectionString="Data Source=BSAHOO3SQLEXPRESS;Integrated Security=SSPI;" cookieless="false" timeout="60" />

If you are using SQL Server authentication mode then you have to change the web.config as below:

<sessionState mode="SQLServer" sqlConnectionString="Data Source=BSAHOO3SQLEXPRESS; User ID=your user id;Password=your password;" cookieless="false" timeout="120" />

If you are not using the default ASPState database but a custom database, change web.config as below:

<sessionState mode="SQLServer" allowCustomSqlDatabase="true" sqlConnectionString="Data Source=BSAHOO3SQLEXPRESS;database=customdbname;User ID=youruserid;Password=yourpassword;" cookieless="false" timeout="120" />

This is how we will implement SQL Server authentication in asp.net.

Windows Authentication with Impersonation and without Impersonation

The below configuration elements show you how to enable Windows (IIS) authentication and impersonation in Web.config or Machine.config.

<authentication mode="Windows" />
<identity impersonate="true" />

When you use Windows authentication together with impersonation, the following authorization options are available to you:

Client Requested Resources:
The ASP.NET FileAuthorizationModule performs access checks for requested file types that are mapped to the ASP.NET ISAPI.

Resources Accessed by Your Application
You can configure Windows ACLs on resources accessed by your application.

URL Authorization:
Configure URL authorization in Web.config. With Windows authentication, user names take the form DomainName\UserName and roles map one-to-one with Windows groups.

<authorization>
  <deny users="DomainName\UserName" />
  <allow roles="DomainName\WindowsGroup" />
</authorization>

Explicit Role Checks
You can perform role checking using the IPrincipal interface.

User.IsInRole(@"DomainName\WindowsGroup"); // User is the IPrincipal of the current request

Enterprise Services (COM+) Roles
You can perform role checking programmatically using the ContextUtil class.

ContextUtil.IsCallerInRole("Director");

Use Windows authentication and impersonation when:

  • Your application's users have Windows accounts that can be authenticated by the server.
  • You need to flow the original caller's security context to the middle tier and/or data tier of your Web application to support fine-grained (per-user) authorization.

The disadvantages of impersonation include:

  • Reduced application scalability due to the inability to effectively pool database connections.
  • Delegation requires Kerberos authentication and a suitably configured environment.

Windows Authentication without Impersonation
The below configuration elements show how you enable Windows (IIS) authentication with no impersonation declaratively in Web.config.

When you use Windows authentication without impersonation, the following authorization options are available to you:

Client Requested Resources
The ASP.NET FileAuthorizationModule performs access checks for requested file types that are mapped to the ASP.NET ISAPI.

URL Authorization
Configure URL Authorization in Web.config. With Windows authentication, user names take the form DomainName\UserName and roles map one-to-one with Windows groups.

<authorization>
  <deny users="DomainName\UserName" />
  <allow roles="DomainName\WindowsGroup" />
</authorization>

Explicit Role Checks
You can perform role checking using the IPrincipal interface.

User.IsInRole(@"DomainName\WindowsGroup"); // User is the IPrincipal of the current request

Use Windows authentication without impersonation when:

  • Your application's users have Windows accounts that can be authenticated by the server.
  • You want to use a fixed identity to access downstream resources in order to support connection pooling.
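An added example, not from the post, covering both Windows sections above: a page that shows which identity each option hands to the data tier. User.Identity.Name is always the authenticated caller, while WindowsIdentity.GetCurrent() is the caller only when impersonate="true"; the page also goes one step beyond the post by impersonating the caller for a single query so the rest of the application keeps a fixed identity and pooled connections. The group name, connection string and label controls are placeholders.

```csharp
using System;
using System.Data.SqlClient;
using System.Security.Principal;
using System.Web.UI;

public partial class WhoAmI : Page
{
    // Placeholders (not from the post): substitute your own Windows group and SQL Server.
    const string RequiredGroup = @"DOMAIN\WebAppUsers";
    const string ConnString = "Data Source=YOUR_SERVER;Initial Catalog=YOUR_DB;Integrated Security=SSPI;";

    protected void Page_Load(object sender, EventArgs e)
    {
        // Under <authentication mode="Windows"/>, User is the WindowsPrincipal that IIS authenticated.
        var caller = (WindowsPrincipal)User;
        string authenticated = caller.Identity.Name;               // DomainName\UserName, the caller in both modes
        string threadIdentity = WindowsIdentity.GetCurrent().Name; // the caller only if impersonate="true", else the app pool account

        // The explicit role check from the post, with a concrete group name.
        if (!caller.IsInRole(RequiredGroup))
        {
            Response.StatusCode = 403;
            Response.End();
        }

        // Beyond the post: impersonate the caller for this one query only, so the data tier
        // sees the original caller while the rest of the app keeps a fixed, poolable identity.
        string dbSeesAs;
        using (((WindowsIdentity)caller.Identity).Impersonate())
        {
            dbSeesAs = QueryDatabaseIdentity();
        } // Dispose() reverts to the process identity even if the query throws
        lblAuthenticated.Text = authenticated;
        lblThread.Text = threadIdentity;
        lblDatabase.Text = dbSeesAs;
    }

    // Asks SQL Server which Windows login it sees; the caller needs a login on the server and,
    // if SQL Server runs on another machine, Kerberos delegation must be configured.
    static string QueryDatabaseIdentity()
    {
        using (var conn = new SqlConnection(ConnString))
        using (var cmd = new SqlCommand("SELECT SUSER_SNAME()", conn))
        {
            conn.Open();
            return (string)cmd.ExecuteScalar();
        }
    }
}
```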

Important points to remember in ASP.Net (Security Model)

  • ASP.NET applications can use the existing security features provided by Windows, and IIS.
  • .NET represents users who have been identified with Windows authentication using a combination of the WindowsPrincipal and WindowsIdentity classes.
  • To represent users who have been identified with non-Windows authentication schemes, such as Forms authentication, the GenericPrincipal class is used together with GenericIdentity or FormsIdentity.
  • You can create your own principal and identity implementations by creating classes that implement IPrincipal and IIdentity.
  • Within ASP.NET Web applications, the IPrincipal object that represents the authenticated user is associated with the current HTTP request through the HttpContext.User property.
  • Gates are access control points within your application through which authorized users can access resources or services.
  • Gatekeepers are responsible for controlling access to gates.
  • Use multiple gatekeepers to provide a defense-in-depth strategy.


In this tutorial, we learned about asp.net authentication types: Windows based authentication, Forms based authentication and Passport based authentication.


Bijay Kumar
