Saturday, July 25, 2009

An Overview of Authentication and Authorization Options in ASP.NET

Security 101: Authentication and Authorization
Authentication and Authorization are two interrelated security concepts. In short, authentication is a process of identifying a user, while authorization is the process of determining if an authenticated user has access to the resource(s) they requested. Typically, authentication is achieved by the user sharing
credentials that somehow verify the user's identity.

Whenever a user logs on to an application, the user is first authenticated and then authorized. With ASP.NET Web applications, the users requesting a page are, by default, anonymous. There are different techniques available for determining the identity of an anonymous user, which we'll examine in this article. Realize, however, that, by default, Web applications allow for anonymous access.

This article provides a high-level overview of the authentication and authorization models available in an ASP.NET Web application.

Understanding how ASP.NET and IIS Handle Authentication and Authorization
Both IIS - Microsoft's Web server software - and ASP.NET provide means for authentication and authorization. It is important to understand that ASP.NET is not a stand-alone product - rather, it is utilized from IIS. When a request comes in for an ASP.NET Web page, the request is sent to the Web server software (IIS), which performs authentication and authorization. Depending on the settings in IIS and the user accessing the site, these checks might pass or they might not. If the user is not authenticated, or does not have access, they're request will be stopped and an appropriate message will be returned. If, however, the request passes IIS's authentication and authorization, the request will be handed off to the ASP.NET engine, which can impose its own authentication and authorization schemes.

The following shows the sequence of authentication and authorization actions performed by IIS and ASP.NET on an incoming request.

  1. The incoming request is first checked by IIS. If the IP address from where the request is sought is not allowed access to the domain, IIS denies the request.
  2. IIS allows anonymous access by default and hence requests are automatically authenticated. However, this can be overridden for each application within IIS. Next in the sequence IIS performs this authentication, if it has been configured to do so.
  3. The authenticated user request is passed to ASP.NET.
  4. ASP.NET checks whether Impersonation is enabled or not. By default impersonation is not enabled in ASP .NET. Generally, some applications require impersonation for ASP compatibility and Windows server authentication. (By default, the ASP.NET engine operates under the ASPNET user account. Impersonation is a means by which you can have the ASP.NET engine operates under the authenticated user's user account. For more information refer to INFO: Implementing Impersonation in an ASP.NET Application.)
    • If impersonation is enabled, ASP.NET executes with the identity of the entity on behalf of which it is performing executing the task.
    • If impersonation is not enabled, the application runs with the privileges of the ASPNET user account.
  5. Finally, the identity that has been authenticated and checked for in the previous steps is used to request resources from the OS. ASP.NET uses two forms of authorization:
    • FileAuthorization - relies on NTFS file permissions for granting access.
    • UrlAuthorization - in the Web.config file you can specify the authorization rules for various directories or files using the element.
  6. If access is granted (successful authorization), ASP .NET returns the user's request through IIS.

The above sequence of steps is pictorially depicted in the diagram below:

Authentication and Authorization in ASP.NET and IIS.

Authentication Providers
ASP.NET provides three ways to authenticate a user:

  • Windows authentication,
  • Forms authentication, and
  • Passport authentication

It is the job of the authentication provider to verify the credentials of the user and decide whether a particular request should be considered authenticated or not. The authentication scheme an ASP.NET Web application uses can be configured in its Web.config file. For more information refer to ASP.NET Authentication.

Windows Authentication Provider
The Windows authentication provider is the default provider for ASP .NET. It authenticates users based on the users' Windows accounts. Windows authentication in ASP.NET actually relies on IIS to do the authentication. IIS can be configured so that only users on a Windows domain can log in. If a user attempts to access a page and is not authenticated, they'll be shown a dialog box asking them to enter their username and password. This information is then passed to the Web server and checked against the list of users in the domain. If the user has supplied valid credentials, access is granted. The identity of the user is then passed to the ASP.NET engine. More information about the Windows authentication provider can be found

There are four different kinds of Windows authentication options available that can be configured in IIS:

  • Anonymous Authentication: IIS doesn't perform any authentication check. IIS allows any user to access the ASP .NET application.
  • Basic Authentication: For this kind of authentication, a Windows user name and password have to be provided to connect. However, this information is sent over the network in plain text and hence this is an insecure kind of authentication. Basic Authentication is the only mode of authentication older, non-Internet Explorer browsers support.
  • Digest Authentication: It is same as Basic Authentication but for the fact that the password is hashed before it is sent across the network. However, to be using Digest Authentication, we must use IE 5.0 or above.
  • Integrated Windows Authentication: In this kind of authentication technique, passwords are not sent across the network. The application here uses either the kerberos or challenge/response protocols to authenticate users. Kerberos, a network authentication protocol, is designed to provide strong authentication for client-server applications. It provides the tools of authentication and strong cryptography over the network to help to secure information in systems across entire enterprise.

For more information on these four different types of IIS authentication consult IIS Authentication Methods Available for Windows 2000

Passport Authentication Provider
Passport authentication is a centralized authentication service. This uses Microsoft's
Passport Service to authenticate the users of an application. If the authentication mode of the application is configured as Passport and if the users have signed up with Microsoft's Passport Service, then the authentication formalities are pushed over to Passport servers.

Passport uses an encrypted cookie mechanism to identify and indicate authenticated users. If the users have already been signed into passport when they visit the application page, ASP.NET will consider them as authenticated. Otherwise, the users will be redirected to Passport servers to login. Upon successful login, the user is redirected back to the ASP.NET Web page that they initially tried to access. If you use Hotmail you already have a Passport account and are familiar with the sign-in process from an end-user's perspective.

Forms Authentication Provider
The forms authentication provider uses custom HTML forms to collect authentication information. As an ASP.NET developer using forms authentication, you must write your own logic/code to check the user's supplied credentials against a database or some other data store. When a user is successfully identified via forms authentication, the user's credentials are stored in a cookie for use during the session. For more information on implementing forms authentication be sure to read
Using Forms Authentication in ASP.NET and Getting Started With Forms Authentication.

The method of authentication to use is specified in the Web application's Web.config file:

See full detail: