Friday, June 17, 2011

Authentication in DOT NET

What is Authentication? What are the different types of Authentication?

In a client-server environment, there are plenty of cases where the server has to interact and identify the client that sends a request to the server. Authentication is the process of determining and confirming the identity of the client.

If a client is not successfully identified, it is said to be anonymous.

Types of Authentication
Windows Authentication
Forms Authentication
Passport Authentication

Essentially the Windows Authentication and Forms Authentication are the famous ones, as Passport Authentication is related to a few websites (like,, etc. only).

Windows Authentication is implemented mostly in Intranet scenarios. When a browser (client) sends a Request to a server where in windows authentication has been implemented, the initial request is anonymous in nature. The server sends back a Response with a message in HTTP Header. This Prompts a Window to display a Modal Dialog Box on the browser, where the end user may enter the "User name" and "Password".

The end user enters the credentials, which are then validated against the User Store on the Windows server. Note that each user who access the Web Application in a Windows Authentication environment needs to have a Windows Account in the company network.

How to avoid or disable the modal dialog box in a Windows Authentication environment?
By enabling the Windows Integrated Authentication checkbox for the web application through settings in IIS.

Forms Authentication is used in Internet based scenarios, where its not practical to provide a Windows based account to each and every user to the Web Server. In a Forms Authentication environment, the user enters credentials, usually a User Name and a corresponding Password, which is validated against a User Information Store, ideally a database table.

Forms Authentication Ticket is the cookie stored on the user's computer, when a user is authenticated. This helps in automatically logging in a user when he/she re-visits the website. When a Forms Authentication ticket is created, when a user re-visits a website, the Forms Authentication Ticket information is sent to the Web Server along with the HTTP Request.

Describe the security authentication flow and process in ASP.NET?

When a user requests a web page, there exists a process of security too, so that every anonymous user is checked for authentication before gaining access to the webpage. The following points are followed in the sequence for authentication when a client attempts a page request:

* A .aspx web page residing on an IIS web server is requested by an end user
* IIS checks for the user's credentials
* Authentication is done by IIS. If authenticated, a token is passed to the ASP.NET worker process along with the request
* Based on the authentication token from IIS, and on the web.config settings for the requested resource, ASP.NET impersonates the end user to the request thread. For impersonation, the web.config impersonate attribute's value is checked.

Authentication in DOT NET

1. What is the difference between Windows and Forms authentication user lists in Web.config?

User lists for Windows authentication are included in the element of Web.config.

User lists for Forms authentications are included in the element of Web.config or as part of an external users database or file.

2. How do you require authentication using the Web.config file? (The answer is the same for all ASP.NET authentication modes.)

Include the following element to require authentication:

3. How do you run a Web application using the permission set of an authenticated user?

Use the identity element in Web.config to execute code using the authenticated user's account. For example:

What are the types of authentication in .net?
We have three types of authentication:
1. Form authentication
2. Windows authentication
3. Passport
This has to be declared in web.config file

No comments:

Post a Comment