authentication

 

Windows Authentication in ASP.NET

Click here to download 

Introduction

Security is an important consideration in your web applications. Securing a web application consists of two steps :

•     Authenticating the user accessing the page
  
•     Authorizing the user to access the page
  

Authentication is a process of determining whether a user is the one who he claims to be. Typically this will be determined with the help of user id and password.

Authorization is a process in which you decide whether an authenticated user is allowed to access certain page or resource. For example, operators may not be allowed to view certain confidential financial information that managers can view.

ASP.NET offers various ways to authenticate and authorize users of your web site. They are :

• Windows authentication
  
• Forms authentication (cookie authentication)
  
• Passport authentication
  

In this code sample (which is Part - I of the three part series) we will see how to implement windows authentication.

Windows Authentication

    Windows authentication scheme uses traditional mechanisms of Basic, NTLM/Kerberose and Digest authentication. Here IIS uses the credentials of logged in user are used to authenticate web requests. In case integrated windows authentication is turned off a typical gray colored dialog pops up asking for user id and password.

Steps involved in implementing windows authentication and authorization

Create a ASP.NET web application

Modify web.config to set authentication mode to windows

Modify web.config to deny access to anonymous users

Authorize users based on their NT user groups (roles)

The sample application available for download shows you how to implement this scheme in ASP.NET web applications.

Forms authentication in ASP.NET

Introduction

    Many times we use some kind of custom authentication mechanism for our web sites. The most common way to authenticate visitors of your site is by accepting user id and password from then which are then validated against a database table. ASP.NET provides a very easy way to implement such mechanism via forms authentication. Forms based authentication is also referred to as cookie authentication because a cookie is used with each request that tells whether a user is authenticated or not. In case of windows authentication we automatically get windows role of the logged in user. You can also implement custom role based security in the Form based authentication. 

Steps involved in implementing forms authentication

Configure your web application to deny anonymous access

Modify web.config file to specify authentication mode as Forms

Create a aspx page that accepts user id and password and sets authentication cookie

Modify web.config to specify a page that will be acting as login page

Implement role based security (optional)

Sample application

    The sample application provided for download shows you how to implement forms authentication. It also shows you how to implement role based security for forms authentication.

Passport Authentication

    Passport is a core component of the Microsoft.NET building block services. It enables businesses to develop and offer distributed Web services across a wide range of applications and Passport members to use one sign-in name and password at all participating Web sites

Initial Request

    When a client requests a resource on a server that requires Passport authentication, the server checks the request for the presence of tickets. If a valid ticket is sent with the request, the server responds with the requested resource. If the ticket does not exist on the client, the server responds with a 302 status code. The response includes the challenge header, "WWW-Authenticate: Passport1.4". Clients that are not Passport-enabled can follow the redirection to the Passport login server. More advanced clients typically contact the Passport nexus to determine the location of the Passport login server.

The following image illustrates the initial request to a Passport affiliate.

Passport Login Server

    A Passport login server handles all requests for tickets for any resource in a Passport Domain Authority. Before a request can be authenticated using Passport, the client application must contact the login server to obtain the appropriate tickets.

When a client requests tickets from a Passport login server, the login server typically responds with a 401 status code to indicate that user credentials must be provided. Upon the provision of these credentials, the login server responds with the tickets required to access the server containing the originally requested resource. The login server can also redirect the client to another server that can provide the requested resource.

Authenticated Request

    When the client has the tickets corresponding to a given server, those tickets are included with all requests to that server. If the tickets have not been modified since they were retrieved from the Passport login server, and the tickets are valid for the resource server, the resource server sends a response that includes both the requested resource and cookies indicating that the user is authenticated for future requests.

The additional cookies in the response are intended to speed the authentication process. Additional requests—in the same session—for resources on servers in the same Passport Domain Authority, all include these additional cookies. Credentials do not need to be sent to the login server again until the cookies expire.