Authentication and Authorization (Page 1 of 4)
Authentication and authorization are two interrelated concepts that form the core of security for .NET applications. The authentication and authorization processes in ASP.NET are flexible, simple, and can be implemented in code. ASP.NET is not a standalone product; it is tied to IIS and is, in fact, a layer on top of IIS. So any request that reaches the ASP.NET process has already been authenticated and authorized by IIS. As a consequence, the ASP.NET process is completely unaware of any user that IIS has denied access to a page. Several security authorities interact when a user requests an ASP.NET page, and you need to know how these processes work in order to fully understand the ASP.NET security model.
Authentication | Authorization
--- | ---
Authentication is the process in which the user's credentials are used to verify the user's identity; in short, it determines the identity of the requesting entity. | Authorization is the process in which an authenticated user is granted (authorized) access to resources.

In short, whenever a user logs on to an application, the authentication process is carried out first, followed by authorization of the user. Some applications place no restriction or validation on the logged-in user; even such applications authenticate the user, as anonymous.
ASP.NET and IIS
Below is the sequence of events involved in the authentication process (carried out jointly by IIS and ASP.NET):
- The incoming request is first checked by IIS. If the IP address from which the request originates is not allowed access to the domain, IIS denies the request.
- By default, IIS allows anonymous access, so requests are automatically authenticated as anonymous. This can be overridden for each application within IIS. Next in the sequence, IIS performs this authentication, if it has been configured to do so.
- As the next step, the authenticated user request is passed to ASP.NET.
- ASP.NET now checks whether impersonation is enabled. By default, impersonation is not enabled in ASP.NET. Some applications require impersonation for classic ASP compatibility and for Windows server authentication.
- If impersonation is enabled, ASP.NET executes with the identity of the caller on whose behalf it is handling the request.
- If impersonation is disabled, the application runs with the privileges of the ASP.NET process identity.
- Finally, the identity that has been authenticated and checked in the previous steps is used to request resources from the OS. ASP.NET relies on NTFS file permissions for granting access.
- If access is granted (successful authorization), ASP.NET returns the response to the user through IIS.
The above sequence of steps is pictorially depicted in Illustration 1.

Illustration 1
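As an added example that is not part of the article, the web.config fragment below shows where each ASP.NET-side step in the sequence above is controlled. The `<authentication>`, `<identity>`, `<authorization>` and `<location>` elements are standard ASP.NET (.NET Framework) configuration; the folder names `Public` and `Admin` and the group `CONTOSO\WebAdmins` are constructed placeholders.

```xml
<?xml version="1.0"?>
<configuration>
  <system.web>
    <!-- Step 3: ASP.NET consumes the Windows identity that IIS established for the request. -->
    <authentication mode="Windows" />

    <!-- Steps 4-6: impersonation is off by default, so the application runs as the
         ASP.NET process identity. Setting impersonate="true" makes each request run as
         the authenticated caller, so the caller's own NTFS permissions are checked in step 7. -->
    <identity impersonate="true" />

    <!-- Site-wide authorization rule. "?" is the anonymous user and "*" is everyone.
         Rules are evaluated top to bottom and the first match wins, so deny "?" before allow "*". -->
    <authorization>
      <deny users="?" />
      <allow users="*" />
    </authorization>
  </system.web>

  <!-- Per-folder override (constructed path): /Public stays reachable without credentials. -->
  <location path="Public">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>

  <!-- Per-folder override (constructed path and group): only members of the Windows group
       CONTOSO\WebAdmins may reach /Admin; every other authenticated or anonymous user is denied. -->
  <location path="Admin">
    <system.web>
      <authorization>
        <allow roles="CONTOSO\WebAdmins" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

Two points follow from the sequence in the article. First, `<deny users="?" />` only has an effect if IIS has been configured to offer a non-anonymous authentication method; with IIS left at its anonymous default, every request arrives at ASP.NET already authenticated as anonymous and step 2 never produces a Windows identity to authorize. Second, with `impersonate="true"` the NTFS ACLs on the application's files must grant the individual callers (or their groups) read access, whereas with impersonation off it is the ASP.NET process account that needs that access; a mismatch between the two shows up as access-denied errors in step 7 rather than as an authentication failure.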
More By Nandini Venugopalan