Authentication and Authorization - Authentication Providers
Authentication Providers
ASP.NET provides three types of authentication: Windows authentication, Forms authentication and Passport authentication. It is the job of the authentication provider to verify the user's credentials and decide whether a particular request should be considered authenticated.
- Windows Authentication Provider
The Windows authentication provider is the default provider for ASP.NET. It lets the application authenticate users based on their Windows accounts. IIS performs the authentication for this provider, and the authenticated identity is then passed on to the code.
- Passport Authentication Provider
This provider uses the Passport services provided by Microsoft.
- Forms Authentication Provider
The Forms authentication provider uses custom HTML forms to collect authentication information and lets us apply our own logic to authenticate users. The user's credentials are stored in a cookie for use during the session. If the application authenticates the request, the system issues a cookie that contains the credentials or a key for reacquiring the identity. Subsequent requests are issued with the cookie in the request headers; they are authenticated and authorized by an ASP.NET handler using whatever validation method we have specified in our code.
To select an authentication provider, set the mode attribute of the authentication element in the web.config file.
<authentication mode="Windows" /> <!-- For Windows authentication -->
<authentication mode="Passport" /> <!-- For Passport authentication -->
<authentication mode="Forms" /> <!-- For Forms authentication -->
ASP.NET also supports custom authentication providers. We can achieve this by setting the authentication mode for the application to "None" and then writing our own code to perform authentication.
<authentication mode="None" /> <!-- For custom authentication -->
ISAPI Filters
For example, we might install an ISAPI filter in IIS that compares each incoming request's IP address with a list of source IP addresses and considers the request to be authenticated only if the IP address is found in the source list. In this example, we can set the authentication mode to "None" in the web.config file. This will prevent any of the default authentication providers from being triggered.
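The same source-address check can also be written as the "own code" that mode "None" leaves room for. The following is an added example, not code from the original article: it uses a managed HTTP module rather than the native ISAPI filter described above, and the class name, identity type string and allowlisted addresses are hypothetical.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Security.Principal;
using System.Web;

// Hypothetical module; register it in web.config next to
// <authentication mode="None" /> so no built-in provider runs.
public class IpAllowListAuthModule : IHttpModule
{
    // Constructed sample allowlist (documentation address ranges).
    private static readonly HashSet<IPAddress> Allowed = new HashSet<IPAddress>
    {
        IPAddress.Parse("192.0.2.10"),
        IPAddress.Parse("2001:db8::10")
    };

    public void Init(HttpApplication app)
    {
        app.AuthenticateRequest += OnAuthenticateRequest;
    }

    private static void OnAuthenticateRequest(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;

        // UserHostAddress is the TCP peer. Behind a reverse proxy it is the
        // proxy's address, so every client would match or none would.
        // Client-supplied headers such as X-Forwarded-For are not a substitute.
        IPAddress remote;
        if (!IPAddress.TryParse(ctx.Request.UserHostAddress, out remote))
            return; // unparsable address: request stays unauthenticated

        // Dual-stack listeners can report IPv4 peers as ::ffff:a.b.c.d
        // (IsIPv4MappedToIPv6 and MapToIPv4 need .NET Framework 4.5+).
        if (remote.IsIPv4MappedToIPv6)
            remote = remote.MapToIPv4();

        if (Allowed.Contains(remote))
        {
            // Mark the request authenticated; no roles are granted here.
            ctx.User = new GenericPrincipal(
                new GenericIdentity(remote.ToString(), "IpAllowList"),
                new string[0]);
        }
        // Otherwise leave the request anonymous so the application's
        // authorization rules decide whether to reject it.
    }

    public void Dispose() { }
}
```

A source address identifies a network location, not a user, so the module grants no roles and leaves the access decision to authorization.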
We have just had a brief look at the authentication providers of ASP.NET. Let us now explore the authentication modes in detail.
More By Nandini Venugopalan