Authentication and Authorization - Windows Authentication and IIS (Page 3 of 4 ) IIS provides Windows Authentication and hence, this should be configured within IIS. There are four different kinds of Windows authentication available: Anonymous, Basic, Digest and Integrated Windows Authentication. - Anonymous Authentication: IIS doesn’t perform any authentication checks. IIS allows any user to access the ASP.NET application.
- Basic Authentication: For this kind of authentication, the Windows user name and password have to be provided to connect. However, this information is sent over the network in plain text, and, hence, this is an insecure method of authentication.
- Digest Authentication: It is the same as basic authentication except for the fact that the password is hashed before it is sent across the network. However, to be using Digest Authentication, we must use Internet Explorer 5.0 or above.
- Integrated Windows Authentication: In this kind of authentication technique, passwords are not sent across the network. The application here uses either the kerberos or challenge/response protocols to authenticate users. Kerberos, a network authentication protocol, is designed to provide strong authentication for client-server applications. It provides the tools of authentication and strong cryptography over the network to help secure information in systems across an entire enterprise.
- Passport Authentication: Passport authentication is a centralized authentication service. This uses Microsoft’s Passport service to authenticate the users of an application. If the authentication mode of an application is configured as “Passport”, and if the users have signed up with Passport, then the authentication formalities are pushed over to Passport servers.
Passport uses an encrypted cookie mechanism to identify and indicate authenticated users. If the users have already been signed into Passport when they visit the application page, ASP.NET will consider them as authenticated; otherwise, the users will be redirected to Passport servers to login. Upon successful login, they’ll be redirected back to the application page.
- Forms Authentication: With forms authentication, custom logic can be built into an ASP.NET application. The following happens when forms authentication is used in an ASP.NET application:
- When a user requests a page for the application, ASP.NET checks for the presence of a special session cookie.
- If the cookie is present, ASP.NET assumes the user is authenticated and processes the request.
- If the cookie isn’t present, ASP.NET redirects the user to a web form where the custom logic has been built into the code. The authentication checks can be incorporated into the web form, and when the user is authenticated ASP.NET needs to be informed of the same by setting a property. Once this is done, ASP.NET creates the special cookie to handle any subsequent requests.
Next: Configuring Authorization >>
More IIS Articles
More By Nandini Venugopalan |
