Scribd Logo
Upload

Welcome to Scribd!

  • 67 views

    Authentication

    Uploaded by

    Srikanth Pathaneni
    Authentication verifies a user's identity, while authorization determines their access privileges. ASP.NET supports Windows, forms, Passport, and no authentication. Windows relies on IIS and uses Windows accounts, while forms issues cookies after collecting credentials via HTML forms. Passport provides single sign-on across sites using Microsoft's centralized service. Specifying "none" allows custom authentication without a default provider.

    Copyright:

    Attribution Non-Commercial (BY-NC)
    Download as DOC, PDF, TXT or read online from Scribd

    Authentication

    Uploaded by

    Srikanth Pathaneni
    67 views2 pages
    Authentication verifies a user's identity, while authorization determines their access privileges. ASP.NET supports Windows, forms, Passport, and no authentication. Windows relies on IIS and uses Windows accounts, while forms issues cookies after collecting credentials via HTML forms. Passport provides single sign-on across sites using Microsoft's centralized service. Specifying "none" allows custom authentication without a default provider.

    Original Title

    ASP.net Authentication

    Copyright

    © Attribution Non-Commercial (BY-NC)

    Available Formats

    DOC, PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Authentication verifies a user's identity, while authorization determines their access privileges. ASP.NET supports Windows, forms, Passport, and no authentication. Windows relies on IIS and uses Windows accounts, while forms issues cookies after collecting credentials via HTML forms. Passport provides single sign-on across sites using Microsoft's centralized service. Specifying "none" allows custom authentication without a default provider.

    Copyright:

    Attribution Non-Commercial (BY-NC)
    Download as DOC, PDF, TXT or read online from Scribd
    Download as doc, pdf, or txt
    67 views2 pages

    Authentication

    Uploaded by

    Srikanth Pathaneni
    Authentication verifies a user's identity, while authorization determines their access privileges. ASP.NET supports Windows, forms, Passport, and no authentication. Windows relies on IIS and uses Windows accounts, while forms issues cookies after collecting credentials via HTML forms. Passport provides single sign-on across sites using Microsoft's centralized service. Specifying "none" allows custom authentication without a default provider.

    Copyright:

    Attribution Non-Commercial (BY-NC)
    Download as DOC, PDF, TXT or read online from Scribd
    Download as doc, pdf, or txt
    of 2

    Authentication

     Authentication is a process of determining the identity of the user while Authorization is the
    process of determining whether the user is eligible to access all pages or some pages only.
     ASP.Net supports following authentication providers
    1. Windows(default)
    2. Forms
    3. Passport
    4. None

     To enable use authentication element in machine.config or web.config file as follows-


    <system.web>
    <!-- mode=[Windows|Forms|Passport|None] -->
    <authentication mode="Windows" />
    </system.web>

     Each authentication provider supports OnAuthenticate event, during the authentication process
    and can be used for custom authorization scheme.

     Primary purpose of this event to attach a custom object that implements IPrincipal Interface to
    the context.

     ASP.NET auth. provider we use depends upon IIS authentication scheme. If IIS auth. schemes
    other than Anonymous, then Windows. Otherwise, Forms, Passport, or None.

     Windows- relies upon the IIS to perform required authentication of client. After IIS auth. it
    passes a security token to ASP.NET; ASP.NET construct & attaches object of the
    WindowsPrinciple class to application context based on token received by IIS.
    o Pros
     Uses windows account, so need not to write custom auth. code.
    o Cons
     May require the use & management of individual windows user account.
     IIS auth. has it own pros and cons.

     Forms (Cookie) - Application collect credentials using HTML form directly from client. Client
    submits credentials directly to application code for authentication. If application authenticates
    client, it issues cookie to client & it presents on subsequent requests.
    Application can store credentials in many ways, as configuration file or SQL DB.
    o Pros
     Makes it possible for custom auth. schemes using arbitrary criteria.
     Can be used for authentication or personalization.
     Does not require corresponding Windows accounts.
    o Cons
     Is subject to replay attacks for the lifetime of the cookie, unless using SSL/TLS.
     Is only applicable for resources mapped to Aspnet_isapi.dll.

    o To implement forms auth. must create own logon page & redirect URL for
    unauthenticated clients.
    <!-- Web.config file -->
    <system.web>
    <authentication mode="Forms">
    <forms forms="401kApp" loginUrl="/login.aspx" />
    </authentication>
    </system.web>
    o As using own authentication, typically configure IIS for Anonymous auth.

     Passport - Is a forms-based centralized auth. service provided by Microsoft, offers a single logon
    & core profile services for member sites. When member sites register, Passport service grants a
    site-specific key. Passport logon server uses this key to encrypt & decrypt query strings passed
    between member site & Passport logon server.
    o Pros
     Supports single sign-in across multiple domains.
     Compatible with all browsers.
    o Cons
     Places an external dependency for the authentication process.
    o To implement Passport, must register site with Passport service, accept license
    agreement, & install Passport SDK prior to use. Must configure Web.config file as
    <!-- Web.config file -->
    <system.web>
    <authentication mode="Passport" />
    </system.web>

     None (Custom Authentication)-


    o Specify "None" as authentication provider when users are not authenticated at all or if
    you plan to develop custom authentication code. For example may want to develop own
    authentication scheme using an ISAPI filter that authenticates users and manually
    creates an object of the GenericPrincipal Class.
    o Pros
     Offers total control of auth. process providing the greatest flexibility.
     Provides highest performance if not implement an authentication method.
    o Cons
     Custom-built auth. schemes are seldom as secure as those provided by OS.
     Requires extra work to custom-build an authentication scheme.

    o To implement configure Web.config file as


    <!-- Web.config file -->
    <system.web>
    <authentication mode="None" />
    </system.web>

    You might also like