Home › ASP.NET Wiki (Beta) › Security › Authentication and Authorization

Authentication and Authorization

Rate It (3) Thank you for your feedback!

Authentication means figuring out who you are and Authorization means figuring out what you can do. Both are fundamental parts of the ASP.NET Security Model.

An Overview of Authentication and Authorization - This is a good place to start.
Samples and Quickstarts at GotDotNet - These are the original Quickstarts for ASP.NET, and the authentication and authorization section is particularly well written.
Nice IIS6 Diagram on Auth/Auth in ASP.NET - There's a good flowchart on this page explaining how auth/auth works in IIS 6.
Code-Free Authentication and Authorization in ASP.NET 2.0 - Video on how to add full-featured authentication and authorization in ASP.NET 2.0, including a login page, with no lines of code in less than 10 minutes.

One thing to notice in ASP.NET authentication mechanism is that ASP.NET authenticates requests for resources such as .aspx, .asmx, .ashx, .axd, .ascx and others that are mapped to the ASP.NET ISAPI DLL (aspnet_isapi.dll). ASP.NET does not authenticate requests for images (GIF, JPEG, etc), CSS or JavaScript files. If you want these resources also to be secured by ASP.NET (Forms Authentication, Windows Authentication or Passport), add them to the list of ASP.NET ISAPI mappings. This can be done from the Internet Information Services Manager (IIS Manager) by following these steps:

Open IIS Manager (Start/Run, type inetmgr and Enter)
From the left-side tree view, select the web application you want to change the mappings for
Right-click on the web application and select Properties
Swirch to Home Directory Tab and click Configuration
On the Mappings tab, click Add and enter the extension (one of .js, .css, .jpeg) and ASP.NET ISAPI DLL path for Executable. You can copy/paste the complete path to the ISAPI DLL from any other mapping, .aspx, for example.
Repeat the above step for other file extensios too, if required
Click OK thrice

Once done, requests to non-ASP.NET resources will also be subjected to ASP.NET authentication. The downside of this approach however is that it negatively impacts the performance of the web application because ASP.NET has to authenticate additional resource requests.

Be sure to visit the subpages for more information on specific kinds of authorization like Forms, Windows, Passport, Basic, and custom. This is just the start!

Revision number 2, Monday, February 04, 2008 8:00:00 AM by siva_sm

Revision History
Article Updates
Comments

Comments

You must Login to comment.

Thu, Feb 14, 2008 2:04 AM by vik20000in	Dont you think Forms Authentication, Windows Authentication, passport Authentication etcc should be a sub section to this one?

In This Section

Revision #2 Mon, Feb 4, 2008 8:00 AM by mbanavige	Forms Authentication MSDN How To's How To: Create GenericPrincipal Objects with Forms Authentication - This How To shows you how to create and handle GenericPrincipal and FormsIdentity objects when using Forms authentication. How To: Protect Forms Authentication in ASP.NET
Revision #3 Mon, Feb 4, 2008 8:00 AM by mbanavige	Windows Authentication From MSDN: "The WindowsAuthenticationModule provider relies on Microsoft Internet Information Services (IIS) to provide authenticated users, using any of the mechanisms that IIS supports." For most of us, Windows Authentication means of authenticating
Revision #7 Fri, Jul 4, 2008 10:49 AM by bmains	Membership and Roles "ASP.NET Membership builds on the success of the Forms authentication model from ASP.NET 1.x. ASP.NET Forms authentication provides a convenient way to incorporate a login form into your ASP.NET application and validate users against a database or other
Revision #4 Mon, Feb 4, 2008 8:00 AM by pkellner	Role Providers Here are a few good tutorial articles that provide a good conceptual overview of how the new membership and role management system works.Check out ScottGu's post on ASP.NET 2.0 Membership, Roles, Forms Authentication, and Security Resources Blogs Scott