Authentication and Authorization in ASP.NET
Authentication is the process of identifying users on the basis of their identity: users provide credentials to prove who they are, and applications offer various ways to supply those credentials, most commonly some kind of login form. There are mainly three types of authentication process on the Windows operating system.
Windows authentication is called NTLM and is also known as Windows NT Challenge/Response authentication. Integrated Windows authentication uses the security features provided by Windows clients and servers. Windows authentication is the process of a user proving that they have the right to access the system. It can be done using Kerberos, SPNEGO, or NTLM. SPNEGO stands for "Security Negotiation"; it can also stand for Simple and Protected Generic Security Services Application Program Interface Negotiation Mechanism. Kerberos authentication is named for the three-headed dog that guarded the entrance to the Greek underworld. NTLM stands for NT LAN Manager. Windows authentication is basically used only by Windows operating systems; it is not supported by Linux, Solaris and other operating systems.
There are three types of Windows authentication.
Basic Authentication: if used as the authentication type, the user credentials are passed across the network in clear text.
Digest Authentication: a special authentication type used to authenticate domain server users.
NTLM authentication: the default authentication type used by Windows authentication, where NTLM stands for Integrated Windows Authentication.
We can use forms authentication to accept user credentials. Normally, for forms authentication we build a login form in which users provide their credentials, and on the basis of those credentials they are granted access rights. Forms authentication is supported by all operating systems and browsers. Developers have a responsibility to provide better security and
.NET Passport allows users to create a single sign-in name and password to access any site that has implemented the Passport single sign-in (SSI) service. By implementing the Passport SSI, you won't have to implement your own user-authentication mechanism. Users authenticate with the SSI, which passes their identities to your site securely. Although Passport authenticates users, it doesn't grant or deny access to individual sites; that is, .NET Passport does only authentication, not authorization. Passport simply tells a participating site who the user is. Each site must implement its own access-control mechanisms based on the user's Passport User ID (PUID).
Passport is a forms-based authentication service. A sample
conversation using Passport authentication might look similar to the following:
1) A client issues an HTTP GET request for a protected resource, such as http://www.contoso.com/default.aspx.
2) The request does not contain a valid Passport ticket (form), so the server returns 302 and redirects the client to the Passport Logon Service, passing encrypted parameters about the original request on the query string.
3) The client follows the redirect and issues an HTTP GET request to the logon server with the supplied query string.
4) The Passport logon server presents the client with a logon form.
5) The client fills out the form and does a POST back to the logon server, using Secure Sockets Layer (SSL).
6) The logon server authenticates the user and redirects back to the original URI (http://www.contoso.com/default.aspx) with the authentication ticket encrypted in the query string.
7) The client follows the redirect and requests the original protected resource again with the ticket encrypted on the
8) Back on the originating server, the PassportAuthenticationModule detects the absence of the form and the presence of the ticket on the query string and issues the authentication form. The request is then authenticated.
Subsequent requests for protected resources at the site are
authenticated at the originating server using the supplied ticket. Passport
also makes provisions for ticket expiration and reusing tickets on other member
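The following is an added example, not code from the original article and not Microsoft's Passport or ASP.NET implementation. It is a small Python simulation of the eight-step conversation above, and it also covers the forms-authentication login described earlier: a site that holds no ticket redirects to a logon service, the logon service checks the POSTed credentials and redirects back with a ticket on the query string, and the site exchanges that ticket for a cookie that authenticates later requests. All names, URLs, keys and the user store are constructed for the example; the ticket is HMAC-signed with an expiry rather than encrypted, which is a simplification of the encrypted ticket the article describes.

```python
import base64
import hashlib
import hmac
import json
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed values for this example (hypothetical endpoints and key, not real ones).
SITE_URL = "http://www.contoso.com"                  # the originating site named in the article
LOGON_URL = "https://logon.example.test/login"        # hypothetical logon service (HTTPS, as in step 5)
SHARED_KEY = b"constructed-demo-key"                  # key shared by the site and the logon service
TICKET_TTL = 300                                      # seconds before a ticket expires
_SALT = b"constructed-salt"
# Constructed user store for the logon service: user name -> salted SHA-256 of the password.
USERS = {"alice": hashlib.sha256(_SALT + b"correct horse").hexdigest()}


def _sign(data: str) -> str:
    return hmac.new(SHARED_KEY, data.encode(), hashlib.sha256).hexdigest()


def issue_ticket(user: str, now: float) -> str:
    """Logon service: build a ticket 'base64(claims).hmac' that expires after TICKET_TTL."""
    claims = base64.urlsafe_b64encode(
        json.dumps({"u": user, "exp": int(now) + TICKET_TTL}).encode()).decode()
    return claims + "." + _sign(claims)


def validate_ticket(ticket: str, now: float):
    """Site: return the user name if the ticket is untampered and unexpired, else None."""
    try:
        claims, sig = ticket.rsplit(".", 1)
        if not hmac.compare_digest(sig, _sign(claims)):
            return None
        parsed = json.loads(base64.urlsafe_b64decode(claims))
    except (ValueError, TypeError):
        return None
    return parsed["u"] if parsed["exp"] >= now else None


def logon_service(request: dict, now: float) -> dict:
    """Steps 4-6: show the form on GET; on POST check credentials and redirect back with a ticket."""
    return_url = request["query"]["ru"]
    if request["method"] == "GET":
        return {"status": 200, "body": "logon form"}
    form = request["form"]
    digest = hashlib.sha256(_SALT + form["password"].encode()).hexdigest()
    if not hmac.compare_digest(digest, USERS.get(form["username"], "")):
        return {"status": 401, "body": "bad credentials"}
    ticket = issue_ticket(form["username"], now)
    return {"status": 302, "location": return_url + "?" + urlencode({"t": ticket})}


def site(request: dict, now: float) -> dict:
    """Steps 1-2 and 8: redirect clients without a ticket; accept a ticket from the query string
    and turn it into a cookie; serve the resource to clients that already hold a valid cookie."""
    user = validate_ticket(request.get("cookie", ""), now)
    if user is None and "t" in request["query"]:
        user = validate_ticket(request["query"]["t"], now)
        if user is not None:
            return {"status": 200, "body": "hello " + user, "set_cookie": request["query"]["t"]}
    if user is None:
        params = urlencode({"ru": SITE_URL + request["path"]})
        return {"status": 302, "location": LOGON_URL + "?" + params}
    return {"status": 200, "body": "hello " + user}


def _follow(location: str):
    """Client helper: split a redirect target into its path and a single-valued query dict."""
    url = urlparse(location)
    return url.path, {k: v[0] for k, v in parse_qs(url.query).items()}


def run_conversation(username: str, password: str, now: float = None) -> list:
    """Client: walk the eight steps and return the response bodies it sees."""
    now = time.time() if now is None else now
    seen = []
    resp = site({"method": "GET", "path": "/default.aspx", "query": {}}, now)        # step 1
    _, query = _follow(resp["location"])                                                # step 2
    resp = logon_service({"method": "GET", "query": query}, now)                        # steps 3-4
    seen.append(resp["body"])
    resp = logon_service({"method": "POST", "query": query,                            # step 5
                          "form": {"username": username, "password": password}}, now)
    if resp["status"] != 302:
        seen.append(resp["body"])
        return seen
    path, query = _follow(resp["location"])                                             # step 6
    resp = site({"method": "GET", "path": path, "query": query}, now)                   # steps 7-8
    seen.append(resp["body"])
    cookie = resp.get("set_cookie", "")
    resp = site({"method": "GET", "path": "/default.aspx", "query": {}, "cookie": cookie}, now)
    seen.append(resp["body"])                                                           # later request
    return seen


if __name__ == "__main__":
    print(run_conversation("alice", "correct horse"))   # ['logon form', 'hello alice', 'hello alice']
    print(run_conversation("alice", "wrong"))           # ['logon form', 'bad credentials']
```

The two checks in validate_ticket are the ones that matter on the originating server: the HMAC comparison rejects a ticket whose claims were altered in transit, and the expiry check is the "provision for ticket expiration" the article mentions. Without them, anything presented on the query string would be accepted as an identity.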
Authorization is the process of granting or denying permissions on the basis of authentication. We use certain keywords and symbols to assign users their authority.
We can also define authorization as a function of the policy definition phase, which precedes the policy enforcement phase, in which access requests are approved or disapproved based on the previously defined authorizations.
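As an added example (not from the original article, and not ASP.NET's own code), the Python below models the policy definition and enforcement phases just described in the way ASP.NET URL authorization rules behave: rules are defined once, in order, using the wildcards "*" (everyone) and "?" (anonymous users) together with user names, roles and optional HTTP verbs; at enforcement time the first matching rule decides, and a request that matches no rule is allowed, which mirrors the allow-all rule ASP.NET's root configuration supplies. The rule sets and principals are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Principal:
    name: Optional[str]            # None means an anonymous (unauthenticated) user
    roles: Tuple[str, ...] = ()


@dataclass(frozen=True)
class Rule:
    action: str                    # "allow" or "deny"
    users: Tuple[str, ...] = ()    # user names, or the wildcards "*" (everyone) and "?" (anonymous)
    roles: Tuple[str, ...] = ()
    verbs: Tuple[str, ...] = ()    # empty means the rule applies to every HTTP verb


def rule_matches(rule: Rule, who: Principal, verb: str) -> bool:
    """Policy enforcement, one rule: does this rule apply to this principal and verb?"""
    if rule.verbs and verb.upper() not in {v.upper() for v in rule.verbs}:
        return False
    for u in rule.users:
        if u == "*":
            return True
        if u == "?" and who.name is None:
            return True
        if who.name is not None and u.lower() == who.name.lower():
            return True
    mine = {r.lower() for r in who.roles}
    return any(r.lower() in mine for r in rule.roles)


def is_authorized(rules, who: Principal, verb: str = "GET") -> bool:
    """Policy enforcement: the first matching rule decides; no match falls through to allow,
    as with the <allow users="*"/> that ASP.NET's root configuration supplies."""
    for rule in rules:
        if rule_matches(rule, who, verb):
            return rule.action == "allow"
    return True


# Policy definition: constructed rule sets, each written the way the equivalent
# <authorization> section in web.config would read.
#   <allow roles="Administrators"/> <deny users="*"/>
ADMIN_ONLY = (Rule("allow", roles=("Administrators",)), Rule("deny", users=("*",)))
#   <deny users="?"/> <allow users="*"/>
MEMBERS_ONLY = (Rule("deny", users=("?",)), Rule("allow", users=("*",)))
#   <deny users="?" verbs="POST"/> <allow users="*"/>
READ_ONLY_FOR_GUESTS = (Rule("deny", users=("?",), verbs=("POST",)), Rule("allow", users=("*",)))


if __name__ == "__main__":
    admin = Principal("alice", ("Administrators",))
    guest = Principal(None)
    print(is_authorized(ADMIN_ONLY, admin))                   # True
    print(is_authorized(ADMIN_ONLY, guest))                   # False
    # Order matters: with the deny-all rule first, even administrators are locked out.
    print(is_authorized(tuple(reversed(ADMIN_ONLY)), admin))  # False
    print(is_authorized(READ_ONLY_FOR_GUESTS, guest, "POST"))  # False
```

The reversed ADMIN_ONLY case is the check worth keeping in mind when writing such rules: because enforcement stops at the first match, a deny placed before the allow it was meant to follow silently changes the policy, and the fall-through-to-allow default means a section that forgets its final deny is open to everyone.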