Authentication is a process of identifying users on basis of their identity. Users provide their credential to prove their identity. Users apply many features to provide their credential. They use some login form type to provide their credentials. There is mainly three types of authentication process in windows operating system.
1) Windows Authentication
2) Forms Authentication
3) Passport Authentication.
Windows authentication is called NTLM and also known as Windows NT Challenge/Response authentication. Integrated windows authentication uses security feature provided by windows clients and server. Windows authentication is the process of a user proving that they have the right to access the system. Windows authentication can be done using Kerberos, SPNEGO, and NTLM. SPNEGO stands for “Security Negotiation”. Kerberos authentication is named for the three-headed dog that guarded the entrance to the Greek underworld. SPNEGO can also stand for Simple and Protected Generic Security Services Application Program Interface Negotiation Mechanism. NTLM stands for NT LAN Manager. Windows authentication basically uses by only windows operating systems. It does not support by Linux, Solaris etc operating systems.
There are three types of windows authentication.
1) Basic Authentication: If used as authentication type then the user credentials will be passed across the n/w in clear text format.
2) Digest Authentication: It is a special authentication type used to authenticate the domain server users.
3) NTLM authentication: It is default authentication type used by the windows authentication where NTLM stands for Integrated Windows Authentication.
We can use form authentication to accept user credentials. Normally for using forms authentication we make a form which is like login form where users provide their credentials and on basis of credentials he gets access rights. Basically forms authentication is supported by all operating systems and browsers. Developers have a responsibility to provide better security and encryption mechanism.
.NET Passport allows users to create a single sign-in name and password to access any site that has implemented the Passport single sign-in (SSI) service. By implementing the Passport SSI, you won't have to implement your own user-authentication mechanism. Users authenticate with the SSI, which passes their identities to your site securely. Although Passport authenticates users, it doesn't grant or deny access to individual sites i.e. .NET Passport does only authentication not authorization. Passport simply tells a participating site who the user is. Each site must implement its own access-control mechanisms based on the user's Passport User ID (PUID).
Passport is a forms-based authentication service. A sample conversation using Passport authentication might look similar to the following:
1) A client issues an HTTP GET request for a protected resource, such as http://www.contoso.com/default.aspx.
2) The request does not contain a valid Passport ticket (form), so the server returns 302 and redirects the client to the Passport Login Service, passing encrypted parameters about the original request on the query string.
3) The client follows the redirect and issues an HTTP GET request to the login server with the supplied query string.
4) The Passport logon server presents the client with a login form.
5) The client fills out the form and does a POST back to the logon server, using Secure Sockets Layer (SSL).
6) The logon server authenticates the user and redirects back to the original URI (http://www.contoso.com/default.aspx) with the authentication ticket encrypted in the query string.
7) The client follows the redirect and requests the original protected resource again with the ticket encrypted on the query string.
8) Back on the originating server, the PassportAuthenticationModule detects the absence of the form and the presence of the ticket on the query string and issues the authentication form. The request is then authenticated.
Subsequent requests for protected resources at the site are authenticated at the originating server using the supplied ticket. Passport also makes provisions for ticket expiration and reusing tickets on other member sites.
Authorization is process of granting or denying permissions on basis of authentication. We will use certain keywords and symbols to provide their authority.
We can also define Authorization as a function of the policy definition phase which precedes the policy enforcement phase where access requests are approved or disapproved based on the previously defined authorizations.