How Authentication and Authorization Work in ASP.NET?


With data and information breaches increasingly common, it is important for individuals, and equally for businesses, not to fall prey to such tactics. Businesses today should be more concerned with the security of their websites and web applications in order to protect them from attackers. To that end, they can implement security measures such as input validation, data encryption, strong passwords and, last but not least, authentication and authorization, so that their websites and applications remain safe from intruders. Authentication and authorization are two important, interlinked concepts that are widely used in the development of distributed ASP.NET applications. Hence, ASP.NET application development with security integration calls for implementing both.

  • Authentication in ASP.NET:

Authentication is the process of obtaining credentials from the user and then using them to determine the user's identity. ASP.NET offers a variety of alternatives for implementing authentication. Using these, one can either perform authentication oneself or delegate it to others. An ASP.NET application is built on top of IIS (Internet Information Services), so every request made to an ASP.NET application has to flow through IIS first.

  • Authentication as a Joint Process between IIS and ASP.NET:

Let's look at how the joint IIS and ASP.NET authentication process happens.

First, when an incoming request reaches IIS, IIS checks the IP address from which it originated. If the address is valid, IIS allows access to the domain; otherwise it denies the request. For a request from a valid address, IIS then performs its own user authentication. By default, requests are automatically authenticated by IIS; however, this default can be changed on a per-application basis within IIS as needed. When the request is then passed to ASP.NET, ASP.NET checks whether impersonation is enabled. If it is, ASP.NET behaves as though it were the authenticated user; if not, it proceeds with the identity of the IIS local machine and the privileges of the ASP.NET user account. Finally, the identity from this step is used to request resources from the OS. Once authentication is complete, ASP.NET performs authorization to check whether the user is authorized to access the requested resources.

  • Authentication Providers and Types:

When a user tries to log on to the application, he or she is first authenticated, and the authorization process follows. It is the responsibility of the authentication provider to validate the user's identity based on the credentials entered. The authentication provider checks whether those credentials are valid and decides whether a particular request should be considered authenticated. During ASP.NET development, users can be authenticated for access to the application in any of three ways, each with its own authentication provider: the forms authentication provider, which uses HTML forms to gather credentials from the user; the Windows authentication provider, which uses the user's Windows account; and the passport authentication provider, which uses Microsoft's Passport service to authenticate users. Apart from these, ASP.NET also supports custom authentication providers.

To select an authentication provider, one needs to make an entry in the application's web.config file.

  • Authorization:

Authorization is the process of determining whether an authenticated user may access a resource. Only authenticated users undergo authorization for access to the application. The default authorization mode in ASP.NET is anonymous authorization, while the other forms are URL authorization and file and ACL-based authorization. Just like authentication, authorization can also be specified in the application's web.config file.
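The web.config entries described above, shown together as an added example that is not taken from the original article: it selects the forms authentication provider, sets impersonation explicitly, and applies URL authorization. The cookie name, login path, `Admin` folder and `SiteAdmins` role are assumed values chosen for illustration.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <!-- Authentication provider. Valid modes: Windows, Forms, Passport, None. -->
    <authentication mode="Forms">
      <!-- name and loginUrl are illustrative values, not from the article. -->
      <forms name=".EXAMPLEAUTH"
             loginUrl="~/Account/Login.aspx"
             protection="All"
             requireSSL="true"
             cookieless="UseCookies"
             timeout="30"
             slidingExpiration="true" />
      <!-- protection="All": the ticket is both encrypted and validated.
           requireSSL="true": the ticket cookie is only sent over HTTPS.
           cookieless="UseCookies": the ticket never appears in the URL. -->
    </authentication>

    <!-- Impersonation off: code runs under the ASP.NET process account,
         not under the identity of the authenticated caller. -->
    <identity impersonate="false" />

    <!-- URL authorization. Rules are evaluated top-down and the first
         match wins. "?" means anonymous users, "*" means all users. -->
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>

  <!-- Tighter rule for one folder (hypothetical path and role name).
       The allow must come before the deny, or nobody gets in. -->
  <location path="Admin">
    <system.web>
      <authorization>
        <allow roles="SiteAdmins" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

With forms authentication, the page named in `loginUrl` stays reachable by anonymous users even though the site-wide rule denies them, so the login form can still be displayed.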

In this way, authentication and authorization ensure the security of information in applications, and hence are used during the ASP.NET application development process, especially when distributed application development is the requirement.
