08-09-2017, 11:59 AM
There are two closely interrelated concepts at the core of the security of distributed applications: authentication and authorization. Authentication is the process of obtaining some kind of credentials from users and using those credentials to verify the identity of the user. Authorization is the process of allowing an authenticated user to access resources. Authentication always precedes authorization; even if your application allows anonymous users to connect and use the application, it still authenticates them as anonymous.
ASP.net provides a flexible set of alternatives for authentication. You can perform authentication in your own code or delegate it to other authorities (such as Microsoft Passport). In fact it sometimes seems ASP.net authentication is a little too flexible; it can be difficult for a new developer to know where to start. In this article, we review the settings in ASP.net and Internet Information Services (IIS) that control authentication and authorization in ASP.net applications.
An ASP.NET application has two distinct authentication layers. That's because ASP.net is not a standalone product; rather, it is a layer above IIS. All requests flow through IIS before they are submitted to ASP.net. As a result, IIS may deny access without the ASP.net process ever knowing that someone requested a particular page. The following is an overview of the steps in the joint IIS and ASP.net authentication process.
1. IIS first checks that the incoming request comes from an IP address that is allowed to access the domain. If not, the request is denied.
2. Next, IIS performs its own user authentication if it is configured to do so. By default, IIS allows anonymous access, so requests are automatically authenticated, but you can change this default in IIS.
3. If the request is passed to ASP.net with an authenticated user, ASP.net checks whether impersonation is enabled. If impersonation is enabled, ASP.net acts as if it were the authenticated user. If not, ASP.net acts with its own configured account.
4. Finally, the identity from step 3 is used to request resources from the operating system. If that identity can obtain all the necessary resources, the request is granted; otherwise it is denied. Resources can include much more than the ASP.net page itself. You can also use the .Net code access security features to extend this authorization step to disk files, registry keys, and other resources.
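The settings behind steps 2 through 4 live in the application's web.config. The following is an added example, not code from the original post: it turns off the permissive defaults (anonymous users allowed everywhere, no impersonation) and shows the hardened counterpart for each. The `Admin` folder and the `BUILTIN\Administrators` group are constructed placeholders; substitute the paths and Windows groups that apply to your site.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <!-- Step 2: rely on the identity IIS established (Windows/Integrated auth).
         mode="None" would accept whatever IIS passes through, which with the
         IIS default of anonymous access means every caller is IUSR_<machine>. -->
    <authentication mode="Windows" />

    <!-- Step 3: act as the authenticated caller rather than the worker-process
         account. With impersonate="false" (the default) every page runs under the
         ASP.NET process identity, so file/registry ACLs never see the real user. -->
    <identity impersonate="true" />

    <!-- Step 4 (ASP.NET URL authorization): deny anonymous users ("?") before the
         catch-all allow. Rules are evaluated top-down, so order matters: putting
         <allow users="*"/> first would let anonymous callers through. -->
    <authorization>
      <deny users="?" />
      <allow users="*" />
    </authorization>

    <!-- Keep stack traces and server internals away from remote callers. -->
    <customErrors mode="RemoteOnly" defaultRedirect="Error.aspx" />
  </system.web>

  <!-- Tighten one sub-tree further: only members of a Windows group (constructed
       placeholder group name) may reach anything under /Admin. A <location>
       element overrides the site-wide rules for that path only. -->
  <location path="Admin">
    <system.web>
      <authorization>
        <allow roles="BUILTIN\Administrators" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

Two points worth checking after deploying such a file: first, `<authorization>` only guards requests that IIS routes to the ASP.NET ISAPI filter, so static files (images, .txt, .xml) are still governed solely by the IIS and NTFS settings of step 1 and 2; second, with impersonation enabled the worker process still needs its own rights to load the application, so test both the impersonated user and the process account against the resources the pages touch.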