Wednesday, June 27, 2007

Authentication and Authorization

ASP.NET works in conjunction with IIS to support authentication, using Basic, Digest, and Windows authentication. ASP.NET supports the Microsoft Passport authentication service, which provides single sign-on services and support for user profile services. ASP.NET also provides a robust service for applications that want to use forms-based authentication. Forms-based authentication uses cookies to authenticate users and allows the application to do its own credential verification.

It is important to realize that ASP.NET authentication services are subject to the authentication services provided by IIS. For example, in order to use Basic authentication in an IIS application, you must configure the use of Basic authentication for the application using the Internet Service Manager tool.

ASP.NET provides two types of authorization services:

  • Checks against ACLs or permissions on a resource to determine whether the authenticated user account can access the resources
  • URL authorization, which authorizes an identity for pieces of the Web space

To illustrate the difference, consider a scenario in which an application is configured to allow anonymous access using the IUSR_MYMACHINE account. When a request for an ASP.NET page (such as "/default.aspx") is authorized, a check is done against the ACLs on that file (for example, "c:\inetpub\wwwroot\default.aspx") to see whether the IUSR_MYMACHINE account has permission to read the file. If it does, then access is authorized. File authorization is performed automatically.

For URL authorization, the anonymous user is checked against the configuration data computed for the ASP.NET application. If access is allowed for the requested URL, the request is authorized. In this case, ASP.NET checks to see whether the anonymous user has access to /Default.aspx (that is, the check is done against the URL itself, not against the file that the URL ultimately resolves to).

This might seem a subtle distinction, but it enables applications to use authentication schemes like forms-based authentication or Passport authentication, in which the users do not correspond to a machine or domain account. It also enables authorization against virtual resources, for which there is no physical file underlying the resource. For example, an application could choose to map all requests for files ending in .stk to a handler that serves stock quotes based on variables present in the query string. In such a case, there is no physical .stk file against which to do ACL checks, so URL authorization is used to control access to the virtual resource.

File authorization is always performed against the authenticated account provided by IIS. If anonymous access is allowed, this is the configured anonymous account. Otherwise, it uses an NT account. This works in exactly the same way as ASP.

File ACLs are set for a given file or directory using the Security tab in the Explorer property page. URL authorization is configured as part of an ASP.NET Framework application and is described fully in Authorizing Users and Roles.

To activate an ASP.NET authentication service, you must configure the <authentication> element in the application's configuration file. This element can have any of the values listed in the following table.

Value     Description
--------  -----------
None      No ASP.NET authentication services are active. Note that IIS authentication services can still be present.
Windows   ASP.NET authentication services attach a WindowsPrincipal (System.Security.Principal.WindowsPrincipal) to the current request to enable authorization against NT users or groups.
Forms     ASP.NET authentication services manage cookies and redirect unauthenticated users to a logon page. This is often used in conjunction with the IIS option to allow anonymous access to an application.
Passport  ASP.NET authentication services provide a convenient wrapper around the services provided by the Passport SDK, which must be installed on the machine.

For example, the following configuration file enables forms-based (cookie) authentication for an application:

<authentication mode="Forms"/>
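As an added example (not part of the original article or the Microsoft documentation), the following web.config combines the pieces described above: forms authentication, application-wide URL authorization that denies anonymous users, and a per-path rule guarding the virtual .stk stock-quote resource that has no file ACL behind it. Logon.aspx, the quotes directory, the Subscribers role and the StockQuotes.QuoteHandler type are assumed names; the syntax assumes .NET Framework 1.1 or later.

```xml
<configuration>
  <system.web>
    <!-- Forms mode: ASP.NET issues the ticket cookie and redirects unauthenticated
         users to Logon.aspx (assumed page). IIS is assumed to allow anonymous
         access so that IIS itself never challenges the browser. -->
    <authentication mode="Forms">
      <forms loginUrl="Logon.aspx"
             name=".ASPXAUTH"
             protection="All"
             timeout="30"
             slidingExpiration="false" />
    </authentication>

    <!-- URL authorization for the whole application. "?" is the anonymous
         identity, "*" is everyone. Rules are evaluated top-down and the first
         match wins, so deny anonymous before allow all. -->
    <authorization>
      <deny users="?" />
      <allow users="*" />
    </authorization>

    <!-- Assumed handler for the virtual .stk resources. IIS must also map the
         .stk extension to aspnet_isapi.dll, or IIS serves these requests itself
         and ASP.NET (and this authorization) never sees them. -->
    <httpHandlers>
      <add verb="GET" path="*.stk" type="StockQuotes.QuoteHandler, StockQuotes" />
    </httpHandlers>
  </system.web>

  <!-- The logon page must stay reachable by anonymous users. -->
  <location path="Logon.aspx">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>

  <!-- Per-path URL authorization: nothing on disk backs /quotes/*.stk, so this
       rule is the only gate. The Subscribers role (assumed) must be attached to
       the request principal by the application, for example in
       Application_AuthenticateRequest. -->
  <location path="quotes">
    <system.web>
      <authorization>
        <allow roles="Subscribers" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

A quick check after deploying: request /quotes/msft.stk without a cookie and confirm you are redirected to Logon.aspx rather than receiving the quote or a static-file 404 from IIS.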

Copyright 2002 Microsoft Corporation. All rights reserved.