Internet Authentication


The System.Net classes support a variety of client authentication mechanisms, including the standard Internet authentication methods basic, digest, negotiate, NTLM, and Kerberos authentication, as well as custom methods that you can create.

Authentication credentials are stored in the NetworkCredential and CredentialCache classes, which implement the ICredentials interface. When one of these classes is queried for credentials, it returns an instance of the NetworkCredential class. The authentication process is managed by the AuthenticationManager class, and the actual authentication process is performed by an authentication module class that implements the IAuthenticationModule interface. You must register a custom authentication module with the AuthenticationManager before it can be used; modules for the basic, digest, negotiate, NTLM, and Kerberos authentication methods are registered by default.

NetworkCredential stores a set of credentials associated with a single Internet resource identified by a URI and returns them in response to any call to the GetCredential method. The NetworkCredential class is typically used by applications that access a limited number of Internet resources or by applications that use the same set of credentials in all cases.

The CredentialCache class stores a collection of credentials for various Web resources. When the GetCredential method is called, CredentialCache returns the proper set of credentials, as determined by the URI of the Web resource and the requested authentication scheme. Applications that use a variety of Internet resources with different authentication schemes benefit from using the CredentialCache class, since it stores all the credentials and provides them as requested.

When an Internet resource requests authentication, the WebRequest.GetResponse method sends the WebRequest to the AuthenticationManager along with the request for credentials. The request is then authenticated according to the following process:

  1. The AuthenticationManager calls the Authenticate method on each of the registered authentication modules in the order they were registered. The AuthenticationManager uses the first module that does not return null to carry out the authentication process. The details of the process vary depending on the type of authentication module involved.

  2. When the authentication process is complete, the authentication module returns an Authorization to the WebRequest that contains the information needed to access the Internet resource.

Some authentication schemes can authenticate a user without first making a request for a resource. An application can save time by preauthenticating the user with the resource, thus eliminating at least one round trip to the server. Or, it can perform authentication during program startup in order to be more responsive to the user later. Authentication schemes that can use preauthentication set the CanPreAuthenticate property to true.

Basic and Digest Authentication
NTLM and Kerberos Authentication
Security in Network Programming