ASP.NET implements additional authentication schemes using authentication providers, which are separate from and apply only after the IIS authentication schemes. ASP.NET supports the following authentication providers:
- Windows (default)
- Forms
- Passport
- None
To enable an authentication provider for an ASP.NET application, use the authentication element in either machine.config or Web.config as follows:
<system.web>
    <!-- mode=[Windows|Forms|Passport|None] -->
    <authentication mode="Windows" />
</system.web>
Each ASP.NET authentication provider supports an OnAuthenticate event that occurs during the authentication process, which you can use to implement a custom authorization scheme. The primary purpose of this event is to attach a custom object that implements the IPrincipal Interface to the context.
Which ASP.NET authentication provider you use typically depends upon which IIS authentication scheme you choose. If you are using any of the IIS authentication schemes other than Anonymous, you will likely use the Windows authentication provider. Otherwise, you will use Forms, Passport, or None.
The Windows authentication provider relies upon IIS to perform the required authentication of a client. After IIS authenticates a client, it passes a security token to ASP.NET. ASP.NET constructs and attaches an object of the WindowsPrincipal Class to the application context based on the security token it receives from IIS. For more information, see Windows Authentication Provider and WindowsPrincipal Class.
- Authenticates using Windows accounts, so you do not need to write any custom authentication code.
- May require the use and management of individual Windows user accounts.
In addition, each IIS authentication scheme has its own associated pros and cons, which you should consider when choosing a security model. For more information, see IIS Authentication.
To implement Windows authentication, refer to the applicable IIS Authentication schemes. For more information, see IIS Authentication.
The Forms authentication provider is an authentication scheme that makes it possible for the application to collect credentials using an HTML form directly from the client. The client submits credentials directly to your application code for authentication. If your application authenticates the client, it issues a cookie to the client that the client presents on subsequent requests. If a request for a protected resource does not contain the cookie, the application redirects the client to the logon page. When authenticating credentials, the application can store credentials in a number of ways, such as a configuration file or a SQL Server database. For more information, see Forms Authentication Provider.
Note: An ISAPI server extension only handles those resources for which it has an application mapping. For example, the ASP.NET ISAPI server extension only has application mappings for particular resources, such as .asax, .ascx, .aspx, .asmx, and .config files, to name a few. By default, the ASP.NET ISAPI server extension, and consequently the Forms authentication provider, does not process any requests for non-ASP.NET resources, such as .htm, .jpg or .gif files.
- Makes custom authentication schemes based on arbitrary criteria possible.
- Can be used for authentication or personalization.
- Does not require corresponding Windows accounts.
- Is subject to replay attacks for the lifetime of the cookie, unless using SSL/TLS.
- Is only applicable for resources mapped to Aspnet_isapi.dll.
To implement forms authentication, you must create your own logon page and redirect URL for unauthenticated clients. You must also create your own scheme for account authentication. The following is an example of a Web.config configuration using Forms authentication:
<!-- Web.config file -->
<system.web>
    <authentication mode="Forms">
        <forms name="401kApp" loginUrl="/login.aspx" />
    </authentication>
</system.web>
Because you are implementing your own authentication, you will typically configure IIS for Anonymous authentication.
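As an added example that is not part of the original page, the following C# shows the two pieces the Forms provider leaves to you: a logon page code-behind that validates posted credentials against a constructed store and issues the ticket cookie, and the provider's OnAuthenticate handler in Global.asax that decrypts the ticket and attaches a GenericPrincipal to the request context. The class names, control names, sample user and hashing scheme are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Security.Principal;
using System.Text;
using System.Web;
using System.Web.Security;
// Constructed store (assumption): user name -> SHA-256 hex of the password. A real site
// would read Web.config or SQL Server and should use a salted, slow password hash.
public static class UserStore
{
    static readonly Dictionary<string, string> Hashes = new Dictionary<string, string>
        { { "alice", Hash("correct horse battery staple") } };   // constructed sample user
    public static string Hash(string password)
    {
        using (SHA256 sha = SHA256.Create())
            return BitConverter.ToString(sha.ComputeHash(Encoding.UTF8.GetBytes(password)));
    }
    public static bool Verify(string user, string password)
    {
        string stored;
        return Hashes.TryGetValue(user, out stored) && stored == Hash(password);
    }
}
// Code-behind for login.aspx; txtUser, txtPass and lblMessage are controls on that page.
public partial class Login : System.Web.UI.Page
{
    protected void btnLogin_Click(object sender, EventArgs e)
    {
        if (UserStore.Verify(txtUser.Text, txtPass.Text))
            FormsAuthentication.RedirectFromLoginPage(txtUser.Text, false); // session cookie only
        else
            lblMessage.Text = "Invalid user name or password.";
    }
}
// Global.asax: the Forms provider's OnAuthenticate event. Decrypt the ticket cookie and
// attach a GenericPrincipal built from it to the request context via e.User.
public partial class Global : HttpApplication
{
    protected void FormsAuthentication_OnAuthenticate(object sender, FormsAuthenticationEventArgs e)
    {
        HttpCookie cookie = e.Context.Request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null) return;                  // no ticket: module redirects to loginUrl
        FormsAuthenticationTicket ticket;
        try { ticket = FormsAuthentication.Decrypt(cookie.Value); }
        catch (Exception) { return; }                // tampered or malformed cookie: stay anonymous
        if (ticket == null || ticket.Expired) return;
        e.User = new GenericPrincipal(new FormsIdentity(ticket), new string[0]);
    }
}
```

Because the cookie is the only proof of identity after logon, the Web.config for this site should also require SSL/TLS, as the replay caveat above notes.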
The Passport authentication provider is a centralized authentication service provided by Microsoft that offers a single logon and core profile services for member sites. Passport is a forms-based authentication service. When member sites register with Passport, the Passport service grants a site-specific key. The Passport logon server uses this key to encrypt and decrypt the query strings passed between the member site and the Passport logon server. For more information, see Passport Authentication Provider.
- Supports single sign-in across multiple domains.
- Compatible with all browsers.
- Places an external dependency on the authentication process.
To implement Passport, you must register your site with the Passport service, accept the license agreement, and install the Passport SDK prior to use. You must configure your application's Web.config file as follows:
<!-- Web.config file -->
<system.web>
    <authentication mode="Passport" />
</system.web>
For more information, see the Microsoft Passport Web site (http://www.passport.com/).
None (Custom Authentication)
Specify "None" as the authentication provider when users are not authenticated at all or if you plan to develop custom authentication code. For example, you may want to develop your own authentication scheme using an ISAPI filter that authenticates users and manually creates an object of the GenericPrincipal Class. For more information, see GenericPrincipal Class.
Note: An ISAPI server extension only handles those resources for which it has an application mapping. For example, the ASP.NET ISAPI server extension only has application mappings for particular resources, such as .asax, .ascx, .aspx, .asmx, and .config files, to name a few. By default, the ASP.NET ISAPI server extension, and consequently the None (custom) authentication provider, does not process any requests for non-ASP.NET resources, such as .htm, .jpg or .gif files.
- Offers total control of the authentication process providing the greatest flexibility.
- Provides the highest performance if you do not implement an authentication method.
- Custom-built authentication schemes are seldom as secure as those provided by the operating system.
- Requires extra work to custom-build an authentication scheme.
To implement no authentication or to develop your own custom authentication, create a custom ISAPI filter to bypass IIS authentication. Use the following Web.config configuration:
<!-- Web.config file -->
<system.web>
    <authentication mode="None" />
</system.web>
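As an added example that is not part of the original page, this C# shows the kind of custom scheme the None mode leaves entirely to you, implemented in Global.asax's Application_AuthenticateRequest rather than an ISAPI filter: a constructed HMAC-signed header token is validated and, on success, a GenericPrincipal is attached to the context. The token format, header name and key are assumptions; the MAC is checked in constant time and before the expiry field is trusted, which are the details custom schemes most often get wrong.

```csharp
using System;
using System.Globalization;
using System.Security.Cryptography;
using System.Security.Principal;
using System.Text;
using System.Web;
// Token format (constructed): "<user>|<expiryUtcTicks>|<hex HMAC-SHA256 over user|expiry>".
public static class AppToken
{
    // Constructed key (assumption); a deployment would load it from protected configuration.
    static readonly byte[] Key = Encoding.UTF8.GetBytes("replace-with-a-random-256-bit-key");
    public static string Issue(string user, DateTime expiresUtc)
    {
        string body = user + "|" + expiresUtc.Ticks.ToString(CultureInfo.InvariantCulture);
        return body + "|" + Mac(body);
    }
    // Returns the user name when the MAC verifies and the token is unexpired, otherwise null.
    public static string Validate(string token, DateTime nowUtc)
    {
        if (token == null) return null;
        string[] parts = token.Split('|');
        long ticks;
        if (parts.Length != 3 || !long.TryParse(parts[1], NumberStyles.None,
                                                CultureInfo.InvariantCulture, out ticks)) return null;
        if (!FixedTimeEquals(Mac(parts[0] + "|" + parts[1]), parts[2])) return null; // MAC first
        return nowUtc.Ticks < ticks ? parts[0] : null;                               // then expiry
    }
    static string Mac(string body)
    {
        using (HMACSHA256 h = new HMACSHA256(Key))
            return BitConverter.ToString(h.ComputeHash(Encoding.UTF8.GetBytes(body))).Replace("-", "");
    }
    // Constant-time comparison: do not leak how many MAC characters matched.
    static bool FixedTimeEquals(string a, string b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0; for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
// Global.asax with mode="None": no provider runs, so the application attaches the principal.
public partial class Global : HttpApplication
{
    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        string user = AppToken.Validate(Request.Headers["X-App-Token"], DateTime.UtcNow);
        if (user != null)
            Context.User = new GenericPrincipal(new GenericIdentity(user, "AppToken"), new string[0]);
    }
}
```

Requests without a valid token stay anonymous; as the note above explains, this check runs only for resources mapped to Aspnet_isapi.dll, so static files need IIS-level protection.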