CodeKicks.com
Focus on Microsoft Technologies - Tutorials, Articles, Code Samples.

Wednesday, August 30, 2006

Authentication & Authorization in ASP.NET

Authentication and authorization are two interrelated security concepts. In short, authentication is the process of establishing who a user is, while authorization is the process of deciding whether that authenticated user may access the resource(s) they requested.

Impersonation is a third, separate mechanism: it is the process by which ASP.NET executes a request under the Windows security context of the caller (the authenticated user, or the configured anonymous account) instead of under the identity of the worker process. Impersonation does not authenticate anyone; it only changes which Windows account the operating system sees when the application touches files, registry keys, or a database that uses integrated security.

If a web page has no access controls, then any user can access it. On IIS 5 and earlier, HTML pages, classic ASP pages (ASP 3.0 and earlier) and the components they call are accessed through two local accounts named IUSR_machinename and IWAM_machinename. Both accounts are created during IIS installation, and IIS grants them permissions on the web content folders of every web site on the server by default.

When IIS receives a request for a web page or other resource that permits anonymous access, IIS uses the IUSR_machinename account as the user's account to access the resource. If the resource requested is an ASP page that uses a COM or COM+ component running out of process, that component is executed under the IWAM_machinename account.

In ASP.NET, when impersonation is turned off, resources are accessed under the identity of the worker process: the local ASPNET account on IIS 5 (ASP.NET 1.x), or NETWORK SERVICE on IIS 6. When impersonation is turned on, ASP.NET executes each request under the account of the user that IIS authenticated for that request, or under the anonymous account when IIS admitted the request anonymously.

If impersonation is enabled in an ASP.NET application (<identity impersonate="true" /> in Web.config) then:

• If anonymous access is enabled in IIS, the request executes under the IUSR_machinename account (or whichever anonymous account IIS has been configured to use).

• If anonymous access is disabled in IIS, the request executes under the account of the user that IIS authenticated.

• In either case, Windows checks the impersonated account against the access control list (ACL) of every resource the request touches, and a resource is available only if its ACL grants that account the required access.

If impersonation is disabled in an ASP.NET application (the default) then:

• If anonymous access is enabled in IIS, the request executes under the worker process account.

• If anonymous access is disabled in IIS, the request still executes under the worker process account. The authenticated user's identity is available to the application through User.Identity and is used by ASP.NET's own authorization modules, but it is not the identity under which the operating system sees file, registry or database access.

• In either case, the Windows ACL on each resource the request opens is checked against the process account, so the process account must have the required rights. Per-user NTFS permissions then only take effect on the requested page file itself, through ASP.NET's FileAuthorizationModule, and not on anything the page opens afterwards.

Understanding how ASP.NET and IIS Handle Authentication and Authorization

Both IIS - Microsoft's Web server software - and ASP.NET provide means for authentication and authorization.

The following is the sequence of authentication and authorization actions performed by IIS and ASP.NET on an incoming request.

  • The incoming request is first checked by IIS. If the client's IP address or domain name is blocked by the site's IP address and domain name restrictions, IIS denies the request.
  • IIS allows anonymous access by default, so requests are accepted without credentials and run as the anonymous account. This can be overridden per web site, directory or file within IIS; where IIS has been configured for Basic, Digest or Integrated Windows authentication it performs that authentication now, and rejects the request if the credentials are not valid.
  • The request, together with the identity IIS established (a real user or the anonymous account), is passed to ASP.NET.
  • ASP.NET checks whether impersonation is enabled. By default it is not. Some applications require impersonation, for example for compatibility with classic ASP or so that a back-end resource sees the caller's Windows identity. (By default the ASP.NET engine operates under the ASPNET account on IIS 5, or NETWORK SERVICE on IIS 6; impersonation makes it operate under the authenticated user's account instead.)
  • If impersonation is enabled, ASP.NET executes the request with the identity of the user on whose behalf it is performing the task.
  • If impersonation is not enabled, the application runs with the privileges of the worker process account.
  • Finally, ASP.NET authorizes the request before handing it to the page. ASP.NET uses two forms of authorization:
      • FileAuthorization - relies on NTFS file permissions for granting access.
      • UrlAuthorization - in the Web.config file you can specify the authorization rules for various directories or files using the <authorization> element.
  • If access is granted (successful authorization), the page runs and ASP.NET returns the response to the client through IIS.

Authentication Providers

ASP.NET provides three ways to authenticate a user:

  • Windows authentication,
  • Forms authentication, and
  • Passport authentication

Windows Authentication Provider

The Windows authentication provider is the default provider for ASP.NET (the authentication mode set in machine.config is Windows). It authenticates users based on their Windows accounts, and actually relies on IIS to do the authentication: IIS can be configured so that only users with an account on the server or in a Windows domain are admitted. If a user requests a page and is not yet authenticated, the browser either prompts for a user name and password or, with Integrated Windows authentication, supplies the logged-on user's credentials automatically. IIS checks the credentials against the local account database or the domain, and if they are valid, grants access and passes the user's identity to the ASP.NET engine as a WindowsIdentity.

There are four IIS authentication options that can be configured for use with the Windows provider:

  • Anonymous Authentication: IIS performs no authentication check and admits any client, running the request as the anonymous account (IUSR_machinename by default). The ASP.NET application sees an empty user name.
  • Basic Authentication: a Windows user name and password must be supplied. The browser sends them base64-encoded, which is an encoding and not encryption, so anyone who can observe the traffic recovers the password with a single decode; Basic authentication is acceptable only over SSL/TLS. It is, however, the most widely supported scheme, and at the time of writing the only one of the four supported by older, non-Internet Explorer browsers.
  • Digest Authentication: like Basic, the client proves knowledge of a Windows password, but the password itself never crosses the network. The server sends a nonce challenge, the client replies with an MD5 hash computed over the user name, realm, password, nonce and request, and the server recomputes the hash from the password material it holds and compares. Digest requires a browser that implements it (Internet Explorer 5.0 or later in this article's era) and an Active Directory domain on the server side; on IIS 5 the account must store its password with reversible encryption, while IIS 6's Advanced Digest mode uses a precomputed hash stored in Active Directory instead.
  • Integrated Windows Authentication: passwords are not sent across the network. The client and server use either Kerberos or the NTLM challenge/response protocol; Kerberos is used when both are domain members and the client can reach a domain controller, otherwise NTLM. Kerberos, a network authentication protocol, is designed to provide strong authentication for client/server applications and provides authentication and strong cryptography over the network to help secure information across an entire enterprise. Integrated authentication is not implemented by every browser and does not work through most HTTP proxies, so it suits intranet applications rather than the public Internet.
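To make the difference between Basic and Digest concrete, here is an added example in Python (my own illustration, not code from this page or from IIS) that decodes a Basic Authorization header and works through one Digest challenge/response. The realm, nonce, user name and password are constructed for the example, and the digest arithmetic follows RFC 2617 with qop=auth rather than the exact options IIS negotiates.

```python
import base64
import hashlib
import hmac

# --- Basic: the "password in plain text" case -------------------------------
# Constructed credentials for the example (alice / s3cret).
BASIC_HEADER = "Basic " + base64.b64encode(b"alice:s3cret").decode("ascii")

def parse_basic(header):
    """Recover user name and password from an 'Authorization: Basic' value.
    Base64 is an encoding, not encryption: this is exactly what a proxy or a
    sniffer on the path would do, which is why Basic needs SSL/TLS."""
    scheme, _, blob = header.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic Authorization header")
    user, _, password = base64.b64decode(blob).decode("utf-8").partition(":")
    return user, password

# --- Digest: prove the password without sending it -------------------------
def _md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def digest_ha1(user, realm, password):
    """HA1 = MD5(user:realm:password). This is all the server needs to keep;
    IIS 6 Advanced Digest stores an equivalent hash in Active Directory."""
    return _md5_hex(f"{user}:{realm}:{password}")

def digest_response(ha1, method, uri, nonce, nc, cnonce, qop="auth"):
    """Client proof for qop=auth (RFC 2617):
    HA2 = MD5(method:uri); response = MD5(HA1:nonce:nc:cnonce:qop:HA2).
    The server nonce and client cnonce bind the proof to this exchange,
    so a captured response is useless under a different nonce."""
    ha2 = _md5_hex(f"{method}:{uri}")
    return _md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")

def digest_verify(stored_ha1, method, uri, nonce, nc, cnonce, response):
    """Server side: recompute from the stored HA1 and compare in constant time."""
    expected = digest_response(stored_ha1, method, uri, nonce, nc, cnonce)
    return hmac.compare_digest(expected, response)

def digest_exchange():
    """Simulate one Digest round trip with constructed values and report what
    the verifier sees for a valid reply, a replayed reply and a wrong password."""
    realm, user, password = "corp.example", "alice", "s3cret"
    method, uri, nc, cnonce = "GET", "/secure/default.aspx", "00000001", "0a4f113b"
    server_nonce = "dcd98b7102dd2f0e8b11d0f600bfb0c093"   # constructed; must be random in practice
    stored_ha1 = digest_ha1(user, realm, password)        # the server's record
    # The client derives its proof from the password it knows.
    client_response = digest_response(digest_ha1(user, realm, password),
                                      method, uri, server_nonce, nc, cnonce)
    bad_response = digest_response(digest_ha1(user, realm, "wrong"),
                                   method, uri, server_nonce, nc, cnonce)
    return {
        "valid": digest_verify(stored_ha1, method, uri, server_nonce, nc, cnonce, client_response),
        "replayed_under_new_nonce": digest_verify(stored_ha1, method, uri, "a-fresh-nonce", nc, cnonce, client_response),
        "wrong_password": digest_verify(stored_ha1, method, uri, server_nonce, nc, cnonce, bad_response),
        "password_on_wire": password in client_response,
    }

if __name__ == "__main__":
    print(parse_basic(BASIC_HEADER))   # one decode, no key needed
    print(digest_exchange())
```

The Basic decode needs nothing but the header, which is the whole argument for SSL/TLS; the Digest response contains no recoverable password and is tied to the server's nonce, but it is still only an MD5 hash, so an attacker who captures it can try passwords offline. That is why Integrated Windows authentication, which never exposes even a hash of the password to the web server, is preferred where the clients support it.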

Passport Authentication Provider

Passport authentication is a centralized authentication service. It uses Microsoft's Passport service to authenticate the users of an application. If the authentication mode of the application is configured as Passport and the users have signed up with Microsoft's Passport service, the authentication formalities are handed over to the Passport servers.

Passport uses an encrypted cookie to identify authenticated users. If the users have already signed into Passport when they visit the application page, ASP.NET considers them authenticated. Otherwise, the users are redirected to the Passport servers to log in. Upon successful login, the user is redirected back to the ASP.NET Web page that they initially tried to access. If you use Hotmail you already have a Passport account and are familiar with the sign-in process from an end user's perspective. (Passport was later rebranded Windows Live ID, and the Passport classes in the .NET Framework have since been marked obsolete.)

Forms Authentication Provider

The forms authentication provider uses custom HTML forms to collect credentials. As an ASP.NET developer using forms authentication, you write your own logic to check the supplied user name and password against a database or another store; ASP.NET does not validate them for you. When the user is successfully identified, ASP.NET issues a forms authentication ticket (user name, issue and expiry times, and optional user data) in a cookie, and on later requests in the session it trusts the ticket rather than re-checking the password. It is this ticket, not the credentials, that the cookie holds; the ticket is encrypted and signed with the keys in the machineKey configuration, so a client cannot change the user name or extend the expiry without the server's keys. Because the cookie alone proves identity, it deserves the same care as the password: send it only over SSL/TLS where possible and keep the expiration short. For more information on implementing forms authentication be sure to read Using Forms Authentication in ASP.NET and Getting Started With Forms Authentication.
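As an added example (a model I wrote, not ASP.NET's own FormsAuthentication implementation), the following Python shows what the forms authentication cookie actually carries: a ticket naming the user and an expiry, protected by a keyed hash, rather than the password. The validation key, user names and timestamps are constructed for the example; ASP.NET additionally encrypts the ticket when protection is set to All, which this model leaves out.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed key standing in for <machineKey validationKey="..."/>. Every
# server in a web farm must share it, or tickets issued by one are rejected by another.
VALIDATION_KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c2b7e151628aed2a6abf7158809cf4f3c")
MAC_LEN = hashlib.sha256().digest_size

def issue_ticket(username, lifetime_seconds, now=None, key=VALIDATION_KEY):
    """Build the cookie value: base64(payload || HMAC(key, payload)).
    The payload names the user and the absolute expiry; the MAC is what stops
    a client from editing either field."""
    now = time.time() if now is None else now
    claims = {"u": username, "iat": int(now), "exp": int(now) + lifetime_seconds}
    payload = json.dumps(claims, separators=(",", ":")).encode("utf-8")
    mac = hmac.new(key, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload + mac).decode("ascii")

def validate_ticket(cookie_value, now=None, key=VALIDATION_KEY):
    """Return the user name if the ticket is intact and unexpired, else None.
    The MAC is checked (in constant time) before any field is trusted."""
    now = time.time() if now is None else now
    try:
        raw = base64.urlsafe_b64decode(cookie_value.encode("ascii"))
    except ValueError:            # covers binascii.Error for bad padding too
        return None
    if len(raw) <= MAC_LEN:
        return None
    payload, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, mac):
        return None
    claims = json.loads(payload)
    if now >= claims["exp"]:
        return None
    return claims["u"]

def forge_username(cookie_value, new_username):
    """What an attacker without the key can do: rewrite the payload, keep the old MAC."""
    raw = base64.urlsafe_b64decode(cookie_value.encode("ascii"))
    payload, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
    claims = json.loads(payload)
    claims["u"] = new_username
    forged = json.dumps(claims, separators=(",", ":")).encode("utf-8")
    return base64.urlsafe_b64encode(forged + mac).decode("ascii")

def demo(now=1_000_000):
    """Issue a 20-minute ticket at a fixed time and collect the outcomes a
    validator must produce for the interesting cases."""
    ticket = issue_ticket("alice", 20 * 60, now=now)
    return {
        "fresh": validate_ticket(ticket, now=now + 300),
        "expired": validate_ticket(ticket, now=now + 20 * 60),
        "forged_user": validate_ticket(forge_username(ticket, "administrator"), now=now + 300),
        "other_farm_key": validate_ticket(ticket, now=now + 300, key=bytes(32)),
        "garbage": validate_ticket("not-a-ticket", now=now),
    }

if __name__ == "__main__":
    print(demo())
```

Two points carry over directly to ASP.NET: the ticket is only as secret as the validation (and decryption) keys, so those keys must not be auto-generated per machine in a web farm, and expiry is enforced by the server clock, so a stolen cookie is valid until then regardless of whether the user logged out.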

 

Configuring Authorization

There are two forms of authorization available in ASP.NET:

  • FileAuthorization - relies on NTFS file permissions for granting access.
  • UrlAuthorization - in the Web.config file you can specify the authorization rules for various directories or files using the <authorization> element.

File authorization

File authorization is performed by the FileAuthorizationModule and is active only when the application uses Windows authentication, because it needs the caller's Windows access token. It performs an access control list (ACL) check of the requested .aspx or .asmx handler file against that token, so the NTFS permissions on the page file decide whether the user may run it, whether or not impersonation is enabled. It covers only the files ASP.NET itself handles; to get ACL checks on other resources the page opens (files, registry keys, databases using integrated security), the application must use impersonation so that the operating system sees the caller's account. For more information about impersonation, see ASP.NET Impersonation.

URL authorization

URL authorization is performed by the UrlAuthorizationModule, which maps users and roles to pieces of the URL namespace. The module implements both positive and negative authorization assertions; that is, it can selectively allow or deny access to arbitrary parts of the URL namespace for particular users or roles, named individually, or for the special users "*" (everyone) and "?" (anonymous users).

The UrlAuthorizationModule is available with any authentication mode, including Forms, because it needs only the user name and roles ASP.NET has associated with the request, not a Windows token. You only need to place a list of users and/or roles in the <allow> or <deny> elements of the <authorization> section of a configuration file, optionally inside a <location> element to scope the rules to a directory or file. Two properties of its evaluation matter for correctness: rules are checked in order and the first one that matches the user wins, and when none matches, the rules inherited from the parent configuration apply, which at the machine level end with <allow users="*"/>. A section that lists only the users to allow therefore denies nobody; it must end with <deny users="*"/> (or <deny users="?"/> to require login) to be restrictive. Also, on IIS 6 and earlier the module only sees requests that IIS hands to ASP.NET, so static files such as .html, .pdf or image files in a protected directory are served by IIS without consulting these rules unless their extensions are mapped to the ASP.NET ISAPI extension (aspnet_isapi.dll).
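The ordering and fall-through rules are easy to get wrong, so here is an added example (my own model, not the UrlAuthorizationModule's source) that evaluates an <authorization> section the way ASP.NET does: rules in order, first match wins, users="*" for everyone, "?" for anonymous callers, case-insensitive names, the optional verbs attribute, and allow when nothing matches. The Web.config fragments, user names and roles are constructed for the example.

```python
import xml.etree.ElementTree as ET

def _names(attr):
    """Split a comma-separated users/roles/verbs attribute; ASP.NET compares
    these case-insensitively, so everything is lower-cased."""
    return [v.strip().lower() for v in (attr or "").split(",") if v.strip()]

def _rule_matches(rule, user, roles, verb):
    """Does one <allow> or <deny> element apply to this request?
    user is None for an anonymous request."""
    verbs = _names(rule.get("verbs"))
    if verbs and verb.lower() not in verbs:
        return False                       # rule limited to other HTTP verbs
    for name in _names(rule.get("users")):
        if name == "*":                    # everyone, anonymous included
            return True
        if name == "?" and user is None:   # anonymous callers only
            return True
        if user is not None and name == user.lower():
            return True
    if user is not None:
        held = {r.lower() for r in roles}
        if any(r in held for r in _names(rule.get("roles"))):
            return True
    return False

def is_authorized(config_xml, user, roles=(), verb="GET"):
    """Evaluate an <authorization> section (alone or inside a larger Web.config
    fragment) for one request. Returns True when access is allowed."""
    root = ET.fromstring(config_xml.strip())
    section = root if root.tag == "authorization" else root.find(".//authorization")
    if section is None:
        return True
    for rule in section:
        if rule.tag in ("allow", "deny") and _rule_matches(rule, user, roles, verb):
            return rule.tag == "allow"     # first matching rule decides
    # No rule matched: ASP.NET falls through to the inherited rules, and
    # machine.config ends with <allow users="*"/>, so the request is allowed.
    return True

# Constructed Web.config fragments for the example.
WEAK = """
<configuration><system.web>
  <authorization><allow roles="Admins"/></authorization>
</system.web></configuration>"""          # allows Admins... and everyone else

FIXED = """
<configuration><system.web>
  <authorization><allow roles="Admins"/><deny users="*"/></authorization>
</system.web></configuration>"""          # Admins only

WRONG_ORDER = """<authorization><deny users="*"/><allow roles="Admins"/></authorization>"""  # nobody

LOGIN_REQUIRED = """<authorization><deny users="?"/></authorization>"""  # any authenticated user

READ_ONLY_UNLESS_EDITOR = """<authorization>
  <allow roles="Editors" verbs="POST"/>
  <deny users="*" verbs="POST"/>
  <allow users="*"/>
</authorization>"""                         # everyone may GET, only Editors may POST

if __name__ == "__main__":
    for label, cfg in [("WEAK", WEAK), ("FIXED", FIXED), ("WRONG_ORDER", WRONG_ORDER)]:
        print(label, "anonymous:", is_authorized(cfg, None),
              "bob:", is_authorized(cfg, "bob"),
              "alice/Admins:", is_authorized(cfg, "alice", ["Admins"]))
```

Roles in these rules are only as good as whatever attached them to the request: Windows groups through the WindowsPrincipal under Windows authentication, or roles your own code (or ASP.NET 2.0's role manager) puts on the principal under Forms authentication. A rule naming a role that nothing ever assigns matches no one, and a section that relies on such a rule to allow access silently falls through to the deny that follows it, or to the inherited allow if there is none.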
