1) Windows authentication
- Anonymous
- Basic
- Digest
- Integrated Windows
2) Forms authentication
3) Passport authentication
4) None
Authorization
File authorization depends on NTFS permissions
URL authorization depends on
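Forms authentication uses HTML forms to collect authentication information and checks it in a database. In the forms tag:
<forms name="frmauth" loginUrl="login.aspx" protection="All" />
<authorization>
  <!-- "*" means all users, "?" means anonymous users -->
  <allow users="*/?" />
  <deny users="*/?" />
</authorization>
<authentication mode="Forms">
  <forms loginUrl="Login.aspx" protection="All">
    <!-- passwordFormat="Clear" keeps the passwords below unhashed in web.config;
         the other supported values are MD5 and SHA1 -->
    <credentials passwordFormat="Clear">
      <user name="Admin" password="Admin" />
      <user name="Super" password="Super" />
      <user name="User" password="User" />
    </credentials>
  </forms>
</authentication>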
Impersonation: not enabled by default.
By default an ASP.NET application runs under the "aspnet" account. Running under specific user credentials requires impersonation.
Anonymous Authentication: IIS doesn't perform any authentication check. IIS allows any user to access the ASP.NET application.
Basic Authentication: For this kind of authentication, a Windows user name and password have to be provided to connect. However, this information is sent over the network in plain text and hence this is an insecure kind of authentication. Basic Authentication is the only mode of authentication that older, non-Internet Explorer browsers support.
Digest Authentication: It is the same as Basic Authentication except that the password is hashed before it is sent across the network. However, to use Digest Authentication, we must use IE 5.0 or above.
Integrated Windows Authentication: In this kind of authentication technique, passwords are not sent across the network. The application here uses either the Kerberos or challenge/response protocols to authenticate users. Kerberos, a network authentication protocol, is designed to provide strong authentication for client-server applications. It provides the tools of authentication and strong cryptography over the network to help secure information in systems across the entire enterprise.
impersonation
Suppose we need to access a resource on a network drive with credentials other than "aspnet", like IUSR_Machinename; we can set impersonation to true in web.config.
What is authentication?
Authentication is the process of checking user identity.
What is authorization?
Authorization is the process of checking user access level to a resource.
What is impersonation?
The ASP.NET execution engine accesses a resource by using your credentials on your behalf.
For Windows authentication
System.Security
For Forms authentication
System.Web.Security
To get the current user with Windows authentication in a Windows application
User.Identity.Name
System.Security.Principal.WindowsIdentity.GetCurrent().Name
To get the current user in a web application
Request.ServerVariables("LOGON_USER")
Request.
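Added example (not part of the original notes and not ASP.NET code): a small Python audit of a web.config for the settings discussed above, namely passwordFormat="Clear", a forms protection value other than "All", authorization rules whose first match admits anonymous users, and an impersonation password kept in the file. The sample config and the finding names are constructed; rules limited by verbs or roles and namespaced config files are not handled.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the settings quoted in the notes above.
SAMPLE = """<configuration><system.web>
  <authentication mode="Forms">
    <forms loginUrl="Login.aspx" protection="Validation">
      <credentials passwordFormat="Clear">
        <user name="Admin" password="Admin" />
      </credentials>
    </forms>
  </authentication>
  <authorization>
    <allow users="*" />
    <deny users="?" />
  </authorization>
</system.web></configuration>"""

def anonymous_allowed(auth):
    """URL authorization applies the first matching rule, top to bottom.
    Return True if that rule admits an anonymous ("?") request."""
    for rule in auth:
        users = [u.strip() for u in rule.get("users", "").split(",")]
        if rule.tag in ("allow", "deny") and ("*" in users or "?" in users):
            return rule.tag == "allow"
    return True  # nothing matched: the inherited default rule allows everyone

def audit(xml_text):
    """Return a sorted list of finding codes for one web.config document."""
    root = ET.fromstring(xml_text)
    findings = set()
    for forms in root.iter("forms"):
        if forms.get("protection", "All") != "All":
            findings.add("forms-protection-not-all")
        for cred in forms.iter("credentials"):
            if cred.get("passwordFormat", "SHA1") == "Clear":
                findings.add("cleartext-passwords-in-config")
    for auth in root.iter("authorization"):
        if anonymous_allowed(auth):
            findings.add("anonymous-access-allowed")
    for ident in root.iter("identity"):
        if ident.get("impersonate") == "true" and ident.get("password"):
            findings.add("impersonation-password-in-config")
    return sorted(findings)

if __name__ == "__main__":
    print(audit(SAMPLE))
```

In the sample, the deny rule for "?" is never reached because allow users="*" comes first and already matches; placing the deny rule first closes that gap.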