Authentication and Authorization are two interrelated concepts, which form the core of security for .NET applications. The authentication and authorization processes in ASP.NET are very flexible, simple and can be implemented in the code. ASP.NET is not a standalone product; it is linked with IIS and is, in fact, a layer on top of IIS. So, any request that comes into the ASP.NET process is first authenticated and authorized by IIS. In short, the ASP.NET process is completely unaware if any user has been denied access to any page by IIS. Several security authorities interact when the user raises a request for an ASP.NET page. You must get to know how these processes work in order to fully understand the ASP.NET system.
ASP.NET and IIS
Below, is the sequence of events involved in the authentication process (jointly done by IIS and ASP.NET):
1. The incoming request is first checked by IIS. If the IP address from where the request is sought is not allowed access to the domain, IIS denies the request.
2. By default, IIS allows anonymous access and hence requests are automatically authenticated. However, this can be overridden for each application within IIS. Next in the sequence, IIS performs this authentication, if it has been configured to do so.
3. As a next step, the authenticated user request is passed to ASP.NET.
4. ASP.NET now checks whether Impersonation is enabled or not. By default impersonation is not enabled in ASP.NET. Generally, some applications require impersonation for ASP compatibility and Windows server authentication.
5. If impersonation is enabled, ASP.NET executes with the identity of the entity on behalf of which it is performing the executing task.
6. If impersonation is disabled, the application runs with the privileges of ASP.NET.
7. Finally, the identity that has been authenticated and checked for in the previous steps is used to request resources from the OS. ASP.NET relies on NTFS file permissions for granting access.
8. If access is granted (successful authorization), ASP.NET returns the user’s request through IIS.