Selecting an authentication provider is as simple as making an entry in the web.config file
for the application. You can use one of these entries to select the corresponding built in
1. <authentication mode="windows">
2. <authentication mode="passport">
3. <authentication mode="forms">
4. Custom authentication where you might install an ISAPI filter in IIS that
compares incoming requests to list of source IP addresses, and considers
requests to be authenticated if they come from an acceptable address. In that
case, you would set the authentication mode to none to prevent any of the
.net authentication providers from being triggered.
1. Windows authentication and IIS
If you select windows authentication for your ASP.NET application, you also have to
configure authentication within IIS. This is because IIS provides Windows authentication.
IIS gives you a choice for four different authentication methods:
Anonymous,basic,digest and windows integrated
If you select anonymous authentication, IIS doesn't perform any authentication, Any one
is allowed to access the ASP.NET application.
If you select basic authentication, users must provide a windows username and password
to connect. How ever this information is sent over the network in clear text, which makes
basic authentication very much insecure over the internet.
If you select digest authentication, users must still provide a windows user name and
password to connect. However the password is hashed before it is sent across the network.
Digest authentication requires that all users be running Internet Explorer 5 or later and
that windows accounts to stored in active directory.
If you select windows integrated authentication, passwords never cross the network.
Users must still have a username and password, but the application uses either the Kerberos
or challenge/response protocols authenticate the user. Windows-integrated authentication
requires that all users be running internet explorer 3.01 or later Kerberos is a network
authentication protocol. It is designed to provide strong authentication for client/server
applications by using secret-key cryptography. Kerberos is a solution to network security
problems. It provides the tools of authentication and strong cryptography over the network
to help to secure information in systems across entire enterprise
2. Passport authentication
Passport authentication lets you to use Microsoft's passport service to authenticate users
of your application. If your users have signed up with passport, and you configure the
authentication mode of the application to the passport authentication, all authentication
duties are off-loaded to the passport servers.
Passport uses an encrypted cookie mechanism to indicate authenticated users. If users
have already signed into passport when they visit your site, they'll be considered
authenticated by ASP.NET. Otherwise they'll be redirected to the passport servers to log
in. When they are successfully log in, they'll be redirected back to your site
To use passport authentication you have to download the Passport Software Development
Kit (SDK) and install it on your server. The SDK can be found at http://
msdn.microsoft.com/library/default.asp?url=/downloads/list/websrvpass.aps. It includes
full details of implementing passport authentication in your own applications.
3. Forms authentication
Forms authentication provides you with a way to handle authentication using your own
custom logic with in an ASP.NET application. The following applies if you choose forms
a. When a user requests a page for the application, ASP.NET checks for the
presence of a special session cookie. If the cookie is present, ASP.NET assumes
the user is authenticated and processes the request.
b. If the cookie isn't present, ASP.NET redirects the user to a web form you
You can carry out whatever authentication, it check's you like it checks your form. When
the user is authenticated, you indicate this to ASP.NET by setting a property, which
creates the special cookie to handle subsequent requests.