Monday, May 11, 2009

Authentication in ASP.Net

This article explains the different types of authentication available in the ASP.NET framework and what each one provides. Each has its own advantages and disadvantages, and the choice depends on the application: who the users are, where they connect from, and whether their credentials can be kept off the wire.


  • Forms authentication: A system by which unauthenticated requests are redirected to an HTML login form using an HTTP client-side redirect (a 302 to the configured loginUrl). The user provides credentials and submits the form. If the application validates them, the system issues a cookie containing an authentication ticket (the user name and an expiry, encrypted and MAC-protected with the machineKey by default) that serves as a key for re-establishing the identity; the password itself is not stored in the cookie. Subsequent requests carry the cookie in the request headers; ASP.NET validates the ticket in its authentication event handler, and the application authorizes the request using whatever method the developer specifies.

  • Passport authentication: A centralized authentication service provided by Microsoft (since renamed Windows Live ID) that offers single sign-on and core profile services for member sites.

  • Windows authentication: ASP.NET uses Windows authentication in conjunction with Microsoft Internet Information Services (IIS) authentication. Authentication is performed by IIS in one of three ways: Basic, Digest, or Integrated Windows Authentication. When IIS authentication is complete, ASP.NET uses the authenticated Windows identity (exposed as a WindowsPrincipal) to authorize access.
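The forms authentication flow described above, modelled as an added example (this is not code from the original post, and it is not the ASP.NET FormsAuthentication implementation): a login handler verifies the submitted password against a salted hash, issues a ticket cookie that carries only the user name and an absolute expiry under an HMAC, and the request handler redirects to the login form whenever the ticket is missing, expired or tampered with. The validation key, the user store and the timestamps are constructed for the example; in ASP.NET the key is the machineKey and the ticket is additionally encrypted.

```python
import base64
import hashlib
import hmac
import json

# Constructed secret standing in for the ASP.NET machineKey validationKey;
# a real deployment generates it randomly and never commits it to source.
VALIDATION_KEY = b"constructed-validation-key-not-for-real-use"
TICKET_LIFETIME = 30 * 60  # seconds, matching the default forms timeout of 30 minutes


def _hash_password(password, salt):
    """Salted PBKDF2 so the user store never holds the plaintext password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user store for the example: username -> (salt, password hash).
USERS = {"alice": (b"constructed-salt", _hash_password("s3cret", b"constructed-salt"))}


def issue_ticket(username, now, key=VALIDATION_KEY, lifetime=TICKET_LIFETIME):
    """Cookie value is base64(payload).hex(HMAC). The payload names the user
    and an absolute expiry; the password is never placed in the cookie."""
    payload = base64.urlsafe_b64encode(
        json.dumps({"name": username, "exp": int(now) + lifetime}, separators=(",", ":")).encode()
    )
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest().encode()
    return (payload + b"." + tag).decode()


def validate_ticket(cookie, now, key=VALIDATION_KEY):
    """Return the user name carried by a genuine, unexpired ticket, else None."""
    try:
        payload, tag = cookie.encode().split(b".", 1)
        expected = hmac.new(key, payload, hashlib.sha256).hexdigest().encode()
        if not hmac.compare_digest(tag, expected):
            return None  # forged or tampered: the MAC does not match the payload
        data = json.loads(base64.urlsafe_b64decode(payload))
        if now > data["exp"]:
            return None  # expired ticket
        return data["name"]
    except (ValueError, KeyError, TypeError):
        return None  # malformed cookie


def login(username, password, now):
    """The login form's POST handler: verify credentials, then issue the ticket."""
    record = USERS.get(username)
    if record is None:
        return None
    salt, stored = record
    if not hmac.compare_digest(stored, _hash_password(password, salt)):
        return None
    return issue_ticket(username, now)


def handle_request(cookie, now, path, login_url="/Login.aspx"):
    """Model the FormsAuthenticationModule decision for a protected path:
    no valid ticket -> 302 to the login form with ReturnUrl; otherwise serve."""
    user = validate_ticket(cookie, now) if cookie else None
    if user is None:
        return 302, f"{login_url}?ReturnUrl={path}"
    return 200, user


def forge_ticket(cookie, new_name):
    """What an attacker who edits the cookie payload without the key ends up with:
    a payload naming someone else, still carrying the old MAC."""
    payload, tag = cookie.split(".", 1)
    data = json.loads(base64.urlsafe_b64decode(payload))
    data["name"] = new_name
    forged = base64.urlsafe_b64encode(json.dumps(data, separators=(",", ":")).encode()).decode()
    return forged + "." + tag
```

The point of the MAC is visible in forge_ticket: changing the user name in the cookie without the server key produces a ticket that validate_ticket rejects, which is exactly what protection="Validation" (or "All") buys you in the real forms element.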

To enable an authentication provider for an ASP.NET application, add an authentication element under system.web in the application's Web.config, choosing exactly one of the four modes:

  <system.web>
    <authentication mode="[Windows|Forms|Passport|None]" />
  </system.web>

With mode="Forms" the nested forms element carries the settings that matter for security (requireSSL, protection, timeout, slidingExpiration, cookieless), and an authorization element with deny users="?" is needed to actually send anonymous users to the login page.
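An added example (not part of the original post) that puts a weak forms authentication configuration beside a corrected one and audits both: the script parses a constructed Web.config and reports each attribute that is left at, or set to, an unsafe value. The defaults it assumes when an attribute is absent are the ASP.NET 2.0 defaults (requireSSL="false", protection="All", timeout="30", slidingExpiration="true", cookieless="UseDeviceProfile", httpOnlyCookies="false"); both config fragments are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed Web.config fragments: the first carries settings that weaken
# forms authentication, the second is the corrected version.
WEAK_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms loginUrl="Login.aspx" timeout="2880" requireSSL="false"
             protection="None" slidingExpiration="true" />
    </authentication>
  </system.web>
</configuration>
"""

HARDENED_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms loginUrl="Login.aspx" timeout="20" requireSSL="true"
             protection="All" slidingExpiration="false" cookieless="UseCookies" />
    </authentication>
    <authorization>
      <deny users="?" />
    </authorization>
    <httpCookies httpOnlyCookies="true" requireSSL="true" />
  </system.web>
</configuration>
"""


def _is_true(value, default):
    return (value if value is not None else default).lower() == "true"


def audit_web_config(xml_text):
    """Return a list of (setting, problem) pairs; an empty list means no finding.
    Absent attributes are treated as their ASP.NET 2.0 default values."""
    findings = []
    root = ET.fromstring(xml_text)
    web = next((child for child in root if child.tag == "system.web"), None)
    if web is None:
        return [("system.web", "section missing; nothing to authenticate with")]
    auth = web.find("authentication")
    mode = auth.get("mode", "Windows") if auth is not None else "Windows"
    if mode == "None":
        findings.append(("authentication", "mode=None: no authentication is performed"))
    if mode == "Forms":
        forms = auth.find("forms")
        a = forms.attrib if forms is not None else {}
        if not _is_true(a.get("requireSSL"), "false"):
            findings.append(("requireSSL", "ticket cookie may be sent over plain HTTP"))
        if a.get("protection", "All") != "All":
            findings.append(("protection", "ticket is not both encrypted and MAC-validated"))
        if int(a.get("timeout", "30")) > 60:
            findings.append(("timeout", "ticket lifetime exceeds 60 minutes"))
        if _is_true(a.get("slidingExpiration"), "true"):
            findings.append(("slidingExpiration", "lifetime renews on every request; no absolute expiry"))
        if a.get("cookieless", "UseDeviceProfile") != "UseCookies":
            findings.append(("cookieless", "ticket may be carried in the URL for some clients"))
        authz = web.find("authorization")
        denies = authz.findall("deny") if authz is not None else []
        if not any(d.get("users") == "?" for d in denies):
            findings.append(("authorization",
                             'no <deny users="?"/>; anonymous requests never reach the login form'))
    cookies = web.find("httpCookies")
    if cookies is None or not _is_true(cookies.get("httpOnlyCookies"), "false"):
        findings.append(("httpOnlyCookies", "cookies other than the forms ticket are readable from script"))
    return findings


def finding_keys(xml_text):
    """Just the setting names, sorted, for a quick diff between two configs."""
    return sorted(key for key, _ in audit_web_config(xml_text))
```

Running finding_keys(WEAK_CONFIG) lists seven settings to fix, and audit_web_config(HARDENED_CONFIG) returns nothing; the checks are deliberately conservative (for example the timeout threshold of 60 minutes is a judgement call, not an ASP.NET rule).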

The different authentication methods (most of them performed by IIS before the request reaches ASP.NET) are:

  • Anonymous authentication: Used for public areas of Internet sites. It is supported by all browsers; IIS runs the request under the built-in IUSR_computername account, so no identity is established for the user.

  • Basic authentication: Requires a user name and password and transmits the password unencrypted: the credentials are Base64-encoded in the Authorization header, which is an encoding, not encryption. The assumption is that the connection between the client and server is secure and can be trusted; otherwise the credentials are effectively passed as plaintext and can be intercepted easily, so Basic should only be used over SSL. Its one real advantage is that it is supported by all popular web browsers and by practically every non-browser HTTP client.

  • Digest authentication: Addresses many of the weaknesses of Basic. The client sends an MD5 hash computed over the credentials, a server-issued nonce and the request, so the password itself never crosses the wire, and it is usable across proxy servers and other firewalls. The server verifies the response from a stored hash of user:realm:password, which is why IIS needs the domain to keep the password in a reversibly encrypted form (or, with Advanced Digest, a pre-computed hash). Two caveats: an eavesdropper can still run an offline dictionary attack against a captured response because MD5 is fast, and Digest offers single sign-on only within a single protection space (realm). If users navigate to a different web site, or even to a different server in the same site, they will usually be prompted to enter credentials again.

  • Integrated Windows Authentication: Used for private areas of intranets. A more secure form of authentication because the user name and password are not sent across the network; the client instead proves knowledge of the password through NTLM challenge-response or presents a Kerberos ticket (selected through the Negotiate package). It generally does not work through HTTP proxies and is supported out of the box mainly by Internet Explorer, which is why it is rarely used on the public Internet.

  • Certificates: Widely used for secure transactions over the Internet. The server's certificate lets clients verify the server and protects the channel with SSL; optionally, clients present their own certificates, which IIS can map to Windows accounts. To set this up, obtain a server certificate and configure certificate trust lists (CTLs) (for first use only).

  • Forms authentication: Used for personalization, where content is customized for a known user. In ASP.NET 2.0 this is typically achieved with the SQL Server membership provider or the Active Directory membership provider, and the ASP.NET login controls (Login, LoginStatus, CreateUserWizard and friends) implement the form and the ticket cookie handling.
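The Basic and Digest bullets above describe what goes over the wire; the following added example (not part of the original post) shows it concretely. It builds the Authorization header a browser would send for each scheme, recovers the password from the Basic header the way an on-path observer would, and implements the server-side Digest check of RFC 2617 with qop=auth, including the nonce-count replay check. The user name, realm, nonce and client nonce are constructed values, and the MD5 construction is the protocol's own, not a recommendation.

```python
import base64
import hashlib
import hmac
import re


def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()


def basic_header(user, password):
    """Authorization value a browser sends for Basic: base64 is encoding, not encryption."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def recover_basic(header):
    """What anyone on the path (a proxy, a sniffer) reads back from a Basic header."""
    user, password = base64.b64decode(header.split(" ", 1)[1]).decode().split(":", 1)
    return user, password


def digest_ha1(user, realm, password):
    """The only secret the server has to keep for Digest: MD5(user:realm:password)."""
    return md5_hex(f"{user}:{realm}:{password}")


def digest_header(user, realm, password, method, uri, nonce, cnonce, nc="00000001", qop="auth"):
    """Authorization value for RFC 2617 Digest with qop=auth; no password in it."""
    ha2 = md5_hex(f"{method}:{uri}")
    response = md5_hex(f"{digest_ha1(user, realm, password)}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return (f'Digest username="{user}", realm="{realm}", nonce="{nonce}", uri="{uri}", '
            f'qop={qop}, nc={nc}, cnonce="{cnonce}", response="{response}"')


def parse_digest(header):
    """Split the comma-separated key=value (quoted or bare) fields of a Digest header."""
    fields = {}
    for key, quoted, bare in re.findall(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', header):
        fields[key] = quoted or bare
    return fields


def verify_digest(header, stored_ha1, method, issued_nonces, seen):
    """Server-side check: recompute the response from the stored HA1 (the server
    never sees the password), accept only nonces this server issued, and reject
    any (nonce, nc) pair already accepted so a captured header cannot be replayed."""
    f = parse_digest(header)
    required = ("username", "realm", "nonce", "uri", "qop", "nc", "cnonce", "response")
    if any(k not in f for k in required) or f["qop"] != "auth":
        return False
    if f["nonce"] not in issued_nonces:
        return False  # nonce was not issued by this server (or already retired)
    ha2 = md5_hex(f"{method}:{f['uri']}")
    expected = md5_hex(f"{stored_ha1}:{f['nonce']}:{f['nc']}:{f['cnonce']}:{f['qop']}:{ha2}")
    if not hmac.compare_digest(expected, f["response"]):
        return False  # wrong password, wrong method/URI, or a tampered header
    if (f["nonce"], f["nc"]) in seen:
        return False  # replay of an already-accepted request
    seen.add((f["nonce"], f["nc"]))
    return True
```

Note what the Digest check does and does not give you: the response is bound to the method and URI, so a captured header cannot be replayed against a different resource, but because HA1 is a plain MD5 of user:realm:password, a captured header is still material for an offline guessing attack, which is why Digest over plain HTTP is an improvement on Basic rather than a substitute for SSL.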


Differences between NTLM and Kerberos in Windows authentication

NTLM authentication is the well-known (and much loved) challenge-response authentication mechanism and the default authentication protocol of Windows NT 4.0 and earlier Windows versions. It authenticates only the client, never the server, which is what makes NTLM relay attacks possible. For backward compatibility reasons, Microsoft still supports NTLM in Windows Server 2003, Windows Vista and later.


Kerberos, on the other hand, is a more complex ticket-based authentication mechanism that authenticates the client to the server and the server to the client (mutual authentication). While Kerberos is more secure, it is harder to set up properly: the client must be able to reach a domain controller (the KDC), the service needs a correctly registered Service Principal Name (typically HTTP/server-fqdn on the application pool account), and if that SPN is missing or duplicated, Negotiate quietly falls back to NTLM. On the client, klist shows whether a service ticket for the web server was actually obtained.


Kerberos has the following key advantages that make it worth consideration.

  • Performance: After the initial exchange the client caches a service ticket and presents it on later requests, and the web server validates it with its own key without contacting the domain controller. NTLM needs a fresh challenge-response exchange, plus a pass-through validation call to the domain controller, on every new connection, so Kerberos can perform better, particularly in large farm environments.
  • Delegation: Kerberos can delegate the client's credentials from the front-end web server (a SharePoint server, for example) to back-end servers such as SQL Server. Consider a web part that accesses a SQL Server database using a connection string that relies on the end-user's credentials (i.e., "Integrated Security=SSPI"). If the targeted SQL Server is not on the same physical server as SharePoint, the database login fails under NTLM authentication, because the web server holds no credential it can forward on the user's behalf. This is the dreaded "double-hop" scenario, which affects ASP.NET applications as well as SharePoint. Under Kerberos the login succeeds, provided the web server's account is trusted for delegation (unconstrained, or constrained to the SQL Server's SPN) and the user's ticket is forwardable.
  • Smart card logon: Kerberos supports it (via PKINIT), whereas NTLM does not.