Why Authentication and Authorization Needed Essay Example
Why Authentication and Authorization Needed Essay Example

Why Authentication and Authorization Needed Essay Example

Available Only on StudyHippo
  • Pages: 4 (910 words)
  • Published: August 30, 2018
  • Type: Instruction
View Entire Sample
Text preview

We Just had a brief look at the authentication providers of ASP. NET. Let us now go into detail and explore the authentication modes in detail.  Windows Authentication and hence, this should be configured within I'S. There are four different kinds of Windows authentication available: Anonymous, Basic, Digest and Integrated Windows Authentication. Anonymous Authentication: 11S doesn't perform any authentication checks. 11S allows any user to access the ASP. NET application. Basic Authentication: For this kind of authentication, the Windows user name and password have to be provided to connect. However, this information is sent over the network in plain text, and, hence, this is an insecure method of authentication. Digest Authentication: It is the same as basic authentication except for the fact that the password is hashed before it is sent across the network. However, to be using Digest Authentication, we must use Internet Explorer 5. 0 or


above. Integrated Windows Authentication: In this kind of authentication technique, passwords are not sent across the network.

The application here uses either the kerberos or challenge/response protocols to authenticate users. Kerberos, a network authentication protocol, is designed to provide strong authentication for client-server applications. It provides the tools of authentication and strong cryptography over the network to help secure information in systems across an entire enterprise. Passport Authentication: Passport authentication is a centralized authentication service. This uses Microsoft's Passport service to authenticate the users of an application.

If the authentication mode of an application is configured as "Passport", and if the users have signed up with Passport, then the authentication formalities are pushed over to Passport servers. Passport uses an encrypted cookie mechanism to identify an

View entire sample
Join StudyHippo to see entire essay

indicate authenticated users. If the users have already been signed into Passport when they visit the application page, ASP. NET will consider them as authenticated; otherwise, the users will be redirected to Passport servers to login. Upon successful login, theyll be redirected back to the application page. Forms Authentication: With forms authentication, custom logic can be built into an ASP. NET application. The following happens when forms authentication is us ed in an ASP. NET application: o When a user requests a page for the application, ASP. NET checks for the presence of a special session cookie. o If the cookie is present, ASP. NET assumes the user is authenticated and processes the request. o If the cookie isn't present, ASP. NET redirects the user to a web form where the custom logic has been built into the code.

The authentication checks can be incorporated into the web form, and when the user is authenticated ASP. NET needs to be informed of the same by setting a property. Once this is done, ASP. NET creates the special cookie to handle any subsequent requests. Authentication and Authorization - Configuring Authorization (Page 4 of 4 ) Impersonation is a technique that allows the ASP. NET process to act as the uthenticated user, or as an arbitrary specified user. ASP. NET impersonation is controlled by entries in the application's web. config file. By default, impersonation is disabled.

Including the following code in the file can explicitly turn impersonation off: ASP. NET does not perform impersonation if the above piece of code is found in the file. This means that ASP. NET will run with its own privileges. After

the user has been authenticated, ASP. NET uses it own identity to request access to resources. By default, ASP. NET runs as an unprivileged account. By changing the userName attribute of the process. Model section in the machine. onfg file, the account can be changed from a low-privileged one to a high-privileged one.

When this modification is made, it applies to all sites on the server. If the userName attribute of the process. Model is changed to SYSTEM, the user account becomes a high privileged account. However, this is a security risk as it elevates the privileges of the ASP. NET process and the OS may be at risk. To enable impersonation, the following code should be included: In this case, ASP. NET takes on the identity 11S passes to it. If anonymous access is allowed in I'S, ASP. NET will impersonate the IUSR_ComputerName account that 11S ses. If anonymous access is not allowed, ASP.

NET will take on the credentials of the authenticated user and makes requests for resources taking on that identity. A further important feature of any ASP. NET application is that a particular identity can also be used for all authenticated requests. To accomplish this, the following line of code needs to be included: In this case, all authenticated users will be taking on the identity and using this identity ASP. NET makes all requests for resources. The drawback to this technique is that the password must be coded in plain text in the web. confg file. Though ASP. NET oes not allow for this file to be downloaded, it is still a security risk. Best Practices Below is a list

of some best practices to help you in choosing an authentication mode and configuring authorization: If there is no sensitive data in the application, no anonymous authentication is the best authentication mode. This allows all users, who have access to the host, to access the application. If authentication of users needs to be performed, there are several choices. Windows Authentication in ASP. NET is the best authentication mode to use if all user accounts exist on the network in which the application is running.

Get an explanation on any task
Get unstuck with the help of our AI assistant in seconds