ASP.NET authentication and authorization



ASP.NET includes several features that make it easy to control access to your website. You use authentication to identify a user, typically by a user name and password, and ASP.NET can store those credentials, together with other information about the user, in a variety of places such as a SQL Server database. You use authorization to specify which pages in the application a particular user or role is allowed to reach. Both are configured in the web.config file of the website, and the distinction matters: authentication establishes who the caller is, authorization decides what that caller may do, and a site that configures only the first is still open to every logged-in user.

The ASP.NET login controls let you build login pages for user authentication with very little custom code. Behind them, the Membership class provides methods for validating users' credentials and managing their accounts, and the Roles class groups users by their role in the application so that access to parts of the system can be granted on that basis rather than user by user.


In this article you will learn about the following:

  • What is Authentication?
  • Types of Authentication.
  • What is Authorization?
  • Role Management.
  • Configuration of authentication and authorization using web.config file.
  • Implement registration page for users.
  • Implement a login page.

What is Authentication?

Authentication is the process by which users prove their identity. This usually involves the user entering a user name and password on a login page. ASP.NET provides three authentication mechanisms:

  • Windows Authentication
  • Forms Authentication
  • Passport Authentication

Windows Authentication

If you configure your application to use Microsoft Windows authentication, IIS (Internet Information Services) validates the user by checking the credentials presented by the browser (Kerberos or NTLM for Integrated Windows Authentication, or a user name and password for Basic authentication) against a local or domain Windows account. ASP.NET then exposes that Windows account to your code as User.Identity.

Why Windows authentication:

  • Windows authentication is generally used when all users accessing the application belong to the same organization and already have Windows accounts.
  • Because it validates against Windows accounts, there are no passwords for the application to store or protect. This makes it a very good fit for intranet sites where you know your users; it is a poor fit for the public Internet.

How to implement Windows authentication in an ASP.NET website?

To use Windows authentication, you configure both IIS and ASP.NET and create a Windows account (local or domain) for each user you need to identify.

Now configure the ASP.NET application:

  1. Open the web.config file in the root folder of your application.
  2. Locate the <system.web> and </system.web> tags. Add the authentication element between these tags:
<authentication mode="Windows"/>

Then, in IIS Manager, enable Windows Authentication for the site and disable Anonymous Authentication. The mode="Windows" setting only tells ASP.NET to trust whatever identity IIS hands it; as long as anonymous access stays enabled, every request arrives unauthenticated and User.Identity.IsAuthenticated is false.

Forms Authentication

Windows authentication is useful only if all of your users have Windows accounts. If you are building an Internet application, Windows authentication is neither practical nor desirable, so you will usually store user accounts somewhere other than the Windows security system. For example, you can store user credentials in a database hosted on Microsoft SQL Server and record properties that a Windows account does not have.

When you configure Forms authentication, you specify a login page. When an unauthenticated user requests a protected page, ASP.NET redirects the browser to the login page, passing the original address in the ReturnUrl query string. There the user enters credentials, which your code (or the Login control together with a membership provider) checks against the stored credentials. On success, ASP.NET issues an authentication ticket in a cookie and sends the user back to the page originally requested.

How to implement Forms authentication in an ASP.NET website?

Forms authentication requires a login page that collects credentials from the user and compares them against stored credentials.

First create the login page:

1. Add a new Web Form to your application and name it "Login.aspx".

2. In Design view, drag a Login control from the toolbox onto the form.

That is all it takes to create the login page: the Login control renders the user name and password boxes and, by default, validates the entered values with Membership.ValidateUser against the membership provider configured in web.config, then issues the Forms authentication cookie.

To configure Forms authentication for your ASP.NET application:

1. Open the web.config file in the root folder of your application.

2. Locate the <system.web> and </system.web> tags. Add the following element between these tags (note the closing </authentication> tag, and make loginUrl match the page name exactly, since file names are case-sensitive on some servers):

<authentication mode="Forms">
  <forms name="MainLogin" loginUrl="Login.aspx"/>
</authentication>

On its own this only tells ASP.NET where the login page is. Nothing is protected until an <authorization> section denies anonymous users, which is covered under "What is Authorization?" later in this article.
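The article says you must write code to check the credentials; with the Login control and a membership provider that code is short. The following is an added example (not code from the original article) of the code-behind for the login page, plus the registration page promised in the outline. It assumes Login.aspx holds a Login control with ID="Login1" whose OnAuthenticate and OnLoggedIn attributes point at the two handlers, that Register.aspx holds TextBoxes named UserNameBox, PasswordBox and EmailBox, a Label named StatusLabel and a Button wired to RegisterButton_Click, that web.config configures Forms authentication with a membership and a role provider, that the roles "Member" and "Admin" already exist, and that the administration pages live under ~/Admin/. All of those names are assumptions.

```csharp
// Added example (not from the original article): code-behind for Login.aspx and a
// simple Register.aspx built on the Membership and Roles classes discussed above.
// Assumed names: Login control "Login1"; TextBoxes UserNameBox, PasswordBox,
// EmailBox; Label StatusLabel; roles "Member" and "Admin"; admin area ~/Admin/.
using System;
using System.Web.Security;
using System.Web.UI.WebControls;

public partial class Login : System.Web.UI.Page
{
    // Raised when the user submits the Login control. Setting e.Authenticated = true
    // makes the control issue the Forms ticket cookie and redirect to ReturnUrl.
    protected void Login1_Authenticate(object sender, AuthenticateEventArgs e)
    {
        // ValidateUser checks the (hashed) password in the membership store and also
        // returns false for locked-out or unapproved accounts, so one code path covers
        // "wrong password", "no such user" and "locked out". Keep the control's single
        // FailureText for all of them so the page does not reveal which it was.
        e.Authenticated = Membership.ValidateUser(Login1.UserName, Login1.Password);
    }

    // Raised after the ticket has been issued, before the control redirects.
    protected void Login1_LoggedIn(object sender, EventArgs e)
    {
        // Role-based routing: Roles reads from the role provider configured in web.config.
        // Access to ~/Admin/ itself must still be enforced by <authorization> rules;
        // this redirect is a convenience, not the access check.
        if (Roles.IsUserInRole(Login1.UserName, "Admin"))
        {
            Response.Redirect("~/Admin/Default.aspx", false);
        }
    }
}

public partial class Register : System.Web.UI.Page
{
    protected void RegisterButton_Click(object sender, EventArgs e)
    {
        // CreateUser enforces the provider's password policy (length, complexity,
        // unique e-mail) and reports the outcome through status rather than by
        // throwing, so the status must be checked before the account is trusted.
        MembershipCreateStatus status;
        Membership.CreateUser(UserNameBox.Text, PasswordBox.Text, EmailBox.Text,
                              null, null, true, out status);

        if (status != MembershipCreateStatus.Success)
        {
            StatusLabel.Text = DescribeFailure(status);
            return;
        }

        // Every new account starts in the least-privileged role. "Admin" is only
        // ever granted by an administrator, never by self-registration.
        Roles.AddUserToRole(UserNameBox.Text, "Member");

        // Log the new user in with a non-persistent cookie and send them to defaultUrl.
        FormsAuthentication.SetAuthCookie(UserNameBox.Text, false);
        Response.Redirect(FormsAuthentication.DefaultUrl, false);
    }

    // Map provider status codes to messages that help the user without restating
    // the password policy in more detail than necessary.
    private static string DescribeFailure(MembershipCreateStatus status)
    {
        switch (status)
        {
            case MembershipCreateStatus.DuplicateUserName:
                return "That user name is already taken.";
            case MembershipCreateStatus.DuplicateEmail:
                return "That e-mail address is already registered.";
            case MembershipCreateStatus.InvalidPassword:
                return "The password does not meet the length or complexity requirements.";
            case MembershipCreateStatus.InvalidEmail:
                return "The e-mail address is not valid.";
            default:
                return "Registration failed. Please try again.";
        }
    }
}
```

Two points a reviewer would check in this code: the login handler never branches on why validation failed, so an attacker cannot use the response to enumerate user names or lockout state, and the redirect after login relies on ASP.NET's own ReturnUrl handling. Leave enableCrossAppRedirects on the <forms> element at its default of false so that ReturnUrl values outside the application are not honoured.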

Passport Authentication

Passport authentication relies on a centralized service provided by Microsoft. It identifies a user by e-mail address and password, and a single Passport account can be used with many different Web sites.

Passport authentication is meant for the case where one user name and password combination signs a user in to a whole group of Web sites. The closest everyday example is a Google account: with a single e-mail address and password you can use YouTube, Gmail, Blogger and most other Google Web applications.

It is useful when there are many users and you do not want to manage their accounts yourself. When a user logs in, the browser is sent to the Passport site (for example Hotmail's sign-in page), where the authentication happens. If it succeeds, the user is returned to your site with a ticket that your site verifies.

Note that Passport authentication is obsolete: Microsoft retired the .NET Passport service in favour of Windows Live ID (now Microsoft account), and the Passport classes in System.Web.Security are marked Obsolete from .NET Framework 4.0 onwards. Treat this section as historical and do not use mode="Passport" in new applications.

How to implement Passport authentication in an ASP.NET website?

To implement Passport authentication you first had to register with the Microsoft Passport service on the Microsoft Passport Network website and download the .NET Passport SDK from the same location.

To configure Passport authentication for your ASP.NET application:

1. Open the web.config file in the root folder of your application.

2. Locate the <system.web> and </system.web> tags. Add the following element between these tags:

<authentication mode="Passport"/>

What is Authorization?

Authorization is the process of granting or denying access to resources according to the rights defined for the entity (a user or a role) requesting them. Authentication tells you who the user is; authorization decides what that user may do. Together they let you customize a site by user, by role, or by preference.

How to configure authorization for a web application

To configure URL authorization for a directory in an ASP.NET website:

1. In Microsoft Visual Studio, if there is no web.config file in the directory, right-click the directory in Solution Explorer and then click Add New Item.

2. In the Add New Item dialog box, click Web Configuration File and then click Add. A new web.config file is added and displayed.

3. Locate the <system.web> and </system.web> tags. Add the following markup between these tags (the <allow> and <deny> elements must be wrapped in an <authorization> element):

<authorization>
  <allow users="Kim"/>
  <allow roles="Admin"/>
  <allow users="John"/>
  <deny users="?"/>
</authorization>

This example shows how to grant access to individual users, such as Kim and John, or to roles, such as Admin. <allow> tags permit access and <deny> tags prevent it. ASP.NET evaluates the rules top to bottom and stops at the first one that matches the current user, so rules appearing earlier in the list take precedence over those that appear later. Rules in a subdirectory's web.config are evaluated before the parent directory's, and the machine-wide root web.config ends the combined list with <allow users="*"/>, so any user who is not explicitly denied is allowed. Always finish your own list with a <deny> for whoever should be kept out.

Two special characters can be used:

  • "?" indicates anonymous (unauthenticated) users.
  • "*" indicates all users. If you place an <allow> or <deny> for "*" at the bottom of the list, it becomes the default for any user not mentioned above it.

Note that the example above still admits every authenticated user, because the deny covers only anonymous ones; to restrict the directory to Kim, John and the Admin role, end the list with <deny users="*"/> instead. URL authorization also only covers requests that ASP.NET handles. Under the classic IIS pipeline, static files such as .html or .pdf are served by IIS without consulting these rules unless their extensions are mapped to ASP.NET; under the integrated pipeline of IIS 7 and later, the managed UrlAuthorizationModule is registered with the managedHandler precondition, so the same gap exists unless you re-register the module without that precondition or set runAllManagedModulesForAllRequests="true".
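The Forms authentication element and the authorization rules above are fragments of one web.config; the Login control and the Roles class also need a membership and a role provider declared there. The following is an added example of the complete file (not from the original article) that puts the pieces together and hardens the cookie settings. It assumes a connection string named "MembershipDb", a SQL Server database prepared with aspnet_regsql.exe, a role named "Admin", and an "Admin" subfolder whose rules are given with a <location> element instead of a second web.config; all of those names are assumptions.

```xml
<?xml version="1.0"?>
<!-- Added example web.config, not from the original article. Assumed names:
     connection string "MembershipDb", role "Admin", subfolder "Admin". -->
<configuration>
  <connectionStrings>
    <add name="MembershipDb"
         connectionString="Data Source=.;Initial Catalog=AppDb;Integrated Security=True"
         providerName="System.Data.SqlClient" />
  </connectionStrings>

  <system.web>
    <authentication mode="Forms">
      <!-- protection="All" encrypts and signs the ticket; requireSSL keeps the cookie
           off plain HTTP; timeout is in minutes and resets on each request because
           slidingExpiration is on; UseCookies refuses to put the ticket in the URL. -->
      <forms name="MainLogin" loginUrl="Login.aspx" protection="All"
             requireSSL="true" slidingExpiration="true" timeout="30"
             cookieless="UseCookies" enableCrossAppRedirects="false" />
    </authentication>

    <!-- Site-wide rules. First match wins, so the deny for anonymous users must come
         before the <allow users="*"/> that the machine-level root web.config appends. -->
    <authorization>
      <deny users="?" />
      <allow users="*" />
    </authorization>

    <!-- HttpOnly keeps the ticket away from script; requireSSL marks all cookies Secure. -->
    <httpCookies httpOnlyCookies="true" requireSSL="true" />

    <membership defaultProvider="SqlProvider">
      <providers>
        <clear />
        <add name="SqlProvider"
             type="System.Web.Security.SqlMembershipProvider, System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
             connectionStringName="MembershipDb" applicationName="/"
             passwordFormat="Hashed" enablePasswordRetrieval="false"
             enablePasswordReset="true" requiresQuestionAndAnswer="false"
             requiresUniqueEmail="true" minRequiredPasswordLength="12"
             minRequiredNonalphanumericCharacters="1"
             maxInvalidPasswordAttempts="5" passwordAttemptWindow="10" />
      </providers>
    </membership>

    <roleManager enabled="true" defaultProvider="SqlRoleProvider">
      <providers>
        <clear />
        <add name="SqlRoleProvider"
             type="System.Web.Security.SqlRoleProvider, System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
             connectionStringName="MembershipDb" applicationName="/" />
      </providers>
    </roleManager>
  </system.web>

  <!-- Folder-level rules without a second web.config: Kim and the Admin role get in;
       everyone else, authenticated or not, is denied because "*" is matched last. -->
  <location path="Admin">
    <system.web>
      <authorization>
        <allow users="Kim" />
        <allow roles="Admin" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

Two consequences of these settings are worth testing before deployment. With requireSSL="true" on <forms>, the authentication cookie is only sent over HTTPS, so a site that is reachable over plain HTTP will appear to log the user in and then immediately bounce back to Login.aspx; serve the whole application over HTTPS. And maxInvalidPasswordAttempts together with passwordAttemptWindow locks an account after five failures within ten minutes, after which Membership.ValidateUser returns false for the correct password too until an administrator calls MembershipUser.UnlockUser.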
About Me
Harpreet Singh
I began programming with C++ when I was 17. Then, in the middle of my studies, .NET came. Then I began to read C# and VB.NET. By then I had learnt SQL and ASP.NET, and developed some websites such as news portals that are active now. Currently I am running my own software company.