Authentication and Authorization in Asp.Net


This presentation first explains why security is important, then introduces authentication and authorization and the different ways ASP.NET supports them:

1. Forms Authentication
2. Windows Authentication
3. Passport Authentication

Published in: Technology


  1. Topics – Authentication and Authorization
     1. Introduction
        - Why is security important in today's world?
        - Different ways to secure your website / application
     2. What is IIS, and how do you install and host an ASP.NET website?
     3. What is Authentication?
     4. What is Authorization?
     5. What is an Identity Object?
     6. What is a Principal Object?
  2. Topics – Authentication and Authorization (continued)
     - Different ways of Authentication:
        - Forms Authentication
           - Using cookies
           - Cookieless
        - Windows Authentication
        - Passport Authentication
  3. Introduction – Why is Security Important?
     1. Security is one of the most important parts of any website or web application.
     2. Hackers are out there waiting for us and use various ways to exploit a website / web application.
     3. A hacker can attack in many ways:
        - Brute force
        - Sniffers
        - Spoofing
        - Social engineering
        - SQL injection
  4. Introduction – Different Ways to Secure your Application
     - Design your application well.
     - Encrypt the data while storing it.
     - Validate input.
     - Force users to choose strong passwords.
     - Authentication and Authorization.
  5. What is Internet Information Services (IIS)?
     - IIS is one of the most powerful web servers, developed by Microsoft to host ASP.NET websites and applications.
     - Its responsibility is to send a response back for each request sent by the client.
     - How does IIS work?
  6. What is Authentication?
     - The dictionary meaning of "authentication" is "to check someone's genuineness".
     - In ASP.NET, authentication means the same: it is the process of checking a person's credentials.
     - Examples: Facebook, Yahoo, Gmail.
     What is Authorization?
     - Granting access to a resource based on the user's role.
     - Authentication always precedes authorization.
  7. What is an Identity Object?
     - An Identity object stores information about an authenticated user.
     - It comes in two types of object: "WindowsIdentity" and "GenericIdentity".
     What is a Principal Object?
     - A Principal object defines the roles of the authenticated user.
     - A Principal object encapsulates the Identity object.
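The following is an added example, not part of the original slides, showing the two objects in code: authentication produces an Identity (here a GenericIdentity wrapped in a GenericPrincipal), and authorization then asks the Principal about roles, never the other way round. The credential table and the role table are constructed for the demo; a real application validates against a database or membership provider and stores salted password hashes rather than passwords.

```csharp
// Added example (not from the original slides): Identity and Principal objects in .NET.
using System;
using System.Collections.Generic;
using System.Security.Principal;
using System.Threading;

static class IdentityDemo
{
    // Constructed, in-memory credential and role tables for illustration only.
    // A real store holds salted password hashes, not the passwords themselves.
    private static readonly Dictionary<string, string> Passwords = new Dictionary<string, string>
    {
        { "alice", "correct horse battery staple" },   // constructed sample credentials
        { "bob",   "hunter2" }
    };
    private static readonly Dictionary<string, string[]> Roles = new Dictionary<string, string[]>
    {
        { "alice", new[] { "Admin", "User" } },
        { "bob",   new[] { "User" } }
    };

    // Step 1: authentication. On success the Identity carries the user's name and the
    // authentication type; on failure an Identity with an empty name is returned, and
    // GenericIdentity reports IsAuthenticated == false for an empty name.
    public static IPrincipal Authenticate(string userName, string password)
    {
        string expected;
        if (Passwords.TryGetValue(userName, out expected) && expected == password)
        {
            var identity = new GenericIdentity(userName, "CustomForm");
            return new GenericPrincipal(identity, Roles[userName]);   // Principal wraps the Identity
        }
        return new GenericPrincipal(new GenericIdentity(string.Empty), new string[0]);
    }

    // Step 2: authorization. Roles are only meaningful once IsAuthenticated is true.
    public static bool Authorize(IPrincipal principal, string requiredRole)
    {
        return principal.Identity.IsAuthenticated && principal.IsInRole(requiredRole);
    }

    static void Main()
    {
        IPrincipal p = Authenticate("bob", "hunter2");

        // ASP.NET assigns the authenticated principal to HttpContext.Current.User;
        // in a console application the equivalent is the thread's principal.
        Thread.CurrentPrincipal = p;

        Console.WriteLine("Authenticated: " + p.Identity.IsAuthenticated);
        Console.WriteLine("Type:          " + p.Identity.AuthenticationType);
        Console.WriteLine("Can view:      " + Authorize(p, "User"));
        Console.WriteLine("Can admin:     " + Authorize(p, "Admin"));

        // WindowsIdentity / WindowsPrincipal implement the same interfaces, but the
        // operating system populates them instead of your own code.
        var win = new WindowsPrincipal(WindowsIdentity.GetCurrent());
        Console.WriteLine("Windows user:  " + win.Identity.Name +
                          ", local admin: " + win.IsInRole(WindowsBuiltInRole.Administrator));
    }
}
```

Because both GenericPrincipal and WindowsPrincipal implement IPrincipal, application code written against the interface (as Authorize is here) works unchanged whether the user was authenticated by a custom form or by Windows.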
  8. Forms Authentication
     - Forms Authentication is a cookie-based authentication scheme: a cookie is stored on the client's machine.
     - It makes use of a custom form to accept the user's credentials.
     - Credentials are validated against the information stored in a specific source.
     - Advantages:
        - It is the simplest way of authenticating users for websites and applications.
        - The user does not have to log in again and again to the same application.
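Below is an added example of a Forms Authentication login page; it is not code from the original slides. It assumes the web.config settings quoted in the leading comment (the setting names are standard ASP.NET settings, the values are illustrative) and a Login.aspx markup page with hypothetical controls named UserName, Password, FailureText and LoginButton. The credential store is constructed in memory to stand in for the "specific source" the slide mentions, and it holds salted PBKDF2 hashes rather than passwords.

```csharp
// Added example (not from the original slides): Login.aspx.cs for Forms Authentication.
// Assumed web.config:
//
//   <system.web>
//     <authentication mode="Forms">
//       <!-- protection="All" encrypts and signs the ticket; requireSSL keeps the cookie off plain HTTP -->
//       <forms loginUrl="Login.aspx" protection="All" requireSSL="true"
//              timeout="20" slidingExpiration="false" cookieless="UseCookies" />
//     </authentication>
//     <authorization>
//       <deny users="?" />   <!-- "?" = anonymous users: they are redirected to loginUrl -->
//     </authorization>
//   </system.web>
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Web.Security;
using System.Web.UI;

public partial class Login : Page
{
    // Constructed stand-in for the credential source (normally a database or membership provider).
    private sealed class StoredCredential { public byte[] Salt; public byte[] Hash; }
    private const int Iterations = 100000;
    private static readonly Dictionary<string, StoredCredential> Users = BuildSampleStore();

    private static Dictionary<string, StoredCredential> BuildSampleStore()
    {
        var store = new Dictionary<string, StoredCredential>(StringComparer.OrdinalIgnoreCase);
        var salt = new byte[16];
        using (var rng = new RNGCryptoServiceProvider()) rng.GetBytes(salt);
        // Sample account for the demo only (constructed credentials).
        store["alice"] = new StoredCredential { Salt = salt, Hash = Derive("correct horse battery staple", salt) };
        return store;
    }

    // PBKDF2 (RFC 2898) with a per-user salt: the stored value cannot be turned back into the password.
    private static byte[] Derive(string password, byte[] salt)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations))
            return kdf.GetBytes(32);
    }

    // Compare every byte so the time taken does not depend on where the first mismatch is.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    private static bool ValidateUser(string userName, string password)
    {
        StoredCredential cred;
        if (!Users.TryGetValue(userName, out cred)) return false;
        return FixedTimeEquals(cred.Hash, Derive(password, cred.Salt));
    }

    // Click handler of the hypothetical LoginButton control.
    protected void LoginButton_Click(object sender, EventArgs e)
    {
        if (ValidateUser(UserName.Text, Password.Text))
        {
            // Issues the encrypted, signed forms ticket as a cookie and sends the browser back to
            // the page it originally requested. false = session cookie, not a persistent one.
            FormsAuthentication.RedirectFromLoginPage(UserName.Text, false);
        }
        else
        {
            // One generic message for unknown user and wrong password alike.
            FailureText.Text = "Invalid user name or password.";
        }
    }

    // Logging out only requires removing the forms ticket cookie.
    protected void LogoutButton_Click(object sender, EventArgs e)
    {
        FormsAuthentication.SignOut();
        FormsAuthentication.RedirectToLoginPage();
    }
}
```

The cookie the slide describes is the forms ticket that RedirectFromLoginPage issues; its protection and lifetime come entirely from the `<forms>` element, which is why protection, requireSSL and timeout are worth setting explicitly rather than left at their defaults.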
  9. Windows Authentication
     - Windows Authentication is used in an intranet environment.
     - Users' credentials are validated against the information stored in the Windows Users group.
     - It is not available in the Windows 7 Home Premium, Home Basic and Starter editions.
  10. Types of Windows Authentication
     1. Anonymous Authentication – does not authenticate the user.
     2. Basic Authentication – the user is authenticated and the credentials are sent in Base64-encoded format.
     3. Digest Authentication – works like Basic Authentication, but sends the credentials in an encrypted format.
     4. Integrated Windows Authentication – uses either NTLM or Kerberos for authentication.
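As an added example (not from the original slides), the handler below shows what Windows Authentication gives ASP.NET once IIS has done the work: a WindowsPrincipal whose Identity.AuthenticationType names the type used from the list above. It assumes the configuration quoted in the leading comment (real ASP.NET and IIS setting names, illustrative values) and a handler registered in web.config; the group name used as a role is illustrative.

```csharp
// Added example (not from the original slides): inspecting the Windows identity handed to ASP.NET.
// Assumed configuration:
//
//   <system.web>
//     <authentication mode="Windows" />
//     <authorization>
//       <allow roles="BUILTIN\Administrators" />   <!-- Windows group names act as roles -->
//       <deny users="*" />
//     </authorization>
//   </system.web>
//   <system.webServer>
//     <security>
//       <authentication>
//         <anonymousAuthentication enabled="false" />
//         <windowsAuthentication enabled="true" />     <!-- Integrated: Negotiate (Kerberos) / NTLM -->
//       </authentication>
//     </security>
//   </system.webServer>
using System;
using System.Security.Principal;
using System.Web;

public class WhoAmIHandler : IHttpHandler
{
    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        context.Response.ContentType = "text/plain";

        // With mode="Windows" the challenge/response has already happened in IIS;
        // ASP.NET exposes the result as a WindowsIdentity on context.User.
        var identity = context.User.Identity as WindowsIdentity;
        if (identity == null || !identity.IsAuthenticated)
        {
            // Anonymous Authentication: nobody was authenticated.
            context.Response.StatusCode = 401;
            context.Response.Write("Not authenticated (anonymous).");
            return;
        }

        // AuthenticationType reports which scheme IIS used, e.g. "Basic", "Digest",
        // "NTLM", "Kerberos" or "Negotiate".
        context.Response.Write("User:   " + identity.Name + "\n");
        context.Response.Write("Method: " + identity.AuthenticationType + "\n");

        // Authorization by Windows group membership.
        var principal = new WindowsPrincipal(identity);
        context.Response.Write("Local admin: " + principal.IsInRole(WindowsBuiltInRole.Administrator) + "\n");

        // Base64 is an encoding, not encryption: with Basic Authentication the password is
        // recoverable from the Authorization header by anyone on the path, so Basic is only
        // acceptable over HTTPS.
        if (string.Equals(identity.AuthenticationType, "Basic", StringComparison.OrdinalIgnoreCase)
            && !context.Request.IsSecureConnection)
        {
            context.Response.Write("WARNING: Basic credentials are travelling in the clear; enable HTTPS.\n");
        }
    }
}
```

Deployed on an intranet domain member, the same handler reports "Kerberos" or "NTLM" depending on which mechanism Negotiate settled on, which is a quick way to confirm that Integrated Windows Authentication, and not a fallback to Basic, is actually in use.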
  11. Working process of NTLM – also known as the Challenge-Response process
  12. Authentication using the Kerberos Mechanism
     Authentication using Kerberos involves 3 main components:
     - Authentication Service (AS) – validates the username and password and sends a simple ticket.
     - Ticket Granting Server (TGT) – the client sends the ticket to the TGT, which sends back a Service Ticket.
     - Service Broker (SB) – the SB generates the connection and creates a session for the user to use the application.
  14. Passport Authentication
     - The user's credentials are authenticated by Microsoft's websites (Windows Live, Hotmail).
     - Users are sent to Microsoft's login page for authentication.
     - The user is not authorized.
     - The developer does not need to create his own custom login form.
     - To use the Passport Authentication service, you have to download the .NET Passport SDK and also register the application using the .NET Service Manager.
  15. THANK YOU