Authentication Methods in ASP.NET

Introduction

Authentication is a major concern for both application architects and developers. Applications that store sensitive information need to be protected from malicious attacks and from competitors attempting to steal information or intellectual property. When designing a security model for your application, you need to be aware of the authentication requirements from a business perspective and of the implications that a chosen security model can have on performance, scalability, and deployment.

Authentication Methods

ASP.NET provides different methods to authenticate a user:

  • Anonymous Authentication
  • Basic Authentication
  • Digest Authentication
  • Integrated Windows Authentication
  • Certificate Authentication
  • Passport Authentication
  • Forms Authentication
  • Using Cookies

Overview of Anonymous Authentication

  • No authentication occurs in either IIS or ASP.NET.
  • Good choice for a publicly available Web site that does not need the identity of the caller.
  • No browser restrictions.

Typical Usage Scenarios

Consider Anonymous authentication when:

  • Caller name and/or password is not required for logon or business logic components.
  • The information you are protecting is considered "public".

Do not use Anonymous authentication when:

  • You require a logon name and password.

Other considerations

  • Good choice for sites containing personalized content only; for example, a news site that is only interested in the user's zip code.
  • Impersonation cannot be used.
  • Appropriate permissions need to be configured for the anonymous user account.
  • Gives the highest performance, but the lowest security.

Implementation

  • Configure IIS for Anonymous authentication.
  • Configure the appropriate anonymous user account in IIS.
  • Configure the ASP.NET Web.config file.

    <!-- web.config file -->
    <system.web>
        <authentication mode="None" />
    </system.web>

Overview of Basic Authentication

IIS instructs the browser to send the user's credentials over HTTP.

  • The browser prompts the user with a dialog box.

  • User names and passwords are sent using Base64 encoding, which is NOT secure.

Most browsers support Basic authentication.

Typical usage scenarios

Consider Basic authentication when you require:

  • Users to have Windows NT Domain or Active Directory accounts.

  • Support for multiple browsers.

  • Support for authentication over the Internet.

  • Access to the clear text password in your application code.

  • Delegation.

Do not use Basic authentication when you require:

  • Storage of information in a custom database.

  • A customized form presented to the user as a logon page.

Other considerations

  • Delegation is possible using Basic authentication.

  • Combine Basic authentication with SSL to prevent passwords from being deciphered.

Implementation

  • Configure IIS for Basic authentication.

  • Configure user accounts to have "log on locally" enabled on the Web server.

  • Configure the ASP.NET Web.config file.

    <!-- web.config file -->
    <system.web>
        <authentication mode="Windows" />
    </system.web>

Overview of Digest Authentication

  • New to Windows 2000 and IIS 5.0.

  • Encrypts the user's password using MD5.

  • Dependent on browser and server capabilities.

  • Cannot perform delegation.

Typical usage scenarios

Consider Digest authentication when:

  • The Web server is running Windows 2000 and users have Windows accounts stored in Active Directory.

  • All clients use either the .NET platform or Internet Explorer 5.0 or later.

  • Password encryption above that of Basic authentication is required.

  • Support of authentication over the Internet is required.

Do not use Digest authentication when:

  • Some clients use platforms other than .NET or Internet Explorer 5.0 or later.

  • Users do not have Windows accounts stored in Active Directory.

  • Delegation is required.

Other considerations

Security

  • Digest authentication is more secure than Basic authentication alone.
  • Less secure than Basic authentication with SSL.
  • Can also be combined with SSL.

Platform requirements for Digest authentication

  • Clients - .NET or Internet Explorer 5.0 (or later).
  • Server - running Active Directory with user accounts configured for Digest authentication.

Implementation

  • Configure IIS for Digest authentication.
  • Configure the ASP.NET Web.config file.

    <!-- web.config file -->
    <system.web>
        <authentication mode="Windows" />
    </system.web>
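To make concrete what the Basic and Digest sections above say about what travels on the wire, here is an added example (not code from the original article) that builds the Authorization material for the same credentials both ways: under Basic the user name and password are recoverable from the header by anyone who can read the request, while under Digest (RFC 2617, shown here without qop) only MD5 hashes are sent. The user name, password, realm, URI and nonce are constructed sample values.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example, not from the original article. All credential, realm, URI and
// nonce values passed in from Main are constructed samples.
static class WireFormats
{
    // Basic: "user:password" is only Base64-encoded. Base64 is an encoding, not
    // encryption, so the header is plaintext to anyone who can read the request.
    public static string BasicHeader(string user, string password)
    {
        byte[] raw = Encoding.ASCII.GetBytes(user + ":" + password);
        return "Authorization: Basic " + Convert.ToBase64String(raw);
    }
    // The credentials come straight back out, which is why the article says to
    // combine Basic authentication with SSL.
    public static string DecodeBasic(string header)
    {
        string b64 = header.Substring(header.IndexOf("Basic ", StringComparison.Ordinal) + 6);
        return Encoding.ASCII.GetString(Convert.FromBase64String(b64));
    }
    static string Md5Hex(string s)
    {
        using (MD5 md5 = MD5.Create())
            return BitConverter.ToString(md5.ComputeHash(Encoding.ASCII.GetBytes(s)))
                               .Replace("-", "").ToLowerInvariant();
    }
    // Digest (RFC 2617, no qop): response = MD5(HA1:nonce:HA2), HA1 = MD5(user:realm:password),
    // HA2 = MD5(method:uri). The password never leaves the client, which is what the article
    // means by "encrypts the password using MD5". A captured response can still be guessed
    // against offline, which is why the article ranks Digest below Basic over SSL.
    public static string DigestResponse(string user, string realm, string password,
                                        string method, string uri, string nonce)
    {
        string ha1 = Md5Hex(user + ":" + realm + ":" + password);
        string ha2 = Md5Hex(method + ":" + uri);
        return Md5Hex(ha1 + ":" + nonce + ":" + ha2);
    }
    static void Main()
    {
        string basic = BasicHeader("alice", "S3cret!");
        Console.WriteLine(basic);
        Console.WriteLine("Recovered from the Basic header: " + DecodeBasic(basic));
        Console.WriteLine("Digest response: " +
            DigestResponse("alice", "intranet", "S3cret!", "GET", "/reports/", "0a1b2c3d4e5f"));
    }
}
```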
Overview of Integrated Windows Authentication

  • Uses either NTLM challenge/response or Kerberos to authenticate users with a Windows NT Domain or Active Directory account.
  • No password is sent across the network.
  • Best suited to an intranet environment.
  • Works with Internet Explorer 3.01 or later.

Typical usage scenarios

Consider Integrated Windows authentication when:

  • Users have Windows NT Domain or Active Directory accounts.
  • Your application runs on an intranet (behind a firewall).
  • All clients are running Internet Explorer 3.01 or later.
  • Delegation is required (requires Kerberos).
  • A seamless logon procedure for domain users is required (e.g. without pop-up logon dialog boxes).

Do not use Integrated Windows authentication when:

  • User accounts are stored in an external database.
  • Authentication over the Internet is required.
  • Clients are using non-Microsoft browsers.
  • You need the client's clear text password.

Other considerations

  • NTLM and Kerberos are considered highly secure.
  • NTLM does not support delegation; Kerberos does.
  • Neither NTLM nor Kerberos is commonly used over the Internet.
  • Kerberos is faster than NTLM, but neither is as fast as Basic authentication.

Implementation

  • Clients and servers must be running Windows 2000 in a Windows 2000 domain.
  • User and service accounts must be enabled for delegation.
  • Configure IIS for Integrated Windows authentication.
  • Configure the ASP.NET Web.config file.

    <!-- web.config file -->
    <system.web>
        <authentication mode="Windows" />
    </system.web>
Overview of Certificate Authentication

  • A certificate is a digital "key" installed on a computer.
  • Certificates can be mapped to user accounts.

Typical usage scenarios

Consider Certificate authentication when:

  • Data is considered very sensitive and you require a very secure solution.
  • Mutual authentication is required.
  • Third parties will manage the relationship between the server and the certificate holder.
  • Client interaction must be seamless; for example, automated B2B exchanges.

Do not use Certificate authentication when:

  • The cost of issuing and managing client certificates outweighs the value of the added security.

Other considerations

  • Client certificates must be deployed to the client workstations.
  • Map certificates to:
    • Individual user accounts (one-to-one mapping).
    • Any user from a single company (many-to-one mapping).

Implementation

  • Configure IIS for Certificate authentication.
  • Configure the ASP.NET Web.config file.

    <!-- web.config file -->
    <system.web>
        <authentication mode="Windows" />
    </system.web>
Overview of Passport Authentication

  • A centralized authentication service provided by Microsoft.

Typical usage scenarios

Consider Passport authentication when:

  • Your site will interact with other Passport-enabled sites.
  • Single sign-on capability is required.
  • External maintenance of user names and passwords is useful.

Do not use Passport authentication when:

  • You want to use user names and passwords already stored in your own database or Active Directory.
  • Clients are other applications that access the site programmatically.

Other considerations

  • Requires registration with the Passport service and installation of the Passport SDK on the server.
  • Delegation is not possible on Windows 2000.
  • Passport User ID (PUID) is an identity only.
    • Implement code to map the PUID to users in Active Directory or a custom database.
  • Passport uses encrypted cookies, making the system secure.
    • Combine Passport with SSL to prevent replay attacks for the highest level of security.

Implementation

  • Install the Passport SDK on the server.
  • Register with the Passport service.
  • Configure IIS for Anonymous authentication.
  • Configure the ASP.NET Web.config file.

    <!-- web.config file -->
    <system.web>
        <authentication mode="Passport" />
    </system.web>
Overview of Forms Authentication

  • A custom user interface accepts user credentials.
  • Authentication is performed against a database using custom code.

Typical usage scenarios

Consider Forms authentication when:

  • User names and passwords are stored somewhere other than Windows accounts.
  • Your application runs over the Internet.
  • Support for all browsers and client operating systems is required.
  • A custom logon page is needed.

Do not use Forms authentication when:

  • Applications are deployed on a corporate intranet and can take advantage of Integrated Windows authentication.
  • You cannot programmatically verify the user name and password.

Other considerations

  • Use SSL to secure passwords submitted via the logon page.
  • Set cookie expiration to avoid cookie theft and misuse.
  • SSL degrades performance, so consider separating logon and content servers.
  • Checking for the cookie is automatic in ASP.NET applications.
  • Use Forms authentication with Windows accounts as an alternative to Basic or Digest authentication.

Implementation

  • Create a logon page.
  • Create your custom account information lookup code.
  • Configure IIS for Anonymous authentication.
  • Configure the ASP.NET Web.config file, including the redirect URL for unauthenticated clients.

    <!-- web.config file -->
    <system.web>
        <authentication mode="Forms">
            <forms loginUrl="login.aspx" />
        </authentication>
    </system.web>
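The implementation steps above, as an added example that is not code from the original article: the code-behind for login.aspx, which performs the custom account lookup and issues the Forms ticket. It assumes the page has TextBox controls named UserName and Password, a Label named Message and a Button wired to LoginButton_Click; the account store is a constructed in-memory dictionary standing in for the custom database the article describes.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Web.Security;
using System.Web.UI;

// Added example, not from the original article. Control names and the in-memory
// account store are assumptions; a real site would query its own database here.
public partial class Login : Page
{
    private const int Iterations = 100000;  // PBKDF2 work factor for stored passwords
    private sealed class Account { public byte[] Salt; public byte[] Hash; }

    // Constructed sample store (user name -> salted PBKDF2 hash); never store clear text.
    private static readonly Dictionary<string, Account> Accounts =
        new Dictionary<string, Account>(StringComparer.OrdinalIgnoreCase)
        { { "alice", Seed("correct horse battery staple") } };

    private static Account Seed(string password)
    {
        byte[] salt = new byte[16];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(salt);
        return new Account { Salt = salt, Hash = Derive(password, salt) };
    }
    private static byte[] Derive(string password, byte[] salt)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations))
            return kdf.GetBytes(32);
    }
    // Fixed-time comparison so a mismatch does not leak its position through timing.
    private static bool Matches(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    protected void LoginButton_Click(object sender, EventArgs e)
    {
        string user = UserName.Text.Trim();
        Account acct;
        // One message for unknown user and wrong password, so user names are not revealed.
        if (Accounts.TryGetValue(user, out acct) && Matches(Derive(Password.Text, acct.Salt), acct.Hash))
        {
            // Issue the Forms ticket cookie (non-persistent) and return to the page that sent us here.
            FormsAuthentication.RedirectFromLoginPage(user, false);
            return;
        }
        Message.Text = "Invalid user name or password.";
    }
}
```

The web.config shown above only sets the mode and loginUrl; for ASP.NET to actually redirect unauthenticated requests to login.aspx, add an authorization element containing deny users="?" inside system.web.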

Summary

This article discusses the importance of the authentication method when designing a server application. Both Microsoft Internet Information Services (IIS) and ASP.NET provide authentication methods that allow you to authenticate your users appropriately and obtain the correct security context within your application.