Authentication and Authorization in ASP.NET


Authentication is a process that determines the identity of a user. After a user has been authenticated, a developer can determine if the identified user has authorization to proceed. It is impossible to give an entity authorization if no authentication process has been applied. Authentication is provided in ASP.NET 3.5 using the membership service.

You can use one of these entries in the configuration file to select the corresponding built-in authentication provider:

<authentication mode="Windows" />
<authentication mode="Passport" />
<authentication mode="Forms" />


Authorization is the process of determining whether an authenticated user is allowed access to any part of an application, access to specific points of an application, or access only to specific datasets that the application provides. When you authenticate and authorize users or groups, you can customize a site based on user types or preferences. Authorization is provided in ASP.NET 3.5 using a role management service.
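The following web.config sketch is an added example, not taken from the original article. It shows how the authentication mode and role-based authorization rules fit together. The login page, the Admin folder and the Administrators role name are assumptions made for illustration.

```xml
<configuration>
  <system.web>
    <!-- Authentication: establish who the user is (Forms provider). -->
    <authentication mode="Forms">
      <!-- loginUrl is a hypothetical page; requireSSL keeps the ticket
           cookie off plain HTTP, protection="All" encrypts and validates it. -->
      <forms loginUrl="~/Login.aspx"
             timeout="30"
             slidingExpiration="true"
             requireSSL="true"
             protection="All" />
    </authentication>

    <!-- Role management service: supplies the roles used by <allow roles="..."> -->
    <roleManager enabled="true" />

    <!-- Authorization: site-wide default, reject anonymous users ("?"). -->
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>

  <!-- Tighter rule for one part of the application (hypothetical folder). -->
  <location path="Admin">
    <system.web>
      <authorization>
        <!-- Rules are evaluated top to bottom and the first match wins,
             so the allow must come before the catch-all deny ("*"). -->
        <allow roles="Administrators" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

Because the first matching rule wins, placing `<deny users="*" />` above the `<allow>` would lock out every user, including members of the allowed role.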


We can specify a particular identity to use for all authenticated requests:

<identity impersonate="true" userName="DOMAIN\username" password="password" />