Implementing Authorization and authentication in ASP.net

Security is an important aspect while designing internet applications. It provides the robustness and reliability by checking the access to the system resources and thus restricts the usage to only limited group who has been authorized. Authentication process involves validation of the user‘s identity by getting the user credentials and validate the identity with values stored internally.

Authorization determines the level of access to the system resources to the authenticated user based on the profile of the User, which would have already been configured. For example, usually an Administrator level of User will have authorization configured so that he has access rights to access all the system resources. Authorization will always follow Authentication and both are essential for a secured application.

Authentication in ASP.Net

ASP.net offers three types of Authentication which are as below:

• Windows authentication
• Passport authentication
• Forms authentication

Authentication type can be set in the web.config file in the section as below:
<authentication mode= “[Forms/Passport/Windows/none]”/>

Windows authentication is basically managed by IIS. There are four types of Windows authentication which are anonymous, basic, digest and Windows Integrated. All these options are configured in IIS.

By selecting anonymous option, there will be not be any authentication performed by the IIS and hence anyone can be allowed to access the application. Using basic authentication, windows user name and password are used to authenticate for which the information is sent over the network which makes it insecure. If digest authentication is selected, password is encoded before sent across the network.

This option necessitates client machines to be using Internet Explorer (IE) 5.0 or above and windows account to be stored in Active directory. Windows Integrated option uses Kerberos (Challenge/response) protocol to authenticate the user. This method provides secret-key cryptography technique and hence ensures the information transmitted is highly secure. For this, client browser needs to be IE 3.0 or above.

Passport authentication method uses the Passport Authentication service provided by Microsoft for authenticating users. By using this method, applications can be relieved of the authentication routine that needs to be implemented in the main application. Passport identifies an authenticated user by checking for the encrypted cookie in the client system. In case of failure at this level, they will be redirected to passport servers for authentication. To implement this, the Passport Development SDK (Software Development Kit) is required.

Forms authentication is a type of custom authentication where the User can design his own customized logic for logging into the system. This method is based on cookie which gets placed by the first successful request by the client. This will be used to track the User about his state of access to the server. For every request made by the client for a web page, ASP.net checks for the existence of this special cookie in the client system. If it exists, it implies that client is authenticated. Otherwise, it does not process the request and redirects the User to an error page.

Authorization in ASP.net

ASP.net is a process within IIS and executes in the security context of a restricted User account which has limited access to both local and shared resources. To enable it to have additional rights, impersonation is used. Impersonation provides the facility to execute the request from the client using its identity or use a specific account as configured in web.config file. To disable impersonation, set the file as below:
<identity impersonate=false/>

Authorization without impersonation

Without impersonation, ASP.net will execute with its own privileges. Usually, this account (ASPNET) in which the ASP.net runtime executes would be a low-privileged account since this is the default account and is applicable to all the sites in the server. Enabling it to a high-privileged account is a high risk since ASP.net process run by any client can access system resources and can cause harm to them. Machine.config is the file where the privilege of ASPNET account can be configured.

Authorization with impersonation

There are two options with impersonation enabled.

Using identity of the client logging to the system

If Anonymous access is allowed in IIS, ASP.net uses its own configured account which the IIS itself uses.
If Anonymous is not allowed, ASP.net uses the access right that has been configured for the authenticated User who needs to be serviced. This level of authorization can be of File Authorization type (as specified in NTFS) or URL Authorization type (as specified in web.config file).

Using identity of a pre-defined user

By setting the web.config file with details of the User name and password of the User whose credentials need to be used for executing the application, ASP.net process can execute in the identity of that User. The main drawback of this method is the security risk that anyone can access the file containing the password in text form.

Design considerations for implementing Authentication and Authorization in Distributed applications

• IIS is the first level of access for any request coming from a client. In case there is a need to reject request from some pre-defined IP addresses, options can be set in IIS for achieving it.

• When security is not required for the application, set the authentication to Anonymous in IIS

• If the Users are confirmed to be in a single network (like intranet), choose Windows Authentication in ASP.net

• For using customized validation of User identity, choose Forms type of authentication. For example, if User/password information has to be validated in a customized login screen and validation logic is residing in the database in the server, it is preferable to select Forms Authentication

• Passport authentication is used when

o the application needs to focus only on the main business process and offload the security aspect to a reliable service provider
o User wants to use single sign-in (SSI) name and password to access multiple sites

• Authorization at ASP.net level can be resource based or role based. Resource based option is to be used when data access is from a simple data source rather than a complex list of source since user credentials are validated based on Windows ACL only. Role based option is usually chosen when

o there are User groups designed in applications for specific privilege rights for specific operations
o there is a need to track the user access to specific resources
o the User size is not very large since it reduces scalability for large number of users due to high administration effort

• Browser at the client side is also a criterion for choosing security options

| All about Conceptual Analysis on .NET Remoting | Building desktop applications in .Net | Building Distributed Applications Efficiently Using .Net Remoting | C# (C Sharp) Unified Type System: Reference Types | C# (C Sharp) Unified Type System: Value Types | Data access in .Net | Delegates Vs Interfaces in C# (C Sharp) | How is Integration between Java and .NET Achieved | How is Versioning Achieved in C# (C Sharp) | Implementing Authorization and authentication in ASP.net | Implementing design patterns in .Net | List of Query Keywords in C# (C Sharp) |