ASP.NET Authentication and Authorization

Upload: shivanand-arur

Post on 21-Dec-2014


Category: Technology



DESCRIPTION

This presentation gives a short introduction to why security is important, then moves on to authentication and authorization and the ways ASP.NET supports them: 1. Forms Authentication 2. Windows Authentication 3. Passport Authentication

TRANSCRIPT

Page 1: Authentication and Authorization in Asp.Net

ASP.NET Authentication and Authorization

Page 2: Authentication and Authorization in Asp.Net

Topics – Authentication and Authorization

1. Introduction – Why is security important in today's world?

Different ways to secure your website / application

2. What is IIS, and how do you install it and host an ASP.NET website on it?

3. What is Authentication?

4. What is Authorization?

5. What is an Identity Object?

6. What is a Principal Object?

Page 3: Authentication and Authorization in Asp.Net

Topics – Authentication and Authorization (continued)

• Different ways of authentication:

Forms Authentication – using cookies, or cookieless

Windows Authentication

Passport Authentication

Page 4: Authentication and Authorization in Asp.Net

Introduction – Why Security is Important?

1. Security is one of the most important parts of any website or web application.

2. Attackers are out there waiting for us and use many techniques to exploit a website or web application.

3. Some of the ways an attacker can strike: brute force, sniffers, spoofing, social engineering, SQL injection.

Page 5: Authentication and Authorization in Asp.Net
Page 6: Authentication and Authorization in Asp.Net

Introduction – Different ways to secure your application

Design your application well.

Encrypt sensitive data when storing it (and store passwords as salted hashes, not as encrypted values).

Validate all input.

Force users to choose strong passwords.

Authentication and authorization.

Page 7: Authentication and Authorization in Asp.Net

What is Internet Information Services (IIS)?

• IIS is the web server developed by Microsoft for hosting ASP.NET websites and applications.

• Its responsibility is to return a response to each request sent by a client.

How does IIS work?

Page 8: Authentication and Authorization in Asp.Net

What is Authentication?

• The dictionary meaning of “authentication” is to “check someone's genuineness”.

• In ASP.NET, authentication means the same thing: it is the process of verifying the credentials a user presents (for example a user name and password) and establishing who the user is.

• Example – Facebook, Yahoo, Gmail.

What is Authorization?

• Deciding whether an already authenticated user may access a resource, based on the user's identity or roles.

• Authentication always precedes authorization: you cannot decide what a user may do before you know who the user is.

Page 9: Authentication and Authorization in Asp.Net
Page 10: Authentication and Authorization in Asp.Net

What is an Identity Object?

• An Identity object stores information about an authenticated user: the user's name, whether the user is authenticated (IsAuthenticated) and the authentication type used. It implements the IIdentity interface.

• The two general-purpose implementations are “WindowsIdentity” and “GenericIdentity”; Forms Authentication uses “FormsIdentity”, which also carries the decrypted authentication ticket.

What is a Principal Object?

• A Principal object defines the security context of the authenticated user, chiefly the roles the user belongs to (IsInRole). It implements the IPrincipal interface; “WindowsPrincipal” and “GenericPrincipal” are the built-in implementations.

• The Principal object encapsulates the Identity object. ASP.NET exposes the principal of the current request as HttpContext.User.
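The following is an added example, not code from the slides, showing how the two objects fit together outside of IIS: a simulated authentication step produces an identity, a principal wraps it with roles, and a resource check consults the roles only after confirming the identity is authenticated. The user "alice", her password and her roles are constructed sample data; WindowsIdentity/WindowsPrincipal play the same roles under Windows Authentication.

```csharp
using System;
using System.Security.Principal;
using System.Threading;

// Added example: Identity vs. Principal, and why authentication comes first.
public static class PrincipalDemo
{
    // Authentication step (simulated). The single valid user is constructed
    // sample data for this example; a real site validates against a store.
    public static IIdentity Authenticate(string userName, string password)
    {
        bool valid = userName == "alice" && password == "correct horse";
        if (!valid)
        {
            // GenericIdentity with an empty name reports IsAuthenticated == false,
            // which is exactly what an anonymous request looks like in ASP.NET.
            return new GenericIdentity(string.Empty);
        }
        // The second argument is the authentication type label (e.g. "Forms").
        return new GenericIdentity(userName, "Forms");
    }

    // The principal carries the roles; roles are only assigned to an
    // authenticated identity. The role list is constructed sample data.
    public static IPrincipal BuildPrincipal(IIdentity identity)
    {
        string[] roles = identity.IsAuthenticated
            ? new[] { "User", "Reports" }
            : new string[0];
        return new GenericPrincipal(identity, roles);
    }

    // Authorization step: never consult roles of an unauthenticated caller.
    public static bool CanAccess(IPrincipal principal, string requiredRole)
    {
        if (principal == null || !principal.Identity.IsAuthenticated)
            return false;
        return principal.IsInRole(requiredRole);
    }

    public static void Main()
    {
        IPrincipal alice = BuildPrincipal(Authenticate("alice", "correct horse"));
        // ASP.NET sets the request principal on HttpContext.User; a plain
        // application attaches it to the thread so that IsInRole checks work.
        Thread.CurrentPrincipal = alice;

        Console.WriteLine("{0} authenticated={1}", alice.Identity.Name, alice.Identity.IsAuthenticated);
        Console.WriteLine("Reports allowed: " + CanAccess(alice, "Reports"));
        Console.WriteLine("Admin allowed:   " + CanAccess(alice, "Admin"));

        IPrincipal anonymous = BuildPrincipal(Authenticate("alice", "wrong password"));
        Console.WriteLine("Anonymous Reports allowed: " + CanAccess(anonymous, "Reports"));
    }
}
```

The point of CanAccess is the order of the two checks: a principal built for an anonymous identity has no roles here, but a custom principal might, so the IsAuthenticated test is what enforces "authentication precedes authorization".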

Page 11: Authentication and Authorization in Asp.Net
Page 12: Authentication and Authorization in Asp.Net

Forms Authentication

• Forms Authentication is ticket-based: after a successful login ASP.NET issues an authentication ticket, normally stored in a cookie on the client's machine (in cookieless mode the ticket is placed in the URL instead).

• It makes use of a custom form to accept the user's credentials.

• Credentials are validated against information stored in a specific source (a database, a Membership provider or, for tests only, the web.config file).

• The ticket is encrypted and integrity-protected with the application's machineKey, so the client can present it but cannot forge or alter it.

• Advantages – It is the simplest way of authenticating users for websites and applications. – The user does not have to log in again and again to the same application while the ticket is valid.

• Caveats – The ticket is a bearer token: send it only over HTTPS (requireSSL="true") and mark the cookie HttpOnly. Cookieless mode leaks the ticket through Referer headers, browser history and server logs, so prefer cookies.
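The following is an added example for an ASP.NET Web Forms site, not code from the slides. It assumes the web.config fragment shown in the leading comment, a Login.aspx page with the control names used below, and that the Membership and Role providers are configured (Membership.ValidateUser and Roles.GetRolesForUser are the real System.Web.Security APIs). It shows the login handler issuing the ticket with the flags from the caveats above, and the Global.asax hook that turns the ticket back into a principal with roles on every later request.

```csharp
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;
using System.Web.UI.WebControls;

// Added example. Assumed web.config (system.web section):
//   <authentication mode="Forms">
//     <forms loginUrl="~/Login.aspx" protection="All" timeout="20"
//            requireSSL="true" cookieless="UseCookies" slidingExpiration="true" />
//   </authentication>
//   <authorization>
//     <deny users="?" />            <!-- "?" = anonymous users -->
//   </authorization>
//   <httpCookies httpOnlyCookies="true" requireSSL="true" />

// Login.aspx.cs
public class Login : System.Web.UI.Page
{
    // Normally declared in the designer file; assumed control names.
    protected TextBox UserNameBox;
    protected TextBox PasswordBox;
    protected Label ErrorLabel;

    protected void LoginButton_Click(object sender, EventArgs e)
    {
        string user = UserNameBox.Text;
        string pass = PasswordBox.Text;

        // Credentials are validated against the configured Membership store,
        // never against values embedded in the page.
        if (!Membership.ValidateUser(user, pass))
        {
            // Same message whether the user or the password was wrong.
            ErrorLabel.Text = "Invalid user name or password.";
            return;
        }

        // Roles are looked up once at login and carried in the ticket's
        // UserData, so later requests need no extra lookup.
        string roles = string.Join(",", Roles.GetRolesForUser(user));

        var ticket = new FormsAuthenticationTicket(
            1, user, DateTime.Now, DateTime.Now.AddMinutes(20),
            false,                              // not persistent: ends with the browser session
            roles,
            FormsAuthentication.FormsCookiePath);

        // Encrypt() also applies the MAC; an edited cookie is rejected, not accepted
        // as a different user.
        string encrypted = FormsAuthentication.Encrypt(ticket);
        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName, encrypted)
        {
            HttpOnly = true,                    // script cannot read it (limits XSS theft)
            Secure = true,                      // only sent over HTTPS
            Path = FormsAuthentication.FormsCookiePath
        };
        Response.Cookies.Add(cookie);

        // Only follow a local ReturnUrl, so the login page is not an open redirect.
        string returnUrl = Request.QueryString["ReturnUrl"];
        Response.Redirect(IsLocalUrl(returnUrl) ? returnUrl : "~/Default.aspx");
    }

    private static bool IsLocalUrl(string url)
    {
        return !string.IsNullOrEmpty(url)
            && url.StartsWith("/")
            && !url.StartsWith("//")
            && !url.StartsWith("/\\");
    }
}

// Global.asax.cs
public class Global : HttpApplication
{
    // Runs after FormsAuthenticationModule has validated and decrypted the
    // ticket and set Context.User to a principal holding a FormsIdentity.
    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        var identity = Context.User != null ? Context.User.Identity as FormsIdentity : null;
        if (identity == null || !identity.IsAuthenticated)
            return;                             // anonymous request: leave as is

        string[] roles = identity.Ticket.UserData.Split(
            new[] { ',' }, StringSplitOptions.RemoveEmptyEntries);
        Context.User = new GenericPrincipal(identity, roles);
    }
}
```

With the roles rebuilt in Application_AuthenticateRequest, the `<authorization>` section can use `<allow roles="Reports" />` and pages can call `User.IsInRole("Reports")` without touching the database again.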

Page 13: Authentication and Authorization in Asp.Net
Page 14: Authentication and Authorization in Asp.Net

Windows Authentication

• Windows Authentication is used in intranet environments, where users already hold Windows accounts.

• The user's credentials are validated against the Windows user accounts and groups (the local SAM database or Active Directory), and the request runs with a WindowsIdentity.

• It is not available in the Windows 7 Home Premium, Home Basic and Starter editions.

Page 15: Authentication and Authorization in Asp.Net

Types of Windows Authentication

1. Anonymous Authentication – Does not authenticate the user; every request runs under a fixed IIS account.

2. Basic Authentication – The user is authenticated, but the user name and password are sent Base64-encoded in the Authorization header. Base64 is an encoding, not encryption: anyone who can read the request can recover the password, so Basic must only be used over HTTPS.

3. Digest Authentication – Works like Basic Authentication, but sends an MD5 hash of the credentials combined with a server-supplied nonce instead of the password itself. The password never crosses the wire, though MD5 makes the scheme weak by today's standards.

4. Integrated Windows Authentication – Negotiates either Kerberos or NTLM; Kerberos is preferred and NTLM is the fallback when Kerberos cannot be used.
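The following is an added example, not code from the slides, covering two of the points above: it decodes a Basic Authorization header the way a sniffer would (the header value is constructed sample data), and it inspects a WindowsIdentity to tell whether the caller was actually authenticated with Kerberos or whether Negotiate fell back to NTLM. In ASP.NET you would pass HttpContext.Current.User.Identity to IsKerberosAuthenticated; the Main method uses the process identity instead, which only works on Windows.

```csharp
using System;
using System.Security.Principal;
using System.Text;

// Added example: what Basic authentication really sends, and how to detect
// an NTLM fallback under Integrated Windows Authentication.
public static class WindowsAuthChecks
{
    // Basic authentication carries "user:password" reversibly. Without TLS,
    // anyone on the path (sniffer, proxy, log file) recovers it like this.
    public static string DecodeBasicAuthorizationHeader(string headerValue)
    {
        const string prefix = "Basic ";
        if (headerValue == null ||
            !headerValue.StartsWith(prefix, StringComparison.OrdinalIgnoreCase))
            throw new ArgumentException("not a Basic authorization header");

        byte[] raw = Convert.FromBase64String(headerValue.Substring(prefix.Length));
        return Encoding.UTF8.GetString(raw);        // "user:password"
    }

    // Negotiate silently drops from Kerberos to NTLM when Kerberos cannot be
    // used (missing SPN, IP address in the URL, no domain trust). A site that
    // must not accept NTLM can check which package actually authenticated the
    // caller; WindowsIdentity.AuthenticationType reports "Kerberos" or "NTLM".
    public static bool IsKerberosAuthenticated(IIdentity identity)
    {
        var win = identity as WindowsIdentity;
        if (win == null || !win.IsAuthenticated)
            return false;
        return string.Equals(win.AuthenticationType, "Kerberos",
                             StringComparison.OrdinalIgnoreCase);
    }

    public static void Main()
    {
        // Constructed sample header for the user "alice" with password "S3cret!".
        string header = "Basic " +
            Convert.ToBase64String(Encoding.UTF8.GetBytes("alice:S3cret!"));
        Console.WriteLine("Basic header decodes to: " + DecodeBasicAuthorizationHeader(header));

        // Windows only: WindowsIdentity.GetCurrent() throws on other platforms.
        using (WindowsIdentity me = WindowsIdentity.GetCurrent())
        {
            Console.WriteLine("{0} logged on via {1}; kerberos={2}",
                me.Name, me.AuthenticationType, IsKerberosAuthenticated(me));
        }
    }
}
```

In an IIS site the check belongs in an HttpModule's AuthenticateRequest handler, where a false result can end the request with a 401 instead of letting an NTLM-authenticated caller through.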

Page 16: Authentication and Authorization in Asp.Net

How NTLM works – also known as the challenge-response process

The client sends a Negotiate message, the server replies with a random challenge (nonce), and the client returns a response computed from that challenge and the hash of the user's password. The password itself never crosses the wire; the server (or the domain controller on its behalf) recomputes the response to verify it.

Page 17: Authentication and Authorization in Asp.Net

Authentication using the Kerberos Mechanism

Authentication using Kerberos involves three main components.

Authentication Service (AS) – Validates the user (using pre-authentication data derived from the password) and issues a Ticket Granting Ticket (TGT).

Ticket Granting Service (TGS) – The client presents the TGT to the TGS, which issues a Service Ticket for the requested service. (The AS and TGS together form the Key Distribution Center, KDC.)

Service (the slide calls it the Service Broker, SB) – The target application server validates the Service Ticket, establishes the connection and creates the session the user uses with the application.

Page 18: Authentication and Authorization in Asp.Net


Page 19: Authentication and Authorization in Asp.Net

Passport Authentication

• The user's credentials are authenticated by Microsoft's websites (Windows Live, Hotmail).

• Users are sent to Microsoft's login page for authentication.

• Passport only authenticates the user; it does not authorize. Deciding what the user may access remains the application's job.

• The developer does not need to create a custom login form.

• To use the Passport Authentication service you have to download the .NET Passport SDK and register the application using the .NET Service Manager.

• Note that .NET Passport has since been retired (it became Windows Live ID and then Microsoft account), and the PassportIdentity and PassportAuthenticationModule classes are marked obsolete in current .NET Framework versions.

Page 20: Authentication and Authorization in Asp.Net

THANK YOU