Security configuration in ASP.net refers to providing access to
users. i.e design pages for public users which are accessible to everyone
and then also design pages which are accessible based on usernames and
other identification process. Datalevel security and other security issues
are handled externally with other concepts.
ASP.net provides security with 2 process.
The process of verifying user credentials and creating identity is
called as Authentication.
The process of allowing or deny the requested resources is called
We combine both these process for providing effective security
management for our website.
ASP.net provides 3 types of Authentication. Out of which we have to
select one Authentication mode based on our website.
In this method we will use IIS and windows for checking user
credentials. This is default Authentication mode.
How it Works:
client makes a request and IIS at server Check for windows
identity when not found it will redirect login window to client. After
providing username, password by user to IIS it creates identity and
redirects user to ASP.net application. Now, application will result
secured page to user. Once Authenticated all further requests for pages
are also identify. This type of Authentication is suitable for intranet
environment ( LAN ).
EX: monister, Gmail..
This is a third party Authentication and we use Microsoft passport
service for Authentication. It is not implemented for commercial clients
specific website but implemented for Microsoft related websites.
Note: for passport and forms Authentication we must set IIS level
Authentication as anonymous. Which means at IIS level all users are
How it work:
1)Client makes request.
2)IIS allows user as anonymous .
3)Then ASP.net checks for identity and redirect users to Passport websites.
4)Passport displays login page to user.
5)Users enters credentials and submits back to passport.
6)Passport checks and creates identity along with passport given identity
user gets a secured web page.
This authentication is the most implemented authentication in
ASP.net . In this Authentication mode all process will third party
services are used. User can implement any logic and perform authentication
How it works:
1)Client makes a request for secured page.
2)IIS will allow user as Anonymous .
3)ASP.net checks for forms Authentication ticket / identity and redirects
a login page present in root directory. When it is not found.
4)User responds to login page by entering the available credentials.
Submits the page back to IIS. IIS again allows user as Anonymous and then
ASP.net executes login page by verifying credentials against the
DataSource on Successful checking it will create forms identity and
redirects secured page along with created forms Authenticate ticket to
This ticket is used by client for further request. i.e. as long as
ticket is available or valid. ASP.net takes as user as Authenticated user
NOTE: All this implementation is provided by ASP.net with
Authentication, Authorization tags and with System.Web.Security namespace.
1)To provide security first go to root web.Config file and add authentication .
2)Create a folder in root like "Admin" and which pages you want to provide
security create that pages inside this folder.
3)Go to Admin folder and create Web.Config file inside it. In admin web
config add authorization.
Note : Here "?" means do not allow Anonymous Users, "*" means allow all users.
4)Use the following code In Root Web config itself.