Authorization determines whether an identity has permission to access a resource. To configure it, specify the users or roles attributes on allow or deny elements in the authorization section. The settings also apply to subdirectories, where they can be overridden. The allow and deny elements take users, roles and verbs attributes; at least one of users or roles must be present.
<allow verbs="GET" users="*" roles="users"/>
<allow verbs="HEAD" users="?"/>
<deny verbs="POST" roles="Admin"/>
Authentication obtains user credentials, such as a user name and password, and validates them. After validation, the user is checked for authorization to the resources. Authentication has four modes: Windows, Forms, Passport, and None for no authentication.
Windows authentication is performed by the IIS authentication mechanisms. It includes Anonymous authentication, Basic authentication, Digest authentication and Integrated authentication. Windows is the default value of the authentication element's mode attribute.
Forms authentication mode authenticates the user name and password that the user enters in a login form. Unauthenticated users are redirected to a login page; otherwise the system establishes the connection for subsequent requests.
<forms name="auth" loginUrl="Login.aspx">
The credentials element has a mandatory attribute called passwordFormat, which can take three values: Clear, MD5 or SHA1. With Clear, passwords are stored in clear text. With MD5, passwords are stored using the Message Digest 5 (MD5) algorithm, which gives better performance than SHA1. With SHA1, passwords are stored using the Secure Hash Algorithm 1 (SHA1).
Impersonation is used when applications rely on Microsoft Internet Information Services (IIS) for authentication. By default, ASP.NET impersonation is disabled. If it is enabled, the application identity should have read/write access to the files in the application directories and subdirectories.
Use the identity element to implement impersonation in the application. It has a mandatory attribute, impersonate, which must be set to true to enable impersonation. You can also add the user name and password as optional attributes.
<identity impersonate="true" userName="compName\user" password="********"/>
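The settings described above can be checked automatically before a web.config is deployed. The following audit script is an added example, not code from the original article; the function name audit_web_config and the sample configuration, including its user child element and placeholder passwords, are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.config (not from the article) using its elements.
SAMPLE_CONFIG = r"""<configuration><system.web>
  <authentication mode="Forms">
    <forms name="auth" loginUrl="Login.aspx">
      <credentials passwordFormat="Clear">
        <user name="demo" password="constructed-value"/>
      </credentials>
    </forms>
  </authentication>
  <authorization>
    <allow verbs="GET" users="*" roles="users"/>
    <deny verbs="POST"/>
  </authorization>
  <identity impersonate="true" userName="compName\user" password="constructed-value"/>
</system.web></configuration>"""


def audit_web_config(xml_text):
    """Return (element, finding) tuples for the settings discussed above."""
    root = ET.fromstring(xml_text)
    findings = []
    auth = root.find(".//authentication")
    # Windows is the default mode when the attribute is absent.
    if auth is not None and auth.get("mode", "Windows").lower() == "none":
        findings.append(("authentication", "mode None disables authentication"))
    for cred in root.iter("credentials"):
        fmt = cred.get("passwordFormat", "")
        if fmt.lower() == "clear":
            findings.append(("credentials", "passwords stored in clear text"))
        elif fmt.upper() in ("MD5", "SHA1"):
            findings.append(("credentials", fmt + " is a fast hash, weak for passwords"))
    for ident in root.iter("identity"):
        # A password attribute on an enabled identity element is worth a review.
        if ident.get("impersonate", "").lower() == "true" and ident.get("password"):
            findings.append(("identity", "identity element carries a password attribute"))
    for section in root.iter("authorization"):
        for rule in section:
            # Each allow/deny rule needs at least one of users or roles.
            if rule.tag in ("allow", "deny") and not (rule.get("users") or rule.get("roles")):
                findings.append((rule.tag, "rule has neither users nor roles"))
    return findings


if __name__ == "__main__":
    for element, finding in audit_web_config(SAMPLE_CONFIG):
        print(f"{element}: {finding}")
```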