Authentication is the process of identifying valid users by requiring them to prove themselves. The three types of authentication provided by ASP.NET are as follows:
- Windows built-in authentication. IIS uses basic, digest, or integrated Windows authentication to perform the initial authentication. The user gains access to the requested resources under the context of this account. The accounts that are valid for accessing the complete application, or parts of it, can be specified in the web.config file.
- Passport-based authentication. This authentication offers single login and core profile services for member sites, using a centralized Web-based authentication service provided by Microsoft.
- Forms-based authentication. In this authentication, HTTP client-side redirection is used to redirect an unauthenticated user to an HTML form. The user enters login credentials in this form and submits it. If the application authenticates the request, the system issues a cookie (containing the credentials or a key for re-acquiring the identity). The client browser then sends the cookie with all subsequent requests. The user can access the application for as long as this cookie is retained.
In addition, when none of the preceding methods is used, the default IIS authentication is used and resources can be accessed as specified by the application settings in IIS. Impersonation is still implemented, and the resources are accessed under the context of the local system process account or the IUSR_COMPUTERNAME account.
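A web.config sketch of the forms-based option and of restricting part of an application to named accounts, as described above. This is an added example, not configuration from the original page; the cookie name, login page, folder name, and user names are assumptions chosen for illustration.

```xml
<?xml version="1.0"?>
<configuration>
  <system.web>
    <!-- Forms mode: unauthenticated requests are redirected to loginUrl. -->
    <authentication mode="Forms">
      <!-- protection="All" encrypts and integrity-checks the ticket in the cookie.
           requireSSL="true" marks the cookie Secure so it is not sent over plain HTTP.
           cookieless="UseCookies" keeps the ticket out of the URL.
           timeout is in minutes; with slidingExpiration="false" the ticket
           expires a fixed 20 minutes after it is issued. -->
      <forms name=".EXAMPLEAUTH"
             loginUrl="~/Login.aspx"
             protection="All"
             requireSSL="true"
             cookieless="UseCookies"
             timeout="20"
             slidingExpiration="false" />
    </authentication>

    <!-- Whole application: "?" means anonymous users, so every page
         (other than the login page) requires an authenticated user. -->
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>

  <!-- Part of the application: only the listed accounts may reach /Admin.
       Rules are evaluated top to bottom and the first match wins, so the
       allow entry must come before the catch-all deny ("*" = all users). -->
  <location path="Admin">
    <system.web>
      <authorization>
        <allow users="alice,bob" /> <!-- constructed account names -->
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

The same `authorization` and `location` elements apply when `mode="Windows"` is used; in that case the `users` values are Windows accounts in `DOMAIN\user` form and the `forms` element is omitted.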