Monday, February 15, 2010

How many types of authentication do you know?

The ASP.NET Framework supports three types of authentication:
  • Windows authentication
  • .NET Passport authentication
  • Forms authentication
Note: A particular application can have only one type of authentication enabled. We can't, for example, enable both Windows and Forms authentication at the same time.
  • Windows authentication: It is enabled by default. When Windows authentication is enabled, users are identified by their Microsoft Windows account names. Roles correspond to Microsoft Windows groups.

Windows authentication delegates the responsibility of identifying users to IIS. IIS can be configured to use Basic, Integrated Windows or Digest authentication.

There are four types of Windows authentication methods:
1)    Anonymous Authentication – IIS allows any user.
2)    Basic Authentication – A Windows username and password have to be sent across the network (in plain text format, hence not very secure).
3)    Digest Authentication – Same as Basic Authentication, but the credentials are encrypted. Works on IE5 or above.
4)    Integrated Windows Authentication – Relies on Kerberos technology, with strong credential encryption.


  • .NET Passport authentication: It is the same type of authentication used at Microsoft websites such as MSN and Hotmail. If we want to enable users to log in to our application by using their existing Hotmail usernames and passwords, then we can enable .NET Passport authentication.
There are two types of .NET Passport authentication:
1)    FileAuthentication – This depends on the NTFS file system for granting permission.
2)    UrlAuthentication – Authorization rules may be explicitly specified in web.config for different web URLs.

    Note: We must download and install the Microsoft .NET Passport SDK, register with Microsoft, and pay Microsoft a fee before we can use .NET Passport authentication.
    • Forms authentication: When Forms authentication is enabled, users are typically identified by a cookie. When a user is authenticated, an encrypted cookie is added to the user's browser. As the user moves from page to page, the user is identified by the cookie.

    When Forms authentication is enabled, user and role information is stored in a custom data store. We can store user information anywhere we want. For example, we can store usernames and passwords in a database, an XML file, or even a plain text file.

    In ASP.NET 1.x, after enabling Forms authentication, we had to write all the code for storing and retrieving user information. When building an ASP.NET 3.5 application, on the other hand, we can let ASP.NET Membership do all this work for us. ASP.NET Membership can handle all the details of storing and retrieving user and role information.

    We can enable a particular type of authentication for an application in an application’s root web configuration file.
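
As an added illustration (not part of the original post), this is a root web.config that enables Forms authentication with restrictive cookie settings and adds URL authorization rules. The login page, cookie name and `Public` folder are assumed names.

```xml
<?xml version="1.0"?>
<!-- Added example: root web.config for an ASP.NET 3.5 site.
     Login.aspx, the cookie name and the Public folder are assumed names. -->
<configuration>
  <system.web>
    <!-- Only one mode may be active per application:
         Windows (the default), Forms, Passport or None. -->
    <authentication mode="Forms">
      <!-- protection="All"        : cookie is both encrypted and validated
           requireSSL="true"       : cookie is only sent over HTTPS
           cookieless="UseCookies" : never place the ticket in the URL
           timeout (minutes) with slidingExpiration="false" limits how
           long a stolen cookie remains usable -->
      <forms loginUrl="~/Login.aspx"
             name=".EXAMPLEAUTH"
             protection="All"
             requireSSL="true"
             cookieless="UseCookies"
             timeout="20"
             slidingExpiration="false"
             path="/" />
    </authentication>

    <!-- URL authorization: "?" means anonymous users, "*" means everyone.
         Rules are evaluated top-down and the first match wins. -->
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>

  <!-- Per-URL override: content under Public stays reachable without login. -->
  <location path="Public">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

Changing `mode` to `Windows` hands identification back to IIS, in which case the `<forms>` element is ignored.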
