web.config does most of the work
for you as it tells the application the who, what, where, when and how to be
authenticated (it doesn't need to tell it why).
This is the beginnings of something bigger. The
<authentication> tags and what goes between is everything ASP.NET needs to
know to provide security. The 'mode' property is about how to authenticate,
the possible values are - Windows, Forms and Passport.
Note : <authentication> only works in
the root folder of the virtual directory's web.config, not subfolders.