Authentication is the process of identifying and validating
the identity of a client accessing an application. Put more simply -- it
is the process of identifying “who” the end-user is when they visit a
website.
Authentication is typically used in combination with
Authorization -- which is the process of figuring out whether the authenticated
user has permissions to access a particular page/resource or to perform some
action. For example, when an end-user in a browser tries to access a
page, ASP.NET might authenticate the user as “Scott”, and would then run
through the configured authorization rules for the requested page to figure out
whether “Scott” has permission to access it.
ASP.NET supports multiple ways to authenticate browser users
visiting a web application, and provides a flexible set of ways to authorize
what those users are permitted to do within the application.
For Internet web applications, the most common
authentication scenario to use is called Forms Authentication. Forms
Authentication enables a developer to provide a standard HTML login form within
their application, and then validate the username/password an end-user submits
against a database or other credential store. Assuming the
username/password combination is correct, the developer can then ask ASP.NET to
issue an encrypted HTTP cookie to identify and track the user.
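The following web.config fragment is an added example, not code from the original article or from ASP.NET's documentation. It puts together the two pieces described above: Forms Authentication (the login form, the encrypted cookie) and the page-level authorization rules that decide whether an authenticated user such as "Scott" may reach a given area. The paths (`~/Login.aspx`, `Admin`) and the user and role names are assumptions chosen for the illustration.

```xml
<!-- Added example (not the article's own configuration). Paths, user and role
     names are assumed. -->
<configuration>
  <system.web>
    <!-- Forms Authentication: unauthenticated requests are redirected to loginUrl.
         protection="All"      : the ticket in the cookie is encrypted AND signed
         requireSSL="true"     : the browser only sends the cookie over HTTPS
         cookieless="UseCookies": never carry the ticket in the URL
         timeout               : ticket lifetime in minutes -->
    <authentication mode="Forms">
      <forms loginUrl="~/Login.aspx"
             protection="All"
             requireSSL="true"
             cookieless="UseCookies"
             timeout="30"
             slidingExpiration="false" />
    </authentication>

    <!-- Site-wide default: anonymous users ("?") are denied everywhere -->
    <authorization>
      <deny users="?" />
    </authorization>

    <!-- HttpOnly keeps script on the page from reading the auth ticket -->
    <httpCookies httpOnlyCookies="true" requireSSL="true" />
  </system.web>

  <!-- Page-level rules for an assumed "Admin" folder. Rules are evaluated top
       to bottom and the first match wins, so the closing deny is what keeps
       everyone other than Scott or the Admins role out. -->
  <location path="Admin">
    <system.web>
      <authorization>
        <allow users="Scott" />
        <allow roles="Admins" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>

  <!-- The login page itself must stay reachable by anonymous users, otherwise
       the site-wide deny above would redirect to it in a loop -->
  <location path="Login.aspx">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

The cookie's confidentiality and integrity rest entirely on the server's machine key, so when the application runs on more than one server an explicit `<machineKey>` element must be shared by all of them; otherwise a ticket issued by one node fails validation on the next.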
For Intranet web applications, the most common
authentication scenario to use is called Windows Authentication. Windows
Authentication avoids the need to create a login form within an application,
and does not require end-users to manually enter their username/password
credentials to log in to the application. Instead, ASP.NET and IIS can
automatically retrieve and validate the Windows username of the end-user
visiting the site in a secure way. The benefit of this approach is that
it improves the end-user experience since users don't have to re-type
their passwords or maintain separate accounts. It also allows
companies to re-use a common security identity system across their entire
corporate network (Windows clients, servers, file-shares, printers, and web
apps).
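As an added example (not from the original article), the web.config fragment below shows the Windows Authentication counterpart of the Forms setup: no login page is configured, the Windows identity negotiated by IIS is used directly, and authorization rules refer to Windows groups. The folder name and the `CORP\FinanceUsers` group are assumptions.

```xml
<!-- Added example (not the article's own configuration). Folder and group
     names are assumed. -->
<configuration>
  <system.web>
    <!-- Windows Authentication: IIS negotiates the caller's Windows identity
         (Kerberos or NTLM). The application never sees or stores a password. -->
    <authentication mode="Windows" />

    <!-- Deny anonymous users so every request must carry a Windows identity.
         This only has effect if the IIS site has Windows Authentication enabled
         and Anonymous Authentication disabled; otherwise requests arrive with
         no identity at all and are rejected here. -->
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>

  <!-- With Windows Authentication, roles are Windows/Active Directory groups,
       written DOMAIN\Group. Assumed "Reports" folder restricted to one group. -->
  <location path="Reports">
    <system.web>
      <authorization>
        <allow roles="CORP\FinanceUsers" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

In page code the authenticated account is then available as `User.Identity.Name` (in the `DOMAIN\user` form), and `User.IsInRole(@"CORP\FinanceUsers")` checks group membership against the same Windows identity the rules above use.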