ASP.NET Authentication

Source: Internet
Author: User
ASP.NET provides authentication providers that implement additional authentication schemes. These authentication providers are independent of the IIS authentication schemes and are used only after the IIS authentication scheme has been applied. ASP.NET supports the following authentication providers:
Windows (default)
Forms
Passport
None
To enable an authentication provider for an ASP.NET application, use the <authentication> element in Machine.config or Web.config, as shown below:
<system.web>
  <!-- mode = [Windows | Forms | Passport | None] -->
  <authentication mode="Windows"/>
</system.web>
Each ASP.NET authentication provider supports the OnAuthenticate event, which occurs during authentication. You can use this event to implement a custom authentication scheme. The main purpose of this event is to attach a custom object that implements the IPrincipal interface to the context.
Which ASP.NET authentication provider you use usually depends on which IIS authentication scheme is selected. If you use any IIS authentication scheme other than Anonymous, you may need to use the Windows authentication provider. Otherwise, Forms, Passport, or None is used.
For more information, see the <authentication> element and ASP.NET authentication.
Windows
The Windows authentication provider relies on IIS to perform the required client authentication. After IIS authenticates the client, it passes a security token to ASP.NET. ASP.NET constructs a WindowsPrincipal object based on the security token obtained from IIS and attaches it to the application context. For more information, see the Windows authentication provider and the WindowsPrincipal class.
Advantages
Authentication uses Windows accounts, so you do not need to write any custom authentication code.
Disadvantages
You may need to use and manage a single Windows user account.
In addition, each IIS authentication scheme has its own advantages and disadvantages, which you should take into account when selecting a security model. For more information, see IIS authentication.
Implementation
To implement Windows authentication, refer to the corresponding IIS Authentication Scheme. For more information, see IIS authentication.
Forms (cookie)
The Forms authentication provider is an authentication scheme that allows an application to use HTML forms to collect credentials directly from the client. The client submits the credentials directly to the application code for authentication. If the application verifies the identity of the client, it sends a cookie to the client, and the client presents the cookie in subsequent requests. If a request for a protected resource does not contain this cookie, the application redirects the client to the logon page. To verify credentials, the application can store them in several ways, such as in a configuration file or a SQL Server database. For more information, see the Forms authentication provider.
Note that an ISAPI server extension only processes the resources that are mapped to it. For example, the ASP.NET ISAPI server extension has application mappings only for specific resources (such as .asax, .ascx, .aspx, .asmx, and .config files). By default, the ASP.NET ISAPI server extension, and therefore the Forms authentication provider, does not process any requests for non-ASP.NET resources (such as .htm, .jpg, or .gif files).
Advantages
You can use any conditions to customize the authentication scheme.
It can be used for authentication or identity confirmation.
The corresponding Windows account is not required.
Disadvantages
It is subject to cookie-based replay attacks unless SSL/TLS is used.
Only applicable to resources mapped to aspnet_isapi.dll.
Implementation
To implement Forms authentication, you must create your own logon page and a redirect URL for unauthenticated clients. You must also create your own scheme for account verification. The following is an example of a Web.config configuration that uses Forms authentication:
<!-- Web.config file -->
<system.web>
  <authentication mode="Forms">
    <forms name="401kApp" loginUrl="/login.aspx"/>
  </authentication>
</system.web>
Because you are implementing your own authentication, you usually need to configure IIS for anonymous authentication.
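An added example (not from the original article) of the Forms flow and the OnAuthenticate event described above: the logon page issues a protected ticket cookie, and a Global.asax handler attaches an IPrincipal to the context on later requests. LoginHelper, SignIn and the "|"-separated role list stored in the ticket's user data are assumptions made for illustration.

```csharp
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

// Hypothetical helper: call it from the logon page after your own
// account verification has accepted the posted credentials.
public static class LoginHelper
{
    public static void SignIn(HttpResponse response, string userName, string[] roles)
    {
        var ticket = new FormsAuthenticationTicket(
            1,                               // ticket version
            userName,
            DateTime.Now,                    // issue time
            DateTime.Now.AddMinutes(20),     // short lifetime narrows the replay window
            false,                           // session cookie, not persistent
            string.Join("|", roles),         // user data: role list (assumed format)
            FormsAuthentication.FormsCookiePath);
        // Encrypt() protects the ticket as set by <forms protection="...">
        // (default "All": encryption plus integrity validation).
        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                    FormsAuthentication.Encrypt(ticket))
        {
            HttpOnly = true,                 // not readable from client script
            Secure = true,                   // only sent over SSL/TLS
            Path = FormsAuthentication.FormsCookiePath
        };
        response.Cookies.Add(cookie);
    }
}

// Global.asax code-behind: ASP.NET binds this method by name to the
// Authenticate event of the Forms authentication module.
public class Global : HttpApplication
{
    public void FormsAuthentication_OnAuthenticate(object sender, FormsAuthenticationEventArgs e)
    {
        HttpCookie cookie = e.Context.Request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null || string.IsNullOrEmpty(cookie.Value)) return;

        FormsAuthenticationTicket ticket;
        try { ticket = FormsAuthentication.Decrypt(cookie.Value); }
        catch (Exception) { return; }        // tampered or malformed: stay anonymous
        if (ticket == null || ticket.Expired) return;

        string[] roles = ticket.UserData.Split(new[] { '|' }, StringSplitOptions.RemoveEmptyEntries);
        e.User = new GenericPrincipal(new FormsIdentity(ticket), roles);
    }
}
```

Because the handler sets e.User itself, the module does not renew the ticket, so the session ends 20 minutes after logon; role changes made on the server take effect only when a new ticket is issued.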
Passport
The Passport authentication provider is a centralized authentication service provided by Microsoft that offers single logon and core profile services for member sites. Passport is a forms-based authentication service. When a member site registers with Passport, the Passport service grants it a site-specific key. The Passport logon server uses this key to encrypt and decrypt the query strings passed between the member site and the Passport logon server. For more information, see the Passport provider.
Advantages
Supports single logon across multiple domains.
Compatible with all browsers.
Disadvantages
Places an external dependency on the authentication process.
Implementation
To implement Passport, you must register your site with the Passport service, accept the license agreement, and install the Passport SDK before using it. The Web.config file of the application must be configured as follows:
<!-- Web.config file -->
<system.web>
  <authentication mode="Passport"/>
</system.web>
For more information, see the Microsoft Passport web site (http://www.passport.com/).
None (custom authentication)
Specify "None" as the authentication provider when users are not authenticated at all or when you plan to develop custom authentication code. For example, you may want to develop your own authentication scheme using an ISAPI filter that authenticates users and manually creates a GenericPrincipal object. For more information, see the GenericPrincipal class.
Note that an ISAPI server extension only processes the resources that are mapped to it. For example, the ASP.NET ISAPI server extension has application mappings only for specific resources (such as .asax, .ascx, .aspx, .asmx, and .config files). By default, the ASP.NET ISAPI server extension, and therefore the None (custom) authentication provider, does not process any requests for non-ASP.NET resources (such as .htm, .jpg, or .gif files).
Advantages
Provides full control over the authentication process with maximum flexibility.
Provides the highest performance if no authentication is implemented.
Disadvantages
Custom authentication schemes are rarely as secure as those provided by the operating system.
Additional work is required to customize the authentication scheme.
Implementation
If you do not want to perform authentication, or you want to develop your own custom authentication, create a custom ISAPI filter to skip IIS authentication. Use the following Web.config configuration:
<!-- Web.config file -->
<system.web>
  <authentication mode="None"/>
</system.web>