
Topics: Authentication and Authorization

1. INTRODUCTION
   Why is security important in today's world?
   Different ways to secure your website / application

2. What is IIS, and how do you install and host an ASP.NET website?

3. What is Authentication?

4. What is Authorization?

5. What is an Identity Object?

6. What is a Principal Object?

Different ways of Authentication:
   Forms Authentication (using cookies, or cookieless)
   Windows Authentication
   Passport Authentication
Introduction - Why is Security Important?

1. Security is one of the most important parts of any website or web application.

2. Hackers are waiting out there for us and use various ways to exploit a website / web application.

3. Hackers can attack in many ways:
   Brute force
   Sniffers
   Spoofing
   Social engineering
   SQL injection
Introduction - Different Ways to Secure your Application

Design your application well.

Encrypt data when storing it.

Validate input.

Enforce strong passwords for users.

Authentication and authorization.


What is Internet Information Services (IIS)?
IIS is one of the most powerful web servers, developed by Microsoft to host ASP.NET websites and applications.

Its responsibility is to send a response back for each request sent by the client.
How does IIS work?
What is Authentication?
The dictionary meaning of authentication is to check someone's genuineness.

In ASP.NET, authentication means the same: it is the process of checking a person's credentials.

Examples: Facebook, Yahoo, Gmail.

What is Authorization?
Providing access to a resource based on the user's role.

Authentication always precedes authorization.


What is an Identity Object?

An Identity Object is an object that stores information about an authenticated user.

There are two types of Identity objects: WindowsIdentity and GenericIdentity.

What is a Principal Object?

A Principal Object is an object that defines the roles of the authenticated user.

The Principal Object encapsulates the Identity Object.
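As an added example (not from the slides), the following console program shows how an Identity object and a Principal object fit together in .NET, and why authorization can only be decided after authentication: the Identity answers "who is this user and are they authenticated?", the Principal wraps that Identity and answers "what roles do they hold?". The user names, passwords and roles are constructed for the demo; in a real ASP.NET site the Forms or Windows authentication module builds the Principal for you.

```csharp
// Added example (not part of the slides): Identity + Principal objects in .NET.
// Runs as a plain console program; no IIS or web project is required.
using System;
using System.Security.Principal;

class IdentityPrincipalDemo
{
    // Constructed sample "user store": user name -> roles (assumption for the demo).
    static string[] RolesFor(string userName)
    {
        switch (userName)
        {
            case "alice": return new[] { "Admin", "User" };
            case "bob":   return new[] { "User" };
            default:      return new string[0];
        }
    }

    // Authentication: verify credentials and produce a Principal that wraps an Identity.
    // The credential check is a constructed stand-in for a real user store.
    static IPrincipal Authenticate(string userName, string password)
    {
        bool credentialsOk = (userName == "alice" && password == "correct-horse")
                          || (userName == "bob"   && password == "battery-staple");
        if (!credentialsOk)
        {
            // A GenericIdentity with an empty name reports IsAuthenticated == false.
            return new GenericPrincipal(new GenericIdentity(""), new string[0]);
        }
        var identity = new GenericIdentity(userName, "Forms");      // who the user is
        return new GenericPrincipal(identity, RolesFor(userName));  // which roles they hold
    }

    // Authorization: meaningful only after authentication; the role decides access.
    static bool CanAccessAdminPage(IPrincipal user)
    {
        if (!user.Identity.IsAuthenticated) return false;   // authentication first
        return user.IsInRole("Admin");                       // then role-based authorization
    }

    static void Main()
    {
        var attempts = new[] { ("alice", "correct-horse"), ("bob", "battery-staple"), ("bob", "wrong") };
        foreach (var attempt in attempts)
        {
            IPrincipal p = Authenticate(attempt.Item1, attempt.Item2);
            Console.WriteLine($"{attempt.Item1,-6} authenticated={p.Identity.IsAuthenticated,-5} admin={CanAccessAdminPage(p)}");
        }
    }
}
```

In a web application the same objects are reached through HttpContext.Current.User: the Identity behind it is a WindowsIdentity under Windows Authentication and a GenericIdentity (or FormsIdentity) under Forms Authentication, and IsInRole is what the web.config authorization rules evaluate.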


Forms Authentication
Forms Authentication is nothing but cookie-based authentication, where a cookie is stored on the client's machine.

It makes use of a custom form to accept the user's credentials.

The credentials are validated against the information stored in a specific source.

Advantages
It is the simplest way of authenticating users for websites and applications.
The user does not have to log in again and again to the same application.
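As an added example (not from the slides), this is a web.config fragment that turns on Forms Authentication with cookies, protects the authentication cookie, and shows the authorization rules that go with it. The login page name (Login.aspx) and the Admin folder are assumptions for the illustration.

```xml
<!-- Added example (not part of the slides): Forms Authentication in web.config.
     Login.aspx and the Admin folder are assumed names. -->
<configuration>
  <system.web>
    <!-- mode="Forms": unauthenticated requests are redirected to loginUrl.
         cookieless="UseCookies" keeps the ticket in a cookie instead of the URL,
         requireSSL and protection="All" keep that cookie encrypted, signed and TLS-only. -->
    <authentication mode="Forms">
      <forms loginUrl="~/Login.aspx"
             name=".ASPXAUTH"
             cookieless="UseCookies"
             requireSSL="true"
             protection="All"
             slidingExpiration="true"
             timeout="30" />
    </authentication>

    <!-- "?" means anonymous users: deny them everywhere by default. -->
    <authorization>
      <deny users="?" />
    </authorization>

    <!-- HttpOnly stops page script from reading the authentication cookie. -->
    <httpCookies httpOnlyCookies="true" requireSSL="true" />
  </system.web>

  <!-- The login page itself must stay reachable by anonymous users. -->
  <location path="Login.aspx">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>

  <!-- Role-based authorization for a protected area: only the Admin role gets in. -->
  <location path="Admin">
    <system.web>
      <authorization>
        <allow roles="Admin" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

Setting cookieless="UseUri" instead would carry the ticket in the URL, which is what the slides' "cookieless" option means; the cookie form is preferable because a ticket in the URL ends up in browser history, proxy logs and Referer headers.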
Windows Authentication
Windows Authentication is used in an intranet environment.

Users' credentials are validated against the information stored in the Windows users and groups.

It is not available in the Windows 7 Home Premium, Home Basic and Starter versions.
Types of Windows Authentication
1. Anonymous Authentication: it does not authenticate the user.

2. Basic Authentication: the user is authenticated, and the information is sent in Base64-encoded format.

3. Digest Authentication: works like Basic Authentication, but sends the information in an encrypted format.

4. Integrated Windows Authentication: it uses either NTLM or Kerberos for authentication.
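As an added example (not from the slides), the following code shows what a server actually receives under Basic Authentication and why "Base64-encoded" is not protection: the Authorization header is "Basic " followed by Base64 of "user:password", which any party that can see the request can decode. The parser is written the way a server-side module would need it, and the accept rule shows the usual mitigation of refusing Basic credentials that did not arrive over HTTPS. The sample header value is constructed.

```csharp
// Added example (not part of the slides): parsing a Basic Authentication header on the
// server and refusing it when the request did not come over TLS.
using System;
using System.Text;

static class BasicAuthHeader
{
    // Parses a "Basic <base64>" header value into (user, password).
    // Returns false for anything that is not well-formed Basic credentials.
    public static bool TryParse(string headerValue, out string user, out string password)
    {
        user = password = null;
        if (string.IsNullOrEmpty(headerValue)) return false;
        if (!headerValue.StartsWith("Basic ", StringComparison.OrdinalIgnoreCase)) return false;

        string decoded;
        try
        {
            byte[] raw = Convert.FromBase64String(headerValue.Substring(6).Trim());
            decoded = Encoding.UTF8.GetString(raw);
        }
        catch (FormatException)
        {
            return false;   // not valid Base64
        }

        // RFC 7617: user-id ":" password. The user-id may not contain a colon; the password may.
        int colon = decoded.IndexOf(':');
        if (colon < 0) return false;
        user = decoded.Substring(0, colon);
        password = decoded.Substring(colon + 1);
        return true;
    }

    // Server-side policy: Basic credentials are only accepted when the transport was TLS,
    // because Base64 is an encoding, not encryption, and the password is readable in transit.
    public static bool AcceptBasic(bool isHttps, string headerValue, out string user)
    {
        user = null;
        if (!isHttps) return false;
        return TryParse(headerValue, out user, out _);
    }

    static void Main()
    {
        // Constructed sample header: Base64("alice:s3cret") == "YWxpY2U6czNjcmV0"
        const string sample = "Basic YWxpY2U6czNjcmV0";
        if (TryParse(sample, out string u, out string p))
            Console.WriteLine($"decoded user='{u}' password='{p}'  (Base64 is readable, not encrypted)");
        Console.WriteLine("accepted over HTTP : " + AcceptBasic(false, sample, out _));   // False
        Console.WriteLine("accepted over HTTPS: " + AcceptBasic(true,  sample, out _));   // True
    }
}
```

The same reasoning is why IIS exposes a "Require SSL" setting next to Basic Authentication: the scheme itself has no confidentiality, so the transport has to supply it.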
Working process of NTLM, also known as the Challenge-Response process
Authentication using the Kerberos mechanism

Authentication using Kerberos involves 3 main components.

Authentication Service (AS)
Validates the username and password and sends a simple ticket.

Ticket Granting Server (TGT)
The client sends the ticket to the TGT, which sends back a Service Ticket.

Service Broker (SB)
The SB generates the connection and creates a session for the user to use the application.
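As an added example (not from the slides), the following console program models the three-step flow the slide describes: the Authentication Service issues a ticket for the ticket-granting server, the ticket-granting server exchanges it for a service ticket, and the service opens that ticket to create the session. The point it makes is which long-term key seals each ticket, so a ticket meant for one component cannot be presented to another. It is a teaching model, not the Kerberos protocol: tickets are plain strings sealed with an HMAC under the recipient's key (real Kerberos encrypts them and adds timestamps, session keys and authenticators), the client hands its password-derived key to the AS directly, and all key material is constructed.

```csharp
// Added example (not part of the slides): toy model of AS -> ticket-granting server -> service,
// showing which key validates each ticket. Constructed keys; not the real Kerberos protocol.
using System;
using System.Security.Cryptography;
using System.Text;

static class KerberosToy
{
    // Long-term secrets, normally derived from the user's password and the services' keytabs.
    static readonly byte[] UserKey    = Encoding.UTF8.GetBytes("alice-password-derived-key");
    static readonly byte[] TgsKey     = Encoding.UTF8.GetBytes("ticket-granting-server-secret");
    static readonly byte[] ServiceKey = Encoding.UTF8.GetBytes("http-service-secret");

    static string Mac(byte[] key, string data)
    {
        using (var h = new HMACSHA256(key))
            return Convert.ToBase64String(h.ComputeHash(Encoding.UTF8.GetBytes(data)));
    }

    // A "ticket" is body|mac; only the holder of the sealing key can validate it.
    static string Seal(byte[] key, string body) => body + "|" + Mac(key, body);

    static bool Open(byte[] key, string ticket, out string body)
    {
        int bar = ticket.LastIndexOf('|');
        body = bar < 0 ? null : ticket.Substring(0, bar);
        return bar >= 0 && ticket.Substring(bar + 1) == Mac(key, body);
    }

    // Constant-time comparison so the credential check does not leak by timing.
    static bool SameKey(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    // 1. Authentication Service: checks the user's credential, issues a ticket sealed for the TGS.
    public static string AuthenticationService(string user, byte[] clientKey)
    {
        if (!SameKey(clientKey, UserKey)) throw new Exception("AS: bad credentials");
        return Seal(TgsKey, "tgt;user=" + user);
    }

    // 2. Ticket Granting Server: only it can open the TGT; issues a service ticket sealed for the service.
    public static string TicketGrantingServer(string tgt, string service)
    {
        if (!Open(TgsKey, tgt, out string body) || !body.StartsWith("tgt;"))
            throw new Exception("TGS: invalid ticket");
        return Seal(ServiceKey, "svc;" + body.Substring(4) + ";service=" + service);
    }

    // 3. Service: only it can open the service ticket; creates the user's session.
    public static string Service(string serviceTicket)
    {
        if (!Open(ServiceKey, serviceTicket, out string body) || !body.StartsWith("svc;"))
            throw new Exception("SB: invalid service ticket");
        return "session for " + body.Substring(4);
    }

    static void Main()
    {
        string tgt    = AuthenticationService("alice", UserKey);
        string ticket = TicketGrantingServer(tgt, "http/intranet");
        Console.WriteLine(Service(ticket));   // session for user=alice;service=http/intranet

        // A TGT presented straight to the service is rejected: it is sealed for the TGS, not the service.
        try { Service(tgt); } catch (Exception e) { Console.WriteLine(e.Message); }
    }
}
```

The separation of keys is what lets the user's password be checked exactly once, by the AS; every later hop trusts a ticket it can validate with its own secret rather than seeing the password again.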
Passport Authentication
Users' credentials are authenticated using Microsoft's websites (Windows Live, Hotmail).

Users are sent to Microsoft's login page for authentication.

The user is not authorized.

The developer does not need to create his own custom login form.

To use the Passport Authentication service, you have to download the .NET Passport SDK and also register the application using the .NET Service Manager.
THANK YOU