Understanding Forms Authentication
A common security approach used by Web developers is to use standard HTTP forms to transmit logon information. Forms authentication uses an HTTP 302 (Login/Redirect) response to redirect users to a logon page. Generally, the logon page provides fields in which users enter a logon name and password. When this information is submitted back to the logon page, it is validated. Assuming that the credentials are accepted, users are redirected to the content they originally requested. By default, form submissions send data in an unencrypted format. To secure the transmission of logon information, enable encryption through SSL or TLS.
Forms authentication is the most common approach used on the Internet because it does not have any specific Web browser requirements. Web developers typically build their own logon pages. Logons are often validated against user account information stored in a relational database (for Internet sites) or against an Active Directory domain.
The default settings for forms authentication are designed for use by ASP.NET Web applications. You can edit the forms authentication settings to manage several options (see Figure 2). The primary setting is the Login URL, which specifies the Web page to which users are sent when they attempt to access protected content.
Once the user has provided authentication information, cookies are sent from the Web browser to the Web server with each request. This enables the client to prove that it has authenticated with the Web server, and it is necessary because HTTP is a stateless protocol. The Cookie Settings section enables you to configure how cookies will be used by the site. The Mode options include:
Do Not Use Cookies
Use Cookies
Auto Detect
Use Device Profile
The most appropriate option will be based on Web browser requirements (for example, whether your Web site requires users to enable support for cookies) and the requirements of the Web application or Web content.
Understanding Challenge-Based Authentication
Users who access secure Web sites on the Internet are familiar with the process of providing a username and password to access secured content or to perform actions such as placing online orders. IIS supports three methods of presenting a security challenge to users who are attempting to access Web content that has been secured using file system permissions. Each of these methods relies on sending an HTTP 401 Challenge, a standard method that prompts users to provide logon information. These three authentication methods are:
Basic authentication
Basic authentication presents an authentication challenge to Web users through a standard method that is supported by all Web browsers. The main drawback to basic authentication is that the information users provide is encoded but not encrypted. This means that, if the information is intercepted, the logon and password details can be obtained easily. To transfer basic authentication information securely, either ensure that your network connections are secure (for example, in a data center environment) or enable encryption using SSL or TLS.
Digest authentication
Digest authentication relies on the HTTP 1.1 protocol to provide a secure method of transmitting logon credentials. It does this by using a Windows domain controller to authenticate the user. A potential drawback is that it requires clients' Web browsers to support HTTP 1.1. Current versions of most popular browsers support this method, so it is possible to use digest authentication for both Internet and intranet environments.
Windows authentication
Windows authentication provides a secure and easy-to-administer authentication option. It relies on the use of either the NTLM or Kerberos authentication protocol to validate users' credentials against a Windows domain or local security database. Windows authentication is designed primarily for use in intranet environments, where clients and Web servers are members of the same domain. To simplify administration, administrators can use Active Directory domain accounts to control access to content.
One important consideration about these challenge-based authentication methods is their interaction with anonymous authentication. If you want to require users to provide logon information before accessing Web content, you must disable anonymous authentication. If anonymous authentication remains enabled, content that is not protected by using file system permissions will be made automatically available to users without requiring authentication. Another requirement to note is that you cannot enable both forms authentication and challenge-based authentication for the same content.
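The two points made in this section, that a 401 challenge is only what the browser sees when the server refuses to serve anonymously, and that basic authentication is encoded rather than encrypted, can be shown with a small model of both sides of the exchange. The code below is an added example written for this page, not IIS code. The realm name, the account store, the set of "protected" paths standing in for file system permissions, and the rule that basic credentials arriving over plain HTTP are refused are all constructed for the demonstration.

```python
import base64
import binascii
import hmac

REALM = "intranet.example"              # constructed realm name
ACCOUNTS = {"bob": "s3cret-demo"}       # constructed account store (plaintext only for the demo)
# Paths standing in for content protected by file system permissions.
PROTECTED = {"/reports/q3.aspx"}


def challenge():
    """The HTTP 401 response that makes the browser prompt for a username and password."""
    return 401, {"WWW-Authenticate": f'Basic realm="{REALM}"'}


def encode_basic(username, password):
    """What the browser sends back: base64(user:password). This is encoding, not encryption."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def parse_basic_authorization(header):
    """Decode an Authorization: Basic header into (user, password), or None if malformed."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        raw = base64.b64decode(header[6:], validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    if not sep:
        return None
    return user, password


def authenticate(creds):
    """Return the username for valid credentials, else None (constant-time compare)."""
    if creds is None:
        return None
    user, password = creds
    expected = ACCOUNTS.get(user)
    if expected is None or not hmac.compare_digest(password.encode(), expected.encode()):
        return None
    return user


def serve_request(path, headers, secure, anonymous_enabled=False):
    """Model the interaction the text describes between anonymous and challenge-based auth.

    With anonymous authentication enabled, unprotected content is served with no
    challenge; protected content, or any content once anonymous is disabled,
    produces the 401 challenge until valid credentials arrive.
    """
    if not secure and "Authorization" in headers:
        # Basic credentials on plain HTTP are readable on the wire; refuse rather than consume them.
        return 403, {}
    if anonymous_enabled and path not in PROTECTED:
        return 200, {"X-Authenticated-User": "anonymous"}
    user = authenticate(parse_basic_authorization(headers.get("Authorization")))
    if user is None:
        return challenge()
    return 200, {"X-Authenticated-User": user}


if __name__ == "__main__":
    # First request: no credentials, so the server answers with the 401 challenge.
    print(serve_request("/reports/q3.aspx", {}, secure=True))
    # Browser retries with the header; note how little the "encoding" hides.
    header = encode_basic("bob", "s3cret-demo")
    print(header, "->", parse_basic_authorization(header))
    print(serve_request("/reports/q3.aspx", {"Authorization": header}, secure=True))
    # Anonymous enabled: unprotected content needs no logon at all.
    print(serve_request("/index.html", {}, secure=True, anonymous_enabled=True))
```

The anonymous_enabled flag reproduces the rule in the text: disabling it is what turns every request into a challenge, and enabling it silently serves anything the file system permissions do not protect.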