

Architecture in ASP.NET

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1

This section provides an overview of the ASP.NET infrastructure and subsystem relationships, as they relate to the subject of security. The following illustration shows the relationships among the security systems in ASP.NET.

[Illustration: relationships among the security systems in ASP.NET]

As the illustration shows, all Web clients communicate with ASP.NET applications through Internet Information Services (IIS). IIS deciphers and optionally authenticates the request. If Allow Anonymous is set to true, no authentication occurs. IIS also finds the requested resource (such as an ASP.NET application), and, if the client is authorized, returns the appropriate resource.

In addition to the built-in ASP.NET features, an ASP.NET application can use the low-level security features of the .NET Framework. For more information, see the "Key Security Concepts" topic in .NET Framework Help.

Integrating with IIS

When considering ASP.NET authentication, you should understand the interaction with IIS authentication services.

IIS always assumes that a set of credentials maps to a Microsoft Windows NT account and uses them to authenticate a user. There are three different kinds of authentication available in IIS 5.0 through IIS 6.0: basic, digest, and Integrated Windows Authentication (NTLM or Kerberos). You can select the type of authentication to use in IIS administrative services. For more information about IIS authentication, see Authentication in IIS 6.0.

If you request a URL containing an ASP.NET application, the request and authentication information are handed off to the application. ASP.NET provides the two additional types of authentication described in the following table.

ASP.NET authentication provider
    Description

Forms authentication
    A system by which unauthenticated requests are redirected to an HTML form using HTTP client-side redirection. The user provides credentials and submits the form. If the application authenticates the request, the system issues an authentication ticket in a cookie that contains the credentials or a key for reacquiring the identity. Subsequent requests are issued with the cookie in the request headers; they are authenticated and authorized by an ASP.NET handler using whatever validation method the application developer specifies.

Passport authentication
    Centralized authentication service provided by Microsoft that offers a single logon and core profile services for member sites.

Using ASP.NET Configuration Files

ASP.NET configuration, of which security is a part, has a hierarchical architecture. All configuration information for ASP.NET is contained in files named Web.config and Machine.config. Web.config can be placed in the same directories as the application files. The Machine.config file is in the Config directory of the install root. Subdirectories inherit a directory's settings unless overridden by a Web.config file in the subdirectory. In a Web.config file, there are sections for each major category of ASP.NET functionality. To see an example of the way in which the hierarchical configuration system works for security, see Hierarchical Configuration Architecture in ASP.NET.

The security section of a Web.config file is organized as follows.

    <authentication mode="[Windows|Forms|Passport|None]">
        <forms name="[name]"
               loginUrl="[url]"
               protection="[All|None|Encryption|Validation]"
               path="[path]"
               timeout="[minutes]"
               requireSSL="[true|false]"
               slidingExpiration="[true|false]">
            <credentials passwordFormat="[Clear|MD5|SHA1]">
                <user name="[UserName]"
                      password="[password]"/>
            </credentials>
        </forms>
        <passport redirectUrl="internal"/>
    </authentication>

    <authorization>
        <allow users="[comma separated list of users]"
               roles="[comma separated list of roles]"/>
        <deny users="[comma separated list of users]"
              roles="[comma separated list of roles]"/>
    </authorization>

    <identity impersonate="[true|false]"
              userName="[domain\user_name]"
              password="[user_password]"/>

    <trust level="[Full|High|Medium|Low|Minimal]"
           originUrl=""/>

    <securityPolicy>
        <trustLevel name="Full" policyFile="internal"/>
        <trustLevel name="High" policyFile="web_hightrust.config"/>
        <trustLevel name="Medium" policyFile="web_mediumtrust.config"/>
        <trustLevel name="Low" policyFile="web_lowtrust.config"/>
        <trustLevel name="Minimal" policyFile="web_minimaltrust.config"/>
    </securityPolicy>

The default settings for these elements are shown in the following table.

Default value
    Description

<allow roles="">
    No default value.

<allow users="*">
    All users.

<authentication mode="Windows">
    The authentication mode cannot be set at a level below the application root directory.

<credentials passwordFormat="SHA1">
    The hashing algorithm to be used on passwords.

<deny roles="">
    Empty.

<deny users="">
    Empty.

<forms loginUrl="login.aspx">
    If you set the mode to Forms, and if the request does not have a valid ticket (cookie), this is the URL to which the request is directed for a forms-based logon.

<forms name=".ASPXAUTH">
    Default cookie name.

<forms path="/">
    Default cookie path.

<forms protection="All">
    Type=[All|None|Encryption|Validation].

<forms requireSSL="false">
    Specifies that an encrypted connection is not required to transmit the authentication cookie.

<forms slidingExpiration="true">
    Specifies that sliding expiration is enabled.

<forms timeout="30">
    Time-out in minutes. 30 minutes is the default.

<identity impersonate="false">
    Impersonation is disabled by default.

<identity userName="">
    Empty.

<identity password="">
    Empty.

<passport redirectUrl="internal">
    If you set the mode to Passport, and if the requested page requires authentication (anonymous users are denied access) but the user has not logged on with Passport, then the user will be redirected to this URL.

<trustLevel name="Full" policyFile="internal"/>
    Default policy file for Full trust level.

<trustLevel name="High" policyFile="web_hightrust.config"/>
    Default policy file for High trust level.

<trustLevel name="Medium" policyFile="web_mediumtrust.config"/>
    Default policy file for Medium trust level.

<trustLevel name="Low" policyFile="web_lowtrust.config"/>
    Default policy file for Low trust level.

<trustLevel name="Minimal" policyFile="web_minimaltrust.config"/>
    Default policy file for Minimal trust level.

<user name="">
    Empty.

<user password="">
    Empty.

There are three major subsections to the security section of a Web.config file: authentication, authorization, and identity. The values for each of the security elements are usually set by overriding a section of the computer-level configuration file with a similar section in an application configuration file placed in the application root directory. All subdirectories automatically inherit those settings. However, subdirectories can have their own configuration files that override the inherited settings.

Note

ASP.NET configuration applies only to ASP.NET resources (those registered to be handled by Aspnet_isapi.dll). Unfortunately, ASP.NET configuration cannot provide authorization for non-Aspnet_isapi.dll resources, so TXT, HTML, GIF, JPEG, ASP, and other types of files are still accessible by all users, subject to IIS permissions. For example, although the ASP.NET resources in a directory might be restricted by a Web.config file, all users can still view the files located in that directory if directory browsing is turned on and no other restrictions are in place.

You can avoid this situation by explicitly mapping such files, but not directories, to Aspnet_isapi.dll using the IIS administration tool. However, there could be a performance impact if you do this.

You can use the <location></location> tags to specify a particular file or directory to which settings should apply. For more information about how to use the <location> tag, see Configuration <location> Settings in ASP.NET and <location> Element.
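As an added example (not part of the original documentation), the following Web.config puts the security elements described above together and uses <location> to override the inherited rules for two subdirectories without a second Web.config. Login.aspx, the Public and Admin folders, and the Admins role are assumed names.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example, not from the original documentation. Login.aspx, the
     Public and Admin folders and the Admins role are assumed names. -->
<configuration>
  <system.web>
    <!-- Forms authentication applies to the whole application; the mode
         can only be set in the application root Web.config. -->
    <authentication mode="Forms">
      <forms name=".MYAPPAUTH"
             loginUrl="Login.aspx"
             protection="All"
             requireSSL="true"
             timeout="20"
             slidingExpiration="false"
             path="/" />
    </authentication>
    <!-- Rules are checked top to bottom and the first match wins. "?" is
         the anonymous user, "*" is every user. The machine-level default
         <allow users="*"/> is inherited after these rules, so anonymous
         access must be denied explicitly. -->
    <authorization>
      <deny users="?" />
      <allow users="*" />
    </authorization>
    <!-- Requests run as the worker process account, not the caller. -->
    <identity impersonate="false" />
    <!-- Partial trust restricts what the application code may do. -->
    <trust level="Medium" originUrl="" />
  </system.web>
  <!-- <location> overrides a subdirectory without a second Web.config.
       Public stays open to anonymous users (for the login page's assets). -->
  <location path="Public">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
  <!-- Admin is restricted to one role; every other authenticated user is
       denied by the second rule before the inherited allow is reached. -->
  <location path="Admin">
    <system.web>
      <authorization>
        <allow roles="Admins" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

Remember the note above: these rules protect only resources mapped to Aspnet_isapi.dll, so static files in Admin remain subject to IIS permissions alone unless their extensions are also mapped.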