Authentication in ASP.NET MVC

Introduction to Authentication

             When you authenticate a user, you are verifying the identity of a user. If you need to verify a user in an MVC application it is  probably because you are building an application that restricts access to specific users. This is completely separate from authorization, which is determining whether a specific person is allowed to do certain action.

There are two authentication mechanisms in MVC :

  •    Forms Authentication 
  •     Windows Authentication  

Forms Authentication 

        Form based authentication is providing an input form where users can enter the username and password with accompanying logic in the application needed to validate those credential. MVC provides a lot of infrastructure support for Forms Authentication. Forms authentication is highly customizable , you can customize everything from the sign in form,  to where the credentials are stored and how those credentials are validated. Forms Authentication in ASP.NET relies on cookies by default. Once the user is signed in to an Application the runtime can issue a cookie on the browser. The browser will then send the cookie  with every subsequent request to the application.  ASP.NET will see the cookie and know that the user is already authenticate and does not need to sign on again.

 Note: word of warning , SSL is required to make Forms authentications secured. If you are running the application over http anybody snooping the network can see the users credentials. 

Windows Authentication 

 Windows Authentication is also known as integrated authentication because user components that built in to the Windows operating system are used to authenticate users . Once a user is logged in to a domain, windows can automatically authenticate them in to application. Windows Authentication is commonly used in Intranet Apps that run inside a company’s firewall  where all of the users are logged in-to a windows domain. It will provide a single sign on experience.They sign on once in a domain and can be authenticate to several intranet apps.

When we choose a Forms Authentication and Windows Authentication? 

  •  If you want to build a public websites then  Forms Authentication is best because  it can be used outside of a windows domain.
  •  If you want to build an Intranet application which runs with windows identity use Windows Authentication.

How is Forms Authentication configure?

First we need to change the configuration in web.config like below 

ww

This bit of configuration tells runtime when we need to authenticate the user redirect the browser /Account/Logon. This Account controller and this Logon view as well as some other view allow me to register on site. These things are provided by default in ASP.NET MVC internet template. Everything needed for the Forms Authentications are along with this template.

Selecting the Forms Authentication template

Open Visual Studio 2010 >> New Project >> Select ASP.NET MVC4 Web Application and Click Ok

view as well as some other view allow me to register on site. These things are provided by default in ASP.NET MVC internet template. Everything needed for the Forms Authentications are along with this template.

Selecting the Forms Authentication template

Open Visual Studio 2010 >> New Project >> Select ASP.NET MVC4 Web Application and Click Ok

2

 And then select Internet Application Template which gives us to everything needed for the Forms Authentication like AccountController, Views etc and then click OK.

3

Authorize

5

The Authorize attribute doesn’t really care about how we authenticate a user. We can use a Form Authentication or Windows Authentication. All authorize cares about that the user does have an identity and we know whom they are and it’s  not  going to let  a anonymous user get in to the Index action. When we going to take an index action without authenticating it automatically redirect to Account/Logonbecause the user has no account in this application. So we need to register for to Logon.

How we are Authenticate with Windows Authentication?

                First we need to change a little bit in the configuration section like below in the web.config file.

6

Then apply the authorize attribute to the index action

5

You can apply authorize filter to an individual action method or to a controller. When you apply a filter to a controller, it works as though you had applied it to every action method in the controller class applied the Authorize filter to the class, so all of the action methods in the Account controller are available only to authenticated users.

                In order for windows integrated authentication works   we need to enable windows authentication in IIS Express else we got the below error and this is the scenario you commonly face in today’s server configuration.

7

 

Server programs’ like Web services and Database services typically have features turn off by default to reduce the attack surface. If we want to become Windows Authentication works we need to turn it on.

Go to Document >> IISExpress >> config >> applicationhost.config file and windows authentication enable to true.

8

9

You can take authentication details like below

10

Hope you are enjoying my article…

 

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s