How the ASP.NET Authentication Process Works ?

In this article we’ll take a look at how the ASP.NET authentication process works. ASP.NET does not run by itself, it runs inside the process of IIS.

Therefore, there are two authentication layers, which exist in ASP.NET system. First Subscription happens at the IIS level and then ASP.NET level depending on the WEB.CONFIG file.

Below is how the whole process works :

1. IIS first checks to make sure the incoming request comes from an IP address that is allowed access to the domain. If not it denies the request.
2. Next IIS performs it’s own user authentication if it is configured to do so. By default IIS allows anonymous access, so requests are automatically authenticated, but you can change this default on a per-application basis within IIS.
3. If the user request is passed to ASP.NET with an authenticated user, ASP.NET checks to see whether impression is enabled. If impression is enabled, ASP.net acts as through it were the authenticated user. If not ASP.net acts with its own configured account.
 4. Finally, the identity from step 3 is used to request resources from the operating system.

If ASP.net authentication can obtain all the necessary resources it grants the user requests otherwise it is denied. Resources can include much more than just the ASP.net page itself you can also use .NET code access security features to extend this authorization step to disk files, registry keys and other resources.