ASP.NET Question/Answer Set-2

Saturday 4 June 2011

2.1 Describe the security authentication flow and process in ASP.NET? 

When a user requests a web page, a security process also runs, so that every anonymous user is checked for authentication before gaining access to the page. The following steps occur in sequence when a client attempts a page request:

* A .aspx web page residing on an IIS web server is requested by an end user
* IIS checks for the user's credentials
* Authentication is done by IIS. If authenticated, a token is passed to the ASP.NET worker process along with the request
* Based on the authentication token from IIS, and on the web.config settings for the requested resource, ASP.NET impersonates the end user to the request thread. For impersonation, the web.config impersonate attribute's value is checked.

2.2 What is the Website Administrative Tool in ASP.NET 2.0?

In ASP.NET 2.0, when using Visual Studio 2005 Express Edition or above, the development IDE provides an interface for editing the web.config, so the file does not have to be edited manually.

In the IDE, click on "Website" and then on "ASP.NET Configuration". This shall open the Website configuration tool. Note that the Web Site Administration Tool is a set of prebuilt ASP.NET 2.0 webpages and resources that are located within the C:\Inetpub\wwwroot\aspnet_webadmin\2_0_40607 directory. 


2.3 What is Authentication? What are the different types of Authentication? 

In a client-server environment, there are plenty of cases where the server has to interact and identify the client that sends a request to the server. Authentication is the process of determining and confirming the identity of the client. 

If a client is not successfully identified, it is said to be anonymous.

Types of Authentication

* Windows Authentication
* Forms Authentication
* Passport Authentication

Essentially, Windows Authentication and Forms Authentication are the widely used ones, as Passport Authentication is related to only a few websites (like microsoft.com, hotmail.com, msn.com etc.).

Windows Authentication is implemented mostly in intranet scenarios. When a browser (client) sends a request to a server on which Windows Authentication has been implemented, the initial request is anonymous in nature. The server sends back a response with a message in the HTTP header. This prompts the browser to display a modal dialog box, where the end user may enter the "User name" and "Password".

The end user enters the credentials, which are then validated against the User Store on the Windows server. Note that each user who accesses the Web Application in a Windows Authentication environment needs to have a Windows Account in the company network.


2.4 How to avoid or disable the modal dialog box in a Windows Authentication environment? 


By enabling the Windows Integrated Authentication checkbox for the web application through settings in IIS. 

Forms Authentication is used in Internet-based scenarios, where it's not practical to provide a Windows-based account on the Web Server to each and every user. In a Forms Authentication environment, the user enters credentials, usually a User Name and a corresponding Password, which are validated against a User Information Store, ideally a database table.

The Forms Authentication Ticket is the cookie stored on the user's computer when a user is authenticated. This helps in automatically logging in a user when he/she re-visits the website. Once a Forms Authentication Ticket has been created, the ticket information is sent to the Web Server along with the HTTP Request whenever the user re-visits the website.
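
How the ticket cookie described above is configured in web.config, as an added example that is not from the original post. The cookie name, login page and timeout value are assumptions:

```xml
<?xml version="1.0"?>
<configuration>
  <system.web>
    <authentication mode="Forms">
      <!--
        name              : cookie that carries the ticket (assumed value)
        loginUrl          : page unauthenticated users are redirected to
                            (assumed page)
        protection="All"  : the ticket is encrypted and integrity-checked, so
                            the client cannot read or alter the user name in it
        requireSSL="true" : the cookie is sent over HTTPS only, so the ticket
                            is not exposed on plain HTTP requests
        timeout           : ticket lifetime in minutes (assumed value)
        slidingExpiration="false" : the lifetime is fixed at login instead of
                            being renewed by activity
        cookieless="UseCookies"   : the ticket is never placed in the URL,
                            where it would leak through logs, bookmarks and
                            Referer headers
      -->
      <forms name=".ASPXAUTH"
             loginUrl="~/Login.aspx"
             protection="All"
             requireSSL="true"
             timeout="20"
             slidingExpiration="false"
             cookieless="UseCookies"
             path="/" />
    </authentication>
  </system.web>
</configuration>
```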


2.5 What is Authorization in ASP.NET? 


Authorization, in simple words, means "which user can access which resource on a web server". Authentication of users may be set in the web.config file. See web.config snippet below...

Based on the user and the role, access to different folders across the website may be controlled using the authorization feature of ASP.NET.
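
The snippet referred to above is not present on the page. The following web.config is an added example, not the author's, showing folder-level authorization by user and role. The folder names Admin and Styles and the role name Administrators are assumptions:

```xml
<?xml version="1.0"?>
<configuration>
  <system.web>
    <!-- Site-wide rule: "?" means anonymous users, so every page
         requires an authenticated user. -->
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>

  <!-- Folder-level rule for the assumed Admin folder. Rules are read top to
       bottom and the first match wins, so the allow must come before the
       deny ("*" means all users). Two common mistakes:
         * deny first  : everyone, administrators included, is locked out
         * no deny     : users outside the role fall through to the inherited
                         machine-level allow users="*" and get in -->
  <location path="Admin">
    <system.web>
      <authorization>
        <allow roles="Administrators" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>

  <!-- Assumed Styles folder: opened to everyone so the login page can load
       its style sheets before the user has authenticated. -->
  <location path="Styles">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```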


2.6 What is IIS Metabase? How to edit IIS metabase? How to backup IIS metabase file? 

IIS Metabase - sounds like geek stuff, right? What is the IIS Metabase? In the simplest words, the IIS metabase is the repository of the configuration values that are set in the Internet Information Server (IIS). The IIS metabase is an XML file. It may be edited programmatically or manually.

In order to edit IIS metabase entries, the user needs to have administrative rights on the system. To do this, open the Run window and type "inetmgr". Browse to "Local Computer" and right click it. Click on "Properties". Select the "Enable Direct Metabase Edit" check box.

Many times, due to the existence of multiple versions of the .NET framework, some settings in the IIS metabase may get affected and cause your program not to run. For such scenarios, you may take a backup of the IIS metabase XML file and recover it. To create a portable backup, open the Run window and type "inetmgr". Next, browse to "Local Computer" and go to "All Tasks". Next, click on Backup/Restore Configuration. Next, click on "Create Backup". In the text box for Configuration Backup name, type a name for your backup file. Also select the encrypt backup option and type a password. To finish the process, click "OK".

Search for Metabase.xml file on your IIS Web Server.


2.7 What is mixed mode authentication in ASP.NET? 

Mixed mode authentication lets an ASP.NET web application offer both Forms Authentication and Windows Authentication to the end user.

In such a web application, the website user is identified based on whether the user is accessing the site from within the local domain or an external domain. When the user is from within the domain, Windows Authentication is applied and thus, the user can be configured to have higher authorization rights. The users logging into the web application from an external domain access the site using Forms authentication. 

But this is tricky! For such an application to work, two virtual directories need to be set up for the web application in IIS. This is because an ASP.NET web application cannot be set to two different authentication modes.

So if someone asks "Can an ASP.NET application support 2 authentication modes at the same time?", the answer is TECHNICALLY NO, but there is a workaround. There are always workarounds for everything in ASP.NET; it's so powerful!

The Windows Authentication site's authentication information is basically used to get information about the intranet users, and this is passed to the web application for Forms Authentication. In such a scenario, the Windows Authentication information from the Windows Authentication site in IIS is passed to Forms Authentication, and thus the user role is verified.

Copyright © 2010 All Question Papers Blogger Template by Dzignine