ASP.NET Security Architecture

This section provides an overview of the ASP.NET security infrastructure. The following illustration shows the relationships among the security systems in ASP.NET.

ASP.NET architecture


As the illustration shows, all Web clients communicate with ASP.NET applications through Microsoft Internet Information Services (IIS). IIS authenticates the request if required and then locates the requested resource (such as an ASP.NET application). If the client is authorized, the resource is made available.

When an ASP.NET application is running, it can use built-in ASP.NET security features. In addition, an ASP.NET application can use the security features of the .NET Framework. For more information, see Key Security Concepts.

Integrating ASP.NET Authentication with IIS

In addition to relying on the authentication capabilities of IIS, you can perform authentication in ASP.NET. When considering ASP.NET authentication, you should understand the interaction with IIS authentication services.

IIS assumes that a set of credentials maps to a Microsoft Windows NT account and that it should use those credentials to authenticate a user. There are three different kinds of authentication available in IIS 5.0 and IIS 6.0: basic, digest, and Windows Integrated Security (NTLM or Kerberos). You can select the type of authentication to use in IIS administrative services. For more information on IIS authentication, see the IIS documentation.

If users request a URL that maps to an ASP.NET application, the request and authentication information are handed off to the application. ASP.NET provides forms authentication. Forms authentication is a system by which unauthenticated requests are redirected to an ASP.NET Web page that you create. The user provides credentials and submits the page. If your application authenticates the request, the system issues an authentication ticket in a cookie that contains the credentials or a key for reacquiring the identity. Subsequent requests include an authentication ticket with the request.


ASP.NET membership and ASP.NET login controls implicitly work with forms authentication.

ASP.NET Configuration File Security Settings

ASP.NET security settings are configured in the Machine.config and Web.config files. As with other configuration information, base settings and default settings are established in the Machine.config file in the Config subdirectory of the current .NET Framework installation. You can establish site-specific and application-specific settings (including overriding settings from the Machine.config file) in Web.config files in the Web site root and application root directories. Subdirectories inherit a directory's settings unless overridden by a Web.config file in the subdirectory. To see an example of the way in which the hierarchical configuration system works for security, see configSections Element (General Settings Schema).

There are three major subsections to a Web.config file: the authentication, authorization, and identity sections. The values for each security element are usually set in the Machine.config file and overridden as required in the application-level Web.config file. All subdirectories automatically inherit those settings. However, subdirectories can have their own configuration files that override inherited settings.


ASP.NET configuration applies only to ASP.NET resources, namely those registered to be handled in IIS by the Aspnet_isapi.dll extension. ASP.NET configuration cannot provide authorization for resources not processed by ASP.NET. Therefore, .txt, .htm, .html, .gif, .jpg, .jpeg, .asp, and other types of files are accessible by all users (subject to IIS permissions). For example, even though the ASP.NET resources in a directory might be restricted by a Web.config file, all users can still view the files located in that directory if directory browsing is turned on and no other restrictions are in place. You can put these types of files under ASP.NET security by explicitly mapping such file name extensions to the Aspnet_isapi.dll extension using the IIS administration tool. However, processing these types of files through ASP.NET can affect the performance of the Web site. For more information about how to secure files in a folder, see How to: Configure Specific Directories Using Location Settings.

You can use the location configuration element to specify a particular file or directory to which settings should apply. For more information, see configSections Element (General Settings Schema) and Configuring Specific Files and Subdirectories. For more details about ASP.NET configuration in general, see ASP.NET Configuration Overview.

The following example shows the syntax of the security sections of a configuration file:

<authentication mode="[Windows|Forms| None]">
  <forms name="name" 
    path="path" timeout="minutes"
    <credentials passwordFormat="[Clear|MD5|SHA1]">
      <user name="********" 

  <allow users="comma-separated list of users"
      roles="comma-separated list of roles" />
  <deny  users="comma-separated list of users"
      roles="comma-separated list of roles" />

<identity impersonate ="[true|false]"
  password="password" />

<trust level="[Full|High|Medium|Low|Minimal]" 

  <trustLevel name="Full" policyFile="internal"/>
  <trustLevel name="High" policyFile="web_hightrust.config"/>
  <trustLevel name="Medium" policyFile="web_mediumtrust.config"/>
  <trustLevel name="Low"  policyFile="web_lowtrust.config"/>
  <trustLevel name="Minimal" policyFile="web_minimaltrust.config"/>

The default settings for these elements are shown in the following table.

Default value


<allow roles="" />

An empty string indicating that all roles are allowed by default.

<allow users="*" />

An empty string indicating that all users are allowed access (no authentication is required).

<authentication mode="Windows" />

The authentication type that determines the source of the current User value. The default is Windows.

<credentials passwordFormat="SHA1" />

The hashing algorithm used on passwords. The default is SHA1.

<deny roles="" />

An empty string indicating that no roles are denied by default.

<deny users="" />

An empty string indicating that no users are denied by default.

<forms loginUrl="logon.aspx" />

The URL to which the request is directed if you set the authentication mode to Forms and if the request does not have a valid authentication ticket.

<forms name=".ASPXAUTH" />

The name under which the forms authentication cookie is stored on the user's computer.

<forms path="/" />

The path to which forms authentication applies. The default is all paths from the application root down.

<forms protection="All" />

The security applied to the forms authentication ticket. Values include: All, None, Encryption, and Validation.

<forms timeout="30" />

The timeout in minutes before the forms authentication ticket expires and users must re-authenticate.

<forms requireSSL="false" />

A Boolean value indicating whether an SSL connection is required to transmit the authentication cookie.

<forms slidingExpiration="true" />

A Boolean value indicating whether sliding expiration is enabled. For more information, see the SlidingExpiration property.

<identity impersonate="false" />

A Boolean value indicating whether impersonation is disabled. For more information, see ASP.NET Impersonation.

<identity userName="" />

An empty string indicating that no user identity is specified by default.

<identity password="" />

An empty string indicating that no password for the user identity is specified by default.

<trust level="Full" originUrl="" />

The security policy that will be applied to the application.

<trustLevel name="Full" policyFile="internal"/>

The default policy file for Full trust level.

<trustLevel name="High" policyFile="web_hightrust.config"/>

The default policy file for High trust level.

<trustLevel name="Medium" policyFile="web_mediumtrust.config"/>

The default policy file for Medium trust level.

<trustLevel name="Low" policyFile="web_lowtrust.config"/>

The default policy file for Low trust level.

<trustLevel name="Minimal" policyFile="web_minimaltrust.config"/>

The default policy file for Minimal trust level.

See Also


ASP.NET Configuration Overview

Other Resources

Securing ASP.NET Web Sites

Key Security Concepts

Forms Authentication Provider