ASP.NET authentication: Three new options for Web services

Web developers migrating to ASP.NET are about to find themselves faced with new authentication options available for use in Web services. These tools offer greatly enhanced functionality over prior authentication mechanisms and allow you to seamlessly integrate the appropriate level of security into your applications.

Let's take a brief look at each of the three authentication modes supported by ASP.NET.

• Forms Authentication is the most popular (and most flexible) authentication technique. It replaces the common login form manually coded by many developers with an easy-to-use implementation available within the .NET framework. When an unauthenticated user requests a protected resource, IIS redirects him to a login page requiring a valid username and password. After successful authentication, IIS returns a cookie with reusable login credentials to the user's browser. Future requests are made with the assistance of this cookie. Re-authentication is not required until the cookie expires at a time set by the developer.

• Read the SearchSecurity.com Tip Security issues with Web services.
• Learn how XML firewalls protect Web services better than other firewalls.
• Learn more about designing trust into Web services at Information Security Decisions April 19-21 in New York City.

• Windows Authentication is familiar to IIS Web developers who worked with older versions of Visual Studio. It allows users with a Windows account to authenticate to the server using IIS' standard authentication techniques:
  • Basic authentication transmits usernames and passwords "in the clear" without any authentication.
  • Digest authentication uses nonce-based encryption to secure the username/password exchange.
  • Integrated Windows authentication provides additional security through the use of Kerberos or NT Challenge/Response authentication.

• Passport Authentication allows users of Microsoft's Passport service to use their existing .NET Passport credentials to authenticate to your site. This technique is mainly used by extremely large-scale Web sites, such as Microsoft's own MSN network, the USA Today Web site and e-Bay.

So which authentication mechanism is right for you? It depends upon your needs. If you're building a public Web application that will see large-scale use, you'll probably find Forms Authentication the most flexible and appropriate technique. Windows Authentication offers a viable alternative when users already possess a domain account. This makes it an ideal choice for intranet applications and minimizes the number of times users must provide their authentication credentials during a single session. Microsoft's Passport is a great idea in theory, but it's unlikely that you'll find it useful enough to justify the $10,000 annual licensing fee charged by Microsoft.

About the author
Mike Chapple, CISSP, currently serves as Chief Information Officer of the Brand Institute, a Miami-based marketing consultancy. He previously worked as an information security researcher for the U.S. National Security Agency. His publishing credits include the TICSA Training Guide from Que Publishing, the CISSP Study Guide from Sybex and the upcoming SANS GSEC Prep Guide from John Wiley. He's also the About.com Guide to Databases.