Authentication in ASP.NET Applications
There are three main types of authentication in ASP.NET:
- Windows authentication
- Forms authentication
- Passport authentication
Users who are not authenticated are known as anonymous users.
Windows Authentication
Windows Authentication validates callers against Windows user accounts. Every valid caller must have a Windows user account on the server or in the Web server's domain. IIS performs the actual user authentication and then makes the caller's identity available to ASP.NET. Windows Authentication lets you use the operating system's built-in security mechanisms to protect files and other resources. The Web application can impersonate a caller by temporarily assuming the caller's identity; this prevents requests from accessing resources that the caller does not have permission to access. Windows Authentication is typically used for intranets whose employees log in locally or remotely.
Forms Authentication
Forms Authentication relies on login forms in Web pages to authenticate users against user names and passwords that are stored in a database such as SQL Server or in Active Directory. User names and passwords can also be stored in a web.config file, but it is not practical to store thousands of names and passwords this way. Forms Authentication does not require users to have Windows accounts. The .NET Help file describes Forms Authentication this way:
A system by which unauthenticated requests are redirected to an HTML form using HTTP client-side redirection. The user provides credentials and submits the form. If the application authenticates the request, the system issues a form that contains the credentials or a key for reacquiring the identity. Subsequent requests are issued with the form in the request headers; they are authenticated and authorized by an ASP.NET handler using whatever validation method the application developer specifies.
Forms Authentication is typically used for sites that serve the general public but still need to know the identity of a user before allowing access to certain pages.
Passport Authentication
Passport Authentication uses Microsoft Passport to authenticate callers. Passport is a Microsoft Web Service that accesses a large database of user names and passwords maintained by Microsoft. When a user is authenticated, Passport returns an authentication ticket that can be encoded in a cookie. Passport Authentication can be useful when you need single-logon capabilities across multiple domains. In reality, many companies do not use Passport Authentication because they don't trust a high-profile hacker target such as Microsoft to store their user names and passwords (I'm surprised Microsoft hasn't figured this out yet).
Turning Off Authentication
If all areas of your Web application are completely open to the general public and you don't need to know the identity of visitors, you can turn off authentication completely, as described in the next section.
Specifying the Type of Authentication to Use
The ASP.NET machine.config file specifies the default authentication used for all Web applications on your server. The default mode is Windows Authentication. You can change this setting at the machine level, or override this setting for a particular Web application by changing the application's web.config file. For example:

```xml
<configuration>
  <system.web>
    <authentication mode="Forms" />
  </system.web>
</configuration>
```

Here are the valid authentication settings:
- Windows
- Forms
- Passport
- None (empty string)
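The `mode="Forms"` setting above only switches Forms Authentication on; by itself it neither forces anyone to log in nor protects the ticket cookie. The following web.config is an added example (not from the original page) showing the `<forms>`, `<authorization>` and `<location>` elements that complete such a setup; the login page path and cookie name are hypothetical placeholders.

```xml
<?xml version="1.0"?>
<!-- Added example: a Forms Authentication web.config for a site that must
     know who the user is. Paths and the cookie name are placeholders. -->
<configuration>
  <system.web>
    <authentication mode="Forms">
      <!-- protection="All": the ticket is both encrypted and signed.
           requireSSL="true": the browser sends the cookie only over HTTPS.
           cookieless="UseCookies": never carry the ticket in the URL,
           where it would end up in logs, referers and bookmarks.
           timeout is in minutes; a fixed (non-sliding) expiry bounds how
           long a stolen ticket stays valid. -->
      <forms loginUrl="~/Account/Login.aspx"
             name=".EXAMPLEAUTH"
             protection="All"
             requireSSL="true"
             cookieless="UseCookies"
             timeout="20"
             slidingExpiration="false" />
    </authentication>

    <!-- Deny anonymous users ("?") everywhere by default. Without this
         element, turning Forms Authentication on still leaves every page
         reachable without a login. -->
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>

  <!-- Re-open only what the public must reach, such as the login page
       itself; everything else stays behind the deny rule above. -->
  <location path="Account/Login.aspx">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

Any page not covered by an `<allow>` rule in a `<location>` element is redirected to `loginUrl` until the caller presents a valid ticket.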
© 2026 Oak Leaf Enterprises, Inc., 1996-2026 • Updated: 02/12/26