Authentication VS. Authorization | Asp.Net

Authentication and authorization are two essential concepts in ASP.NET and play distinct roles in the security of an application.


Authentication refers to the process of verifying the identity of a user or entity. It ensures that the user is who they claim to be. In ASP.NET, authentication is typically performed by validating credentials, such as a username and password, provided by the user. The authentication process establishes the identity of the user, allowing them to access protected resources or perform certain actions within the application.

What is ASP.Net Authentication

ASP.Net Authentication

The ASP.NET authentication scheme that is used to identify users who view an ASP.NET application. An application has two separate authentication levels because all requests coming through IIS before it handled by ASP.NET. After IIS authentication schemes ASP.NET implements additional authentication schemes. They are :

  1. Windows Authentication
  2. Forms Authentication
  3. Passport Authentication

The mode attribute specifies the authentication scheme.

<authentication mode="[Windows|Forms|Passport|None]" >

None Authentication

You can specify "None" as the authentication provider when requests are not authenticated at all or if you plan to develop custom authentication code.

When you need "None" authentication, use the following Web.config configuration:

<system.web> <authentication mode="None" /> </system.web>


What is ASP.Net Authorization

Authorization, on the other hand, deals with granting or denying access to specific resources or functionality based on the authenticated user's privileges. Once a user's identity is established through authentication, authorization determines what the user is allowed to do within the application. It involves checking whether the authenticated user has the necessary permissions or roles to access certain pages, perform specific operations, or view confidential data. Authorization helps ensure that users can only access the resources they are entitled to based on their assigned roles or privileges.

Asp.Net Authorization

ASP.NET allows two ways to authorize access to a given resources, they are URL authorization and File authorization

URL authorization

URL authorization maps users and roles to URLs in ASP.NET applications

File authorization

File authorization validate the ACL (access control list) of the .aspx or .asmx handler file to determine whether a user should have access to the file.

How to implement Authorization ?

The following example shows a sample implementation of Authorization logic in web.config file.

<authorization> <allow roles="Administrators" /> <deny users="*" /> </authorization>


Authentication focuses on verifying the identity of users, while authorization controls access to resources based on the authenticated user's permissions. Both authentication and authorization are crucial components of a secure ASP.NET application, working together to protect sensitive data and restrict unauthorized access.