Configuring Forms-Based Authentication

Forms-based authentication (FBA) is a non-HTTP-based mechanism for authenticating users. Instead of using HTTP headers, users are redirected to a normal HTML page that contains form elements (such as textboxes) where they can enter credentials. Upon submitting the form, back-end .NET code will process the credentials against a pre-configured user store (for example, Active Directory, an XML file or database). If the user is authenticated, a cookie is set that permits access to further pages.

Although IIS Manager offers an option to configure FBA, this feature is still truly an ASP.NET feature, which has been available with the .NET Framework since v1 was released in 2002. All settings are stored in the <system.web> configuration section rather than IIS 8.0's <system.webServer> section. Traditionally, ASP.NET's FBA feature has been used in conjunction with ASP.NET's URL Authorization feature. However, IIS 8.0 contains a native (non-managed) URL Authorization module as well. The native URL Authorization module can be used for requests for all resources (both ASP.NET and other files), whereas the managed .NET URL Authorization module can only be used, by default, when a request is for a .NET resource (similar to how this functionality worked in IIS 5.0 and IIS 6.0)

Although IIS Manager exposes options to configure FBA settings, if you wish to configure ASP.NET authorization rules, you must still edit ASP.NET configuration files. The following ...