Authentication

Authentication is the process of ensuring that clients are who they claim to be. Authentication is accomplished using credentials, or some form of identification. The requesting client presents the credentials to IIS and the ASP.NET application, usually in the form of a username and password.

The credentials are validated against some authority. Depending on how authentication is configured, that authority might be Windows 2000/XP/2003 security, or it might be a store of names, passwords, and rights maintained in a configuration file such as web.config, a relational database such as SQL Server, or an XML file.

Authentication is not required. If no authentication is performed, then the client will be an anonymous user. By default, all web sites allow anonymous access. However, if you need to restrict access to any part of the web site, authentication is a necessary step.

If the system cannot identify a user based on the credentials presented and if anonymous users are disallowed, then access will be denied. If the system can identify the user, then that user will be considered an authenticated identity and allowed to proceed on to authorization. Sometimes the identity is known as a principal.

Authentication is provided through code modules called authentication providers. Authentication providers are enabled using the ASP.NET configuration files, either machine.config or the copy of web.config in the application virtual root directory. (For a complete description ...
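As an illustration of the configuration described above, the following web.config enables the Forms authentication provider, leaves the site open to anonymous users, and restricts one subdirectory to authenticated identities. It is an added example, not taken from the book; the Login.aspx page and the Admin directory are assumed names.

```xml
<?xml version="1.0"?>
<!-- Added example: web.config placed in the application virtual root. -->
<configuration>
  <system.web>
    <!-- Selects the authentication provider: Windows, Forms, Passport, or None. -->
    <authentication mode="Forms">
      <!-- Login.aspx is an assumed page name. requireSSL keeps the
           authentication cookie off unencrypted connections. -->
      <forms loginUrl="Login.aspx" protection="All" timeout="30" requireSSL="true" />
    </authentication>

    <!-- Site-wide default: every user, including anonymous ones, is allowed. -->
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>

  <!-- Admin is an assumed directory name. "?" stands for anonymous users,
       so unauthenticated requests under this path are denied and sent
       to the login page. -->
  <location path="Admin">
    <system.web>
      <authorization>
        <deny users="?" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

Authorization rules are evaluated in order and the first match wins, so a deny rule must come before any broader allow rule within the same authorization element.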
