Conclusion

There are three layers of security wrapped around ASP.NET applications: the IIS layer, the ASP.NET worker process layer, and the application layer. As a developer, you can configure parameters in the first two layers, but you are totally responsible for planning and implementing the third one. Forms authentication is the most reasonable approach to protecting pages from unauthorized access in an Internet-exposed application. The most reasonable approach for an intranet application is integrated Windows authentication. Although it's not perfect, Forms authentication is broadly used because it is simple to understand and functional. In ASP.NET 2.0 and newer versions, Forms authentication is partnered with the membership API.

The membership ...
