Authentication is the process of ensuring that clients are who they claim to be. Authentication is accomplished using credentials, or some form of identification. The requesting client presents the credentials to IIS and the ASP.NET application, usually in the form of a username and password.

The credentials are validated against some authority. Depending on how authentication is configured, that authority might be Windows security, or it might be a store of names, passwords, and rights maintained in a configuration file such as web.config, a relational database such as SQL Server (preferably), your Active Directory, or an XML file.

Authentication is not required. If no authentication is performed, the client will be an anonymous user. By default, all websites allow anonymous access. However, if you need to restrict access to any part of the website, authentication is a necessary step.

If the system cannot identify a user based on the credentials presented and if anonymous users are disallowed, access will be denied. If the system can identify the user, that user will be considered an authenticated identity and will be allowed to proceed to authorization. Sometimes the identity is known as a principal.

In ASP.NET, authentication is provided through code modules called authentication providers. Once installed, authentication providers are enabled using the ASP.NET configuration files, either machine.config or the copy of web.config in the application virtual root directory. ...