Describe how the ASP.NET authentication process works
ASP.NET runs inside the IIS process, so there are two authentication layers in the system.
The first authentication happens at the IIS level and the second at the ASP.NET level, according to the Web.config file.
Working:
First, IIS checks that the incoming request comes from an IP address that is permitted to access the site.
Otherwise the request is rejected.
By default IIS allows anonymous access, so requests are automatically treated as authenticated.
However, if this default is changed, IIS also performs its own user authentication.
When a request from an authenticated user is passed to ASP.NET, ASP.NET checks whether impersonation is enabled. If it is, ASP.NET acts as the authenticated user; otherwise it acts under its own configured account.
Finally, OS resources are requested under the identity obtained in the previous step.
The user is granted the resources if the authentication is successful; otherwise the resources are denied.
Resources can include the ASP.NET page itself; code access security features extend the authorization step to disk files, registry keys, etc.
What is the difference between Web.config and Machine.config?
Web.config and Machine.config are both configuration files. Web.config contains settings specific to an application, whereas Machine.config contains settings for the whole computer. The configuration system first reads settings from the Machine.config file and then looks in the application configuration files. Web.config files can appear in multiple directories on an ASP.NET Web application server. Each Web.config file applies its configuration settings to its own directory and all child directories below it. There is only one Machine.config file on a web server.
What is Web.config?
In classic ASP, all Web site related information was stored in the metadata of IIS. This had the disadvantage that remote Web developers couldn't easily make Web site configuration changes. For example, if you want to add a custom 404 error page, a setting needs to be made through the IIS admin tool, and your Web host will likely charge you a flat fee to do this for you. With ASP.NET, however, these settings are moved into an XML-formatted text file (Web.config) that resides in the Web site's root directory. Through Web.config you can specify settings like custom 404 error pages, authentication and authorization settings for the Web site, compilation options for the ASP.NET Web pages, whether tracing should be enabled, etc.
The Web.config file is an XML-formatted file. At the root level is the <configuration> tag. Inside this tag you can add a number of other tags, the most common and useful one being the system.web tag, where you will specify most of the Web site configuration parameters. However, to specify application-wide settings you use the <appSettings> tag.
For example, if we wanted to add a database connection string parameter we could have a Web.config file like so.
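The following Web.config is an added example, not taken from the original page. It combines the application-wide settings tag with the system.web settings that drive the ASP.NET half of the authentication process described earlier. The key name, server, database, error page, directory and role names are constructed placeholders.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <!-- Application-wide settings. Key name and value are constructed placeholders. -->
  <appSettings>
    <!-- Integrated Security keeps a database password out of this file. -->
    <add key="ConnectionString"
         value="Data Source=DBSERVER.example;Initial Catalog=ExampleDb;Integrated Security=SSPI" />
  </appSettings>

  <system.web>
    <!-- Second layer: ASP.NET accepts the Windows identity established by IIS.
         If IIS still allows anonymous access, that identity is the anonymous account. -->
    <authentication mode="Windows" />

    <!-- Impersonation on: OS resources (files, registry keys) are requested as the
         authenticated user. With impersonate="false" the application's own
         configured account is used instead. -->
    <identity impersonate="true" />

    <!-- Rules are evaluated top down: reject anonymous users (?), then allow the rest (*). -->
    <authorization>
      <deny users="?" />
      <allow users="*" />
    </authorization>

    <!-- Custom 404 page; detailed error output is shown to local requests only. -->
    <customErrors mode="RemoteOnly">
      <error statusCode="404" redirect="~/NotFound.aspx" />
    </customErrors>

    <!-- Tracing exposes request details, so it stays off outside development. -->
    <trace enabled="false" />
  </system.web>

  <!-- Tighter rules for one child directory; a Web.config placed inside that
       directory would have the same effect. Directory and role are hypothetical. -->
  <location path="admin">
    <system.web>
      <authorization>
        <allow roles="EXAMPLEDOMAIN\WebAdmins" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```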