Building Secure Web Applications in .NET
1 Introduction
Secure communication is an integral part of securing any application: it protects sensitive data, including credentials, passed to and from the application and between application tiers. Authentication and authorization are needed because, when applied properly, they eliminate a high percentage of application vulnerabilities. To build effective application-level authentication and authorization, one needs to understand which specific technology is appropriate for a given scenario so as to provide an effective, in-depth security strategy. To use this guide to design and build secure .NET web applications, one should have familiarity and experience with .NET development techniques and technologies.
2 Scope
This white paper focuses on:
• Authentication (identifying the clients of your application)
• Authorization (defining the access controls on the resources that your clients request)
• How to make your web application secure (a sample code example with all required settings)
3 Goals
This document is not targeted at beginners (it is not an introduction to security), nor is it a security reference for the .NET Framework. It presents a scenario-based approach to sharing techniques gleaned from the field.
This document is designed to show how to:
• Raise the security bar for your application
• Perform authentication
• Perform authorization
4 Key Terminology
• Authentication: Identifying the clients of a web application. Here, clients refers to end users, services (e.g. Windows services), processes or computers (internal or external to the server).
• Authorization: Defining what authenticated clients are allowed to see and do within the application.
• Secure communications: Ensuring that a message remains private and contents remain unaltered.
• Impersonation: The server uses the client’s security context to access resources.
• Identity: A service or user that can be uniquely identified by its name (e.g. the user name, or the machine name from which the request originates).
5 ASP.NET Security Architecture
To provide authentication and authorization, ASP.NET works in conjunction with IIS, the .NET Framework and the security features provided by the operating system. Refer to the sketch below.
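The following web.config fragment is added here as an illustration and is not taken from this paper. It shows how the terms defined in section 4 map onto the IIS/ASP.NET/operating-system layering described in section 5 using the classic ASP.NET (System.Web) configuration elements: the `authentication` element establishes the client's identity, the `authorization` elements restrict what that identity may access, and `identity impersonate` makes ASP.NET use the client's security context when touching operating-system resources. The `Admin` path and the `MYDOMAIN\AppAdmins` role are assumed placeholder values.

```xml
<?xml version="1.0"?>
<configuration>
  <system.web>
    <!-- Authentication: IIS performs Integrated Windows authentication and
         hands the resulting WindowsIdentity to ASP.NET. -->
    <authentication mode="Windows" />

    <!-- Authorization (site-wide): "?" denotes anonymous users, so every
         request must carry an authenticated identity to reach the application. -->
    <authorization>
      <deny users="?" />
    </authorization>

    <!-- Impersonation: ASP.NET executes the request under the client's
         security context, so file and database ACLs on the server are
         evaluated against the caller rather than the worker-process account. -->
    <identity impersonate="true" />
  </system.web>

  <!-- Authorization (per resource): only members of the placeholder role
       may reach the Admin folder; everyone else, authenticated or not,
       is denied. Rules are evaluated top to bottom and the first match wins,
       so the closing deny users="*" is the catch-all. -->
  <location path="Admin">
    <system.web>
      <authorization>
        <allow roles="MYDOMAIN\AppAdmins" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

For `mode="Windows"` to yield an identity, Integrated Windows authentication must also be enabled (and anonymous access disabled) on the site in IIS; ASP.NET's `deny users="?"` is the second line of defence, not a substitute for that IIS setting.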