Archive for the ‘.NET 2.0’ Category

How .NET Web Services work?

February 4th, 2008 admin Comments off

The server-side infrastructure is based on ASP.NET and uses XML serialization. When an HTTP request for a Web service is processed by the Web server, Internet Information Services (IIS) maps the requested extension (.asmx) to the ASP.NET ISAPI extension (aspnet_isapi.dll). The ASP.NET ISAPI extension then forwards the request to the ASP.NET worker process, where it enters the request processing pipeline controlled by the HttpRuntime object.

The request is initially passed to the HttpApplication object, followed by the series of registered HttpModule objects declared in Machine.config beneath <httpModules>, which handle authentication, authorization, caching and other services. This request flow is shown in Figure 1.1.

After the request passes through the HTTP modules in the pipeline, the HttpRuntime identifies that the .asmx extension is registered with the WebServiceHandlerFactory handler factory, which creates an instance of a WebServiceHandler object to process the Web service request.

Figure 1.1 ASP.NET Web Services Architecture and Request Flow

Categories: .NET 2.0 Tags:

.NET Web Services Performance (E-Enabling)

February 4th, 2008 admin Comments off

The growth of applications using the .NET platform has generated an increased emphasis on performance measurement and analysis. Distributed applications, while much more flexible and potentially more scalable than monolithic ones, have characteristics that make it more difficult to achieve these very goals.

The problem arises both in the individual components and in their interactions with one another. Individual application components may include computationally expensive code and bottlenecks that don’t manifest themselves during unit testing, because the functionality is correct. Once separately developed components are integrated into the full application, performance bottlenecks may result from interactions between them.

These problems are especially true of distributed applications utilizing Web services. In the case of traditional components utilizing COM or CORBA, processing tended to be more synchronous, or at least more tightly coupled, which in turn can result in performance more in line with the overall application. In the case of asynchronous and loosely coupled Web services, there could well be significant differences in their ability to provide the performance and scalability required by the application.

Web services adapt the traditional Web programming model for use from all sorts of applications, not just browser-based ones. These applications are loosely coupled and remarkably interoperable because they can be called from any location that is reachable with a URL or URI, and are not limited by the calling conventions of a specific language.

Categories: .NET 2.0 Tags:

Forms Authentication with Data Base

February 4th, 2008 admin Comments off

This post walks through, step by step, how to implement Forms Authentication against a data store such as SQL Server or Oracle for a web application built using VB.NET. For C#, just rewrite the syntax.

Let's take a look at the configuration settings before moving on to coding:

Create a Web Application using VB.NET or C# and make the changes shown below to your web.config file.

Configuration settings in the Web.config file:
In the web.config file, find the <authentication> element and add a child element called <forms> as shown beneath.

Authentication:

<authentication mode="Forms">
<forms loginUrl="login.aspx" name="FORMSAUTHX" path="/" timeout="5" protection="All" requireSSL="false" slidingExpiration="true" />
</authentication>

Authorization:
Within the <authorization> element, add a child element called <allow> as shown beneath.

<authorization>
<allow users="*" />
</authorization>

Configuration in IIS:
For forms-based authentication against a database there is no need to change the IIS settings; the following only shows what the IIS settings look like.
1. In the IIS MMC panel, right-click on your web application's virtual directory.
2. Open the property sheet and select the Directory tab.
3. Click the Edit button on the Directory tab; the default "Anonymous access" option is checked, with the user name IUSR_MachineName. Leave it unchanged.
Note: For Windows authentication or Forms authentication with Active Directory, the above IIS configuration may need to change.
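The coding step the post leaves out, as an added example that is not the post's own code: a login.aspx code-behind (in C#; as the post says, the VB.NET syntax is a direct rewrite) that checks the submitted credentials against a SQL Server table and then issues the forms ticket configured in <forms> above. The Users table, the "AuthDb" connection string and the page controls named in the comments are assumptions.

```csharp
// Added example (not from the original post): login.aspx code-behind that validates
// credentials against SQL Server and then issues the forms authentication ticket.
// Assumed (not on the page): a table Users(UserName, PasswordHash) whose PasswordHash
// column holds the SHA1 hex digest produced by HashPasswordForStoringInConfigFile,
// a connection string named "AuthDb", and the controls txtUser, txtPassword, lblMessage.
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Web.Security;
using System.Web.UI;

public partial class Login : Page
{
    // True only when exactly one row matches both the user name and the hash.
    // The query is parameterised, so the typed user name never becomes SQL text.
    private static bool ValidateUser(string userName, string password)
    {
        // Unsalted SHA1 is what this .NET 2.0 API offers; add a per-user salt if you can.
        string hash = FormsAuthentication.HashPasswordForStoringInConfigFile(password, "SHA1");
        string connStr = ConfigurationManager.ConnectionStrings["AuthDb"].ConnectionString;
        using (SqlConnection conn = new SqlConnection(connStr))
        using (SqlCommand cmd = new SqlCommand(
            "SELECT COUNT(*) FROM Users WHERE UserName = @u AND PasswordHash = @h", conn))
        {
            cmd.Parameters.Add("@u", SqlDbType.NVarChar, 64).Value = userName;
            cmd.Parameters.Add("@h", SqlDbType.Char, 40).Value = hash;
            conn.Open();
            return (int)cmd.ExecuteScalar() == 1;
        }
    }

    protected void btnLogin_Click(object sender, EventArgs e)
    {
        if (ValidateUser(txtUser.Text, txtPassword.Text))
        {
            // Writes the FORMSAUTHX cookie (name, path, timeout and protection come
            // from <forms>) and returns the caller to the page that required login.
            FormsAuthentication.RedirectFromLoginPage(txtUser.Text, false);
        }
        else
        {
            // One message for both unknown user and wrong password.
            lblMessage.Text = "Invalid user name or password.";
        }
    }
}
```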

Categories: .NET 2.0, Microsoft Technologies Tags:

Windows authentication with Impersonation

February 4th, 2008 admin Comments off

This shows how to configure Windows (IIS) authentication and impersonation in the web.config or machine.config file. Configure authentication on a per-application basis in each application's web.config file. Note that authentication changes in machine.config are not required, and they would apply to every web application running on the server.

• #1

<authentication mode="Windows" />
<identity impersonate="true" /> <!-- this enables impersonation -->

The <identity> line makes the ASP.NET application code impersonate the IIS-authenticated caller. By default, impersonation is disabled.

• #2

<authentication mode="Windows" />
<identity impersonate="true" userName="Ibee\UserID" password="UserID@123" />

This enables the entire application to run as “Ibee\UserID”, regardless of the identity of the request, as long as the password is correct.

Please note that the user name and password are stored in clear text in the web.config file. Even though IIS will not transmit web.config in response to a request, it can be read by other means (anyone with file-system access to the server, for instance). This approach is not recommended.

To increase security, the identity credentials can be encrypted and stored in the Windows registry, with the <identity> element pointing at the registry values instead of holding them.

• #3

<identity impersonate="true" userName="registry:HKLM\Software\ASPNetIdentity,Name" password="registry:HKLM\Software\ASPNetIdentity,Password" />

Criteria: the comma is required, and the credentials must be stored in the HKLM hive in REG_BINARY format. To do this, use the Aspnet_setreg executable (available for download), which performs the encryption using the CryptProtectData Windows API function.

How to read the identity value programmatically:

Dim strUserName As String = System.Security.Principal.WindowsIdentity.GetCurrent().Name

Configurable Setting

• Windows ACLs
Configure Windows Access Control Lists on resources accessed by your applications (Files, Folder and so on) against the original caller.

• URL Authorization
Configure URL authorization in the web.config file as shown beneath:

<authorization>
<deny users="Ibee\UserID" />
<allow roles="Ibee\WindowsUserGroup" />
</authorization>

The users attribute takes names in the format DomainName\UserName.
The roles attribute maps to Windows groups.
Rules are evaluated top to bottom and the first match wins, and the default rule inherited from machine.config allows all users, so end the list with <deny users="*" /> if everyone outside the group should be refused.

• Enterprise Level (COM+) Roles
Configure roles with the Component services administration tool or script.

Programmatic or Declarative Setting

• PrincipalPermission Demands

PrincipalPermission objPermChk = new PrincipalPermission(null, @"DomainName\WindowsGroup");
objPermChk.Demand(); // throws SecurityException unless the current principal is in the group

• Explicit Role Check

Explicit role checking in .NET can be performed through the IPrincipal interface, which the request's User object implements.
(e.g.) HttpContext.Current.User.IsInRole(@"Domain\WindowsGroup");

• Enterprise Level (COM+) Roles

Explicit role checking in COM+ can be performed in code through the ContextUtil class.
(e.g.) ContextUtil.IsCallerInRole("RoleName"); RoleName can be, for example, Manager.

Usage scenario:
• Users have Windows accounts that can be authenticated by the server.
• It requires minimal coding.
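The identity lookup, role check and PrincipalPermission demand from this post, brought together in one page as an added example (not the post's own code): it shows which account the request actually executes as with and without <identity impersonate="true"/>, and gates an operation on the Windows group used in the post's <authorization> sample. The page controls named in the comments are assumptions.

```csharp
// Added example (not from the original post): a page that reports which identity
// the request runs under and gates an operation on a Windows group.
// "Ibee\WindowsUserGroup" is the group from the post's <authorization> sample; the
// controls lblIdentities, lblResult and btnRun are assumed to exist in the markup.
using System;
using System.Security;
using System.Security.Permissions;
using System.Security.Principal;
using System.Web.UI;

public partial class AdminPage : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // User.Identity is the IIS-authenticated caller. WindowsIdentity.GetCurrent()
        // is the account the thread executes as: the same caller only when
        // <identity impersonate="true"/> is set, otherwise the worker-process account
        // (or the fixed userName/password identity of config variant #2).
        string caller = User.Identity.Name;
        string thread = WindowsIdentity.GetCurrent().Name;
        bool impersonating = string.Equals(caller, thread, StringComparison.OrdinalIgnoreCase);
        lblIdentities.Text = string.Format("caller={0}; thread={1}; impersonating={2}",
                                           caller, thread, impersonating);
    }

    // Declarative demand: checked against Thread.CurrentPrincipal (which ASP.NET sets
    // to the request's User) before the body runs; SecurityException otherwise.
    [PrincipalPermission(SecurityAction.Demand, Role = @"Ibee\WindowsUserGroup")]
    private static string RunPrivilegedOperation()
    {
        // Any file or registry access here is evaluated against the thread identity,
        // so with impersonation the caller's own ACL rights apply.
        return "privileged work ran as " + WindowsIdentity.GetCurrent().Name;
    }

    protected void btnRun_Click(object sender, EventArgs e)
    {
        // Explicit check first so the page can answer cleanly; the attribute above
        // is the backstop for any other code path that reaches the method.
        if (!User.IsInRole(@"Ibee\WindowsUserGroup"))
        {
            Response.StatusCode = 403;
            return;
        }
        try { lblResult.Text = RunPrivilegedOperation(); }
        catch (SecurityException) { Response.StatusCode = 403; }
    }
}
```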

Categories: .NET 2.0 Tags:

How do ASP.NET authentication and authorization work?

February 4th, 2008 admin Comments off

How ASP.NET authentication works:

  • The client browser sends the request to IIS.
  • IIS authenticates the caller using Basic, Digest, Integrated (NTLM or Kerberos) or Certificate authentication. IIS creates a Windows access token for each authenticated user. If a site or part of a site does not require authenticated access, IIS treats this as anonymous authentication; in this case, IIS creates an access token for the anonymous Internet user account (IUSR_MACHINE).
  • Once authentication is done, IIS authorizes access to the requested resource. If NTFS permissions are used, IIS checks the ACLs (the operating system's Access Control Lists) attached to the requested resource to authorize the request. IIS can also be configured to accept requests only from specific client computers (the client machine's IP address has to be specified).
  • Once authorization is done, IIS passes the Windows access token to ASP.NET.
  • ASP.NET authenticates the caller:
  • If ASP.NET is configured for Windows authentication, no additional authentication occurs at this point. ASP.NET accepts the Windows token it receives from IIS.
  • If ASP.NET is configured for Forms authentication, the credentials supplied by the caller (using an HTML form) are authenticated against a data store (an MS-SQL or Oracle database, or Active Directory).
  • If ASP.NET is configured for Passport authentication, the user is redirected to a Passport site and the Passport authentication service authenticates the user.
  • ASP.NET authorizes access to the requested resource or operation.

How ASP.NET authorization works: there are three types of authorization modules in ASP.NET.

  • UrlAuthorizationModule: uses the authorization rules configured in web.config (the <authorization> element) to ensure that the caller can access the requested file or folder. You can configure the <authorization> elements in your application's web.config file to control which users and groups of users have access to the application.
  • FileAuthorizationModule: works in conjunction with Windows authentication and checks that the caller has the necessary permission to access the requested resource, by comparing the caller's access token against the Access Control List that protects the resource. For file types handled by ASP.NET, the engine performs automatic access checks using the Windows access token supplied by IIS against the ACL attached to the requested file.
  • Roles: .NET roles can also be used to ensure that the caller is authorized to access the requested resource or perform the requested operation, as an additional fine-grained access mechanism applied either declaratively or programmatically. Individual users are identified by the IPrincipal object attached to the current request thread. (Example 1) With Windows authentication, ASP.NET automatically creates a WindowsPrincipal object for the authenticated user of the current web request. With Forms and Passport authentication, ASP.NET automatically creates a GenericPrincipal object with the authenticated user's identity or name, but no roles are attached to this object. For fine-grained access control, the following authentication options are available:
    • Windows authentication with impersonation.
    • Windows authentication without impersonation.
    • Windows authentication using a fixed identity.
    • Forms authentication.
    • Passport authentication.
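The Roles bullet above notes that the GenericPrincipal ASP.NET builds for Forms authentication carries no roles. One way to supply them, as an added example that is not the post's own code, is to replace the principal in Global.asax during AuthenticateRequest so that <allow roles="..."/> rules and User.IsInRole() work under Forms authentication; the UserRoles table and the "AuthDb" connection string are assumptions.

```csharp
// Added example (not from the original post): Global.asax code that attaches roles
// to the Forms-authenticated GenericPrincipal, which ASP.NET otherwise creates with
// no roles, so <allow roles="..."/> rules and User.IsInRole() work under Forms
// authentication. Assumed (not on the page): a table UserRoles(UserName, RoleName)
// and a connection string named "AuthDb" in web.config.
using System;
using System.Collections.Generic;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

public class Global : HttpApplication
{
    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        // Runs after FormsAuthenticationModule has validated the ticket and set
        // Context.User to a GenericPrincipal that carries only the user name.
        IPrincipal user = Context.User;
        if (user == null || !user.Identity.IsAuthenticated)
            return;                                   // anonymous request
        FormsIdentity identity = user.Identity as FormsIdentity;
        if (identity == null)
            return;                                   // Windows/Passport: leave as built

        // Replace the principal; UrlAuthorizationModule runs later and sees these roles.
        Context.User = new GenericPrincipal(identity, LoadRoles(identity.Name));
    }

    // Role lookup keyed on the name inside the ticket, never on request input.
    private static string[] LoadRoles(string userName)
    {
        List<string> roles = new List<string>();
        string connStr = ConfigurationManager.ConnectionStrings["AuthDb"].ConnectionString;
        using (SqlConnection conn = new SqlConnection(connStr))
        using (SqlCommand cmd = new SqlCommand(
            "SELECT RoleName FROM UserRoles WHERE UserName = @u", conn))
        {
            cmd.Parameters.Add("@u", SqlDbType.NVarChar, 64).Value = userName;
            conn.Open();
            using (SqlDataReader reader = cmd.ExecuteReader())
                while (reader.Read())
                    roles.Add(reader.GetString(0));
        }
        return roles.ToArray();
    }
}
```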