Thursday, February 10, 2011

ASP.NET Architecture

This section provides an overview of the ASP.NET infrastructure and subsystem relationships, as they relate to the subject of security. The following illustration shows the relationships among the security systems in ASP.NET.


As the illustration shows, all Web clients communicate with ASP.NET applications through IIS. IIS deciphers and optionally authenticates the request. If Allow Anonymous is turned on, no authentication occurs. IIS also finds the requested resource (such as an ASP.NET application), and, if the client is authorized, returns the appropriate resource.
In addition to the built-in ASP.NET security features, an ASP.NET application can use the low-level security features of the .NET Framework.
Integrating with IIS
This release of ASP.NET uses IIS 5.0 as the primary host environment. When considering ASP.NET authentication, you should understand the interaction with IIS authentication services.
IIS always assumes that a set of credentials maps to a Windows NT account and uses them to authenticate a user. There are three different kinds of authentication available in IIS 5.0: basic, digest, and Integrated Windows Authentication (NTLM or Kerberos). You can select the type of authentication to use in the IIS administrative services.
If you request a URL containing an ASP.NET application, the request and authentication information are handed off to the application.
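The hand-off described above matters most when Allow Anonymous is on, because the application then receives requests that IIS never authenticated. The following web.config fragment is an added example, not part of the original text, showing how the application can accept the identity IIS established and refuse anonymous requests itself. The `public` path is a constructed name; the elements are standard ASP.NET configuration.

```xml
<?xml version="1.0"?>
<!-- Added example: application-level web.config -->
<configuration>
  <system.web>
    <!-- Trust the Windows identity IIS established through
         basic, digest, or Integrated Windows Authentication. -->
    <authentication mode="Windows" />

    <authorization>
      <!-- "?" matches anonymous users. If Allow Anonymous is on in IIS,
           requests reach ASP.NET unauthenticated; this rule rejects them
           instead of relying on the IIS setting alone. -->
      <deny users="?" />
    </authorization>
  </system.web>

  <!-- Constructed path name: one subfolder intentionally left open. -->
  <location path="public">
    <system.web>
      <authorization>
        <!-- "*" matches every user, including anonymous ones. -->
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

With this in place, the IIS setting and the ASP.NET rule act as two separate checks: turning Allow Anonymous on in IIS no longer exposes anything outside the `public` path.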
