Authentication and Authorization are two interrelated security concepts. In short, authentication is a process of identifying a user, while authorization is the process of determining if an authenticated user has access to the resource(s) they requested. Typically, authentication is achieved by the user sharing credentials that somehow verify the user's identity.
Whenever a user logs on to an application, the user is first authenticated and then authorized. With ASP.NET Web applications, the users requesting a page are, by default, anonymous.

How ASP.NET and IIS Handle Authentication and Authorization:

Both IIS - Microsoft's Web server software - and ASP.NET provide means for authentication and authorization. It is important to understand that ASP.NET is not a stand-alone product - rather, it is utilized from IIS. When a request comes in for an ASP.NET Web page, the request is sent to the Web server software (IIS), which performs authentication and authorization. Depending on the settings in IIS and the user accessing the site, these checks might pass or they might not. If the user is not authenticated, or does not have access, they're request will be stopped and an appropriate message will be returned. If, however, the request passes IIS's authentication and authorization, the request will be handed off to the ASP.NET engine, which can impose its own authentication and authorization schemes.

The sequence of authentication and authorization actions performed by IIS and ASP.NET on an incoming request:

1. The incoming request is first checked by IIS. If the IP address from where the request is sought is not allowed access to the domain, IIS denies the request.

2. IIS allows anonymous access by default and hence requests are automatically authenticated. However, this can be overridden for each application within IIS. Next in the sequence IIS performs this authentication, if it has been configured to do so.

3. The authenticated user request is passed to ASP.NET.

4. ASP.NET checks whether Impersonation is enabled or not. By default impersonation is not enabled in ASP .NET. Generally, some applications require impersonation for ASP compatibility and Windows server authentication.

        • If impersonation is enabled, ASP.NET executes with the identity of the entity on behalf of which it is            performing executing the task.
        • If impersonation is not enabled, the application runs with the privileges of the ASP.NET user account.

5. Finally, the identity that has been authenticated and checked for in the previous steps is used to request resources from the OS. ASP.NET uses two forms of authorization:
        • FileAuthorization
        • UrlAuthorization