Introduction to Authentication and Authorization in Internet Information Services (IIS) 7

Authentication is the process of determining whether an entity (normally a remote user or computer) is in fact what it claims to be.

Normally authentication require an entity (user in this case) to provide an identifier (username) and then prove the identity by providing something you know (a password), something you have (security token), or something you are (biometric identification).

Multifactor authentication combines multiple factors of authentication information to improve security. Multifactor authentication normally combines something you know (a password) with something you are (biometric identification).

The process of Authorization occurs once the user is authenticated. Authorization is the process which system uses to determine what a user is allowed to do once he/she is authenticated.  Whenever the authenticated user need to access some file or resource, the system verifies that operation against an Access Control List (ACL) maintained for the file or resource. The ACL consists of a set of Access Control Entries (ACEs) that define which users can or cannot perform certain operations. These operations include read a file, modify a file’s contents, update a file’s properties, perform a backup, shut down a system etc.