Authentication is the process of identifying and verifying who the client accessing the server is.
For example, if you use:
- Windows authentication and are browsing an ASP.NET page on the server, ASP.NET/IIS automatically uses NTLM to authenticate you as, for example, SYNCFUSION\user1.
- Forms-based authentication, you enter a username and password on an HTML form page; the application then checks those credentials against a database and authenticates you against the username/password stored there.
Authorization is the process of determining whether an authenticated user has access to run a particular page within an ASP.NET web application. Specifically, as the application author you decide whether to grant or deny the authenticated user ‘SYNCFUSION\user1’ access to the admin.aspx page. This can be done either by explicitly granting or denying rights based on the username, or by using role-based mappings to map authenticated users into roles (for example, an administrator might map ‘SYNCFUSION\user1’ into the ‘Power Users’ role) and then granting or denying access based on role names, which adds a degree of abstraction and keeps your authorization policy separate from individual accounts.
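The following web.config fragment is an added example (not from the original page or from Syncfusion) showing both authorization styles described above for a Windows-authenticated application: the application-wide policy refuses anonymous callers, and a `<location>` element restricts admin.aspx to either the named user SYNCFUSION\user1 or members of a role. The role name "Power Users" is taken from the text; with Windows authentication the effective role string is the Windows group name as reported by the role provider, so treat that value as an assumption to verify in your environment.

```xml
<?xml version="1.0"?>
<configuration>
  <system.web>
    <!-- Windows authentication: IIS/ASP.NET authenticates the caller
         (e.g. SYNCFUSION\user1) via NTLM before any page code runs. -->
    <authentication mode="Windows" />
    <!-- Application-wide policy: "?" denotes the anonymous user,
         so unauthenticated requests are refused everywhere. -->
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>

  <!-- Page-specific policy for admin.aspx. URL authorization evaluates the
       rules top to bottom and the first match wins, so the explicit allow
       entries must come before the catch-all deny. -->
  <location path="admin.aspx">
    <system.web>
      <authorization>
        <!-- Option 1: grant by user name. -->
        <allow users="SYNCFUSION\user1" />
        <!-- Option 2: grant by role. Assumed role name; under Windows
             authentication this corresponds to a Windows group. -->
        <allow roles="Power Users" />
        <!-- Everyone else: "*" denotes all users, authenticated or not. -->
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

Rule order matters: if the `<deny users="*" />` line were placed first, it would match every request and the allow entries would never be reached. Prefer the role-based entry in practice, since adding or removing an administrator then becomes a group-membership change rather than a configuration edit and redeploy.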