windows authentication vs forms authentication

Posted 2019-03-15 02:23

Question:

I am trying to understand the concepts of Windows authentication and forms authentication, and their differences. I am confused. Can someone help me in clarifying this?

Thanks.

Answer 1:

Windows Authentication refers to authenticating against Windows user accounts on the box that the application is running on.

Forms authentication is a standalone method of authenticating in .NET forms that you can hook up to some other system, such as a database.



Answer 2:

Windows Authentication provider is the default authentication provider for ASP.NET applications. When a user using this authentication logs in to an application, the credentials are matched with the Windows domain through IIS.

There are 4 types of Windows Authentication methods:

1) Anonymous Authentication - IIS allows any user

2) Basic Authentication - A Windows username and password has to be sent across the network (in plain text format, hence not very secure).

3) Digest Authentication - Same as Basic Authentication, but the credentials are encrypted. Works only on IE 5 or above.

4) Integrated Windows Authentication - Relies on Kerberos technology, with strong credential encryption

Forms Authentication - This authentication relies on code written by a developer, where credentials are matched against a database. Credentials are entered on web forms, and are matched with the database table that contains the user information.



Answer 3:

It's pretty simple. Windows Authentication makes use of the Windows Login system. http://en.wikipedia.org/wiki/Integrated_Windows_Authentication

And with Forms Authentication the user will need to provide a username and password manually. http://www.asp.net/web-forms/tutorials/security/introduction/an-overview-of-forms-authentication-vb

Forms Authentication also allows you to choose where you access the login data from. It could, for example, be stored in your own local database, while Windows Authentication is only going to use your Windows login data. This data usually comes from Active Directory, if your network is built using an enterprise/business/domain setup. http://en.wikipedia.org/wiki/Active_Directory



Answer 4:

Windows Authentication-- The user will be authenticated on the IIS server against the credentials he provided when logging into his system. If the authentication fails, then a pop-up form will be displayed in Internet Explorer asking for his credentials, i.e. username and password.

Forms Authentication-- A default login page will be available, like the Facebook login, where the user will be authenticated instead of automatically getting the credentials from the system credentials, i.e. the current user of the Windows system. If the user requests a secure page and has not logged in, then ASP.NET redirects him/her to the login page. Once the user is authenticated, he/she will be allowed to access the requested page. Here IIS does not come into effect for authentication; it completely depends on the web application.
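
The two modes the answers above describe are selected by one element in an ASP.NET application's web.config. The following is an added example, not part of the original answers; the file is constructed, and `Login.aspx`, the cookie name and the timeout are assumed values.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Constructed web.config for illustration; not from the original answers. -->
<configuration>
  <system.web>
    <!-- Forms authentication: the application's own login page checks the
         credentials (for example against a database) and ASP.NET then issues
         an authentication ticket in a cookie. -->
    <authentication mode="Forms">
      <forms name=".EXAMPLEAUTH"
             loginUrl="~/Login.aspx"
             protection="All"
             requireSSL="true"
             cookieless="UseCookies"
             timeout="30"
             slidingExpiration="false" />
      <!-- loginUrl:   where unauthenticated requests are redirected (assumed page name)
           protection: All = ticket is both encrypted and integrity-checked
           requireSSL: the ticket cookie is only sent over HTTPS
           cookieless: UseCookies keeps the ticket out of the URL
           timeout:    ticket lifetime in minutes (assumed value) -->
    </authentication>

    <!-- Windows authentication: replace the element above with
           <authentication mode="Windows" />
         IIS then authenticates the request (Basic, Digest or Integrated)
         and hands ASP.NET the resulting Windows identity; no login page
         or ticket cookie is involved. -->

    <authorization>
      <!-- "?" means anonymous users. Denying them is what triggers the
           redirect to loginUrl in Forms mode, or the IIS credential
           challenge in Windows mode. -->
      <deny users="?" />
    </authorization>
  </system.web>
</configuration>
```

In Forms mode the page named in `loginUrl` stays reachable for anonymous users even with the `deny` rule, so no separate exception is needed for it.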