Can you explain how the ASP.NET authentication process works?

 The ASP.NET does not run by itself, it runs inside the process of the IIS. So there are 2  authentication layers which exist in ASP.NET system. First authentication execute  at the IIS level and then at the ASP.NET level depending on the WEB.CONFIG file.

The working of the whole process is shown below:-

1) The IIS first checks to make sure that the incoming request comes from an IP address that has  allowed access to the domain. If not it denies the request.

2) The Next IIS performs its own user authentication if it is configured to do . By default the IIS allows anonymous access, so requests are automatically authenticated, but you can change this default on a per - application basis within the IIS.

3) If the request is passed to the ASP.net with an authenticated user, the ASP.net checks to see whether  the impersonation is enabled. If impersonation is enabled, ASP.net acts as though it were the authenticated user. If not ASP.net acts with its own configured account.

4) Finally the identity from the step 3 is used to request resources from the operating system. If the ASP.net authentication can obtain all the necessary resources it grants the users request otherwise it is denied. The Resources can include much more than just the ASP.net page itself you can also use .The Net's code access security facility to extend this authorization step to Registry keys, disk files and other resources.