ASP.NET's security system is probably TOO complete for most organizations--the default settings, for instance, set up a new database in the website that holds the site's usernames and passwords. Most organizations probably already have a list of usernames and passwords and want to use that list. Fortunately, the ASP.NET provider model lets you replace the "security management" portion of ASP.NET with code that you probably alread have lying around. Writing a security provider to use your own list of usernames and passwords shouldn't take you more than 20 or 30 minutes.
There are three steps to implementing your own security provider:
1. Add a class module to your ASP.NET application and have it inherit from System.Web.Security.MembershipProvider
2. In the class file, put code in those methods or properties that you want to use. The more routines that you provide code for, the more of ASP.NET's security features you'll be able to use--but the only method that you must fill in is the ValidateUser method.
3. In the site's web.config file, tell ASP.NET that you want to use your security provider by adding these tags after the <system.web> tag. In the type attribute put the name of the class you added:
<membership defaultProvider="MyNewProvider">
<providers>
<add name="MyNewProvider" type="nameOfYourSecurityProviderClass" />
</providers>
</membership>
The ValidateUser method is automatically passed the username and password so, in the ValidateUser routine, all you have to do is validate those two strings against your existing list of users (this is code you probably already have). ValidateUser must either return True (if the username/password is a valid combination) or False (if they're not). The ValidateUser method is the method called from the ASP.NET Login control so, once you've written this method, you can use the Login control on your website. ASP.NET will handle setting up the ASP.NET security cookie and checking that cookie each time the user accesses the site.
If you fill in the other methods in your class file you can use other ASP.NET security controls. For instance, if you put code in the class' ChangePassword method, you can use the ASP.NET ChangePassword control. It just depends on how much work you want to do and what security functionality you want to add to your site.
One caveat: If you only fill in the ValidateUser method then you'll have to use user-based security (rather than role-based security) to control access to the pages on your site. If you want to use role-based security with your own security provider, you'll need to write your own role manager. Fortunately, that's just as easy.