Microsoft ASP.NET Security Venkat Chilakala Support Professional Microsoft Corporation.

1 Microsoft ASP.NET Security
Venkat Chilakala, Support Professional, Microsoft Corporation

2 Agenda
• Introduction
• Security flow for a request
• Authentication
• Authorization
• Role-based security
• Impersonation
• FAQ
• Questions and answers

3 Security Flow for a Request (ASP)
(diagram slide)

4 Security Flow for a Request (ASP.NET)
(diagram slide)

5 Authentication
• Defined
• Authentication in ASP
• Authentication in ASP.NET
   - IIS authentication
   - ASP.NET authentication
• ASP.NET authentication providers
   - Forms, Windows, Passport, Default (None), and Custom

6 Forms Authentication
• Uses a cookie (the authentication ticket) to authenticate every request after logon
• SSL can be used for the logon page so the name and password are not sent in the clear; after that the cookie is the bearer credential, so it needs the same care
• Often used for personalization

7 Forms Authentication Flow
(diagram slide)

8 Forms Authentication Configuration
• Enable anonymous access in IIS
• Configure the <authentication> section
   - Set mode to "Forms"
   - Add the <forms> section
• Configure the <authorization> section
   - Deny access to anonymous users
• Create the logon page
   - Validate the user
   - Provide the authentication cookie
   - Redirect the user to the requested page

9 <forms> Section Attributes
• loginUrl: unauthenticated requests are redirected to this page
• name: name of the authentication cookie
• path: path of the authentication cookie
• protection: All | None | Encryption | Validation (All, the default, both encrypts the ticket and appends a MAC; Validation alone leaves the ticket readable by the client, Encryption alone does not detect tampering, and None lets anyone forge a ticket)
• timeout: authentication cookie expiration time in minutes

<forms name=".ASPXAUTH" loginUrl="login.aspx" protection="All" timeout="30" path="/" />

10 Forms Authentication Code
' Logon button handler (VB.NET). Authenticate() checks the name and password
' against the <credentials> section of web.config.
If FormsAuthentication.Authenticate(txtUserName.Value, txtUserPass.Value) Then
    ' Issue the authentication cookie (persistent if the box is checked)
    ' and send the user back to the page that was originally requested.
    FormsAuthentication.RedirectFromLoginPage(txtUserName.Value, _
        chkPersistCookie.Checked)
Else
    ' Failed logon: return to the logon page without ending the response.
    Response.Redirect("logon.aspx", False)
End If
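The same logon handler in C#, added here as a worked example (it is not the deck's code or a Microsoft sample). It assumes four controls named UserName, Password, PersistCookie and Message, and replaces the <credentials> section that Authenticate() reads with a constructed one-user store hashed by FormsAuthentication.HashPasswordForStoringInConfigFile, the same SHA1 form that <credentials passwordFormat="SHA1"> expects. Beyond slide 10 it reports failures with one generic message and checks that the ReturnUrl it is about to follow is a local path.

```csharp
using System;
using System.Web;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.WebControls;

// Added example: code-behind for the logon page. Control names are assumptions.
public class LogonPage : Page
{
    protected TextBox UserName;
    protected TextBox Password;
    protected CheckBox PersistCookie;
    protected Label Message;

    // Constructed sample store: one user, password hashed the way
    // <credentials passwordFormat="SHA1"> stores it (unsalted SHA1).
    // A real store is a database with a per-user salt; this only makes
    // the example self-contained.
    private static readonly string SampleUser = "alice";
    private static readonly string SampleHash =
        FormsAuthentication.HashPasswordForStoringInConfigFile("correct-horse-battery", "SHA1");

    protected void LogonButton_Click(object sender, EventArgs e)
    {
        if (!ValidateCredentials(UserName.Text, Password.Text))
        {
            // Same message for unknown user and wrong password: no account enumeration.
            Message.Text = "Logon failed.";
            return;
        }

        bool persist = PersistCookie.Checked;

        // Slide 8, "provide the authentication cookie": the ticket cookie
        // named by <forms name="...">, protected as <forms protection="..."> says.
        FormsAuthentication.SetAuthCookie(UserName.Text, persist);

        // Slide 8, "redirect the user to the requested page": the ReturnUrl
        // query parameter. Do not rely on RedirectFromLoginPage to validate it;
        // follow it only when it is a root-relative path, otherwise land on the
        // application root (this also covers a relative default such as "default.aspx").
        string target = FormsAuthentication.GetRedirectUrl(UserName.Text, persist);
        if (!IsLocalPath(target))
            target = Request.ApplicationPath;
        Response.Redirect(target, true);
    }

    // Accepts "/app/page.aspx"; rejects "", "//evil.example/", "/\evil.example"
    // and absolute URLs, so a crafted ReturnUrl cannot send the user off-site.
    public static bool IsLocalPath(string url)
    {
        if (url == null || url.Length < 1) return false;
        if (url[0] != '/') return false;
        if (url.Length > 1 && (url[1] == '/' || url[1] == '\\')) return false;
        return true;
    }

    private static bool ValidateCredentials(string user, string password)
    {
        if (user == null || password == null) return false;
        string hash = FormsAuthentication.HashPasswordForStoringInConfigFile(password, "SHA1");
        return String.Compare(user, SampleUser, true) == 0
            && String.Compare(hash, SampleHash, true) == 0;
    }
}
```

Wire the handler to the button with OnClick="LogonButton_Click" and use the <forms> element from slide 9 together with <authorization><deny users="?" /></authorization>. If you keep the deck's Authenticate() call instead, store the same SHA1 hashes under <credentials passwordFormat="SHA1"> rather than cleartext passwords in web.config.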

11 Windows Authentication
• Can be used in combination with Basic, NTLM, Digest, Kerberos, and so forth
• User is authenticated by IIS
• Easiest of all
• Request flow
   - Client makes request
   - IIS authenticates request, forwards to ASP.NET
   - Impersonation turned on?
   - ASP.NET returns response to client

12 Windows Authentication Configuration
• Set mode to "Windows"
• Configure the <authorization> section
• Example:
<authentication mode="Windows" />

13 Passport Authentication
• Single sign-in across member sites
• Includes user profile services
• Integrated into ASP.NET authentication
• Scenarios
   - Don't want to maintain a database of users
   - Provide personalized content
   - Need to provide single sign-in capabilities
• More details at http://www.passport.com/

14 Passport Authentication Configuration
• What you need:
   - Install the Passport SDK
   - Register with Microsoft Passport
• Set mode to "Passport"
• Configure the <authorization> section
• Example:
<authentication mode="Passport" />

15 Default and Custom Authentication
• Why use default authentication?
   - Increases performance (no authentication module does any work)
   - Allows you to perform custom authentication
• Configuration: set mode to "None"
• Example:
<authentication mode="None" />

16 Custom Authentication
• Handle the AuthenticateRequest event
   - Application level (global.asax)
   - HTTP module (implement IHttpModule)
• Scenarios
   - Custom authentication using munged URLs for Web applications
   - Customize forms authentication

17 Authorization
• Process of determining whether a user is allowed to perform a requested action
• File-based authorization
   - Performed by FileAuthorizationModule
   - Performs checks against Windows ACLs (needs a Windows identity, so it applies to Windows authentication)
• Custom: handle the AuthorizeRequest event
   - Application level (global.asax)
   - HTTP module (implement IHttpModule)
• URL-based authorization
   - Performed by UrlAuthorizationModule
   - Positive and negative assertions (<allow> and <deny>)
   - Can selectively allow or deny access to URI namespaces

18 URL Authorization Configuration
• Add the <authorization> section
• Add <allow> and <deny> elements
• Example: allow "Admins" or "WebUsers" and deny all others:
<authorization>
  <allow roles="Admins,WebUsers" />
  <deny users="*" />
</authorization>
• Rules are evaluated top to bottom and the first match wins, so the <deny> must come last; users="?" means anonymous users and users="*" means everyone. Without a final deny, the <allow users="*" /> inherited from machine.config lets everyone else through.

19 Role-Based Security
• What is this?
• Do not get confused with MTS and COM+ role-based security
• How does this work?
   - With Microsoft® Windows® users
   - With non-Windows users

20 Windows Users (Check Roles)
' For a Windows-authenticated user the roles are its Windows group memberships.
If User.IsInRole("BUILTIN\Administrators") Then
    Response.Write("You are an Admin")
ElseIf User.IsInRole("BUILTIN\Users") Then
    Response.Write("You are a User")
Else
    Response.Write("Invalid user")
End If

21 Non-Windows Users (Attach Roles)
• Handle the AuthenticateRequest event
   - Create a GenericPrincipal
   - Attach roles to the Identity
   - Assign the new Principal to User
• Sample (global.asax, VB.NET)
<%@ Import Namespace="System.Security.Principal" %>

Sub Application_AuthenticateRequest(s As Object, e As EventArgs)
    ' FormsAuthenticationModule has already run, so for a logged-on user
    ' Context.User is a GenericPrincipal with a FormsIdentity and no roles.
    If Not (Context.User Is Nothing) Then
        If Context.User.Identity.AuthenticationType = "Forms" Then
            ' Dim Roles(0) is a one-element array in VB.NET (Dim Roles(1)
            ' would leave a trailing Nothing entry). Every forms user gets
            ' "Admin" here; a real application looks the roles up per user.
            Dim Roles(0) As String
            Roles(0) = "Admin"
            ' Replace the principal for this request; these roles are what
            ' User.IsInRole and <allow roles="..."> check later.
            Context.User = New GenericPrincipal(Context.User.Identity, Roles)
        End If
    End If
End Sub

22 Non-Windows Users (Check Roles)
If User.IsInRole("Admin") Then
    Response.Write("You are an Administrator")
Else
    Response.Write("You do not have any role assigned")
End If
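One HTTP module, added here as a C# example (not the deck's code), that does in one place what slides 16, 17 and 21 describe separately: at AuthenticateRequest it attaches roles looked up per user to the forms identity, and at AuthorizeRequest it enforces a rule that URL authorization cannot express. The user-to-role table is constructed sample data and the "/admin/ needs Admin" rule is an assumption.

```csharp
using System;
using System.Security.Principal;
using System.Web;

// Added example: register it in web.config under
// <httpModules><add name="RoleModule" type="RoleModule, YourAssembly" /></httpModules>
// after the built-in modules, so its handlers run after FormsAuthenticationModule
// and UrlAuthorizationModule for the same events.
public class RoleModule : IHttpModule
{
    public void Init(HttpApplication app)
    {
        app.AuthenticateRequest += new EventHandler(OnAuthenticateRequest);
        app.AuthorizeRequest += new EventHandler(OnAuthorizeRequest);
    }

    public void Dispose() { }

    // Slide 21: decorate the forms identity with roles. Anonymous requests
    // carry no identity to decorate and are left alone.
    private void OnAuthenticateRequest(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        IPrincipal user = ctx.User;
        if (user == null || !user.Identity.IsAuthenticated) return;
        if (user.Identity.AuthenticationType != "Forms") return;

        // Same identity (name, ticket), new principal carrying the roles
        // that User.IsInRole and <allow roles="..."> check from here on.
        ctx.User = new GenericPrincipal(user.Identity, LookupRoles(user.Identity.Name));
    }

    // Slide 17, custom authorization. Prefer <location>/<authorization> for
    // anything it can express; the event is for rules it cannot.
    private void OnAuthorizeRequest(object sender, EventArgs e)
    {
        HttpApplication app = (HttpApplication)sender;
        // DefaultAuthenticationModule has supplied an empty principal for
        // anonymous callers by now, but guard anyway.
        IPrincipal user = app.Context.User;
        bool isAdmin = (user != null && user.IsInRole("Admin"));

        if (app.Request.Path.ToLower().IndexOf("/admin/") >= 0 && !isAdmin)
        {
            // 401 plus CompleteRequest: no handler runs. For forms authentication,
            // FormsAuthenticationModule turns the 401 into a redirect to loginUrl
            // at EndRequest, exactly as a <deny> from UrlAuthorizationModule does.
            app.Response.StatusCode = 401;
            app.CompleteRequest();
        }
    }

    // Constructed sample data; a real application queries its user store.
    private static string[] LookupRoles(string userName)
    {
        switch (userName.ToLower())
        {
            case "alice": return new string[] { "Admin", "WebUsers" };
            case "bob":   return new string[] { "WebUsers" };
            default:      return new string[0];
        }
    }
}
```

Because the roles are attached on every request from the ticket name alone, revoking a role takes effect on the user's next request with no need to invalidate the cookie; the trade-off is one lookup per request, which is why real stores cache the result.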

23 Impersonation
• Defined: the thread serving the request runs with the security token of the authenticated client instead of that of the worker process
• Request gets impersonated automatically in ASP
• In ASP.NET, the developer has more control over this
   - You can set it to automatically impersonate
   - You can set it to not impersonate (that is, use the process identity)
• Different ways to impersonate in ASP.NET
   - <identity> tag
   - Code-based impersonation

24 Impersonation Configuration
<identity impersonate="true" />
• impersonate="true": requests run as the authenticated caller (or the IIS anonymous account for anonymous requests); impersonate="false", the default, runs them as the worker-process account
• A fixed account can be named with userName="DOMAIN\user" password="..." on the same element; the password then sits in clear text in web.config, so protect the file's ACL

25 Code Impersonation
• Call the LogonUser API (obtain a token for the target account)
• Call the ImpersonateLoggedOnUser API
   - Run the code in the security context of the impersonated user
• Call RevertToSelf (always, including on the error path, so a pooled thread never finishes the request as the wrong identity)
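The three steps of slide 25 in C#, added here as an example (not the deck's code): LogonUser via P/Invoke, then the .NET wrappers WindowsIdentity.Impersonate() and WindowsImpersonationContext.Undo(), which call ImpersonateLoggedOnUser and RevertToSelf underneath. Domain, user name and password in the usage are placeholders.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Security.Principal;

// Added example: run a piece of work under another Windows account.
public class CodeImpersonation
{
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    private static extern bool LogonUser(
        string userName, string domain, string password,
        int logonType, int logonProvider, out IntPtr token);

    [DllImport("kernel32.dll", SetLastError = true)]
    private static extern bool CloseHandle(IntPtr handle);

    // INTERACTIVE yields a primary token that can also reach remote resources
    // (the "second hop" of FAQ 2). NETWORK is cheaper but its token carries no
    // credentials for other machines.
    private const int LOGON32_LOGON_INTERACTIVE = 2;
    private const int LOGON32_PROVIDER_DEFAULT = 0;

    public delegate void Work();

    public static void RunAs(string domain, string user, string password, Work work)
    {
        IntPtr token;
        // 1. LogonUser: obtain a token for the target account.
        if (!LogonUser(user, domain, password,
                       LOGON32_LOGON_INTERACTIVE, LOGON32_PROVIDER_DEFAULT, out token))
            throw new Win32Exception(Marshal.GetLastWin32Error());

        WindowsImpersonationContext ctx = null;
        try
        {
            // 2. ImpersonateLoggedOnUser: Impersonate() puts the token on the
            //    current thread; the process identity is unchanged.
            ctx = new WindowsIdentity(token).Impersonate();
            work();   // runs as DOMAIN\user
        }
        finally
        {
            // 3. RevertToSelf: Undo() restores the thread's own identity. Done in
            //    finally so an exception cannot leave the pooled thread impersonating.
            if (ctx != null) ctx.Undo();
            CloseHandle(token);
        }
    }

    // Usage with placeholder credentials: prints the identity seen inside the block.
    public static void Main()
    {
        RunAs("CONTOSO", "svc_reports", "placeholder-password",
              new Work(ShowIdentity));
        ShowIdentity();   // back to the process identity
    }

    private static void ShowIdentity()
    {
        Console.WriteLine("Running as " + WindowsIdentity.GetCurrent().Name);
    }
}
```

LogonUser needs the account's cleartext password, so in a Web application the password ends up in code or configuration; <identity> with a fixed userName has the same problem. On Windows 2000 the worker process account also needed the "Act as part of the operating system" privilege to call LogonUser; Windows XP and Server 2003 dropped that requirement.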

26 Frequently Asked Questions
Q: Request.ServerVariables("LOGON_USER") returns an empty string
A: IIS served the request anonymously, so it never authenticated the client. Deny anonymous users in web.config; the resulting 401 makes IIS challenge the client, after which LOGON_USER is filled in:
<authorization>
  <deny users="?" />
</authorization>

27 Frequently Asked Questions (2)
Q: Access denied to "NT AUTHORITY\SYSTEM" or to "NT AUTHORITY\ANONYMOUS LOGON" when you try to access resources on a remote machine (for example, a remote SQL Server, a remote file system, and so forth)
A: This may occur because your application is running into a delegation scenario: the impersonated token that IIS hands to ASP.NET (for NTLM, a network logon) carries no credentials that can be presented to a second machine, so the remote server sees either the process account or an anonymous logon. The solution is to ensure that you have a primary security token when requesting these resources. There are many ways to resolve this based on your requirements; one of them is to use Basic authentication for your application, which gives IIS the caller's password so it can create a primary token.

28 Frequently Asked Questions (3)
Q: Using Forms authentication for a Web application, how do I allow anonymous access to the default.aspx page but not to the other pages in the same directory?
A: Use the <location> section of web.config: keep <deny users="?" /> for the directory and add a <location path="default.aspx"> entry whose <authorization> allows everyone. Location-level rules are checked before the inherited ones, so only default.aspx is opened up.
Example:
<configuration>
  .......................
  <location path="default.aspx">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>

29 Resources
• Knowledge Base article "BETA-INFO: ASP.NET Security Overview"
  http://support.microsoft.com/support/misc/kblookup.asp?id=Q306590
• MSDN article "Authentication in ASP.NET: .NET Security Guidance"
  http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnbda/html/authaspdotnet.asp

30 Thank you for joining us for today's Microsoft Support WebCast. For information about all upcoming Support WebCasts and access to the archived content (streaming media files, PowerPoint® slides, and transcripts), please visit: http://support.microsoft.com/webcasts/
We sincerely appreciate your feedback. Please send any comments or suggestions regarding the Support WebCasts to feedback@microsoft.com and include "Support WebCasts" in the subject line.

