Windows NT ® Single Sign On BackOffice ® Applications (Part I) Peter Brundrett Program Manager Windows NT Security Microsoft Corporation.

Slide 1: Windows NT® Single Sign On BackOffice® Applications (Part I)
Peter Brundrett, Program Manager, Windows NT Security, Microsoft Corporation

Slide 2: Agenda
 Windows NT single sign on
 Kerberos v5 authentication and SSPI
 Three-tier security delegation
 Windows NT authorization

Slide 3: Single Sign On Issues
 User issue:
    - Too many passwords to remember
 Administrator issue:
    - Too many places to define user accounts
    - Hard to determine user access
 Security issue:
    - Clear text passwords
    - Hard to disable an account
 IT Manager issue:
    - Heterogeneous computer systems

Slide 4: Single Sign On Goals
 User
    - Logon once to the Enterprise
    - Use few passwords, ideally one!
 Administrator
    - Create user account once
    - Assign access based on roles
    - Manage accounts across systems
 Security administrator
    - Define and verify security policies

Slide 5: Windows NT Single Sign On
 Integrated Kerberos v5 logon
    - Key Distribution Center (KDC)
 Protected store for public key credentials
 Industry standard network security protocols
    - Kerberos, SSL/TLS, others
 Single account store in Active Directory

Slide 6: Smart Card Logon
Diagram (labels only survive): PK Kerberos, TGT, domain credentials, user profile with certs and keys, Internet Explorer.
 Private key and certificate on card
 Public key domain authentication
 Obtain Kerberos TGT and NTLM credentials
 User profile for other keys and certificates

Slide 7: Windows NT Single Sign On
 Standards-based Distributed System Infrastructure
 Well documented APIs for developers
 Platform services used in applications
 Integrated logon to strategic platforms
 Integrated Windows NT authorization

Slide 8: Integrated Single Sign On Today
Diagram (labels only survive): File and Print Services, Exchange, SQL Server, Internet Information Server, Proxy Server, Internet, Remote Access, Public network, SNA Server, and "Your app HERE".

Slide 9: BackOffice Logo Program
 Security requirements for client/server applications
 Core baseline requirements
 Windows NT authentication
    - NTLM for Windows NT 4.0
    - Kerberos v5 for Windows NT 5.0
 Benefits
    - Easier administration, stronger security
    - Intranet ready!

Slide 10: Secure Applications
 Connection authentication
    - Establish credentials
    - Mutual authentication of client and server
 Secure communication
    - Message privacy and integrity
 Impersonation and delegation
    - Assuming client's identity
 Authorization and auditing
    - Using security descriptors

Slide 11: Security Support Provider Interface
Diagram: Client and Server each call SSPI, which dispatches to the Kerberos Security Package on both sides.
 Application protocol carries all data
 Kerberos SSP manages security context

Slide 12: Connection Authentication
 Client side
    - Acquire credentials
    - Default or alternate
    - Initialize security context
    - Initiate connection
 Server side
    - Acquire credentials
    - Default or alternate
    - Accept client's security context

Slide 13: Example: SSPI
 Security package name
    - "Kerberos" or "Negotiate"
    - Negotiate package will choose Kerberos
 Authentication
    - InitializeSecurityContext
    - AcceptSecurityContext
 Impersonation

Slide 14: Impersonation
 Security contexts
    - Access Token associated with processes and threads
    - Primary Token
    - Client Token
 Impersonation
    - Accessing system resources on client's behalf
    - Access check and auditing on private resources

Slide 15: Impersonation API
 Using SSPI
    - ImpersonateSecurityContext
    - RevertSecurityContext
 Using RPC
    - RpcImpersonateClient
    - RpcRevertToSelf
    - RpcRevertToSelfEx

    SECURITY_STATUS ImpersonateSecurityContext(PCtxtHandle phContext);
    SECURITY_STATUS RevertSecurityContext(PCtxtHandle phContext);
    RPC_STATUS RpcImpersonateClient(RPC_BINDING_HANDLE pBinding);
    RPC_STATUS RpcRevertToSelf();

Slide 16: Impersonation API
 Using DCOM
    - IServerSecurity
    - CoImpersonateClient
    - CoRevertToSelf
 For HTTP, Internet Information Server impersonates the client
    - ISAPI runs in the client's context

    HRESULT CoImpersonateClient();
    HRESULT CoRevertToSelf();
    HRESULT IServerSecurity::ImpersonateClient();
    HRESULT IServerSecurity::RevertToSelf();

Slide 17: Where Does SSPI Fit In
Layer diagram (labels only survive): Application, DCOM security, Authenticated RPC, WinInet, SSPI, Kerberos, SChannel, Public Key, Crypto API.

Slide 18: Kerberos Authentication
 Kerberos service uses Active Directory
 Implemented by SSPI security provider
 Mutual authentication
 Supports 3-tier delegation
 Windows NT access control
 Standards-based interoperability

Slide 19: Cross-platform Strategy
Diagram: a Windows NT Workstation (SSPI, Kerberos SSP) and a Unix Server (GSS-API, GSS Kerberos mechanism) exchange the application protocol; both obtain tickets from a Windows NT KDC; tokens use the GSS-Kerb5 token formats (RFC 1964).
 Common Kerberos domain

Slide 20: Three-Tier Security Delegation
 End-to-end user authentication
 Application requires data from several sources
 Flexibility to separate Web server from back-end data servers
 Single user account
    - Simplify user management
 Access control through groups

Slide 21: Example: Delegation in Action
Diagram: client, Server-A running IIS with an ISAPI extension, Server-B running SQL Server, and the KDC.
    1. 401 Access Denied, WWW-Authenticate: Negotiate
    2. Ticket request to KDC
    3. WWW-Authenticate: Negotiate
    4. IIS impersonates client, invokes ISAPI extension
    5. ASP uses ADO to query SQL, integrated security requests ticket
    6. SQL Server impersonates original client, then data access

Slide 22: Configuration Setup
 Windows NT 5.0 with Kerberos protocol
    - Internet Information Server
    - SQL Server™
 Client is Windows NT 5.0 or Windows® 95/98
    - With Distributed Systems client update
 Internet Information Server Virtual Directory uses "Windows NT Authentication"
 SQL Server is using Integrated Security

Slide 23: Trusted For Delegation
 Delegation means…
    - Server can do anything on behalf of client
    - Trusted not to run unauthorized services
    - Enabled on per-server basis
 Enable on the computer object in Active Directory
 Do not assume delegation is always enabled!

Slide 24: Windows NT Authorization
 What is the client allowed to do?
 Single sign on is not sufficient
    - Centralize authorization through roles
    - Windows NT group membership
 Integrate authentication with server security model
    - Windows NT object security model

Slide 25: Object Access Control
Diagram of the SecureServer: client access request → Impersonate Client → Get object's security descriptor → Get client's access token → Perform access check → Return response. Protected resources shown: Private Store, Encrypted Files.

Slide 26: AccessCheck

    …
    // COM server impersonates client
    CoImpersonateClient(…);
    // Obtain private object security descriptor
    MyStatus = GetObjectSD(Object, …, &SD);   // your own routine
    // Obtain client's token: while impersonating, the thread token is the client's
    Status = OpenThreadToken(…, &Token);
    // Perform access check. PrivsUsed points to a caller-supplied PRIVILEGE_SET
    // buffer of PrivLength bytes; Allowed is only meaningful when AccessCheck
    // returns TRUE (a FALSE return is an API failure, not an access denial).
    Status = AccessCheck(SD, Token, DesiredAccess, GenericMapping,
                         &PrivsUsed, &PrivLength, &GrantedAccess, &Allowed);
    // Act as per the result (and CoRevertToSelf when finished acting as the client)
    if (Allowed) { … }

Slide 27: AccessCheckAndAuditAlarm

    …
    // Impersonate client
    CoImpersonateClient(…);
    // Obtain private object security descriptor
    MyStatus = GetObjectSD(Object, …, &SD);   // your own routine
    // Perform access check and audit. No token argument: the call uses the
    // calling thread's impersonation token, so it must run while impersonating,
    // and the process needs SE_AUDIT_NAME privilege enabled to write the audit.
    Status = AccessCheckAndAuditAlarm(L"YourServerName", Object,
                                      L"ObjectTypeName", L"ObjectName",
                                      SD, DesiredAccess, GenericMapping, FALSE,
                                      &GrantedAccess, &Allowed, &OnClose);
    // Act as per the result; pass OnClose to ObjectCloseAuditAlarm when the
    // handle is closed so the close event is audited too
    if (Allowed) { … }
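Slides 25 to 27 show the calls a secure server makes, but not what the access check actually does with the security descriptor and the client's token. The following is an added example, not code from the presentation or from Microsoft: a portable C model of the DACL evaluation that AccessCheck performs (generic-rights mapping as done by MapGenericMask, the owner's implicit READ_CONTROL and WRITE_DAC, an ordered walk of the ACEs where a matching deny ACE stops the check, and the NULL-DACL versus empty-DACL distinction). SIDs are plain integers, the OBJ_* rights, the DACL, the owner and the tokens for Alice, Bob and Carol are all constructed for the demo, and the structs are simplified stand-ins for the real SECURITY_DESCRIPTOR, ACL and access-token types.

```c
#include <stdio.h>
#include <stdint.h>
#include <stddef.h>

/* Standard rights carry their real Win32 values; the OBJ_* specific rights are
   constructed for a made-up object type used only in this example. */
#define READ_CONTROL    0x00020000u
#define WRITE_DAC       0x00040000u
#define OBJ_READ_DATA   0x00000001u
#define OBJ_WRITE_DATA  0x00000002u
#define OBJ_EXECUTE     0x00000004u
/* Generic rights, same values as Win32 */
#define GENERIC_READ    0x80000000u
#define GENERIC_WRITE   0x40000000u
#define GENERIC_EXECUTE 0x20000000u
#define GENERIC_ALL     0x10000000u
#define GENERIC_BITS    (GENERIC_READ | GENERIC_WRITE | GENERIC_EXECUTE | GENERIC_ALL)

typedef enum { ACE_ALLOW, ACE_DENY } ace_type;
typedef struct { ace_type type; int sid; uint32_t mask; } ace_t;           /* one DACL entry */
typedef struct { uint32_t read, write, execute, all; } generic_mapping_t;
typedef struct { int owner; const ace_t *dacl; size_t ace_count; } sd_t;  /* dacl == NULL models a NULL DACL */
typedef struct { const int *sids; size_t sid_count; } token_t;            /* user SID plus enabled group SIDs */

static int token_has_sid(const token_t *tok, int sid) {
    for (size_t i = 0; i < tok->sid_count; i++)
        if (tok->sids[i] == sid) return 1;
    return 0;
}

/* What MapGenericMask does: replace generic bits with object-specific rights */
uint32_t map_generic(uint32_t mask, const generic_mapping_t *gm) {
    if (mask & GENERIC_READ)    mask |= gm->read;
    if (mask & GENERIC_WRITE)   mask |= gm->write;
    if (mask & GENERIC_EXECUTE) mask |= gm->execute;
    if (mask & GENERIC_ALL)     mask |= gm->all;
    return mask & ~GENERIC_BITS;
}

/* Model of AccessCheck: returns 1 if every requested right is granted, else 0;
   *granted receives the rights granted (0 when the check fails). */
int access_check(const sd_t *sd, const token_t *tok, uint32_t desired,
                 const generic_mapping_t *gm, uint32_t *granted) {
    uint32_t want = map_generic(desired, gm), got = 0;

    /* NULL DACL means no protection at all: everyone gets everything.
       An empty DACL (ace_count == 0) grants nothing beyond owner rights. */
    if (sd->dacl == NULL) { *granted = want; return 1; }

    /* The owner is always allowed to read and rewrite the DACL */
    if (token_has_sid(tok, sd->owner)) got |= want & (READ_CONTROL | WRITE_DAC);

    /* Walk the ACEs in order; in canonical order deny ACEs precede allow ACEs */
    for (size_t i = 0; i < sd->ace_count && got != want; i++) {
        const ace_t *ace = &sd->dacl[i];
        if (!token_has_sid(tok, ace->sid)) continue;             /* ACE does not apply to this token */
        if (ace->type == ACE_DENY) {
            if (want & ace->mask) { *granted = 0; return 0; }    /* any requested right denied: stop */
        } else {
            got |= want & ace->mask;                             /* accumulate allowed rights */
        }
    }
    if (got == want) { *granted = got; return 1; }
    *granted = 0;                                                /* end of DACL, something still missing */
    return 0;
}

/* Constructed demo data: SIDs 1..3 are users, 100 and 200 are groups */
enum { SID_ALICE = 1, SID_BOB = 2, SID_CAROL = 3, SID_USERS = 100, SID_ADMINS = 200 };
static const ace_t DEMO_DACL[] = {
    { ACE_DENY,  SID_USERS,  OBJ_WRITE_DATA },                       /* Users may never write */
    { ACE_ALLOW, SID_USERS,  OBJ_READ_DATA | OBJ_EXECUTE },
    { ACE_ALLOW, SID_ADMINS, OBJ_READ_DATA | OBJ_WRITE_DATA | OBJ_EXECUTE | READ_CONTROL | WRITE_DAC },
};
const sd_t DEMO_SD       = { SID_ALICE, DEMO_DACL, sizeof DEMO_DACL / sizeof DEMO_DACL[0] };
const sd_t EMPTY_DACL_SD = { SID_ALICE, DEMO_DACL, 0 };   /* present but empty: owner rights only */
const sd_t NULL_DACL_SD  = { SID_ALICE, NULL, 0 };        /* absent: unprotected object */
const generic_mapping_t DEMO_MAPPING = {
    OBJ_READ_DATA | READ_CONTROL, OBJ_WRITE_DATA | READ_CONTROL, OBJ_EXECUTE | READ_CONTROL,
    OBJ_READ_DATA | OBJ_WRITE_DATA | OBJ_EXECUTE | READ_CONTROL | WRITE_DAC };
static const int alice_sids[] = { SID_ALICE, SID_USERS };             /* the owner, an ordinary user */
static const int bob_sids[]   = { SID_BOB, SID_USERS, SID_ADMINS };   /* admin who is also in Users */
static const int carol_sids[] = { SID_CAROL, SID_ADMINS };            /* admin who is not in Users */
const token_t ALICE = { alice_sids, 2 }, BOB = { bob_sids, 3 }, CAROL = { carol_sids, 2 };

/* Wrappers used by the demo: 1 = allowed, 0 = denied; and the granted mask */
int check_on(const sd_t *sd, const token_t *tok, uint32_t desired) {
    uint32_t g; return access_check(sd, tok, desired, &DEMO_MAPPING, &g);
}
uint32_t granted_on(const sd_t *sd, const token_t *tok, uint32_t desired) {
    uint32_t g; access_check(sd, tok, desired, &DEMO_MAPPING, &g); return g;
}

int main(void) {
    printf("Alice GENERIC_READ : %d (owner rights + Users allow)\n", check_on(&DEMO_SD, &ALICE, GENERIC_READ));
    printf("Alice write        : %d (Users deny ACE)\n", check_on(&DEMO_SD, &ALICE, OBJ_WRITE_DATA));
    printf("Bob   write        : %d (deny on Users wins over later Admins allow)\n", check_on(&DEMO_SD, &BOB, OBJ_WRITE_DATA));
    printf("Carol write        : %d (Admins allow, not in Users)\n", check_on(&DEMO_SD, &CAROL, OBJ_WRITE_DATA));
    printf("Alice READ_CONTROL on empty DACL: %d, read data: %d\n",
           check_on(&EMPTY_DACL_SD, &ALICE, READ_CONTROL), check_on(&EMPTY_DACL_SD, &ALICE, OBJ_READ_DATA));
    printf("Anyone on NULL DACL: %d\n", check_on(&NULL_DACL_SD, &BOB, GENERIC_ALL));
    return 0;
}
```

Bob's case is the one to look at: he is in Admins, which is allowed everything, yet the deny ACE on Users comes first and ends the check. That is the ordering rule the slides rely on, and it is also why the token handed to AccessCheck must be the impersonated client's (OpenThreadToken while impersonating, as on slide 26): checked against the server's own primary token, the same DACL would answer a different question.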

Slide 28: User Account Management
 One unified enterprise account image
    - All account properties, extensible schema
    - LDAP access, remote management
 Synchronize with other account stores
    - Directory synchronization - LDAP, LDIF
    - Password change notification
 Authorization based on group membership for central access control
    - Roles defined by group membership

Slide 29: Single Sign On Summary
 Comprehensive solution today
    - Windows NT and BackOffice services
    - Platform security services for applications
 Cross-platform with industry standards
    - Kerberos v5 and GSS token formats
    - X.509 v3 certificates with SSL/TLS
 Familiar Windows NT security model extended to n-tier applications

Slide 30: Call To Action
 Stop prompting for passwords!
    - Use Windows NT distributed security
    - Use SSPI or DCOM/RPC security
    - Use Windows NT access control
 Leverage industry standard protocols for cross-platform security
 Depend on Active Directory for single user account store
 Check out the Security Showcase!

Slide 31: More Information
 SSPI
    - SSPI Whitepaper on MSDN
    - Platform SDK: doc and samples
    - \mssdk\samples\win32\winnt\security\sockauth
 Kerberos v5
    - Distributed Security Services whitepaper
    - http://www.microsoft.com/ntserver
 BackOffice logo program
    - http://www.microsoft.com/backoffice/designed
 MSPress®
    - "Running Microsoft Internet Information Server"
