Understanding Integrated Authentication in IIS Chris Adams IIS Supportability Lead Microsoft Corp.

Agenda
- Introduction to Integrated Authentication
- Dynamics of NTLM Authentication
- Dynamics of Negotiate Authentication
- Demonstration One
- Best Practices for Integrated Authentication
- References

Introduction to Integrated Authentication
- Introduced in Windows 2000
- Commonly referred to as “Windows Integrated Authentication”
- Secure: it is considered secure because it does not transmit the password “on the wire”
- Internet Explorer preferred: if Basic and Integrated are both enabled, IE will use Integrated for security reasons

Introduction: Let’s review…
- How authentication works in IIS
  Providers: Anonymous, Basic, Digest, Kerberos, NTLM, Passport; Server Core
  1. Request enters server core.
  2. Server core forwards the request to the anonymous provider. IIS builds the path (w3svc/1/root) and verifies whether anonymous is enabled.
     Yes: provide the path and the anonymous user’s token to the authorization manager.
     No: IIS passes the path to each provider to determine whether that provider is enabled for the path. Each enabled provider returns the appropriate header to server core.

Introduction… Negotiate: Kerberos or NTLM

Introduction to Integrated Authentication
Platform information for Windows Integrated
- Windows NT 4: supports only NTLM (not known as Windows Integrated)
- Windows 2000: supports Negotiate and NTLM
- Windows 2003: supports Negotiate and NTLM

Introduction to Integrated Authentication
- How is the appropriate integrated authentication determined?
  AuthNTLM enabled?
    No: Access Denied
    Yes: NTAuthenticationProviders decides which headers are sent: Negotiate, NTLM
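The provider dispatch from the review slide and the AuthNTLM / NTAuthenticationProviders flowchart, written out as a small model (an added example, not code from the presentation or from IIS). The AuthFlags bit values are the IIS 6 metabase constants; the realm string and the Digest challenge shape are simplifying assumptions.

```python
# Added example (not code from the presentation or from IIS): a model of how
# IIS 6 chooses the WWW-Authenticate headers for a 401, following the slides'
# order: anonymous first, then each enabled provider adds its header, with
# NTAuthenticationProviders consulted only when AuthNTLM is set.
# The bit values are the IIS 6 metabase AuthFlags constants (MD_AUTH_*).
AUTH_ANONYMOUS = 0x01
AUTH_BASIC = 0x02
AUTH_NTLM = 0x04        # the "Integrated Windows authentication" check box
AUTH_MD5 = 0x10         # Digest


def challenge_headers(auth_flags, nt_providers="Negotiate,NTLM",
                      realm="ca-webcast.local"):
    """Return (status, [WWW-Authenticate values]) for a request without credentials.

    auth_flags   -- AuthFlags on the metabase path (e.g. w3svc/1/root)
    nt_providers -- NTAuthenticationProviders; "Negotiate,NTLM" is the IIS 6 default
    realm        -- realm for the Basic/Digest challenges (assumed sample value)
    """
    # Steps 1-2 of the review slide: the anonymous provider is asked first
    if auth_flags & AUTH_ANONYMOUS:
        return 200, []
    headers = []
    # "No" branch: every enabled provider returns its own header to server core
    if auth_flags & AUTH_NTLM:
        for provider in nt_providers.split(","):
            provider = provider.strip()
            if provider in ("Negotiate", "NTLM"):
                headers.append(provider)
    if auth_flags & AUTH_MD5:
        headers.append('Digest realm="%s"' % realm)   # nonce and qop omitted
    if auth_flags & AUTH_BASIC:
        headers.append('Basic realm="%s"' % realm)
    # Nothing enabled: the flowchart's "Access Denied" leaf (IIS 401.2)
    return 401, headers


def ie_choice(headers):
    """Scheme Internet Explorer answers: Integrated wins over Basic when both are offered."""
    schemes = [h.split(" ", 1)[0] for h in headers]
    for integrated in ("Negotiate", "NTLM"):
        if integrated in schemes:
            return integrated
    return schemes[0] if schemes else None
```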

Dynamics of NTLM
- Connection oriented
  - Same connection always used per request
  - HTTP Keep-Alives required
- Understanding auth dialog boxes
  - NTLM, by default, doesn’t prompt
  - NTLM may prompt if the original request fails with
- NTLM’s use of Domain\Username\Password
  - Domain and Username are always shared over the wire between client and server
  - Password is never shared; a hash of the password is always used
  - Authentication header includes: Domain\Username\HashedPassword

Dynamics of NTLM: Security
- Why is NTLM authentication secure?
  - The hash algorithm of the password is unknown to attackers monitoring the HTTP requests on the wire
  - If connections are broken or manipulated (by proxies), NTLM fails

NTLM at Work…
Client: GET /Default.HTM
Server: 401 – WWW-Authenticate: NTLM
Client: GET /Default.HTM w/ AuthNTLM
Server: 401 – Access Denied (server challenge)
Client: GET /Default.HTM w/ AuthNTLM Hashed
Server: 200 OK

Dynamics of NTLM
- NTLM at work… (previous slide)
  1. IE client requests an IIS resource (Anon)
  2. IIS returns 401 with a WWW-Authenticate header saying NTLM
  3. IE submits a new request for the IIS resource with an NTLM Authentication header (username)
  4. IIS uses the NT Authentication header to build a secret key and sends a 401 with the key back to the client
  5. IE submits a new request for the IIS resource with an NTLM Authentication header (username\password\hash of password)
  6. IIS checks username\password\hash; if it matches, returns 200 OK, otherwise login fails (IE prompts)
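Step 4 above is the message worth recognising in a trace: the 401 whose NTLM token carries the server’s key (an 8-byte challenge) that the client then folds into its hashed response, which is why the password itself never crosses the wire. The builder and decoder below are an added example, not code from the presentation or from IIS; they follow the public NTLMSSP CHALLENGE_MESSAGE layout, and the target name and challenge bytes are constructed sample values.

```python
# Added example (not from the presentation or IIS): build and decode the NTLM
# type 2 challenge that IIS returns in "WWW-Authenticate: NTLM <base64>".
import base64
import struct

SIGNATURE = b"NTLMSSP\x00"
CHALLENGE_TYPE = 2
NEGOTIATE_UNICODE = 0x00000001      # target name encoded as UTF-16LE
NEGOTIATE_NTLM = 0x00000200         # NTLM authentication is in use
TARGET_TYPE_DOMAIN = 0x00010000     # target name is a domain name
FIXED_LEN = 48                      # header length without the optional Version field


def build_challenge(target, server_challenge,
                    flags=NEGOTIATE_UNICODE | NEGOTIATE_NTLM | TARGET_TYPE_DOMAIN):
    """Return the base64 token the server places after 'WWW-Authenticate: NTLM '."""
    if len(server_challenge) != 8:
        raise ValueError("server challenge must be 8 bytes")
    name = target.encode("utf-16-le")
    msg = SIGNATURE + struct.pack("<I", CHALLENGE_TYPE)
    msg += struct.pack("<HHI", len(name), len(name), FIXED_LEN)       # TargetName fields
    msg += struct.pack("<I", flags) + server_challenge + b"\x00" * 8  # flags, challenge, reserved
    msg += struct.pack("<HHI", 0, 0, FIXED_LEN + len(name))           # TargetInfo fields (empty)
    return base64.b64encode(msg + name).decode("ascii")


def parse_challenge(header_value):
    """Decode an 'NTLM <base64>' challenge into the fields worth logging."""
    scheme, _, token = header_value.partition(" ")
    if scheme != "NTLM" or not token:
        raise ValueError("not an NTLM challenge header")
    raw = base64.b64decode(token)
    if raw[:8] != SIGNATURE or struct.unpack_from("<I", raw, 8)[0] != CHALLENGE_TYPE:
        raise ValueError("not an NTLMSSP CHALLENGE_MESSAGE")
    name_len, _, name_off = struct.unpack_from("<HHI", raw, 12)
    flags = struct.unpack_from("<I", raw, 20)[0]
    name = raw[name_off:name_off + name_len]
    target = name.decode("utf-16-le") if flags & NEGOTIATE_UNICODE else name.decode("ascii")
    # The 8-byte challenge is what the client's hashed answer is bound to
    return {"target": target, "flags": flags, "challenge": raw[24:32]}
```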

Dynamics of Negotiate
- Why create another authentication protocol?
  - NTLM limitations
    - NTLM tokens cannot be delegated
    - NTLM is proprietary and only supported on the Windows platform
- Is Negotiate a new protocol?
  - No, it is just a wrapper that allows either Kerberos or NTLM authentication based on the client request

Dynamics of Negotiate
Key terms of Negotiate
- Client: Internet Explorer
- Server: IIS server that is a member of an Active Directory domain
- Active Directory:
  - Key Distribution Center (KDC) for all clients
  - Ticket Granting Service: issues all tickets (aka tokens)

Dynamics of Negotiate
IIS Server: the IIS server is started, and when the server authenticates to the domain (aka KDC) it receives its ticket.
Active Directory (KDC): Ticket Granting Services

Dynamics of Negotiate
Active Directory (KDC)
Registered ServicePrincipalNames for CN=CA-WEBCAST-IIS,OU=Domain Controllers,DC=ca-webcast,DC=local:
  GC/ca-webcast-iis.ca-webcast.local/ca-webcast.local
  HOST/ca-webcast-iis.ca-webcast.local/CA-WEBCAST
  HOST/CA-WEBCAST-IIS
  HOST/ca-webcast-iis.ca-webcast.local
  HOST/ca-webcast-iis.ca-webcast.local/ca-webcast.local
  E B06-11D1-AB04-00C04FC2DCD2/84bbfa aa bc4ecb6/ca-webcast.local
  ldap/84bbfa aa bc4ecb6._msdcs.ca-webcast.local
  ldap/ca-webcast-iis.ca-webcast.local/CA-WEBCAST
  ldap/CA-WEBCAST-IIS
  ldap/ca-webcast-iis.ca-webcast.local
  ldap/ca-webcast-iis.ca-webcast.local/ca-webcast.local
  NtFrs-88f5d2bd-b646-11d2-a6d3-00c04fc9b232/ca-webcast-iis.ca-webcast.local
(output of: setspn %computername%)

Negotiate at Work…
Client → IIS Server: initial client request for an IIS resource, anonymously
IIS Server → Client: the server response is 401 – WWW-Authenticate header for Negotiate
Client → KDC (Active Directory): I need a ticket for the following service (aka HTTP\HOST)
KDC → Client: if the service is located in the KDC, a secret key is shared with the client
Client → IIS Server: using the key provided, the client creates a hash (key) and sends it to IIS
IIS Server: uses the shared secret key and verifies that the password matches

Demonstration One
Configuring a Process to Use a Domain Account and Kerberos
The purpose of this demonstration is to show how the worker process identity set on an application pool affects authentication when the authenticated user uses the Negotiate protocol and Kerberos.
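The condition the demonstration turns on can be checked before anyone opens a browser: the SPN the client asks the KDC for (HTTP/<host name in the URL>) must be registered on the account the worker process runs as, and on that account only. The checker below is an added example, not code from the presentation; the SPN table is constructed to look like the slide’s setspn output for the ca-webcast.local domain, and the www host name and svc-iispool account are assumed sample values.

```python
# Added example (not from the presentation): does the application pool identity
# own the SPN that Kerberos needs for this site? Input shaped like 'setspn -L'.

# Constructed sample, modelled on the slide's setspn output for ca-webcast.local
SETSPN_SAMPLE = {
    "CA-WEBCAST-IIS$": ["HOST/CA-WEBCAST-IIS",
                        "HOST/ca-webcast-iis.ca-webcast.local"],
    "ca-webcast\\svc-iispool": ["HTTP/www.ca-webcast.local"],   # assumed pool account
}


def canonical_account(identity, computer):
    """Built-in pool identities authenticate to the domain as the computer account."""
    if identity.replace(" ", "").lower() in ("networkservice", "localsystem"):
        return computer.upper() + "$"
    return identity


def spn_owner_check(spns_by_account, host, identity, computer):
    """Return (ok, reasons) for the site at `host` run by `identity`.

    spns_by_account -- account name -> list of SPNs registered on it
    host            -- the name the client types in the URL
    computer        -- NetBIOS name of the IIS server
    """
    identity = canonical_account(identity, computer)
    wanted = "http/" + host.lower()
    owners = [acct for acct, spns in spns_by_account.items()
              if wanted in (s.lower() for s in spns)]
    # The computer account's HOST/ SPN also covers HTTP when the pool runs as the machine
    if not owners and identity.endswith("$"):
        host_spn = "host/" + host.lower()
        owners = [acct for acct, spns in spns_by_account.items()
                  if host_spn in (s.lower() for s in spns)]
    reasons = []
    if not owners:
        reasons.append("no HTTP/%s SPN registered: the KDC cannot issue a ticket" % host)
    elif len(owners) > 1:
        reasons.append("duplicate SPN on %s: ticket target is ambiguous" % ", ".join(sorted(owners)))
    elif owners[0].lower() != identity.lower():
        reasons.append("SPN is on %s but the worker process runs as %s: "
                       "the ticket cannot be decrypted" % (owners[0], identity))
    return (not reasons, reasons)
```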

References
- IIS 6 Help Documentation: ault.asp?url=/technet/prodtechnol/windowsserver2003/proddocs/standard/sec_auth_intwinauth.asp
- IIS 6 Deployment Guide
- Load Balancing and Kerberos: ault.asp?url=/technet/prodtechnol/windowsserver2003/maintain/security/nlbsecbp.asp

Q & A