Ins and Outs of Authenticating Users' Requests to IIS 6.0 and ASP.NET. Chris Adams, Program Manager, IIS Product Unit, Microsoft Corporation.


1 Ins and Outs of Authenticating Users' Requests to IIS 6.0 and ASP.NET
  Chris Adams, Program Manager, IIS Product Unit, Microsoft Corporation

2 Agenda
  Introduction to Authentication
  Diving into Authentication Types: Anonymous Access, Basic Authentication, Windows Authentication, Digest & Advanced Digest Authentication, ASP.NET Forms Authentication
  Setup SPN for Kerberos and constrained delegation
  Mapping virtual directories to UNC shares

3 Introduction to Authentication: how authentication works in IIS
  Providers in front of the Server Core: Anonymous, Basic, Digest, Kerberos, NTLM
  1. The request enters the server core.
  2. The server core forwards it to the anonymous provider.
  3. IIS builds the metabase path (w3svc/1/root) and verifies whether anonymous access is enabled on it.
     Yes: the path and the anonymous user's token are handed to the authorization manager.
     No: IIS passes the path to each provider to determine whether that provider is enabled on the path. Each enabled provider returns the appropriate authentication header to the server core.

4 Anonymous Authentication
  Anonymous account: the role of IUSR
    Automatically added during setup to the system's Guests group
    The IUSR account is intrinsically given Read access to all folders as a member of the Guests group
    Also used by the MS FTP server for anonymous authentication
  IIS Sub-authentication: avoids password synchronization problems

5 Anonymous Authentication (2): defining IIS's sub-authenticator
  "Allow IIS to Control Password" checked = SubAuth is being used
  What component is IIS SubAuth, and why does it exist? It avoids password synchronization problems
  Security concerns:
    Must run in-process (Inetinfo)
    Must run as LocalSystem
  Default on IIS 4.0, 5.0, and 5.1; not the default on IIS 6.0

6 Anonymous Authentication (3): is IIS Sub-Authentication enabled?
  This checkbox enables IIS Sub-Authentication in IIS 4, 5, and 5.1.
  The checkbox does not exist in the IIS 6.0 IIS Manager; there it must be enabled manually.

7 Anonymous Authentication (4): metabase properties
  Two secure properties:
    AnonymousUserName (STRING): "IUSR_CA-MAIN"
    AnonymousUserPass (STRING): "**********"
  The token for IUSR_MachineName is obtained at startup of the w3svc service
  When sub-authentication is disabled, both properties must contain the correct user account and password; if they are not correct, a 401.1 results
  Use the Event Viewer Security log to track failures
  Can be customized at the site or virtual directory level

8 Watching IIS Sub-Authentication in action
  Chris Adams, Program Manager, IIS Product Unit

9 Basic Authentication: limitations and risks of Basic
  "Clear text passwords": Base64 encoded
  Advantages:
    RFC backed (RFC 2617)
    Supports proxies
    Wide browser support
    Good authentication when combined with SSL
  Disadvantages:
    Requires a Windows account
    Very insecure if not protected with Secure Socket Layer (SSL)
    The password is sent directly on the wire, only encoded rather than encrypted, so administrators (or anyone else observing the traffic) can decode it if desired (less secure)

10 Decoding Basic Authentication
  Chris Adams, Program Manager, IIS Product Unit

11 Introduction to "Negotiate"
  Kerberos and NTLM: "Negotiate" is a wrapper for these two protocols

12 Introduction to Integrated Authentication
  Metabase property: AuthNTLM
  Internet Explorer prefers Integrated over Basic when both are enabled on a path
  NTAuthenticationProviders has no UI support; it must be set with adsutil or Metabase Explorer

13 Introduction to Integrated Authentication: how is the appropriate integrated authentication determined?
  Is AuthNTLM enabled on the path?
    No: 401.3 Access Denied
    Yes: NTAuthenticationProviders determines whether Negotiate or NTLM is offered

14 Dynamics of NTLM
  Connection oriented: the same connection is always used for each request of the exchange; HTTP Keep-Alives are required
  Understanding auth dialog boxes: NTLM, by default, doesn't prompt; NTLM may prompt if the original request fails with 401.1
  NTLM's use of Domain\Username\Password: Domain and Username are always shared over the wire between client and server; the password never is, a hash of the password is always used instead
  The Authentication header includes: Domain\Username\HashedPassword

15 Dynamics of NTLM: Security
  Why is NTLM authentication secure? The hash algorithm of the password is unknown to attackers monitoring the HTTP requests on the wire
  If connections are broken or manipulated (by proxies), then NTLM fails
  Versions: LAN Manager (Windows 95), NTLM v1 (NT 4.0), NTLM v2 (Windows 2000 / 2003)

16 NTLM @ Work (message flow between Client and IIS Server)
  Client -> IIS Server: GET /Default.HTM
  IIS Server -> Client: 401, WWW-Authenticate: NTLM
  Client -> IIS Server: GET /Default.HTM with AuthNTLM header
  IIS Server -> Client: 401 (challenge, see next slide)
  Client -> IIS Server: GET /Default.HTM with hashed AuthNTLM header
  IIS Server -> Client: 200 OK, or 401 Access Denied

17 Dynamics of NTLM: NTLM at work (previous slide)
  1. The IE client requests an IIS resource (anonymously).
  2. IIS returns 401 with a WWW-Authenticate header saying NTLM.
  3. IE submits a new request for the IIS resource with an NTLM Authentication header (username).
  4. IIS uses the NT Authentication header to build a secret key and sends a 401 with the key back to the client.
  5. IE submits a new request for the IIS resource with an NTLM Authentication header (username\password\hash of password).
  6. IIS checks the username\password\hash; if it matches, IIS returns 200 OK, otherwise 401.1 Login failed (IE prompts).

18 Dynamics of Kerberos: why create another authentication protocol?
  NTLM limitations:
    NTLM tokens cannot be delegated
    NTLM is proprietary and only supported on the Windows platform
    NTLM has limited support out of the box (other browsers)
  Is Negotiate a new protocol? No, it is just a wrapper that allows either Kerberos or NTLM authentication based on the client request

19 Dynamics of Kerberos: key terms of Negotiate
  Client: Internet Explorer
  Server: IIS server that is a member of an Active Directory domain
  Active Directory: Key Distribution Center (KDC) for all clients
  Ticket Granting Service: issues all tickets (aka tokens)

20 Dynamics of Negotiate
  The IIS server is started, and when the server authenticates to the domain (aka the KDC) it receives its ticket.
  (Diagram: Client, IIS Server, Domain Controller (KDC) with its Ticket Granting Service)

21 Negotiate @ Work (diagram: Client, Domain Controller (KDC), IIS Server)
  1. Initial client request for an IIS resource, anonymously.
  2. The server response is 401 with a WWW-Authenticate header for Negotiate.
  3. Client to KDC: "I need a ticket for the following service" (aka HTTP\HOST).
  4. If the service is located in the KDC, the shared secret key is provided to the client.
  5. Using the key provided, the client creates a hash (key) and sends it to IIS.
  6. IIS uses the shared secret key and verifies that the password matches.

22 Deciphering Kerberos vs. Integrated Authentication
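As an added example, not part of the presentation: a small Python classifier that takes Authorization / WWW-Authenticate header values as a proxy or packet capture would show them and tells Basic, NTLM (including which of the three NTLM message types it is, and the domain and user name a type 3 message carries in the clear) and SPNEGO/Kerberos apart, which is the check slides 10, 14 to 17 and 22 walk through. The NTLM layout follows MS-NLMP; the builder only produces a constructed type 3 message as test input, and the names CONTOSO and alice are made up.

```python
import base64
import struct
SCHEMES = {"basic": "Basic", "ntlm": "NTLM", "negotiate": "Negotiate"}
NTLM_SIG = b"NTLMSSP\x00"
NTLM_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}
NTLM_UNICODE = 0x00000001  # NegotiateFlags bit: domain/user are UTF-16LE

def _sec_buffer(raw, off):
    # NTLM security buffer: Len(2) MaxLen(2) Offset(4), little-endian
    length, _maxlen, start = struct.unpack_from("<HHI", raw, off)
    return raw[start:start + length]

def classify_auth_header(value):
    """Describe one Authorization / WWW-Authenticate value as a proxy sees it."""
    scheme, _, token = value.strip().partition(" ")
    scheme = scheme.lower()
    name = SCHEMES.get(scheme, scheme)
    if scheme == "basic":
        # Base64 is encoding, not encryption: anyone on the path can read it
        user = base64.b64decode(token).decode("latin-1").partition(":")[0]
        return {"scheme": name, "user": user, "cleartext_credential": True}
    if scheme not in ("ntlm", "negotiate"):
        return {"scheme": name, "mechanism": "unknown"}
    if not token:  # bare "WWW-Authenticate: NTLM" / "Negotiate" sent by IIS
        return {"scheme": name, "stage": "challenge offer"}
    raw = base64.b64decode(token)
    if not raw.startswith(NTLM_SIG):  # 0x60 = GSS-API token: SPNEGO/Kerberos
        return {"scheme": name, "mechanism": "SPNEGO/Kerberos" if raw[:1] == b"\x60" else "unknown"}
    mtype = struct.unpack_from("<I", raw, 8)[0]
    info = {"scheme": name, "mechanism": "NTLM", "ntlm_type": NTLM_TYPES.get(mtype)}
    if mtype == 3:
        # AUTHENTICATE: 8-byte buffers LM, NT, domain, user, ws, key from offset 12; flags at 60
        flags = struct.unpack_from("<I", raw, 60)[0]
        enc = "utf-16-le" if flags & NTLM_UNICODE else "latin-1"
        info["domain"] = _sec_buffer(raw, 28).decode(enc)
        info["user"] = _sec_buffer(raw, 36).decode(enc)
        # Only a challenge response travels, never the password; 24 bytes = NTLMv1
        info["nt_response_len"] = len(_sec_buffer(raw, 20))
    return info

def build_ntlm_authenticate_header(domain, user, nt_response):
    """Constructed NTLM type 3 header value for testing; not a real client."""
    blobs = [b"", nt_response, domain.encode("utf-16-le"),
             user.encode("utf-16-le"), b"", b""]  # LM, NT, domain, user, ws, key
    bufs, payload = b"", b""
    for blob in blobs:  # payload follows the 64-byte fixed part
        bufs += struct.pack("<HHI", len(blob), len(blob), 64 + len(payload))
        payload += blob
    msg = NTLM_SIG + struct.pack("<I", 3) + bufs + struct.pack("<I", NTLM_UNICODE) + payload
    return "NTLM " + base64.b64encode(msg).decode("ascii")
```

A "Negotiate" header whose token starts with NTLMSSP shows IE fell back to NTLM inside the Negotiate wrapper, which is what slide 22's deciphering comes down to.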

23 Digest Authentication
  What is digest authentication?
  Limitations and risks of Digest
  Requirements of Digest:
    IIS Sub-Auth (iissuba, running as LocalSystem)
    Active Directory
    Password stored in AD with reversible encryption
  Platforms available: Windows 2000, Windows 2003

24 Advanced Digest
  What is advanced digest authentication?
  Requirements of Adv. Digest:
    2003 Active Directory forest required
    Hash pre-computed at user creation
    Strictly RFC compliant
  Platforms available
  Determining which digest is being used?
  More details on Digest and Adv. Digest Authentication: http://www.microsoft.com/windowsserver2003/iis/support/webcasts.mspx

25 ASP.NET Forms Authentication
  Developer driven authentication; does not use Windows authentication.
  Advantage: you can easily support your existing user base, e.g. Novell, AS400.

26 ASP.NET Forms Authentication
  ASP.NET uses IIS's authentication token when the authentication mode is set to "Windows".
  Setup: [configuration illustration not preserved in the transcript]
  ASP.NET implements forms authentication when it is selected and uses the provider specified.

27 Setup SPN: service registration
  Services running as Local System: automatically registered at installation time
  Services running with a customized account: must be registered manually by the administrator

28 Mapping virtual directories to UNC shares: can use a static username / password

29 Mapping virtual directories to UNC shares: can pass the authenticated user's credentials through

30 Session Summary
  There are a lot of variables that go into authentication in IIS.
  Understanding how IIS Sub-Authentication works is key to two authentication types: Anonymous and Digest.
  Basic authentication is commonly supported by browsers, but is insecure without encryption technology.
  Integrated authentication is complex and difficult to troubleshoot without knowing key metabase properties such as NTAuthenticationProviders.

31 © 2005 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.
