
Understanding Integrated Authentication in IIS Chris Adams IIS Supportability Lead Microsoft Corp.


1 Understanding Integrated Authentication in IIS Chris Adams IIS Supportability Lead Microsoft Corp.

2 Agenda
- Introduction to Integrated Authentication
- Dynamics of NTLM Authentication
- Dynamics of Negotiate Authentication
- Demonstration One
- Best Practices for Integrated Authentication
- References

3 Introduction to Integrated Authentication
- Introduced in Windows 2000
- Commonly referred to as “Windows Integrated Authentication”
- Secure: it is considered secure because it does not transmit the password “on the wire”
- Internet Explorer prefers it: if Basic and Integrated are both enabled, IE will use Integrated for security reasons

4 Introduction: Let’s review… How authentication works in IIS
(Diagram: Server Core dispatching to the providers Anonymous, Basic, Digest, Kerberos, NTLM, Passport)
1. Request enters server core.
2. Server core forwards to the anonymous provider. IIS builds the path (w3svc/1/root) and verifies whether anonymous is enabled.
   - Yes: provide the path and the anonymous user's token to the authorization manager.
   - No: IIS passes the path to each provider to determine whether that provider is enabled on the path. Each provider that is enabled returns the appropriate header to server core.

5 Introduction… (Diagram: Negotiate, wrapping Kerberos and NTLM)

6 Introduction to Integrated Authentication: platform information for Windows Integrated
- Windows NT 4: supports only NTLM (not known as Windows Integrated)
- Windows 2000: supports Negotiate and NTLM
- Windows 2003: supports Negotiate and NTLM

7 Introduction to Integrated Authentication

8 How is the appropriate integrated authentication determined?
(Flowchart) AuthNTLM enabled? No: 401.3 Access Denied. Yes: NTAuthenticationProviders decides which headers are sent: Negotiate, NTLM.

9 Dynamics of NTLM
- Connection oriented
  - The same connection is always used per request
  - HTTP keep-alives required
- Understanding auth dialog boxes
  - NTLM, by default, doesn’t prompt
  - NTLM may prompt if the original request fails with 401.1
- NTLM’s use of Domain\Username\Password
  - Domain and username are always shared over the wire between client and server
  - The password never is; NTLM always uses a hash of the password
  - Authentication header includes: Domain\Username\HashedPassword

10 Dynamics of NTLM: Security
- Why is NTLM authentication secure?
  - The hash algorithm of the password is unknown when hackers monitor the HTTP requests on the wire
  - If connections are broken or manipulated (by proxies), then NTLM fails

11 NTLM @ Work… (sequence diagram)
Client -> Server: GET /Default.HTM
Server -> Client: 401 – WWW-Authenticate: NTLM
Client -> Server: GET /Default.HTM w/ AuthNTLM
Server -> Client: 401 – Access Denied
Client -> Server: GET /Default.HTM w/ AuthNTLM hashed
Server -> Client: 200 – OK

12 Dynamics of NTLM: NTLM at work… (previous slide)
1. IE client requests an IIS resource (anonymously)
2. IIS returns 401 with a WWW-Authenticate header saying NTLM
3. IE submits a new request for the IIS resource with an NTLM Authentication header (username)
4. IIS uses the NT Authentication header to build a secret key and sends 401 with the key back to the client
5. IE submits a new request for the IIS resource with an NTLM Authentication header (username\password\hash of password)
6. IIS checks username\password\hash; if it matches, it returns 200 OK, or 401.1 Login failed (IE prompts)
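The following is an added illustration of slides 8 through 12, not code from the presentation or from Microsoft. It models the three legs of the NTLM exchange between a toy IE client and a toy IIS, the AuthNTLM/NTAuthenticationProviders decision for the WWW-Authenticate header, and the connection-oriented behaviour: the challenge is remembered per connection, so a proxy that opens a new connection for each request breaks the handshake. The password hash and challenge/response are SHA-256/HMAC stand-ins, not the real NT hash or NTLM message format, and the account CONTOSO\chris is a constructed sample.

```python
import hashlib
import hmac
import os


def nt_hash(password: str) -> bytes:
    """Stand-in for the NT password hash; only this is stored on the server side."""
    return hashlib.sha256(password.encode("utf-16-le")).digest()


def ntlm_response(password_hash: bytes, challenge: bytes) -> bytes:
    """Stand-in for the NTLM response: keyed by the hash, so the password itself never goes on the wire."""
    return hmac.new(password_hash, challenge, hashlib.sha256).digest()


class IISServer:
    """Toy IIS: the two metabase settings from slide 8 plus per-connection handshake state."""

    def __init__(self, accounts, auth_ntlm=True, providers=("Negotiate", "NTLM")):
        self.accounts = accounts          # "DOMAIN\\user" -> stored password hash
        self.auth_ntlm = auth_ntlm        # AuthNTLM flag
        self.providers = list(providers)  # NTAuthenticationProviders
        self.pending = {}                 # connection id -> challenge awaiting its response
        self.authenticated = {}           # connection id -> user (NTLM is connection oriented)

    def www_authenticate(self):
        """Header value(s) advertised on a 401, or None when integrated auth is disabled."""
        if not self.auth_ntlm:
            return None
        return [p for p in self.providers if p in ("Negotiate", "NTLM")]

    def handle(self, conn_id, request):
        providers = self.www_authenticate()
        if providers is None:
            return {"status": "401.3"}                         # no integrated provider enabled
        if conn_id in self.authenticated:                      # keep-alive: connection already authenticated
            return {"status": 200, "user": self.authenticated[conn_id]}
        auth = request.get("Authorization")
        if auth is None or auth[0] != "NTLM":                  # step 2: demand integrated auth
            return {"status": 401, "WWW-Authenticate": providers}
        msg = auth[1]
        if msg["type"] == 1:                                   # step 4: reply with a fresh challenge
            self.pending[conn_id] = os.urandom(8)
            return {"status": 401, "WWW-Authenticate": "NTLM", "challenge": self.pending[conn_id]}
        challenge = self.pending.pop(conn_id, None)            # step 6: verify the response
        account = f"{msg['domain']}\\{msg['user']}"
        if challenge is None or account not in self.accounts:  # no challenge issued on THIS connection
            return {"status": "401.1"}
        if hmac.compare_digest(ntlm_response(self.accounts[account], challenge), msg["response"]):
            self.authenticated[conn_id] = account
            return {"status": 200, "user": account}
        return {"status": "401.1"}                             # logon failed: IE would now prompt


class IEClient:
    """Toy IE: keeps only the hash of the user's password and walks the three legs."""

    def __init__(self, domain, user, password):
        self.domain, self.user = domain, user
        self.password_hash = nt_hash(password)

    def get(self, server, conn_id, path="/Default.HTM"):
        """Returns (final response, status codes seen); all legs use one connection."""
        seen = []
        r = server.handle(conn_id, {"path": path})                               # leg 1: anonymous
        seen.append(r["status"])
        if r["status"] != 401 or "NTLM" not in r["WWW-Authenticate"]:
            return r, seen
        type1 = {"type": 1, "domain": self.domain, "user": self.user}            # leg 3: who I am
        r = server.handle(conn_id, {"path": path, "Authorization": ("NTLM", type1)})
        seen.append(r["status"])
        if r["status"] != 401:
            return r, seen
        type3 = {"type": 3, "domain": self.domain, "user": self.user,            # leg 5: prove it
                 "response": ntlm_response(self.password_hash, r["challenge"])}
        r = server.handle(conn_id, {"path": path, "Authorization": ("NTLM", type3)})
        seen.append(r["status"])
        return r, seen


ACCOUNTS = {"CONTOSO\\chris": nt_hash("P@ssw0rd!")}   # constructed sample account


def run(password="P@ssw0rd!", **server_opts):
    """Full exchange on one keep-alive connection; returns the status codes seen."""
    return IEClient("CONTOSO", "chris", password).get(IISServer(ACCOUNTS, **server_opts), "conn-1")[1]


def run_second_request_same_connection():
    """Once a connection is authenticated, later requests on it need no new handshake."""
    server, client = IISServer(ACCOUNTS), IEClient("CONTOSO", "chris", "P@ssw0rd!")
    client.get(server, "conn-1")
    return client.get(server, "conn-1")[1]


def run_without_keepalive():
    """A proxy opening a new connection per request: the challenge was issued on conn-2,
    the response arrives on conn-3, so IIS cannot match them and the logon fails."""
    server, client = IISServer(ACCOUNTS), IEClient("CONTOSO", "chris", "P@ssw0rd!")
    type1 = {"type": 1, "domain": "CONTOSO", "user": "chris"}
    r = server.handle("conn-2", {"path": "/Default.HTM", "Authorization": ("NTLM", type1)})
    type3 = {"type": 3, "domain": "CONTOSO", "user": "chris",
             "response": ntlm_response(client.password_hash, r["challenge"])}
    return server.handle("conn-3", {"path": "/Default.HTM", "Authorization": ("NTLM", type3)})["status"]
```

`run()` reproduces the 401, 401, 200 sequence of slide 11; `run(password="wrong")` ends in 401.1, `run(auth_ntlm=False)` in 401.3, and `run_without_keepalive()` shows why slide 9 insists on keep-alives.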

13 Dynamics of Negotiate
- Why create another authentication protocol? NTLM limitations:
  - NTLM tokens cannot be delegated
  - NTLM is proprietary and only supported on the Windows platform
- Is Negotiate a new protocol?
  - No, it is just a wrapper that allows either Kerberos or NTLM authentication based on the client request

14 Dynamics of Negotiate: key terms of Negotiate
- Client: Internet Explorer
- Server: IIS server that is a member of an Active Directory domain
- Active Directory:
  - Key Distribution Center (KDC) for all clients
  - Ticket Granting Service: issues all tickets (aka tokens)

15 Dynamics of Negotiate
(Diagram: IIS Server, Active Directory (KDC), Ticket Granting Services)
The IIS server is started, and when the server authenticates to the domain (aka KDC) it receives its ticket.

16 Dynamics of Negotiate
Active Directory (KDC): output of "setspn %computername%"
Registered ServicePrincipalNames for CN=CA-WEBCAST-IIS,OU=Domain Controllers,DC=ca-webcast,DC=local:
    GC/ca-webcast-iis.ca-webcast.local/ca-webcast.local
    HOST/ca-webcast-iis.ca-webcast.local/CA-WEBCAST
    HOST/CA-WEBCAST-IIS
    HOST/ca-webcast-iis.ca-webcast.local
    HOST/ca-webcast-iis.ca-webcast.local/ca-webcast.local
    E3514235-4B06-11D1-AB04-00C04FC2DCD2/84bbfa08-5854-4729-80aa-56117bc4ecb6/ca-webcast.local
    ldap/84bbfa08-5854-4729-80aa-56117bc4ecb6._msdcs.ca-webcast.local
    ldap/ca-webcast-iis.ca-webcast.local/CA-WEBCAST
    ldap/CA-WEBCAST-IIS
    ldap/ca-webcast-iis.ca-webcast.local
    ldap/ca-webcast-iis.ca-webcast.local/ca-webcast.local
    NtFrs-88f5d2bd-b646-11d2-a6d3-00c04fc9b232/ca-webcast-iis.ca-webcast.local

17 Negotiate @ Work… (sequence diagram between the client, the IIS server and the KDC (Active Directory))
1. Initial client request for an IIS resource, anonymously
2. The server response is 401 with a WWW-Authenticate header for Negotiate
3. Client to KDC: I need a ticket for the following service (aka HTTP\HOST)
4. If the service is located in the KDC, a secret key (shared with the service) is provided to the client
5. Using the key provided, the client creates a hash (key) and sends it to IIS
6. IIS uses the secret key and verifies that the password matches

18 Demonstration One: Configuring a Process to use a Domain Account and Kerberos
The purpose of this demonstration is to show how the worker process identity set on an application pool affects authentication when the authenticated user uses the Negotiate protocol and Kerberos.
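The following is an added model of slides 15 through 18, not code from the presentation or from Microsoft. A toy KDC keeps account keys and the SPN registry that `setspn` lists; it seals a service ticket with the key of whichever account owns the requested SPN (HTTP/host first, then the HOST/host alias). The toy IIS decrypts tickets with the key of its worker process identity, which is the point of the demonstration: move the application pool from the computer account to a domain account without registering HTTP/host for that account, and the KDC still seals the ticket for the computer account, so IIS cannot open it (real Kerberos reports this as KRB_AP_ERR_MODIFIED). A host with no SPN at all makes the client fall back to NTLM inside Negotiate. The hostname is the one from slide 16; the account svc_webpool, the passwords and the user chris are constructed, and the HMAC-based sealing is a stand-in for Kerberos encryption.

```python
import hashlib
import hmac
import json
import os


def derive_key(password: str) -> bytes:
    """Stand-in for an account's long-term Kerberos key, derived from its password."""
    return hashlib.sha256(password.encode("utf-16-le")).digest()


def _stream(key: bytes, nonce: bytes, n: int) -> bytes:
    out = hmac.new(key, nonce, hashlib.sha256).digest()
    while len(out) < n:
        out += hmac.new(key, out[-32:], hashlib.sha256).digest()
    return out[:n]


def seal(key: bytes, data: bytes) -> bytes:
    """Toy authenticated encryption (HMAC keystream plus HMAC tag)."""
    nonce = os.urandom(16)
    body = bytes(a ^ b for a, b in zip(data, _stream(key, nonce, len(data))))
    return nonce + body + hmac.new(key, nonce + body, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes):
    """Plaintext, or None when the blob was sealed under a different key."""
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + body, hashlib.sha256).digest()):
        return None
    return bytes(a ^ b for a, b in zip(body, _stream(key, nonce, len(body))))


class KDC:
    """Active Directory as KDC: account keys plus the SPN -> account registry."""

    def __init__(self):
        self.keys = {}   # account -> long-term key
        self.spns = {}   # "class/host" -> owning account (what setspn lists)

    def add_account(self, name, password):
        self.keys[name] = derive_key(password)

    def add_spn(self, spn, account):      # like: setspn -A HTTP/host account
        self.spns[spn.lower()] = account

    def service_ticket(self, client, spn):
        """Ticket sealed with the key of the account owning the SPN, or None if no account owns it."""
        host = spn.split("/", 1)[1].lower()
        owner = self.spns.get(spn.lower()) or self.spns.get(f"host/{host}")  # HOST aliases HTTP
        if owner is None:
            return None                    # principal unknown: the client will fall back to NTLM
        return seal(self.keys[owner], json.dumps({"client": client, "spn": spn}).encode())


class IISServer:
    """Toy IIS whose worker process runs as `identity`; tickets are opened with that account's key."""

    def __init__(self, kdc, identity):
        self.identity, self.key = identity, kdc.keys[identity]

    def handle(self, request):
        auth = request.get("Authorization")
        if auth is None or auth[0] != "Negotiate":
            return {"status": 401, "WWW-Authenticate": ["Negotiate", "NTLM"]}
        token = auth[1]
        if token["mech"] == "Kerberos":
            plain = unseal(self.key, token["ticket"])
            if plain is None:              # sealed for another account: KRB_AP_ERR_MODIFIED in real life
                return {"status": 401, "reason": f"ticket not decryptable by {self.identity}"}
            return {"status": 200, "mech": "Kerberos", "user": json.loads(plain)["client"]}
        # NTLM carried inside Negotiate; its challenge/response legs are not modelled here
        return {"status": 200, "mech": "NTLM", "user": token["user"]}


class IEClient:
    def __init__(self, kdc, user):
        self.kdc, self.user = kdc, user

    def get(self, server, host):
        r = server.handle({})                                    # anonymous request first
        if r["status"] != 401 or "Negotiate" not in r["WWW-Authenticate"]:
            return r
        ticket = self.kdc.service_ticket(self.user, f"HTTP/{host}")
        token = ({"mech": "Kerberos", "ticket": ticket} if ticket is not None
                 else {"mech": "NTLM", "user": self.user})       # Negotiate picks NTLM
        return server.handle({"Authorization": ("Negotiate", token)})


HOST = "ca-webcast-iis.ca-webcast.local"   # hostname from slide 16


def build_domain():
    kdc = KDC()
    kdc.add_account("CA-WEBCAST-IIS$", "machine-secret")   # computer account (constructed secret)
    kdc.add_account("svc_webpool", "Pool-P@ss")            # constructed domain account for the pool
    kdc.add_spn(f"HOST/{HOST}", "CA-WEBCAST-IIS$")           # present by default (slide 16)
    return kdc


def scenario(identity, extra_spns=(), host=HOST):
    """Run one request against IIS whose app pool runs as `identity`; returns (status, mechanism)."""
    kdc = build_domain()
    for spn in extra_spns:
        kdc.add_spn(spn, identity)
    r = IEClient(kdc, "chris").get(IISServer(kdc, identity), host)
    return r["status"], r.get("mech")
```

`scenario("CA-WEBCAST-IIS$")` succeeds with Kerberos; `scenario("svc_webpool")` is the failing configuration from the demonstration, and `scenario("svc_webpool", [f"HTTP/{HOST}"])` is the fix, registering the HTTP SPN on the pool account.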

19 References
- IIS 6 Help Documentation: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003/proddocs/standard/sec_auth_intwinauth.asp
- IIS 6 Deployment Guide
- Load Balancing and Kerberos: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003/maintain/security/nlbsecbp.asp

20 Q & A

