Ins and Outs of Authenticating Users' Requests to IIS 6.0 and ASP.NET
Chris Adams, Program Manager, IIS Product Unit, Microsoft Corporation
Agenda
- Introduction to Authentication
- Diving into Authentication Types
  - Anonymous Access
  - Basic Authentication
  - Windows Authentication
  - Digest & Advanced Digest Authentication
  - ASP.NET Forms Authentication
- Setup SPN for Kerberos and constrained delegation
- Mapping virtual directories to UNC shares
Introduction to Authentication
How authentication works in IIS
[Diagram: the Server Core hands each request to the authentication providers: Anonymous, Basic, Digest, Kerberos, NTLM]
1. The request enters the server core.
2. The server core forwards it to the anonymous provider.
3. IIS builds the metabase path (for example w3svc/1/root) and verifies whether anonymous access is enabled on it.
   Yes: the path and the anonymous user's token are provided to the authorization manager.
   No: IIS passes the path to each provider to determine whether that provider is enabled on the path.
4. Each provider that is enabled returns the appropriate WWW-Authenticate header to the server core.
Anonymous Authentication
Anonymous Account: Role of IUSR
- Is automatically added during setup to the system's Guests group
- The IUSR account is intrinsically provided Read access to all folders as a member of the Guests group
- Also used by the MS FTP server for anonymous authentication
IIS Sub-authentication
- Avoids password synchronization problems
Anonymous Authentication (2)
Defining IIS's Sub-authenticator
- "Allow IIS to Control Password" checked = SubAuth is being used
- What component is IIS SubAuth? Why does it exist?
- Avoids password synchronization problems
Security concerns:
- Must run in-process (Inetinfo)
- Must run as LocalSystem
- Default on IIS 4.0, 5.0, and 5.1
- Not the default on IIS 6.0
Anonymous Authentication (3)
Is IIS Sub-Authentication enabled?
- Checking "Allow IIS to Control Password" enables IIS Sub-Authentication in IIS 4, 5, and 5.1.
- That checkbox does not exist in the IIS 6.0 IIS Manager; sub-authentication must be configured manually there.
Anonymous Authentication (4)
Metabase Properties
Two secure properties:
  AnonymousUserName : (STRING) "IUSR_CA-MAIN"
  AnonymousUserPass : (STRING) "**********"
- The token for IUSR_MachineName is obtained at startup of the w3svc service
- When sub-auth is disabled, both properties must contain the correct user account and password
- If they are not correct, a 401.1 results
- Use the Event Viewer Security log to track failures
- Can be customized at the site or virtual directory level
Watching IIS Sub-Authentication in action
Basic Authentication
Limitations and Risks of Basic
"Clear Text Passwords": the credentials are only Base64 encoded
Advantages
- RFC backed (RFC 2617)
- Supports proxies
- Wide browser support
- Good authentication when combined with SSL
Disadvantages
- Requires a Windows account
- Very insecure if not protected with Secure Sockets Layer (SSL)
- The password is sent directly on the wire, only encoded, so anyone who can read the request (an administrator of a proxy on the path, or of the server itself) can decode it; this is why it is considered less secure
Decoding Basic Authentication
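The "Decoding Basic Authentication" demo itself did not survive in this transcript. As an added example that is not part of the original webcast, the Python below builds the Authorization header a browser sends for Basic authentication and then decodes it again, which is exactly what an administrator of any proxy on the path (or anyone with a packet capture) can do. The account names and password are constructed for the example; the handling of the DOMAIN\user and user@domain account forms reflects how IIS maps a Basic logon to a Windows account, but is not something the slides themselves cover.

```python
import base64
import binascii
from typing import Optional, Tuple


def build_basic_header(username: str, password: str) -> str:
    """Build the Authorization header a browser sends for Basic auth.

    RFC 2617: the credentials are the string "user:pass", Base64 encoded.
    Base64 is an encoding, not encryption: there is no key, anyone can undo it.
    """
    token = base64.b64encode(f"{username}:{password}".encode("latin-1")).decode("ascii")
    return f"Authorization: Basic {token}"


def decode_basic_header(header_line: str) -> Optional[Tuple[str, str]]:
    """Recover (username, password) from an 'Authorization: Basic ...' line.

    Returns None when the line is not a Basic credential or is malformed.
    This is the whole "attack": no secret is needed to read the password.
    """
    name, sep, value = header_line.partition(":")
    if not sep or name.strip().lower() != "authorization":
        return None
    scheme, _, token = value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True)
    except (binascii.Error, ValueError):
        return None
    # The password may itself contain ':'; only the first one separates user and password.
    user, sep, password = raw.decode("latin-1").partition(":")
    if not sep:
        return None
    return user, password


def split_windows_user(user: str) -> Tuple[str, str]:
    """IIS Basic auth logs on a Windows account given as DOMAIN\\user, user@domain
    or a bare name.  Returns (domain, user); an empty domain means IIS applies
    its configured default domain."""
    if "\\" in user:
        domain, _, name = user.partition("\\")
        return domain, name
    if "@" in user:
        name, _, domain = user.partition("@")
        return domain, name
    return "", user


if __name__ == "__main__":
    # Constructed sample credentials; not a real account.
    line = build_basic_header("CONTOSO\\alice", "S3cret:with:colons")
    print(line)                         # what crosses the wire without SSL
    print(decode_basic_header(line))    # what any observer recovers from it
    print(split_windows_user("CONTOSO\\alice"))
```

Note that decoding is the only "protection" Basic offers; the webcast's point that Basic is acceptable only over SSL follows directly from this.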
Introduction...
[Diagram: "Negotiate" wraps two protocols, Kerberos and NTLM]
"Negotiate" is a wrapper for these two protocols
Introduction to Integrated Authentication
- Metabase property: AuthNTLM
- Internet Explorer prefers Integrated over Basic when both are enabled on a path
- NTAuthenticationProviders has no UI support; it must be set with adsutil or Metabase Explorer.
Introduction to Integrated Authentication
How is the appropriate integrated authentication determined?
[Flowchart: Is AuthNTLM set on the path? No: 401.3 Access Denied. Yes: NTAuthenticationProviders determines whether the 401 advertises Negotiate or NTLM.]
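As an added example that is not part of the original webcast, the Python below models the provider dispatch described earlier together with the NTAuthenticationProviders decision from this flowchart: given the metabase properties set on a path, it returns the WWW-Authenticate headers IIS puts on its 401 and the scheme Internet Explorer would then pick. The PathAuth class and its defaults (including the ca-main realm, taken from the IUSR_CA-MAIN machine name on the earlier slide) are assumptions for this example; the property names are the real metabase names. Ranking Digest between the integrated schemes and Basic is also an assumption, since the slides only state that IE prefers Integrated over Basic.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class PathAuth:
    """Subset of the IIS 6.0 metabase authentication properties on a path
    (for example W3SVC/1/ROOT).  Names are the real metabase properties; the
    defaults here are assumptions for this example, not the product defaults."""
    AuthAnonymous: bool = False
    AuthBasic: bool = False
    AuthNTLM: bool = False                 # "Integrated Windows authentication" in IIS Manager
    AuthMD5: bool = False                  # Digest
    NTAuthenticationProviders: str = "Negotiate,NTLM"
    Realm: str = "ca-main"                 # assumed realm, after the machine name on the slide


def www_authenticate_headers(auth: PathAuth) -> List[str]:
    """Headers IIS puts on the 401 when anonymous access is off on the path.

    Each enabled provider contributes its own WWW-Authenticate header.  For the
    integrated providers the set follows NTAuthenticationProviders:
    'Negotiate,NTLM' advertises both, 'NTLM' advertises NTLM only.
    """
    headers: List[str] = []
    if auth.AuthNTLM:
        for provider in auth.NTAuthenticationProviders.split(","):
            provider = provider.strip()
            if provider:
                headers.append(f"WWW-Authenticate: {provider}")
    if auth.AuthMD5:
        headers.append(f'WWW-Authenticate: Digest realm="{auth.Realm}"')   # nonce omitted
    if auth.AuthBasic:
        headers.append(f'WWW-Authenticate: Basic realm="{auth.Realm}"')
    return headers


def respond(auth: PathAuth) -> str:
    """First response to an anonymous request against the path."""
    if auth.AuthAnonymous:
        return "200 OK (anonymous user token handed to the authorization manager)"
    headers = www_authenticate_headers(auth)
    if not headers:
        return "401 Unauthorized (no authentication provider enabled on the path)"
    return "401 Unauthorized\n" + "\n".join(headers)


def ie_choice(headers: List[str]) -> Optional[str]:
    """Scheme Internet Explorer selects from the offered headers.  The slides only
    say Integrated beats Basic; placing Digest between them is an assumption."""
    schemes = [h.split(":", 1)[1].strip().split(" ")[0] for h in headers]
    for preferred in ("Negotiate", "NTLM", "Digest", "Basic"):
        if preferred in schemes:
            return preferred
    return None


if __name__ == "__main__":
    for cfg in (PathAuth(AuthNTLM=True, AuthBasic=True),
                PathAuth(AuthNTLM=True, NTAuthenticationProviders="NTLM"),
                PathAuth(AuthAnonymous=True)):
        print(respond(cfg), "-> IE picks", ie_choice(www_authenticate_headers(cfg)), "\n")
```

Comparing the headers this prints with the 401 an actual IIS 6.0 server returns for a path is a quick way to confirm what NTAuthenticationProviders is set to without opening Metabase Explorer.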
Dynamics of NTLM
Connection oriented
- The same connection is always used per request
- HTTP keep-alives are required
Understanding auth dialog boxes
- NTLM, by default, doesn't prompt
- NTLM may prompt if the original request fails with 401.1
NTLM's use of Domain\Username\Password
- Domain and username are always shared over the wire between client and server
- The password never is; NTLM always uses a hash of the password
- Authentication header includes: Domain\Username\HashedPassword (strictly, a response computed from the password hash and the server's challenge; the hash itself is not sent either)
Dynamics of NTLM: Security
Why is NTLM authentication secure?
- Attackers monitoring the HTTP requests on the wire see only a response derived from the password hash, never the password itself (the hash algorithm is public, so the protection lies in the challenge/response; LM and NTLM v1 responses can still be attacked offline, which is why NTLM v2 exists)
- If connections are broken or manipulated (by proxies), NTLM fails
Versions:
- LAN Manager: Windows 95
- NTLM v1: NT 4.0
- NTLM v2: Windows 2000 / 2003
NTLM @ Work...
[Sequence diagram, client laptop on the left and IIS server on the right:
  GET /Default.HTM                      ->  401 - WWW-Authenticate: NTLM
  GET /Default.HTM w/ AuthNTLM          ->  401 - Access Denied (carries the server's challenge)
  GET /Default.HTM w/ AuthNTLM Hashed   ->  200 - OK]
Dynamics of NTLM
NTLM at work... (previous slide)
1. The IE client requests an IIS resource (anonymously)
2. IIS returns 401 with a WWW-Authenticate header saying NTLM
3. IE submits a new request for the IIS resource with an NTLM Authorization header (username)
4. IIS uses the NTLM header to build a secret key (the challenge) and sends a 401 with the key back to the client
5. IE submits a new request for the IIS resource with an NTLM Authorization header (domain\username and the response computed from the hash of the password and the challenge)
6. IIS checks the username and response; if they match it returns 200 OK, otherwise 401.1 Login failed (IE prompts)
Dynamics of Kerberos
Why create another authentication protocol?
NTLM limitations
- NTLM tokens cannot be delegated
- NTLM is proprietary and only supported on the Windows platform
- NTLM has limited support out of the box (other browsers)
Is Negotiate a new protocol?
- No, it is just a wrapper that allows either Kerberos or NTLM authentication based on the client's request
Dynamics of Kerberos
Key terms of Negotiate
- Client: Internet Explorer
- Server: IIS server that is a member of an Active Directory domain
- Active Directory: Key Distribution Center (KDC) for all clients
- Ticket Granting Service: issues all tickets (aka tokens)
Dynamics of Negotiate
[Diagram: client laptop, IIS server, and the domain controller (KDC) with its Ticket Granting Service]
The IIS server is started and, when the server authenticates to the domain (aka KDC), it receives its ticket.
Negotiate @ Work...
[Sequence diagram between the client laptop, the domain controller (KDC) and the IIS server:
1. The client's initial request for the IIS resource is anonymous
2. The server's response is 401 with a WWW-Authenticate header for Negotiate
3. Client to KDC: "I need a ticket for the following service" (aka the SPN HTTP/host)
4. If the service is located in the KDC, a secret key is shared with the client
5. Using the key provided, the client creates a hash (key) and sends it to IIS
6. IIS uses the shared secret key and verifies that the client's proof matches]
Deciphering Kerberos vs. Integrated Authentication
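The "Deciphering Kerberos vs. Integrated Authentication" slide has no surviving text in this transcript. As an added example that is not from the webcast: because Negotiate is only a wrapper, the Authorization header the browser actually sends tells you which protocol is in use. The Python below inspects the base64 token: a raw NTLMSSP message means NTLM; a GSS-API token announcing SPNEGO lists the mechanisms the client offers, and the first one listed is the one whose token is attached; a token that starts with the Kerberos OID is a bare Kerberos AP-REQ. It matches byte patterns rather than parsing the ASN.1 fully, and the sample tokens it builds are constructed, minimal NegTokenInit structures with the mechToken omitted.

```python
import base64
import binascii
import struct

# DER-encoded OIDs found inside GSS-API / SPNEGO tokens (RFC 2743, RFC 4178, MS-SPNG).
SPNEGO_OID = bytes.fromhex("06062b0601050502")              # 1.3.6.1.5.5.2
KERBEROS_OID = bytes.fromhex("06092a864886f712010202")      # 1.2.840.113554.1.2.2
MSKRB_OID = bytes.fromhex("06092a864882f712010202")         # 1.2.840.48018.1.2.2 (Microsoft Kerberos)
NTLMSSP_OID = bytes.fromhex("060a2b06010401823702020a")     # 1.3.6.1.4.1.311.2.2.10
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"


def classify_integrated_token(header_line: str):
    """Return (scheme, carrier, mechanism) for an 'Authorization:' request header.

    Byte-pattern heuristics, not a full ASN.1 parse: enough to answer
    "is this session really Kerberos, or did the client fall back to NTLM?"."""
    _, _, value = header_line.partition(":")
    scheme, _, b64 = value.strip().partition(" ")
    if scheme.lower() not in ("negotiate", "ntlm"):
        return scheme, "none", "not integrated authentication"
    try:
        token = base64.b64decode(b64.strip(), validate=True)
    except (binascii.Error, ValueError):
        return scheme, "none", "undecodable token"
    if token.startswith(NTLMSSP_SIGNATURE):
        # Message type sits at offset 8: 1 = negotiate, 2 = challenge, 3 = authenticate.
        msg_type = struct.unpack_from("<I", token, 8)[0] if len(token) >= 12 else 0
        return scheme, "NTLMSSP", f"NTLM type {msg_type}"
    if not token.startswith(b"\x60"):
        return scheme, "unknown", "unrecognised token"
    # GSS-API InitialContextToken: 0x60, length, then the mechanism OID.
    if SPNEGO_OID in token[:16]:
        # SPNEGO mechTypes: the first OID listed is the mechanism whose token is attached.
        found = [(token.find(oid), name) for name, oid in
                 (("Kerberos", MSKRB_OID), ("Kerberos", KERBEROS_OID), ("NTLM", NTLMSSP_OID))
                 if oid in token]
        if not found:
            return scheme, "SPNEGO", "no known mechanism offered"
        return scheme, "SPNEGO", min(found)[1]
    if KERBEROS_OID in token[:16] or MSKRB_OID in token[:16]:
        return scheme, "GSS-Kerberos", "Kerberos"
    return scheme, "GSS", "unknown mechanism"


def _der(tag: int, content: bytes) -> bytes:
    """Minimal DER TLV encoder (short and long definite lengths)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    length = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length)]) + length + content


def spnego_neg_token_init(mech_oids) -> bytes:
    """Constructed sample: a NegTokenInit listing only mechTypes (mechToken omitted),
    wrapped in the GSS-API InitialContextToken the browser base64-encodes."""
    mech_type_list = _der(0x30, b"".join(mech_oids))
    neg_token_init = _der(0x30, _der(0xA0, mech_type_list))
    return _der(0x60, SPNEGO_OID + _der(0xA0, neg_token_init))


def auth_header(scheme: str, token: bytes) -> str:
    return f"Authorization: {scheme} {base64.b64encode(token).decode('ascii')}"


if __name__ == "__main__":
    ntlm_type1 = NTLMSSP_SIGNATURE + struct.pack("<I", 1) + b"\x00" * 24   # constructed
    for line in (
        auth_header("NTLM", ntlm_type1),
        auth_header("Negotiate", ntlm_type1),   # a client may send raw NTLMSSP under the Negotiate scheme
        auth_header("Negotiate", spnego_neg_token_init([MSKRB_OID, KERBEROS_OID, NTLMSSP_OID])),
        auth_header("Negotiate", spnego_neg_token_init([NTLMSSP_OID, KERBEROS_OID])),
    ):
        print(line[:48] + "...", "->", classify_integrated_token(line))
```

The eyeball version of the same check when reading a trace: a Negotiate token beginning with TlRMTVNTUAAB is an NTLM Type 1 message, while one beginning with YII is a GSS-API/SPNEGO token and is usually Kerberos. A client that keeps sending NTLM despite NTAuthenticationProviders advertising Negotiate typically could not obtain a ticket, which is where the SPN registration slides later in the deck come in.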
Digest Authentication
What is digest authentication?
Limitations and risks of Digest
Requirements of Digest
- IIS Sub-Auth (iissuba, running as LocalSystem)
- Active Directory
- Password stored in AD with reversible encryption
Platforms available
- Windows 2000
- Windows 2003
Advanced Digest
What is advanced digest authentication?
Requirements of Adv. Digest
- A Windows 2003 Active Directory forest is required
- The hash is pre-computed at user creation
- Strictly RFC compliant
Platforms available
Determining which digest is being used?
More details on Digest and Adv. Digest Authentication:
http://www.microsoft.com/windowsserver2003/iis/support/webcasts.mspx
ASP.NET Forms Authentication
- Developer-driven authentication. Does not use Windows authentication.
- Advantage: you can easily support your existing user base, e.g. Novell, AS/400
- ASP.NET uses IIS's authentication token when the authentication mode is set to "Windows"
ASP.NET Forms Authentication
Setup:
[Screenshot of the forms authentication setup; text not recoverable]
- ASP.NET implements forms authentication when selected and uses the provider specified
Setup SPN Service Registration
- Services running as Local System: automatically registered at installation time
- Services running with a customized account: manually registered by the administrator
Mapping virtual directories to UNC shares
- Can use a static username / password
- Can pass the authenticated user's credentials through
Session Summary
- There are a lot of variables that go into authentication in IIS
- Understanding how IIS Sub-Authentication works is key to two authentication types: Anonymous and Digest
- Basic authentication is commonly supported by browsers, but is insecure without encryption technology
- Integrated authentication is complex and difficult to troubleshoot without knowing key metabase properties such as NTAuthenticationProviders
© 2005 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.