SEC320Developing Identity-aware apps on Microsoft’s Identity Platform (Part 1)

David MowersProgram ManagerMicrosoft Security Solutions

Agenda – Part I

MSFT Identity platform

Authentication mechanisms

Authorization mechanisms

Trust mechanisms

Multi-tier Application Scenarios Extranet

Intranet

What is in Part – II?

Application ScenariosPersonalization

Application Configuration

Using LDAP based authentication and authorization

Accessing AD using .NET framework

Agenda – Part I

MSFT Identity platform

Authentication mechanisms

Authorization mechanisms

Trust mechanisms

Multi-tier Application Scenarios Extranet

Intranet

MSFT Identity platform

Windows Server 2003, Active Directory, ADAM, MMS 2003, BizTalk, EBiz Suite, .NET Passport

Interoperability through standardsLDAP, Kerberos, SSL, XML, many more

Roles-based Access Control with Authorization manager

Security, Auditing, and Usability

MSFT Identity Platform - Goals

Lower TCO by improving manageability

Increase ROI by enabling new business opportunities

Rapid application development cycle

Build secure applications easily

Provide SSO (where possible)

Agenda – Part I

MSFT Identity platform

Authentication mechanisms

Authorization mechanisms

Trust mechanisms

Multi-tier Application Scenarios Extranet

Intranet

Windows Integrated AuthN

BackgroundUses Negotiate protocol (RFC2478)Prefers Kerberos(RFC1510) but falls back to NTLM when not available

Pros/ConsLeverages existing AD and infrastructureSimple to enable – checkbox in IISBest user experience

RequirementsRequires IE 5.0 or higher on W2K or higherCode required - none

SSL authentication

BackgroundBoth Server and client authentication availableWidely used for server auth but also useful for client auth

Pros/ConsRequires widespread distribution and availability of certificatesOnce certs are distributed, easy to implement

RequirementsSupported by most browsers/web serversCode required - none

Basic/Digest authentication

BackgroundBasic and Digest are HTTP specific authentication methodsBasic sends clear passwords

Pros/ConsEasy to enable with IIS checkboxSSL encryption advised for both to protect password data

RequirementsNetscape only supports basicCode required - none

ASP.NET AuthenticationImplemented through authentication providers

Windows authentication providerKerberos, SSL, Digest, Basic, Passport/AD mapping

Forms authentication provider

Passport authentication provider

// Web.config file // Web.config file <authentication mode= "[Windows|Forms|Passport|None]"/><authentication mode= "[Windows|Forms|Passport|None]"/>

One line of code to change security contextto authenticated user

Windows Authentication Provider

WindowsImpersonationContext Ic = WindowsImpersonationContext Ic = WindowsIdentity.Impersonate(impersonateToken); WindowsIdentity.Impersonate(impersonateToken);

// Perform some action while impersonating. // Perform some action while impersonating.

Ic.Undo();Ic.Undo();

Forms Authentication

BackgroundUser types in name and password in app form

Cookie written back to browser

Pros/ConsEasy to develop with ASP.NET forms authentication

Non-trivial to add SSO between different ASP.NET applications

No SSO for non-ASP.NET applications

RequirementsSupports most browsers

One line of code logs user in to application

Forms Authentication

//Bind to AD to verify user creds//Bind to AD to verify user creds

FormsAuthentication.RedirectFromLoginPageFormsAuthentication.RedirectFromLoginPage(Username, Persist);(Username, Persist);

.NET Passport AuthenticationBackground

3rd party authentication service

No worries about managing user passwords

Other information can be stored locally

Pros/ConsSSO for users

Reduce customer password pain

No control over Passport account

RequirementsCode required – none for authentication

Write the Passport user name(this will be the PUID)

.NET Passport Authentication

using System.Security.Principal;using System.Security.Principal;

PassportIdentity Passport = Context.User.Identity;PassportIdentity Passport = Context.User.Identity;Response.Write(Passport.Name); Response.Write(Passport.Name); Response.Write(Passport.GetObject(“MemberName”);Response.Write(Passport.GetObject(“MemberName”);

Associate Passport identity with current context

Use GetObject forAdditional attributes

Signed messagesBackground

Integrity protection of messages without SSL burden

Uses CAPICOM(generates PKCS#7 standard messages)

Message verification implies message was sent by the corresponding sender

Pros/ConsRequires distribution of certs

No server authentication possible

Requires IE

CAPICOM

Set oStore = CreateObject("CAPICOM.Store")Set oStore = CreateObject("CAPICOM.Store")oStore.Open CAPICOM_CURRENT_USER_STORE, oStore.Open CAPICOM_CURRENT_USER_STORE, CAPICOM_MY_STORE, CAPICOM_MY_STORE, CAPICOM_STORE_OPEN_READ_ONLY CAPICOM_STORE_OPEN_READ_ONLY Or CAPICOM_STORE_OPEN_EXISTING_ONLYOr CAPICOM_STORE_OPEN_EXISTING_ONLY

set oSelectedCerts = oCerts.Select()set oSelectedCerts = oCerts.Select()Set oSignerCert = oSelectedCerts (1)Set oSignerCert = oSelectedCerts (1)Set oSigner = CreateObject("CAPICOM.Signer")Set oSigner = CreateObject("CAPICOM.Signer")oSigner.Certificate = oSignerCertoSigner.Certificate = oSignerCertSet oSigned = CreateObject("CAPICOM.SignedData")Set oSigned = CreateObject("CAPICOM.SignedData")oSigned.Content = strDataToSignoSigned.Content = strDataToSignSignedData = oSigned.Sign( oSigner )SignedData = oSigned.Sign( oSigner )

First open the store Then select the certificate

Sign the data

Protocol TransitionKerberos S4U2self extension

Background User: authenticates to service (e.g. using Passport)

Service: makes TGS-REQ for user (no password)

Gets service ticket to itself; PAC has user’s authorization data (user & groups SIDs)

Kerberos package builds tokenImpersonation token (service has TCB)

Identification token (no TCB)

RequirementsWin32 API = LsaLogonUser(user_UPN)

Windows Server 2003 host, Windows Server 2003 DCs

.NET Passport/AD Authentication

User registers with site while logged on to PassportAccount created in AD using the PUID as a mapping valueIIS VDIR configured to require or request Passport authenticationIIS invokes protocol transition with “UPN”=PUID@domain.comIf it succeeds, impersonate userUse Windows authentication provider (not Passport) in ASP.NET

Protocol transition in ASP.NET

using System.Security.Principal;using System.Security.Principal; WindowsIdentity Id = new WindowsIdentity Id = new WindowsIdentity(“TESTDOM\test”);WindowsIdentity(“TESTDOM\test”);

One line of code!One line of code!

Constrained DelegationKerberos S4U2proxy extension

BackgroundService: gets service ticket to itself

From Kerberos client or via S4U2self

Service does not get user’s TGT

Service: makes S4U2proxy TGS-REQDelegation evidence is ticket, not user’s TGT

Gets delegated service ticket to target server; PAC has user’s authorization data

RequirmentsInitializeSecurityContext(target_SPN)

Service needs impersonation token

Windows 2003 native mode

Constrained delegation in ASP.NET

using System.Security.Principal;using System.Security.Principal; WindowsIdentity Id = new WindowsIdentity(“TESTDOM\test”);WindowsIdentity Id = new WindowsIdentity(“TESTDOM\test”);WindowsImpersonationContext Ic = Id.Impersonate(); WindowsImpersonationContext Ic = Id.Impersonate();

// Make off-box request for protected data. // Make off-box request for protected data.

Ic.Undo();Ic.Undo();

Protocol transitionProtocol transition Impersonate

Agenda – Part I

MSFT Identity platform

Authentication mechanisms

Authorization mechanisms

Trust mechanisms

Multi-tier Application Scenarios Extranet

Intranet

Why Role Based Authorization?

DevelopersApp can manage its own groups

Predict if user request can succeed

High performance auditing

AdministratorsManage roles, not object ACLs

No more ACE ordering & ACL inheritance surprises

Simplify entitlement reporting & auditing

Resource ownersQuery groups capture business dynamics

Windows Authorization Manager

PolicyStorePolicyStore

Common RolesManagement UI

URL-BasedAuthorization

URLURL

Windows Windows Authorization APIAuthorization API

GranularAuthorization

Windows Windows Authorization APIAuthorization API

IISIIS

WebWebAppApp

ActiveActiveDirectoryDirectory

Web ExpenseApplication

Role={Tasks}, Task={Operations}

DatabaseOperation

WebOperation

DirectoryOperation

PaymentSystem

Operation

AdministratorApproverSubmitter

ChangeApprover

ApproveDeny

Payment

ApproveReject

Report

SubmitReport

CancelReport

CheckStatus

Programming ModelDevelopment

Implement Operations, Tasks, BizRule scriptsInstallation

Declare Policy definitionsOperations, Tasks (w/ BizRules), Roles

RuntimeStartup

AzInitializeAdminMgr, AzInitializeApplicationClient Connection

IAzInitializeContext (from NT token or UserName)Render UI: GetRolesForUser

Operation RequestAzClientContext.AccessCheck(Scope, Operations, BizRule parameters (optional))Biz Rules are automatically executed.

Agenda – Part I

MSFT Identity platform

Authentication mechanisms

Authorization mechanisms

Trust mechanisms

Multi-tier Application Scenarios Extranet

Intranet

Trust Mechanisms

NT4 TrustsPoor manageability for large numbers of domains

Windows 2000 ForestsBetter, but not quite there yetWhat to do if your organization has more then one forest?External trusts don’t enable Kerberos

Windows Server 2003 Forest TrustEnables key scenariosSelective authentication option allows control of who can use Forest Trust to authenticate

Agenda – Part I

MSFT Identity platform

Authentication mechanisms

Authorization mechanisms

Trust mechanisms

Multi-tier Application Scenarios Extranet

Intranet

Multi tier apps –Trusted Subsystem vs Impersonation/Delegation

Machine 2

Machine 2

Resource tierSQL/DB2/AS400

Bob

Machine 1

Bob

Authorization & business logic tierWebService/COM+

Bob

Bob

Bob

Authentication tierASP/ASP.NET

Bob

Delegation & ImpersonationModel

ProsDefense in depth through:

Auditing

Reduced exposure to server penetration

ConsPerformance

Platform compatibility (all tiers must support delegation & impersonation)

Building the Infrastructure

Back-endDataStore

Internet Internet

Extranet (DMZ) Internal Network

External forest Internal forest

Forest trust with selective authentication

AuthorizationManager

PolicyStore

AuthN tier

AuthenticationAuthentication

AuthZ tier

Authorization

Agenda – Part I

MSFT Identity platform

Authentication mechanisms

Authorization mechanisms

Trust mechanisms

Multi-tier Application Scenarios Extranet

Intranet

Customer Application Scenario

AuthN tier

Internet Internet

Extranet (DMZ)

AuthZ tier

Back-endDataStore

Internal Network

External forest Internal forest

One way forest trust with selective authentication

.NET Passport authentication

Map Passport to AD Account

AuthorizationPolicy

Employee Application Scenario

AuthN tier

Internet Internet

Extranet (DMZ)

AuthZ tier

Back-endDataStore

Internal Network

External forest Internal forest

Forest trust with selective authentication

SSL Client Cert authentication

Map Certificate to AD Account

AuthorizationPolicy

Certificate Services

Partner Application Scenario

AuthN tier

Internet Internet

Extranet (DMZ)

AuthZ tier

Back-endDataStore

Internal Network

External forest Internal forest

One way forest trust with selective authentication

Username/Pwd

AuthenticatePartner

AuthorizationPolicy

Agenda – Part I

MSFT Identity platform

Authentication mechanisms

Authorization mechanisms

Trust mechanisms

Multi-tier Application Scenarios Extranet

Intranet

Cross-Platform Intranet Access Scenario

contoso.com

Unix Serverw/ Apache

Windows user/IE

MIT realm

IIS

*NX Client/Mozilla

Authorization Tier

SQL backend Benefits:•Centralized ID Mgmt•Kerberos AuthN•SSO•Centralized AuthZ Policy

AzMan Web Service

Multi platform components

Kerberos software MIT, Heimdahl, Solaris, ISV

SPNEGO plugin Server side: Volution, Wedgetail

Client (Mozilla) side: On the way

Build your own

Azman Web Service Volution

SDK Sample - Build your own

LDAP authorization

Conclusion

Windows Identity Management Platform is a good foundation for secure applicationsAuthentication protocols to satisfy every scenarioRoles-based authorization built-in to platformFlexible trust mechanismsRedeploy applications for different scenarios with little code changeWatch out for MS Identity and Access Management Solution Accelerator coming soon to www.microsoft.com

Ask The ExpertsGet Your Questions Answered

I will be available in the ATE area during the following times to discuss this presentation or any security and I&AM issue:

2 July – 13:00-14:00

4 July – 10:00-12:00

Community Resources

Community Resourceshttp://www.microsoft.com/communities/default.mspx

Most Valuable Professional (MVP)http://www.mvp.support.microsoft.com/

NewsgroupsConverse online with Microsoft Newsgroups, including Worldwidehttp://www.microsoft.com/communities/newsgroups/default.mspx

User GroupsMeet and learn with your peershttp://www.microsoft.com/communities/usergroups/default.mspx

evaluationsevaluations

© 2003 Microsoft Corporation. All rights reserved.© 2003 Microsoft Corporation. All rights reserved.This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.