Ins and Outs of Authenticating Users' Requests to IIS 6.0 and ASP.NET
Chris Adams
Program Manager
IIS Product Unit
Microsoft Corporation

Agenda
Introduction to Authentication
Diving into Authentication Types
Anonymous Access
Basic Authentication
Windows Authentication
Digest & Advanced Digest Authentication
ASP.NET Forms Authentication
Setting up SPNs for Kerberos and constrained delegation
Mapping virtual directories to UNC shares

Introduction to Authentication
How authentication works in IIS
[Diagram: the server core hands the request to the providers Anonymous, Basic, Kerberos, NTLM and Digest]
1. Request enters the server core.
2. Server core forwards to the anonymous provider. IIS builds the path (w3svc/1/root) and verifies if anonymous is enabled.
   Yes: provide the path and the anonymous user's token to the authorization manager.
   No: IIS passes the path to each provider to determine if the path has that provider enabled.
3. Each provider that is enabled returns the appropriate header to the server core.

Anonymous Authentication
Anonymous Account: Role of IUSR
Is automatically added during setup to the system's Guests group
The IUSR account is intrinsically provided read access to all folders as a member of the Guests group
Also used by MS FTP server for anonymous authentication
IIS Sub-authentication
Avoids password synchronization problems

Anonymous Authentication (2)
Define IIS's Sub-authenticator
“Allow IIS to Control Password” = SubAuth is being used
What component is IIS SubAuth?
Why does it exist? Avoids password synchronization problems
Security concerns:
Must run in-process (Inetinfo)
Must run as LocalSystem
Default on IIS 4.0, 5.0, and 5.1
Not the default on IIS 6.0

Anonymous Authentication (3)
Is IIS Sub-Authentication enabled?
This checkbox enables IIS Sub-Authentication in IIS 4, 5, and 5.1.
The checkbox does not exist in IIS 6.0 IIS Manager; sub-authentication must be enabled manually.

Anonymous Authentication (4)
Metabase Properties
Two secure properties:
AnonymousUserName : (STRING) "IUSR_CA-MAIN"
AnonymousUserPass : (STRING) "**********"
Token obtained at startup of the w3svc service for IUSR_MachineName
Both properties must contain correct information on the user account and password when sub-auth is disabled
If not correct, a 401.1 results
Use the Event Viewer Security log to track failures
Can be customized at the site or virtual directory level

Watching IIS Sub-Authentication in action

Basic Authentication
Limitations and Risks of Basic
“Clear Text Passwords” – Base64 encoded
Advantages
RFC backed (RFC 2617)
Supports proxies
Wide browser support
Good authentication when combined with SSL
Disadvantages
Requires a Windows account
Very insecure if not protected with Secure Sockets Layer (SSL)
The password is sent directly on the wire merely encoded, not encrypted, so administrators (or anyone else who captures the traffic) can decode it if desired (less secure)

Decoding Basic Authentication

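As an added example (not part of the deck) of what the “Decoding Basic Authentication” demo shows: the Authorization header is only Base64, so a proxy or packet capture on a connection without SSL yields the username and password directly. The request, host name and account below are constructed.

```python
import base64
import binascii
from typing import Optional, Tuple

def encode_basic(username: str, password: str) -> str:
    """Authorization header value a browser sends for Basic (RFC 2617)."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"

def decode_basic_header(header_value: str) -> Optional[Tuple[str, str]]:
    """Recover (username, password) from a 'Basic ...' header value, or None
    if it is not well-formed Basic. No key is needed: Base64 is an encoding,
    not encryption, which is why the slides insist on SSL."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        text = raw.decode("latin-1")   # older clients sent the local code page
    username, sep, password = text.partition(":")   # password may itself contain ':'
    return (username, password) if sep else None

def split_windows_account(username: str) -> Tuple[Optional[str], str]:
    """Split the DOMAIN\\user form IIS accepts for Basic into (domain, user)."""
    domain, sep, user = username.partition("\\")
    return (domain, user) if sep else (None, username)

def credentials_from_request(request: str) -> Optional[Tuple[str, str]]:
    """Pull Basic credentials out of a raw HTTP request, as a proxy or sniffer would."""
    for line in request.split("\r\n"):
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "authorization":
            return decode_basic_header(value)
    return None

# Constructed request, as seen on the wire when SSL is not used (account is made up).
CAPTURED_REQUEST = (
    "GET /secure/Default.htm HTTP/1.1\r\n"
    "Host: www.example.test\r\n"
    "Authorization: " + encode_basic("CONTOSO\\alice", "Pa55w.rd") + "\r\n\r\n"
)

if __name__ == "__main__":
    creds = credentials_from_request(CAPTURED_REQUEST)
    print("recovered from the wire:", creds, "->", split_windows_account(creds[0]))
```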
Introduction…
“Negotiate” is a wrapper for these two protocols:
Kerberos
NTLM

Introduction to Integrated Authentication
Metabase Property: AuthNTLM
Internet Explorer prefers Integrated over Basic when each is enabled on the path
NTAuthenticationProviders has no UI support. Must use adsutil or Metabase Explorer.

Introduction to Integrated Authentication
How is the appropriate integrated authentication determined?
[Flowchart: AuthNTLM enabled? No -> 401.3 Access Denied. Yes -> NTAuthenticationProviders decides which headers are offered: Negotiate, NTLM]

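Added example, not the deck's own code: a Python model of the challenge selection described on the flow slides above (anonymous first, then one WWW-Authenticate header per enabled provider). The AuthFlags bit values and the NTAuthenticationProviders default are real IIS 6.0 metabase values; the header ordering, the realm and the Digest parameters are assumptions.

```python
from typing import List, Tuple

# Bits of the metabase AuthFlags property (real values); AuthMD5 is Digest.
AUTH_ANONYMOUS, AUTH_BASIC, AUTH_NTLM, AUTH_MD5 = 1, 2, 4, 16
KNOWN_NT_PROVIDERS = ("Negotiate", "NTLM")

def parse_nt_providers(value: str) -> List[str]:
    """Parse NTAuthenticationProviders ("Negotiate,NTLM" is the IIS 6.0 default)."""
    return [p.strip() for p in value.split(",") if p.strip()]

def select_authentication(auth_flags: int,
                          nt_providers: str = "Negotiate,NTLM",
                          realm: str = "www.example.test") -> Tuple[str, List[str]]:
    """Return (outcome, www_authenticate_headers) for a path with these settings.

    "anonymous": the anonymous user's token goes to the authorization manager.
    "challenge": 401 carrying one WWW-Authenticate header per enabled provider
                 (order is an assumption: integrated first, then Digest, then Basic).
    "401.3":     nothing is enabled on the path (labelled 401.3 Access Denied on the slide).
    """
    if auth_flags & AUTH_ANONYMOUS:
        return "anonymous", []
    headers: List[str] = []
    if auth_flags & AUTH_NTLM:
        # With AuthNTLM set, NTAuthenticationProviders decides Negotiate, NTLM or both.
        # Kerberos is only reachable through Negotiate, so a value of just "NTLM"
        # silently removes Kerberos from the path: worth checking when Kerberos "stops".
        headers += [p for p in parse_nt_providers(nt_providers) if p in KNOWN_NT_PROVIDERS]
    if auth_flags & AUTH_MD5:
        headers.append(f'Digest realm="{realm}", nonce="<constructed>", qop="auth"')
    if auth_flags & AUTH_BASIC:
        headers.append(f'Basic realm="{realm}"')
    return ("challenge", headers) if headers else ("401.3", [])

def render_response(auth_flags: int, nt_providers: str = "Negotiate,NTLM") -> str:
    """Status line and WWW-Authenticate headers a client would see for the path."""
    outcome, headers = select_authentication(auth_flags, nt_providers)
    if outcome == "anonymous":
        return "anonymous: IUSR token passed to the authorization manager"
    lines = ["HTTP/1.1 401 Unauthorized"] + [f"WWW-Authenticate: {h}" for h in headers]
    return "\r\n".join(lines)

if __name__ == "__main__":
    print(render_response(AUTH_NTLM | AUTH_BASIC))           # Negotiate, NTLM, Basic
    print(render_response(AUTH_NTLM, nt_providers="NTLM"))   # NTLM only: no Kerberos
    print(render_response(AUTH_MD5 | AUTH_BASIC))            # Digest, Basic
```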
Dynamics of NTLM
Connection oriented
The same connection is always used for each request of the exchange
HTTP Keep-Alives required
Understanding Auth Dialog Boxes
NTLM, by default, doesn’t prompt
NTLM may prompt if the original request fails with 401.1
NTLM’s use of Domain\Username\Password
Domain and Username are always shared over the wire between client and server
The password never is – a hash of the password is always used instead
Authentication header includes: Domain\Username\HashedPassword

Dynamics of NTLM: Security
Why is NTLM authentication secure?
The hash algorithm of the password is unknown to hackers monitoring the HTTP requests on the wire
If connections are broken or manipulated (by proxies), then NTLM fails
Versions:
LAN Manager – Windows 95
NTLM v1 – NT 4.0
NTLM v2 – Windows 2000 / 2003

NTLM @ Work…
[Diagram of the exchange between the client (laptop) and the IIS server:]
Client -> IIS Server: GET /Default.HTM
IIS Server -> Client: 401 – WWW-Authenticate: NTLM
Client -> IIS Server: GET /Default.HTM w/ AuthNTLM
IIS Server -> Client: 401 – Access Denied
Client -> IIS Server: GET /Default.HTM w/ AuthNTLM hashed
IIS Server -> Client: 200 – OK

Dynamics of NTLM
NTLM at work… (previous slide)
1. IE client requests an IIS resource (anonymously)
2. IIS returns 401 with a WWW-Authenticate header saying NTLM
3. IE submits a new request for the IIS resource with an NTLM Authentication header (username)
4. IIS uses the NTLM Authentication header to build a secret key and sends a 401 with the key back to the client
5. IE submits a new request for the IIS resource with an NTLM Authentication header (username\password\hash of password)
6. IIS checks the username\password\hash; if it matches, it returns 200 OK, otherwise 401.1 Login failed (IE prompts)

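Added example (not from the deck): a simplified model of the six-step exchange above. It uses SHA-256 and HMAC stand-ins instead of the real NTLM message formats and hash functions, so as to show only the two properties the slides stress: the client sends a response keyed by the password hash rather than the password itself, and the challenge is bound to the connection, so a proxy that opens a new connection per request breaks the login with 401.1. The account and connection ids are constructed.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

def password_hash(password: str) -> bytes:
    """Stand-in for the stored password hash (constructed, not the real NT hash)."""
    return hashlib.sha256(password.encode("utf-16-le")).digest()

def compute_response(pw_hash: bytes, challenge: bytes) -> bytes:
    """What goes on the wire in leg 3: keyed by the hash, but never the hash itself."""
    return hmac.new(pw_hash, challenge, "sha256").digest()

class NtlmLikeServer:
    """The three-leg exchange from the slides, with state keyed on the connection."""
    def __init__(self, accounts: Dict[str, bytes]):
        self.accounts = accounts                         # user -> password hash
        self.pending: Dict[int, Tuple[str, bytes]] = {}  # connection id -> (user, challenge)

    def get(self, conn_id: int, user: Optional[str] = None,
            response: Optional[bytes] = None) -> Tuple[int, str, Optional[bytes]]:
        if user is None:                                 # leg 1: anonymous request
            return 401, "WWW-Authenticate: NTLM", None
        if response is None:                             # leg 2: username, get challenge
            challenge = os.urandom(8)
            self.pending[conn_id] = (user, challenge)    # tied to this keep-alive connection
            return 401, "WWW-Authenticate: NTLM <challenge>", challenge
        pending = self.pending.pop(conn_id, None)        # leg 3: verify the response
        if pending is None or pending[0] != user:        # new connection (e.g. a proxy) -> fail
            return 401, "401.1 Login failed (no challenge on this connection)", None
        expected = compute_response(self.accounts.get(user, b"\0"), pending[1])
        if user in self.accounts and hmac.compare_digest(expected, response):
            return 200, "OK", None
        return 401, "401.1 Login failed", None

def client_login(server: NtlmLikeServer, user: str, password: str,
                 conn_ids: Tuple[int, int, int] = (1, 1, 1)) -> Tuple[int, str]:
    """Run all three legs; conn_ids models keep-alive (same id) or a proxy (different ids)."""
    server.get(conn_ids[0])                                        # leg 1
    _, _, challenge = server.get(conn_ids[1], user=user)           # leg 2
    response = compute_response(password_hash(password), challenge)
    status, detail, _ = server.get(conn_ids[2], user=user, response=response)
    return status, detail

if __name__ == "__main__":
    srv = NtlmLikeServer({"alice": password_hash("Pa55w.rd")})
    print(client_login(srv, "alice", "Pa55w.rd"))                      # (200, 'OK')
    print(client_login(srv, "alice", "Pa55w.rd", conn_ids=(1, 2, 3)))  # 401.1: connection changed
```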
Dynamics of Kerberos
Why create another authentication protocol?
NTLM limitations
NTLM tokens cannot be delegated
NTLM is proprietary and only supported by the Windows platform
NTLM has limited support out of the box... (other browsers)
Is Negotiate a new protocol?
No, it is just a wrapper that allows either Kerberos or NTLM authentication based on the client request

Dynamics of Kerberos
Key Terms of Negotiate
Client: Internet Explorer
Server: IIS server that is a member of an Active Directory domain
Active Directory:
Key Distribution Center (KDC) for all clients
Ticket Granting Service: issues all tickets (aka tokens)

Dynamics of Negotiate
[Diagram: client (laptop), IIS server, Domain Controller (KDC) with Ticket Granting Services]
The IIS server is started and when the server authenticates to the domain (aka KDC) it receives its ticket.

Negotiate @ Work…
[Diagram: client (laptop), IIS server and Domain Controller (KDC) sharing a key]
1. Initial client request for the IIS resource anonymously.
2. The server response is 401 – WWW-Authenticate header for Negotiate.
3. Client to KDC: I need a ticket for the following service (aka HTTP/HOST).
4. If the service is located in the KDC, a secret key is shared with the client.
5. Using the key provided, the client creates a hash (key) and sends it to IIS.
6. IIS uses the secret key and verifies that the password matches.

Deciphering Kerberos vs. Integrated Authentication

Digest Authentication
What is digest authentication?
Limitations and Risks of Digest
Requirements of Digest
IIS Sub-Auth (iissuba – LocalSystem)
Active Directory
Password stored in AD with reversible encryption
Platforms available
Windows 2000
Windows 2003

Advanced Digest
What is advanced digest authentication?
Requirements of Adv. Digest
2003 Active Directory forest required
Hash pre-compiled at user creation
Strictly RFC compliant
Platforms available
Determining which digest is being used?
More details on Digest and Adv. Digest Authentication:
http://www.microsoft.com/windowsserver2003/iis/support/webcasts.mspx

ASP.NET Forms Authentication
Developer-driven authentication. Does not use Windows authentication.
Advantage: you can easily support your existing user base, e.g. Novell, AS/400

ASP.NET Forms Authentication
Setup:
ASP.NET uses IIS’s authentication token when the authentication is set to “Windows”
ASP.NET implements forms authentication when selected and uses the provider specified

Setup SPN Service Registration
Services running as Local System: automatically registered at installation time
Services running with a customized account: manually registered by the administrator

Mapping virtual directories to UNC shares
Can use a static username / password
Can pass authenticated users' credentials through

Session Summary
There are a lot of variables that go into authentication in IIS
Understanding how IIS Sub-Authentication works is key to two authentication types: Anonymous and Digest
Basic authentication is commonly supported by browsers, but is insecure without encryption technology
Integrated authentication is complex and difficult to troubleshoot without knowing key metabase properties such as NTAuthenticationProviders

© 2005 Microsoft Corporation. All rights reserved.
This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.