Transcript Understanding Digest and Advanced Digest Authentication in IIS 6.0 Chris Adams
Understanding Digest and Advanced Digest Authentication in IIS 6.0
Chris Adams Web Platform Supportability Lead Microsoft Corporation
Agenda
Introduction to Authentication Defining Digest Authentication Digest vs. Advanced Digest Digging deeply into Digest Auth Digging deeply into Advanced Digest Summary
Introduction to Authentication
What is authentication?
What is authorization?
Authentication vs. Authorization 401.1 versus 401.3
Introduction to Authentication
How authentication works in Microsoft ® Information Services (IIS) Internet
Anonymous Basic Kerberos NTLM Digest Passport Server Core 1.
2.
Request enters server core Server core forwards to anonymous provider. IIS builds path (w3svc/1/root) and verifies if anonymous is enabled.
Yes: Provide path and Anonymous users token to authorization manager No: IIS passes the path to each provider to determine if path has that provider enabled.
Each provider that is enabled returns to Server core the appropriate header.
Introduction to Authentication
How authentication works in IIS
Digest Adv. Digest Server Core
WWW-Authenticate Digest
Defining Digest Authentication
Digest Authentication is an industry standard per Requests for Comments (RFC) 2617 For IIS administrators and developers, Digest is available on these platforms: Microsoft ® Windows ® 2000 and IIS 5.0
Microsoft ® Windows Server™ 2003 and IIS 6.0
Why interest in Digest?
Password is protected, not sent on wire in “clear text” Digest is optimized for Windows ® domains
Digest vs. Advanced Digest
Digest, available on Windows 2000 Server and Windows Server 2003, requires the following: Relies on worker process to run as Local System Uses the IIS Sub-Authenticator (iissuba.dll) In Windows Server 2003, UseDigestSSP must be set to “false” Requires Microsoft ® Windows ® Active Directory ® User’s password must be stored with Reversible Encryption enabled Calculates hash on the fly and transmit over the wire
Digest vs. Advanced Digest (2)
Advanced Digest Not available on Windows 2000 Implemented in core authentication provider in LSASS (not relying on IIS Sub-Authenticator) Hash is stored as property of user in Windows Server 2003 Active Directory Is default Digest Authentication on clean installs of Windows Server 2003 Metabase property UseDigestSSP must be set to “true”
Digest vs. Advanced Digest (3)
How it clients are authenticated using Digest
IIS Sends Hash to Domain Controllers Key 200 OK Status 401.1 Login Failed with a WWW Authenticate header Active Directory IIS 401.2 with WWW-Authenticate: Digest:Realm User Hash (Username, Password, Realm)
Digest vs. Advanced Digest (4)
How it clients are authenticated using Digest
IIS Sends Hash to Domain Controllers Key 200 OK Status 401.1 Login Failed with a WWW Authenticate header Active Directory Hash pre computed and stored in Active Directory IIS 401.2 with WWW-Authenticate: Digest:Realm User Hash (Username, Password, Realm)
Digging Deeply Into Digest
Digest Authentication has unique characteristics that provide customers with challenges Local System: Non-issue on Windows 2000 because it uses iissuba.dll and it runs in Inetinfo Reversible Encryption: Users password must be stored with less security in Active Directory
Digging Deeply Into Digest
How is IIS Sub-Authenticator enabled?
Open a Command-Prompt, type: rundll32 systemroot\system32\iissuba.dll,RegisterIISSUBA (Case Sensitive) Ensure Local System Default for Windows 2000
Running as Local System is a Bad Security Practice Windows Server 2003
Demonstration One
Enabling Digest Authentication in Windows Server 2003
The goal is to demonstrate how administrators and developers can successfully enable Digest
Digging Into Advanced Digest
Advanced Digest is ONLY available in Windows Server 2003 and IIS 6.0
Advanced Digest is implemented in LSASS where all other authentication types are performed Advanced Digest is compliant with the Digest RFC There is no UI for Advanced Digest it’s enabled using a command-line Property = UseDigestSSP
Digging Into Advanced Digest (2)
Advanced Digest relies on a pre-computed MD5 hash stored in Active Directory Stored in the same place as Kerberos hashes MD5 hash is stored as multiple entries: User@Domain - Ex: user@contoso Domain\User – Ex: contoso\user User@domain (UPN) – Ex: [email protected]
Is this property secure in Active Directory?
Yes, no user including Domain Admins have access to where the hash is stored Only Local Security Authority (LSA) has access to this hash information It is stored on the DC and never is sent off the DC
Digging Into Advanced Digest (3)
Limitations of Advanced Digest to date Microsoft ® Internet Explorer 6.0 SP1 does not handle advanced digest requests properly For each request per connection, Internet Explorer prompts the user for credentials 2004-09-16 12:06:21 127.0.0.1 GET /iisstart.htm - 80 WS03EE\Administrator 127.0.0.1 200 0 0 2004-09-16 12:06:22 127.0.0.1 GET /pagerror.gif - 80 WS03EE\Administrator 127.0.0.1 200 0 0
Same Connection – Prompt for each Get
This is being fixed in Windows Server 2003 Service Pack 1
Demonstration Two
Enabling Advanced Digest Authentication in Windows Server 2003
The goal is to demonstrate how administrators and developers can successfully enable Advanced Digest
Session Summary
Digest follows the RFC standard 2617 Windows 2000 offers Digest authentication only Windows Server 2003 offers Digest and Advanced Digest authentication Clients receive in WWW-Authenticate header “Digest” and Realm for both Digest and Advanced Digest Digest requires the IIS Sub-Authenticator Advanced digest stores all information in Active Directory for each user and is implemented in LSASS
References and Resources
IIS 6.0 Help: Digest: http://www.microsoft.com/resources/documentation/iis/6/all/ proddocs/en-us/sec_auth_digestauth.mspx
Adv. Digest: http://www.microsoft.com/resources/documentation/iis/6/all/ proddocs/en-us/sec_auth_advdigestauth.mspx
KB Articles: IIS 6.0 Resource Kit IIS Forum: http://www.asp.net/forums IIS Answers: http://www.iisanswers.com
IIS Frequently Asked Questions (FAQ): http://www.iisfaq.com
IIS Resources: http://www.iis-resources.com
Get Up to Speed on .NET
Get Trained on Microsoft Developer Technologies Register for upcoming webcasts at http://msdn.microsoft.com/webcasts All times are Pacific Standard Time Friday, October 08, 2004 Friday, October 08, 2004 Monday, October 11, 2004 Tuesday, October 12, 2004 11:00 AM-12:30 PM 1:00 PM-2:30 PM 9:00 AM-10:30 AM 9:00 AM-10:30 AM Wednesday, October 13, 2004 9:00 AM-10:30 AM Wednesday, October 13, 2004 11:00 AM-12:30 PM MSDN Webcast: Session 6: User Interface Beauty Tips for Windows Forms Applications MSDN Webcast: Mathematics Based Software Construction Models (Part 5 of 6): Solid Prototyping—Level 200 MSDN Webcast: Visual Studio® Tools for Office - Nuts and Bolts (Part Two) MSDN Webcast: User Roles in InfoPath® 2003 MSDN Webcast: Geek Speak: WSE 2.0 Introduction MSDN Webcast: Digital Media and DirectX on Windows CE
Attend MSDN Events
• Who Your Local Microsoft Developer Community Champion • • • • What Why Object Oriented Programming Fundamentals in VB.NET
Programming with MapPoint Web Services Optimizing ASP.NET 1.1 Web Applications ASP.NET 2.0 Membership and Personalization • Gain valuable developer knowledge, network with peers, and get VS 2005 Beta 1 Refresh and VS 2005 Express Betas on our content-rich special event DVD • When October through December, on Tuesdays and Thursdays from 1-5PM local time • Where Cities across the United States • How Visit MSDN Events at http://www.msdnevents.com
to find out more!
MSDN Webcast Resources
Visit our blog http://blogs.msdn.com/msdnwebcasts for an rss feed of upcoming MSDN Webcasts Submit text questions during the live webcast using the “Ask a Question” button For recordings of past MSDN Webcasts: www.microsoft.com/usa/webcasts/ondemand Got webcast content ideas? Send use e-mail at: [email protected]
More webcasts at http://msdn.microsoft.com/webcasts Don’t forget to fill out the survey.
https://msevents.microsoft.com/cu i/WelcomePage.aspx?EventID=...
[PlaceWare Web Page. Use PlaceWare > Edit Slide Properties... to edit.]