Understanding Digest and Advanced Digest Authentication in IIS 6.0 Chris Adams


Understanding Digest and Advanced Digest Authentication in IIS 6.0

Chris Adams Web Platform Supportability Lead Microsoft Corporation

Agenda

- Introduction to Authentication
- Defining Digest Authentication
- Digest vs. Advanced Digest
- Digging deeply into Digest Auth
- Digging deeply into Advanced Digest
- Summary

Introduction to Authentication

What is authentication?

What is authorization?

Authentication vs. Authorization: 401.1 versus 401.3

Introduction to Authentication

How authentication works in Microsoft ® Internet Information Services (IIS)

Diagram: Server Core with the authentication providers Anonymous, Basic, Kerberos, NTLM, Digest and Passport.

1. Request enters server core.
2. Server core forwards to the anonymous provider. IIS builds the path (w3svc/1/root) and verifies whether anonymous is enabled.
   - Yes: provide the path and the Anonymous user's token to the authorization manager.
   - No: IIS passes the path to each provider to determine if the path has that provider enabled. Each provider that is enabled returns the appropriate header to Server core.

Introduction to Authentication

How authentication works in IIS

Diagram: Server Core with the Digest and Adv. Digest providers; both return a WWW-Authenticate: Digest header.

Defining Digest Authentication

- Digest Authentication is an industry standard per Requests for Comments (RFC) 2617
- For IIS administrators and developers, Digest is available on these platforms:
  - Microsoft ® Windows ® 2000 and IIS 5.0
  - Microsoft ® Windows Server™ 2003 and IIS 6.0

Why interest in Digest?

- Password is protected, not sent on the wire in “clear text”
- Digest is optimized for Windows ® domains

Digest vs. Advanced Digest

Digest, available on Windows 2000 Server and Windows Server 2003, requires the following:
- Relies on the worker process running as Local System
- Uses the IIS Sub-Authenticator (iissuba.dll)
- In Windows Server 2003, UseDigestSSP must be set to “false”
- Requires Microsoft ® Windows ® Active Directory ®
- User’s password must be stored with Reversible Encryption enabled
- Calculates the hash on the fly and transmits it over the wire

Digest vs. Advanced Digest (2)

Advanced Digest:
- Not available on Windows 2000
- Implemented in the core authentication provider in LSASS (not relying on the IIS Sub-Authenticator)
- Hash is stored as a property of the user in Windows Server 2003 Active Directory
- Is the default Digest Authentication on clean installs of Windows Server 2003
- Metabase property UseDigestSSP must be set to “true”

Digest vs. Advanced Digest (3)

How clients are authenticated using Digest

Diagram (client, IIS, Active Directory):
1. Client sends a request; IIS responds 401.2 with WWW-Authenticate: Digest, Realm.
2. User hash is computed from (Username, Password, Realm).
3. IIS sends the hash to the domain controllers (Active Directory) for the key.
4. Result: 200 OK, or status 401.1 Login Failed with a WWW-Authenticate header.

Digest vs. Advanced Digest (4)

How clients are authenticated using Digest

Diagram (client, IIS, Active Directory), with the hash pre-computed and stored in Active Directory:
1. Client sends a request; IIS responds 401.2 with WWW-Authenticate: Digest, Realm.
2. User hash is computed from (Username, Password, Realm).
3. IIS sends the hash to the domain controllers (Active Directory) for the key.
4. Result: 200 OK, or status 401.1 Login Failed with a WWW-Authenticate header.

Digging Deeply Into Digest

Digest Authentication has unique characteristics that present customers with challenges:
- Local System: a non-issue on Windows 2000 because it uses iissuba.dll and runs in Inetinfo
- Reversible Encryption: the user's password must be stored with less security in Active Directory

Digging Deeply Into Digest

How is the IIS Sub-Authenticator enabled?

- Open a Command Prompt and type (case sensitive):
  rundll32 %systemroot%\system32\iissuba.dll,RegisterIISSUBA
- Ensure the worker process runs as Local System:
  - Windows 2000: the default
  - Windows Server 2003: running as Local System is a bad security practice

Demonstration One

Enabling Digest Authentication in Windows Server 2003

The goal is to demonstrate how administrators and developers can successfully enable Digest

Digging Into Advanced Digest

- Advanced Digest is ONLY available in Windows Server 2003 and IIS 6.0
- Advanced Digest is implemented in LSASS, where all other authentication types are performed
- Advanced Digest is compliant with the Digest RFC
- There is no UI for Advanced Digest; it’s enabled using the command line (Property = UseDigestSSP)

Digging Into Advanced Digest (2)

- Advanced Digest relies on a pre-computed MD5 hash stored in Active Directory
- Stored in the same place as Kerberos hashes
- The MD5 hash is stored as multiple entries:
  - User@Domain – Ex: user@contoso
  - Domain\User – Ex: contoso\user
  - User@domain (UPN) – Ex: [email protected]

Is this property secure in Active Directory?

- Yes: no user, including Domain Admins, has access to where the hash is stored
- Only the Local Security Authority (LSA) has access to this hash information
- It is stored on the DC and is never sent off the DC
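The two exchanges above and the stored-hash entries on this slide can be worked through in code. The following is an added example written for this transcript (not Microsoft's or IIS's code): it implements the RFC 2617 computation (HA1 = MD5(username:realm:password), HA2 = MD5(method:uri), response = MD5(HA1:nonce:nc:cnonce:qop:HA2), qop=auth only) and contrasts the two verifier styles the slides describe. `verify_digest` rebuilds HA1 from the clear-text password (which is why classic Digest needs reversible encryption), while `verify_advanced_digest` only looks up a pre-computed HA1 keyed by the username form the client sent, modelling the user@DOMAIN, DOMAIN\user and UPN entries. The realm "contoso", the domain names, the sample password and the fixed nonces are constructed values; the real entries Windows stores are not described beyond the three forms listed.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed sample values; they are assumptions for this example, not from the slides.
REALM = "contoso"
NETBIOS_DOMAIN = "contoso"
DNS_DOMAIN = "contoso.com"


def md5_hex(text: str) -> str:
    """RFC 2617 digests are hex-encoded MD5 over colon-joined fields."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def ha1(username: str, realm: str, password: str) -> str:
    """HA1 = MD5(username:realm:password): the value Advanced Digest pre-computes
    and stores, and the value classic Digest must rebuild from the password."""
    return md5_hex(f"{username}:{realm}:{password}")


def ha2(method: str, uri: str) -> str:
    """HA2 = MD5(method:digest-uri) for qop=auth."""
    return md5_hex(f"{method}:{uri}")


def digest_response(h1: str, nonce: str, nc: str, cnonce: str, qop: str, h2: str) -> str:
    """response = MD5(HA1:nonce:nc:cnonce:qop:HA2) for qop=auth."""
    return md5_hex(f"{h1}:{nonce}:{nc}:{cnonce}:{qop}:{h2}")


def make_challenge(realm: str = REALM, nonce: Optional[str] = None) -> dict:
    """Server side of the 401 response: the WWW-Authenticate: Digest challenge."""
    return {"realm": realm, "nonce": nonce or secrets.token_hex(16), "qop": "auth"}


def client_authorize(username: str, password: str, method: str, uri: str,
                     challenge: dict, cnonce: str = "0a4f113b", nc: str = "00000001") -> dict:
    """Client side: the Authorization: Digest fields. The password itself never
    leaves the client; only the MD5 response travels on the wire."""
    h1 = ha1(username, challenge["realm"], password)
    h2 = ha2(method, uri)
    return {
        "username": username,
        "realm": challenge["realm"],
        "nonce": challenge["nonce"],
        "uri": uri,
        "qop": challenge["qop"],
        "nc": nc,
        "cnonce": cnonce,
        "response": digest_response(h1, challenge["nonce"], nc, cnonce, challenge["qop"], h2),
    }


def _expected_response(auth: dict, method: str, h1: str) -> str:
    """Recompute what the client should have sent, given a known HA1."""
    h2 = ha2(method, auth["uri"])
    return digest_response(h1, auth["nonce"], auth["nc"], auth["cnonce"], auth["qop"], h2)


def verify_digest(auth: dict, method: str, password: str) -> bool:
    """Classic Digest: the verifier needs the clear-text password (hence
    Reversible Encryption in Active Directory) to rebuild HA1 on the fly."""
    h1 = ha1(auth["username"], auth["realm"], password)
    return hmac.compare_digest(_expected_response(auth, method, h1), auth["response"])


def precompute_ha1_entries(sam_user: str, password: str, realm: str = REALM) -> dict:
    """Advanced Digest model: one stored HA1 per username form the slide lists
    (user@DOMAIN, DOMAIN\\user, UPN). Each form hashes differently, so each needs
    its own entry; afterwards the clear password is not needed for verification."""
    names = (
        f"{sam_user}@{NETBIOS_DOMAIN}",
        f"{NETBIOS_DOMAIN}\\{sam_user}",
        f"{sam_user}@{DNS_DOMAIN}",
    )
    return {name: ha1(name, realm, password) for name in names}


def verify_advanced_digest(auth: dict, method: str, entries: dict) -> bool:
    """Advanced Digest model: look up the stored HA1 for the exact username form
    the client sent; no password is available or required at this point."""
    h1 = entries.get(auth["username"])
    if h1 is None:
        return False
    return hmac.compare_digest(_expected_response(auth, method, h1), auth["response"])


if __name__ == "__main__":
    challenge = make_challenge()
    auth = client_authorize("user@contoso", "P@ssw0rd!", "GET", "/iisstart.htm", challenge)
    print("Digest (password on server):", verify_digest(auth, "GET", "P@ssw0rd!"))
    stored = precompute_ha1_entries("user", "P@ssw0rd!")
    print("Advanced Digest (stored HA1):", verify_advanced_digest(auth, "GET", stored))
```

Two things the code makes visible that the slides only state: the verifier in the Advanced Digest path never touches a password, which is what removes the Reversible Encryption requirement, and a stored HA1 is bound to one exact username spelling and realm, which is why Active Directory keeps several entries per user. A stored HA1 is password-equivalent for that realm, so the slide's point that only the LSA can read it is what keeps this design sound.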

Digging Into Advanced Digest (3)

Limitations of Advanced Digest to date:
- Microsoft ® Internet Explorer 6.0 SP1 does not handle Advanced Digest requests properly
- For each request per connection, Internet Explorer prompts the user for credentials:

2004-09-16 12:06:21 127.0.0.1 GET /iisstart.htm - 80 WS03EE\Administrator 127.0.0.1 200 0 0
2004-09-16 12:06:22 127.0.0.1 GET /pagerror.gif - 80 WS03EE\Administrator 127.0.0.1 200 0 0

Same connection – prompt for each GET

- This is being fixed in Windows Server 2003 Service Pack 1

Demonstration Two

Enabling Advanced Digest Authentication in Windows Server 2003

The goal is to demonstrate how administrators and developers can successfully enable Advanced Digest

Session Summary

- Digest follows the RFC 2617 standard
- Windows 2000 offers Digest authentication only
- Windows Server 2003 offers Digest and Advanced Digest authentication
- Clients receive “Digest” and the Realm in the WWW-Authenticate header for both Digest and Advanced Digest
- Digest requires the IIS Sub-Authenticator
- Advanced Digest stores all information in Active Directory for each user and is implemented in LSASS

References and Resources

IIS 6.0 Help:
- Digest: http://www.microsoft.com/resources/documentation/iis/6/all/proddocs/en-us/sec_auth_digestauth.mspx
- Adv. Digest: http://www.microsoft.com/resources/documentation/iis/6/all/proddocs/en-us/sec_auth_advdigestauth.mspx

KB Articles: IIS 6.0 Resource Kit

- IIS Forum: http://www.asp.net/forums
- IIS Answers: http://www.iisanswers.com
- IIS Frequently Asked Questions (FAQ): http://www.iisfaq.com
- IIS Resources: http://www.iis-resources.com

Get Up to Speed on .NET

Get Trained on Microsoft Developer Technologies. Register for upcoming webcasts at http://msdn.microsoft.com/webcasts (all times are Pacific Standard Time):

- Friday, October 08, 2004, 11:00 AM-12:30 PM: MSDN Webcast: Session 6: User Interface Beauty Tips for Windows Forms Applications
- Friday, October 08, 2004, 1:00 PM-2:30 PM: MSDN Webcast: Mathematics Based Software Construction Models (Part 5 of 6): Solid Prototyping—Level 200
- Monday, October 11, 2004, 9:00 AM-10:30 AM: MSDN Webcast: Visual Studio® Tools for Office - Nuts and Bolts (Part Two)
- Tuesday, October 12, 2004, 9:00 AM-10:30 AM: MSDN Webcast: User Roles in InfoPath® 2003
- Wednesday, October 13, 2004, 9:00 AM-10:30 AM: MSDN Webcast: Geek Speak: WSE 2.0 Introduction
- Wednesday, October 13, 2004, 11:00 AM-12:30 PM: MSDN Webcast: Digital Media and DirectX on Windows CE

Attend MSDN Events

- Who: Your Local Microsoft Developer Community Champion
- What: Object Oriented Programming Fundamentals in VB.NET; Programming with MapPoint Web Services; Optimizing ASP.NET 1.1 Web Applications; ASP.NET 2.0 Membership and Personalization
- Why: Gain valuable developer knowledge, network with peers, and get VS 2005 Beta 1 Refresh and VS 2005 Express Betas on our content-rich special event DVD
- When: October through December, on Tuesdays and Thursdays from 1-5PM local time
- Where: Cities across the United States
- How: Visit MSDN Events at http://www.msdnevents.com to find out more!

MSDN Webcast Resources

- Visit our blog http://blogs.msdn.com/msdnwebcasts for an RSS feed of upcoming MSDN Webcasts
- Submit text questions during the live webcast using the “Ask a Question” button
- For recordings of past MSDN Webcasts: www.microsoft.com/usa/webcasts/ondemand
- Got webcast content ideas? Send us e-mail at: [email protected]
- More webcasts at http://msdn.microsoft.com/webcasts
- Don’t forget to fill out the survey.
