Presentation transcript:

Microsoft ASP.NET Security
Venkat Chilakala, Support Professional, Microsoft Corporation

Agenda
    Introduction
    Security flow for a request
    Authentication
    Authorization
    Role-based security
    Impersonation
    FAQ
    Questions and answers

Security Flow for a Request (ASP)

Security Flow for a Request (ASP.NET)

Authentication Defined
    Authentication in ASP
    Authentication in ASP.NET
        IIS authentication
        ASP.NET authentication
    ASP.NET authentication providers: Forms, Windows, Passport, Default, and Custom

Forms Authentication
    Uses a cookie to authenticate
    SSL can be enabled for the logon page
    Often used for personalization

Forms Authentication Flow

Forms Authentication Configuration
    Enable anonymous access in IIS
    Configure the <authentication> section
        Set mode to "Forms"
        Add the <forms> section
    Configure the <authorization> section
        Deny access to anonymous users
    Create the logon page
        Validate the user
        Provide the authentication cookie
        Redirect the user to the requested page

<forms> Section Attributes
    loginUrl: unauthenticated requests are redirected to this page
    name: name of the authentication cookie
    path: path of the authentication cookie
    protection: All | None | Encryption | Validation
    timeout: authentication cookie expiration time in minutes

    <authentication mode="Forms">
        <forms name=".ASPXAUTH" loginUrl="login.aspx" protection="All" timeout="30" path="/" />
    </authentication>

Forms Authentication Code

    ' Validate the supplied credentials (FormsAuthentication.Authenticate checks them
    ' against the <credentials> list under <forms> in web.config)
    If FormsAuthentication.Authenticate(txtUserName.Value, txtUserPass.Value) Then
        ' Issue the authentication cookie and send the user back to the page requested
        FormsAuthentication.RedirectFromLoginPage(txtUserName.Value, _
                                                  chkPersistCookie.Checked)
    Else
        Response.Redirect("logon.aspx", False)
    End If

Windows Authentication
    Can be used in combination with Basic, NTLM, Digest, Kerberos, and so forth
    User is authenticated by IIS
    Easiest of all
    Request flow
        Client makes request
        IIS authenticates request, forwards to ASP.NET
        Impersonation turned on?
        ASP.NET returns response to client

Windows Authentication Configuration
    Set mode to "Windows"
    Configure the <authorization> section
    Example:

    <authentication mode="Windows" />
    <authorization>
        <deny users="?" />
        <allow users="*" />
    </authorization>

Passport Authentication
    Single sign-in across member sites
    Includes user profile services
    Integrated into ASP.NET authentication
    Scenarios
        Don't want to maintain a database of users
        Provide personalized content
        Need to provide single sign-in capabilities
    More details at http://www.passport.com/

Passport Authentication Configuration
    What you need:
        Install the Passport SDK
        Register with Microsoft Passport
        Set mode to "Passport"
        Configure the <passport> section
    Example:

    <authentication mode="Passport">
        <passport redirectUrl="internal|url" />
    </authentication>

Default and Custom Authentication
    Why use default authentication?
        Increases performance
        Allows you to perform custom authentication
    Configuration: set mode to "None"
    Example:

    <authentication mode="None" />

Custom Authentication
    Handle the AuthenticateRequest event
        Application level (global.asax)
        HTTP module (implement IHttpModule)
    Scenarios
        Custom authentication using munged URLs for Web applications
        Customize forms authentication

Authorization
    Process of determining whether a user is allowed to perform a requested action
    File-based authorization
        Performed by FileAuthorizationModule
        Performs checks against Windows ACLs
    Custom: handle the AuthorizeRequest event
        Application level (global.asax)
        HTTP module (implement IHttpModule)
    URL-based authorization
        Performed by UrlAuthorizationModule
        Positive and negative assertions
        Can selectively allow or deny access to URI namespaces

URL Authorization Configuration
    Add the <authorization> section
    Add <allow> and <deny> elements
    Example: allow "Admins" or "WebUsers" and deny all others

    <authorization>
        <allow roles="Admins" />
        <allow roles="WebUsers" />
        <deny users="*" />
    </authorization>

Role-Based Security
    What is this? Do not confuse it with MTS and COM+ role-based security
    How does this work?
        With Microsoft® Windows® users
        With non-Windows users

Windows Users (Check Roles)

    ' With Windows authentication, User is a WindowsPrincipal and IsInRole checks Windows group membership
    If User.IsInRole("BUILTIN\Administrators") Then
        Response.Write("You are an Admin")
    ElseIf User.IsInRole("BUILTIN\Users") Then
        Response.Write("You are a User")
    Else
        Response.Write("Invalid user")
    End If

Non-Windows Users (Attach Roles)
    Handle the AuthenticateRequest event
    Create a GenericPrincipal
    Attach roles to the Identity
    Assign the new Principal to User
    Sample

    Imports System.Security.Principal

    Sub Application_AuthenticateRequest(s As Object, e As EventArgs)
        If Not (User Is Nothing) Then
            If User.Identity.AuthenticationType = "Forms" Then
                ' The forms cookie carries no roles, so attach them here
                Dim Roles() As String = {"Admin"}
                ' HttpApplication.User is read-only; replace the principal through Context
                Context.User = New GenericPrincipal(User.Identity, Roles)
            End If
        End If
    End Sub

Non-Windows Users (Check Roles)

    ' IsInRole now answers from the roles attached to the GenericPrincipal above
    If User.IsInRole("Admin") Then
        Response.Write("You are an Administrator")
    Else
        Response.Write("You do not have any role assigned")
    End If

Impersonation Defined
    Request gets impersonated automatically in ASP
    In ASP.NET, the developer has more control over this
        You can set it to automatically impersonate
        You can set it to not impersonate (that is, use the process identity)
    Different ways to impersonate in ASP.NET
        <identity> tag
        Code-based impersonation

Impersonation Configuration

    <!-- no impersonation: requests run as the process identity -->
    <identity impersonate="false" />
    <!-- impersonate the caller authenticated by IIS -->
    <identity impersonate="true" />
    <!-- impersonate one fixed account for every request -->
    <identity impersonate="true" userName="username" password="password" />

Code Impersonation
    Call the LogonUser API
    Call the ImpersonateLoggedOnUser API
    Run the code in the security context of the impersonated user
    Call RevertToSelf
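An added worked example of the four Code Impersonation steps (my code, not from the webcast; written in C# although the slides' own snippets are VB.NET). It assumes .NET Framework on Windows, and the account name, domain and password are placeholders:

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Security.Principal;

// Added example, not from the webcast: the slide's four steps with the
// Win32 APIs it names, wrapped so the caller can never forget to revert.
static class Impersonator
{
    // An interactive logon yields a primary token that carries the credentials,
    // so the impersonated code can also reach remote resources (see FAQ 2).
    const int LOGON32_LOGON_INTERACTIVE = 2;
    const int LOGON32_PROVIDER_DEFAULT = 0;
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string user, string domain, string password,
                                 int logonType, int logonProvider, out IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool ImpersonateLoggedOnUser(IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool RevertToSelf();
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr handle);

    // Runs 'work' in the security context of the given account. RevertToSelf and
    // CloseHandle sit in finally blocks so that an exception inside 'work' cannot
    // leave the thread impersonating or leak the logon token.
    public static void RunAs(string user, string domain, string password, Action work)
    {
        IntPtr token;
        if (!LogonUser(user, domain, password, LOGON32_LOGON_INTERACTIVE,
                       LOGON32_PROVIDER_DEFAULT, out token))
            throw new Win32Exception(Marshal.GetLastWin32Error());   // step 1 failed
        try
        {
            if (!ImpersonateLoggedOnUser(token))                      // step 2
                throw new Win32Exception(Marshal.GetLastWin32Error());
            try { work(); }                                           // step 3
            finally { RevertToSelf(); }                               // step 4
        }
        finally { CloseHandle(token); }
    }
    static void Main()
    {
        // Placeholder credentials; replace with a real local or domain account.
        Console.WriteLine("Before: " + WindowsIdentity.GetCurrent().Name);
        RunAs("username", "DOMAIN", "password",
              () => Console.WriteLine("Inside: " + WindowsIdentity.GetCurrent().Name));
        Console.WriteLine("After:  " + WindowsIdentity.GetCurrent().Name);
    }
}
```

The "Inside" line prints the impersonated account and the "After" line the process identity again, which is the check that the revert actually happened.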

Frequently Asked Questions
Q: Request.ServerVariables("Logon_User") returns an empty string
A: Deny anonymous access in the <authorization> section:

    <authorization>
        <deny users="?" />  <!-- deny access to anonymous users -->
        <allow users="*" /> <!-- allow all users -->
    </authorization>

Frequently Asked Questions (2)
Q: Access denied to "NT Authority\System" or to "NT Authority\Anonymous Logon" when you try to access resources on a remote machine (for example, a remote SQL Server, a remote file system, and so forth).
A: This may occur because your application is running into a delegation scenario. The solution is to ensure that you have a primary security token when requesting these resources. There are many ways to resolve this issue depending on your requirements. One of them is to use Basic authentication for your application.

Frequently Asked Questions (3)
Q: Using Forms Authentication for a Web application, how do I allow anonymous access to the default.aspx page but not to other pages in the same directory?
A: Use the <location> section of the web.config file to allow anonymous access to default.aspx only, and deny anonymous access to all the other pages. Example:

    <configuration>
        .......................
        <location path="default.aspx">
            <system.web>
                <authorization>
                    <allow users="*" />
                </authorization>
            </system.web>
        </location>
    </configuration>
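An added C# example (my code, not from the webcast and not the ASP.NET API) that models how UrlAuthorizationModule evaluates the <allow>/<deny> rules used on the Windows Authentication Configuration and URL Authorization Configuration slides and in FAQs 1 and 3: rules are tested top to bottom and the first match decides, "?" means anonymous callers, "*" means everyone, and a <location> section's rules are consulted before the inherited ones. The Rule class and IsAuthorized function are my own simplification (the verbs attribute is omitted):

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
// Simplified model (not the ASP.NET API) of one <allow> or <deny> element.
class Rule
{
    public bool Allow; public string[] Users; public string[] Roles;
    public Rule(bool allow, string users = "", string roles = "")
    {
        Allow = allow;
        Users = users.Split(new[] { ',' }, StringSplitOptions.RemoveEmptyEntries);
        Roles = roles.Split(new[] { ',' }, StringSplitOptions.RemoveEmptyEntries);
    }
}
static class UrlAuthz
{
    // Rules are tested top to bottom; the first rule that matches the caller decides.
    public static bool IsAuthorized(IEnumerable<Rule> rules, string user, string[] roles)
    {
        bool anonymous = string.IsNullOrEmpty(user);
        foreach (Rule r in rules)
        {
            bool userHit = r.Users.Any(u => u == "*" || (u == "?" && anonymous)
                || (!anonymous && string.Equals(u, user, StringComparison.OrdinalIgnoreCase)));
            bool roleHit = !anonymous && r.Roles.Any(
                role => roles.Contains(role, StringComparer.OrdinalIgnoreCase));
            if (userHit || roleHit) return r.Allow;
        }
        return true; // nothing matched: the inherited machine-level <allow users="*" /> applies
    }
    static void Main()
    {
        string[] none = new string[0];
        // FAQ 1 and the Windows slide: <deny users="?" /> then <allow users="*" />
        var denyAnon = new[] { new Rule(false, "?"), new Rule(true, "*") };
        Console.WriteLine(IsAuthorized(denyAnon, null, none));   // False: anonymous denied
        Console.WriteLine(IsAuthorized(denyAnon, "bob", none));  // True
        // URL Authorization slide: allow Admins or WebUsers, deny all others
        var byRole = new[] { new Rule(true, roles: "Admins"), new Rule(true, roles: "WebUsers"), new Rule(false, "*") };
        Console.WriteLine(IsAuthorized(byRole, "bob", new[] { "WebUsers" }));  // True
        Console.WriteLine(IsAuthorized(byRole, "eve", new[] { "Guests" }));    // False
        // The same rules with <deny users="*" /> first: the deny matches before any allow
        var wrongOrder = new[] { new Rule(false, "*"), new Rule(true, roles: "Admins") };
        Console.WriteLine(IsAuthorized(wrongOrder, "alice", new[] { "Admins" })); // False
        // FAQ 3: the <location path="default.aspx"> rules are consulted before the parent's
        var defaultAspx = new[] { new Rule(true, "*") }.Concat(denyAnon);
        Console.WriteLine(IsAuthorized(defaultAspx, null, none)); // True: anonymous allowed here
    }
}
```

The wrongOrder case is the common misconfiguration: once <deny users="*" /> appears before the <allow roles> elements, no role is ever consulted.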

Resources
    Knowledge Base article "BETA-INFO: ASP.NET Security Overview"
    http://support.microsoft.com/support/misc/kblookup.asp?id=Q306590
    MSDN article "Authentication in ASP.NET: .NET Security Guidance"
    http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnbda/html/authaspdotnet.asp

Thank you for joining us for today’s Microsoft Support WebCast. For information about all upcoming Support WebCasts and access to the archived content (streaming media files, PowerPoint® slides, and transcripts), please visit: http://support.microsoft.com/webcasts/ We sincerely appreciate your feedback. Please send any comments or suggestions regarding the Support WebCasts to feedback@microsoft.com and include “Support WebCasts” in the subject line.