Microsoft ASP.NET Security Venkat Chilakala Support Professional Microsoft Corporation
Agenda
- Introduction
- Security flow for a request
- Authentication
- Authorization
- Role-based security
- Impersonation
- FAQ
- Questions and answers
Security Flow for a Request (ASP)
Security Flow for a Request (ASP.NET)
Authentication
- Defined
- Authentication in ASP
- Authentication in ASP.NET
  - IIS authentication
  - ASP.NET authentication
- ASP.NET authentication providers: Forms, Windows, Passport, Default (mode "None"), and Custom
Forms Authentication
- Uses a cookie (the authentication ticket) to identify the user on every request after logon
- Lets you put the logon page under SSL so the user name and password are not sent in clear text; the cookie itself should also travel only over SSL (mark it Secure), otherwise anyone who can read the traffic can replay it
- Often used for personalization
Forms Authentication Flow
Forms Authentication Configuration
1. Enable anonymous access in IIS (ASP.NET, not IIS, authenticates the user)
2. Configure the <authentication> section: set mode to "Forms" and add the <forms> section
3. Configure the <authorization> section: deny access to the anonymous user (<deny users="?" />), so unauthenticated requests are redirected to the logon page
4. Create the logon page: validate the user, issue the authentication cookie, and redirect the user to the page that was originally requested
<forms> Section Attributes
- loginUrl: unauthenticated requests are redirected to this page
- name: name of the authentication cookie
- path: path of the authentication cookie (browsers match the path case-sensitively, so "/" is the usual choice)
- protection: All | None | Encryption | Validation. "Validation" adds a MAC so the ticket cannot be tampered with, "Encryption" hides its contents, "All" does both; "None" leaves the ticket readable and forgeable by the client. Use "All" unless you have a measured reason not to
- timeout: authentication cookie expiration time in minutes

    <authentication mode="Forms">
        <forms name=".ASPXAUTH" loginUrl="login.aspx" protection="All" timeout="30" path="/" />
    </authentication>
Forms Authentication Code
Logon page code-behind (VB.NET). FormsAuthentication.Authenticate checks the user name and password against the <credentials> section of web.config; a real application validates against its own user store.

    Private Sub cmdLogin_Click(ByVal sender As Object, ByVal e As EventArgs)
        If FormsAuthentication.Authenticate(txtUserName.Value, txtUserPass.Value) Then
            ' Issues the authentication cookie and redirects to the page originally requested
            FormsAuthentication.RedirectFromLoginPage(txtUserName.Value, _
                                                      chkPersistCookie.Checked)
        Else
            ' Failed logon: back to the logon page named by loginUrl
            Response.Redirect("login.aspx", False)
        End If
    End Sub
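The same logon step written out in C#, as an added example that is not part of the webcast. It shows what RedirectFromLoginPage hides: building the ticket, putting the user's roles in its UserData so later requests can recover them, encrypting it under the <forms protection="All"> setting, and redirecting only to a local ReturnUrl. The LookupRoles table, the control names and the cmdLogin_Click handler (wired to a server-side button's ServerClick) are assumptions for the example.

```csharp
// Added example: a Forms Authentication logon handler (not code from the webcast).
using System;
using System.Web;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.HtmlControls;

public class LogonPage : Page
{
    // <input runat="server"> controls on the page; names are assumed for the example.
    protected HtmlInputText txtUserName;
    protected HtmlInputText txtUserPass;
    protected HtmlInputCheckBox chkPersistCookie;

    // Constructed sample role store; a real application queries its user database.
    static string LookupRoles(string user)
    {
        switch (user.ToLowerInvariant())
        {
            case "alice": return "Admin,WebUsers";
            case "bob":   return "WebUsers";
            default:      return "";
        }
    }

    // ReturnUrl is attacker-controlled input: accept only a path on this site,
    // never an absolute or scheme-relative URL ("//evil.example").
    internal static string SafeReturnUrl(string returnUrl)
    {
        if (string.IsNullOrEmpty(returnUrl)) return "default.aspx";
        if (returnUrl.StartsWith("/") && !returnUrl.StartsWith("//") && !returnUrl.StartsWith("/\\"))
            return returnUrl;
        return "default.aspx";
    }

    protected void cmdLogin_Click(object sender, EventArgs e)
    {
        string user = txtUserName.Value;

        // Same check as the VB sample: compares against <credentials> in web.config.
        if (!FormsAuthentication.Authenticate(user, txtUserPass.Value))
        {
            Response.Redirect("login.aspx?failed=1", false);
            return;
        }

        bool persist = chkPersistCookie.Checked;
        FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
            1,                              // ticket version
            user,
            DateTime.Now,
            DateTime.Now.AddMinutes(30),    // matches timeout="30" in <forms>
            persist,
            LookupRoles(user),              // UserData: roles, read back on AuthenticateRequest
            FormsAuthentication.FormsCookiePath);

        // Encrypt() applies the protection="All" setting: encrypt plus MAC.
        HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                           FormsAuthentication.Encrypt(ticket));
        cookie.Path = FormsAuthentication.FormsCookiePath;
        cookie.Secure = true;       // requires the application to be served over SSL
        cookie.HttpOnly = true;     // keep the ticket away from client-side script
        if (persist) cookie.Expires = ticket.Expiration;
        Response.Cookies.Add(cookie);

        Response.Redirect(SafeReturnUrl(Request.QueryString["ReturnUrl"]), false);
    }
}
```

The cookie is only as strong as the <forms protection> setting: with "None" the UserData roles could be rewritten by the client, so this pattern assumes "All".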
Windows Authentication
- Used together with an IIS authentication method: Basic, Digest, Integrated Windows (NTLM or Kerberos), client certificates, and so forth
- The user is authenticated by IIS, not by ASP.NET; ASP.NET only picks up the resulting Windows identity
- Easiest to set up: no logon page to write
- Request flow:
  1. Client makes the request
  2. IIS authenticates the request and forwards it to ASP.NET
  3. If impersonation is turned on, ASP.NET runs the request as the authenticated user; otherwise as the worker process identity
  4. ASP.NET returns the response to the client
Windows Authentication Configuration
- Set mode to "Windows"
- Configure the <authorization> section; keep <deny users="?" /> before <allow users="*" />, because rules are applied in order and the first match wins
Example:

    <authentication mode="Windows" />
    <authorization>
        <deny users="?" />
        <allow users="*" />
    </authorization>
Passport Authentication
- Single sign-in across member sites
- Includes user profile services
- Integrated into ASP.NET authentication
- Scenarios:
  - You don't want to maintain a database of users
  - You want to provide personalized content
  - You need to provide single sign-in
- More details at http://www.passport.com/
Passport Authentication Configuration
What you need:
- Install the Passport SDK
- Register your site with Microsoft Passport
- Set mode to "Passport"
- Configure the <passport> section; redirectUrl is either "internal" (redirect to the Passport sign-in page) or the URL of your own sign-in page
Example:

    <authentication mode="Passport">
        <passport redirectUrl="internal|url" />
    </authentication>
Default and Custom Authentication
- Why use default authentication (mode "None")?
  - ASP.NET skips its own authentication modules, which increases performance
  - Lets you perform custom authentication, or rely entirely on IIS
- With mode "None", ASP.NET authenticates nothing: Context.User is an unauthenticated GenericPrincipal unless your own code replaces it
- Configuration: set mode to "None"
Example:

    <authentication mode="None" />
Custom Authentication
- Handle the AuthenticateRequest event
  - At application level (global.asax)
  - In an HTTP module (implement IHttpModule)
- Scenarios:
  - Custom authentication using munged URLs (a token carried in the URL instead of a cookie) for Web applications
  - Customizing forms authentication, for example attaching roles to the authenticated user
Authorization
- Process of determining whether a user (authenticated or anonymous) is allowed to perform a requested action
- File-based authorization
  - Performed by FileAuthorizationModule
  - Checks the Windows ACL of the requested file against the authenticated Windows identity, so it only applies with Windows authentication
- URL-based authorization
  - Performed by UrlAuthorizationModule
  - Positive and negative assertions (<allow> and <deny>) on user names and roles, whatever the authentication provider
  - Can selectively allow or deny access to URI namespaces
- Custom: handle the AuthorizeRequest event
  - At application level (global.asax)
  - In an HTTP module (implement IHttpModule)
URL Authorization Configuration
- Add an <authorization> section
- Add <allow> and <deny> elements
- Rules are evaluated top to bottom and the first rule that matches the user decides; rules in a subdirectory's web.config are checked before the parent's. If nothing matches, the request is allowed (the machine-wide default is <allow users="*" />), so a restrictive list must end with a <deny>
Example: allow "Admins" or "WebUsers" and deny all others:

    <authorization>
        <allow roles="Admins" />
        <allow roles="WebUsers" />
        <deny users="*" />
    </authorization>
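The ordering rule is where most <authorization> mistakes come from, so here is a small model of it as an added example (not code from the webcast and not the UrlAuthorizationModule itself): a rule list is walked top to bottom, the first matching rule decides, and an empty list allows. The AuthzRule and UrlAuthz names are invented for the example; "*" means everyone, "?" means the anonymous user, and a role rule never matches an anonymous caller.

```csharp
// Added example: a model of first-match evaluation for <allow>/<deny> rules.
using System;
using System.Collections.Generic;

public sealed class AuthzRule
{
    public bool Allow;
    public string[] Users = new string[0];   // "*" = everyone, "?" = anonymous
    public string[] Roles = new string[0];

    public static AuthzRule AllowUsers(params string[] u) { return new AuthzRule { Allow = true,  Users = u }; }
    public static AuthzRule DenyUsers(params string[] u)  { return new AuthzRule { Allow = false, Users = u }; }
    public static AuthzRule AllowRoles(params string[] r) { return new AuthzRule { Allow = true,  Roles = r }; }
    public static AuthzRule DenyRoles(params string[] r)  { return new AuthzRule { Allow = false, Roles = r }; }
}

public static class UrlAuthz
{
    // Rules are checked in order; the first rule matching the caller decides.
    // No match means "allowed", because the machine-level default is <allow users="*" />.
    public static bool IsAllowed(IList<AuthzRule> rules, string userName, string[] roles)
    {
        bool anonymous = string.IsNullOrEmpty(userName);
        foreach (AuthzRule rule in rules)
            if (Matches(rule, anonymous, userName, roles))
                return rule.Allow;
        return true;
    }

    static bool Matches(AuthzRule rule, bool anonymous, string userName, string[] roles)
    {
        foreach (string u in rule.Users)
        {
            if (u == "*") return true;
            if (u == "?" && anonymous) return true;
            if (!anonymous && string.Equals(u, userName, StringComparison.OrdinalIgnoreCase)) return true;
        }
        if (!anonymous)
            foreach (string r in rule.Roles)
                foreach (string have in roles)
                    if (string.Equals(r, have, StringComparison.OrdinalIgnoreCase)) return true;
        return false;
    }

    public static void Main()
    {
        // Correct order: the anonymous caller hits <deny users="?" /> first.
        var good = new List<AuthzRule> { AuthzRule.DenyUsers("?"), AuthzRule.AllowUsers("*") };
        // Reversed order: <allow users="*" /> matches everyone, so the deny is never reached.
        var bad  = new List<AuthzRule> { AuthzRule.AllowUsers("*"), AuthzRule.DenyUsers("?") };
        // The "Admins or WebUsers only" rule set from the slide; the trailing deny is what makes it restrictive.
        var roleSet = new List<AuthzRule> {
            AuthzRule.AllowRoles("Admins"), AuthzRule.AllowRoles("WebUsers"), AuthzRule.DenyUsers("*") };

        Console.WriteLine("anonymous, correct order:  " + IsAllowed(good, null, new string[0]));
        Console.WriteLine("anonymous, reversed order: " + IsAllowed(bad, null, new string[0]));
        Console.WriteLine("bob in WebUsers:           " + IsAllowed(roleSet, "bob", new[] { "WebUsers" }));
        Console.WriteLine("eve in Guests:             " + IsAllowed(roleSet, "eve", new[] { "Guests" }));
        Console.WriteLine("eve, deny removed:         " + IsAllowed(roleSet.GetRange(0, 2), "eve", new[] { "Guests" }));
    }
}
```

The last line is the check worth remembering: drop the <deny users="*" /> from the slide's example and a user in no listed role is allowed, because nothing matched and the default is allow.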
Role-Based Security
- What is this? Deciding what a user may do by membership in named roles, checked in your code with User.IsInRole
- Do not confuse it with MTS and COM+ role-based security
- How does it work?
  - With Microsoft Windows users: roles are Windows groups
  - With non-Windows users: your code attaches the roles to the principal
Windows Users (Check Roles)
Under Windows authentication, User is a WindowsPrincipal and role names are Windows group names:

    If User.IsInRole("BUILTIN\Administrators") Then
        Response.Write("You are an Admin")
    ElseIf User.IsInRole("BUILTIN\Users") Then
        Response.Write("You are a User")
    Else
        Response.Write("Invalid user")
    End If
Non-Windows Users (Attach Roles)
- Handle the AuthenticateRequest event
- Create a GenericPrincipal
- Attach roles to the identity
- Assign the new principal to the request's User
Sample (global.asax; needs <%@ Import Namespace="System.Security.Principal" %> at the top of the file):

    Sub Application_AuthenticateRequest(ByVal s As Object, ByVal e As EventArgs)
        ' Runs for every request; User has already been set by the Forms authentication module
        If Not (User Is Nothing) Then
            If User.Identity.AuthenticationType = "Forms" Then
                ' Sample only: gives every Forms-authenticated user the "Admin" role.
                ' A real application looks the roles up for User.Identity.Name.
                Dim Roles() As String = {"Admin"}
                Context.User = New GenericPrincipal(User.Identity, Roles)
            End If
        End If
    End Sub
Non-Windows Users (Check Roles)

    If User.IsInRole("Admin") Then
        Response.Write("You are an Administrator")
    Else
        Response.Write("You do not have any role assigned")
    End If
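The same role attachment done in an HTTP module instead of global.asax, as an added example in C# that is not part of the webcast. It assumes the roles were written into the ticket's UserData as a comma-separated list when the user logged on, so the module does not need a database lookup on every request; the FormsRolesModule name is invented. Register it in web.config under <httpModules> with <add name="FormsRoles" type="FormsRolesModule" />; because the built-in modules are registered first in machine.config, this handler runs after FormsAuthenticationModule has already set Context.User.

```csharp
// Added example: an HTTP module that rebuilds the principal with the roles
// carried in the Forms Authentication ticket (not code from the webcast).
using System;
using System.Collections.Generic;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

public class FormsRolesModule : IHttpModule
{
    public void Init(HttpApplication app)
    {
        // Same event the global.asax sample handles.
        app.AuthenticateRequest += new EventHandler(OnAuthenticateRequest);
    }

    public void Dispose() { }

    static void OnAuthenticateRequest(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        if (ctx.User == null || !ctx.User.Identity.IsAuthenticated) return;
        if (ctx.User.Identity.AuthenticationType != "Forms") return;   // leave Windows users alone

        FormsIdentity id = ctx.User.Identity as FormsIdentity;
        if (id == null) return;

        // FormsAuthenticationModule has already decrypted and MAC-checked the ticket
        // (protection="All"), so UserData is exactly what the logon page issued.
        string[] roles = ParseRoles(id.Ticket.UserData);
        ctx.User = new GenericPrincipal(id, roles);
    }

    // UserData is assumed to hold a comma-separated role list, e.g. "Admin,WebUsers".
    internal static string[] ParseRoles(string userData)
    {
        if (string.IsNullOrEmpty(userData)) return new string[0];
        List<string> list = new List<string>();
        foreach (string part in userData.Split(','))
        {
            string role = part.Trim();
            if (role.Length > 0) list.Add(role);
        }
        return list.ToArray();
    }
}
```

After this module runs, the page-level check User.IsInRole("Admin") from the slide works unchanged, and a user's roles only change when a new ticket is issued, so revoking a role takes effect at the next logon or ticket timeout, not immediately.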
Impersonation
- Defined: running the request under the security context of the user IIS authenticated, rather than under the worker process account
- In ASP, every request is impersonated automatically
- In ASP.NET, the developer has more control:
  - Impersonate automatically (the IIS-authenticated user, or the IIS anonymous account for anonymous requests)
  - Do not impersonate (that is, use the process identity)
- Different ways to impersonate in ASP.NET:
  - <identity> tag
  - Code-based impersonation
Impersonation Configuration

    <identity impersonate="false" />    <!-- default: run as the worker process identity -->
    <identity impersonate="true" />     <!-- run as the user IIS authenticated (or the anonymous account) -->
    <identity impersonate="true" userName="username" password="password" />  <!-- run as a fixed account -->

The third form stores a password in clear text in web.config: restrict the file's ACL to administrators and the worker process account, and keep it out of source control.
Code Impersonation
1. Call the LogonUser API to obtain a token for the account (needs the account's password; on Windows 2000 the calling process also needs the "Act as part of the operating system" privilege)
2. Call the ImpersonateLoggedOnUser API (in managed code: WindowsIdentity.Impersonate)
3. Run the code in the security context of the impersonated user
4. Call RevertToSelf (in managed code: WindowsImpersonationContext.Undo) in a finally block, so an exception cannot leave the thread impersonating for the next request
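Those four steps as a reusable helper, added here as an example that is not part of the webcast. The Win32 calls are declared through P/Invoke; WindowsIdentity.Impersonate wraps ImpersonateLoggedOnUser and disposing the returned context is the RevertToSelf. The domain, account and password in Main are placeholders, and the example only runs on Windows.

```csharp
// Added example: impersonate a fixed account for one block of code, then revert
// (not code from the webcast).
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Security.Principal;

public static class Impersonator
{
    const int LOGON32_LOGON_INTERACTIVE = 2;
    const int LOGON32_LOGON_NETWORK     = 3;
    const int LOGON32_PROVIDER_DEFAULT  = 0;

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string user, string domain, string password,
                                 int logonType, int logonProvider, out IntPtr token);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr handle);

    // Runs 'action' as the given account and always reverts, even if the action throws.
    public static T RunAs<T>(string domain, string user, string password, Func<T> action)
    {
        IntPtr token;
        // INTERACTIVE yields a primary token whose credentials can reach remote machines
        // (the "NT AUTHORITY\ANONYMOUS LOGON" case in the FAQ); NETWORK logons do not
        // cache credentials and are good only for local resources.
        if (!LogonUser(user, domain, password, LOGON32_LOGON_INTERACTIVE, LOGON32_PROVIDER_DEFAULT, out token))
            throw new Win32Exception(Marshal.GetLastWin32Error());
        try
        {
            // Impersonate() = ImpersonateLoggedOnUser; leaving the using block = RevertToSelf.
            using (WindowsImpersonationContext ctx = new WindowsIdentity(token).Impersonate())
            {
                return action();
            }
        }
        finally
        {
            CloseHandle(token);   // the thread is already reverted at this point
        }
    }

    public static void Main()
    {
        // Placeholder credentials. In a real application they come from a protected store,
        // never from source code or a world-readable web.config.
        string inside = Impersonator.RunAs("MYDOMAIN", "svc_reports", "placeholder-password",
            () => WindowsIdentity.GetCurrent().Name);
        Console.WriteLine("Inside RunAs: " + inside);
        Console.WriteLine("After RunAs:  " + WindowsIdentity.GetCurrent().Name);
    }
}
```

Impersonation changes only the thread's token: new threads, thread-pool callbacks and the process itself keep running as the worker process account, which is why the revert must happen on the same thread that impersonated.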
Frequently Asked Questions
Q: Request.ServerVariables("LOGON_USER") returns an empty string
A: Anonymous access is enabled in IIS, so the client was never challenged and there is no logon name. Deny the anonymous user in web.config: ASP.NET then returns a 401 and IIS authenticates the request (an IIS authentication method such as Integrated Windows or Basic must be enabled as well):

    <authorization>
        <deny users="?" />   <!-- deny access to anonymous user -->
        <allow users="*" />  <!-- allow all users -->
    </authorization>
Frequently Asked Questions (2)
Q: Access denied to "NT AUTHORITY\SYSTEM" or to "NT AUTHORITY\ANONYMOUS LOGON" when you try to access resources on a remote machine (for example, a remote SQL Server, a remote file system, and so forth)
A: This is the delegation ("double hop") scenario. With Integrated Windows (NTLM) authentication, IIS gives ASP.NET an impersonation token that is valid only on the Web server; it carries no credentials, so the remote machine sees either the worker process account or an anonymous logon. The solution is to make sure the request holds a primary security token (one created from credentials) when it reaches for remote resources. There are several ways to do this depending on your requirements, such as Kerberos delegation or a fixed account; one of them is to use Basic authentication for your application, which gives IIS the password and lets it create a logon that can reach other machines. Basic authentication sends the password base64-encoded, not encrypted, so use it only over SSL.
Frequently Asked Questions (3)
Q: Using Forms Authentication for a Web application, how do I allow anonymous access to the default.aspx page but not to other pages in the same directory?
A: Use the <location> section of web.config. The application's own <authorization> section (under <system.web>) keeps <deny users="?" /> so anonymous users are denied everywhere by default, and a <location> entry for default.aspx overrides it for that one file. A location's rules are checked before the directory's, so the <allow users="*" /> below matches first:

    <configuration>
        .......................
        <location path="default.aspx">
            <system.web>
                <authorization>
                    <allow users="*" />
                </authorization>
            </system.web>
        </location>
    </configuration>
Resources
- Knowledge Base article "BETA-INFO: ASP.NET Security Overview"
  http://support.microsoft.com/support/misc/kblookup.asp?id=Q306590
- MSDN article "Authentication in ASP.NET: .NET Security Guidance"
  http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnbda/html/authaspdotnet.asp
Thank you for joining us for today’s Microsoft Support WebCast. For information about all upcoming Support WebCasts and access to the archived content (streaming media files, PowerPoint® slides, and transcripts), please visit: http://support.microsoft.com/webcasts/ We sincerely appreciate your feedback. Please send any comments or suggestions regarding the Support WebCasts to feedback@microsoft.com and include “Support WebCasts” in the subject line.