Delivering Excellence in Software Engineering ® 2006. EPAM Systems. All rights reserved. ASP.NET Authentication.


ASP.NET Authentication
Authentication is the process of obtaining identification credentials, such as a name and password, from a user and validating those credentials against some authority. If the credentials are valid, the entity that submitted them is considered an authenticated identity. Once an identity has been authenticated, the authorization process determines whether that identity has access to a given resource. ASP.NET implements additional authentication schemes using authentication providers, which are separate from the IIS authentication schemes and apply only after IIS has already processed the request. ASP.NET supports the following authentication providers:
– Windows (default)
– Forms
– Passport
– None

Authentication systems
To enable an authentication provider for an ASP.NET application, you only need to create one entry in the application configuration file: the <authentication mode="..."> element inside <system.web> in Web.config, where mode is one of Windows, Forms, Passport or None. Windows is the value inherited from machine.config when the element is absent.

Windows authentication provider
The Windows authentication provider relies upon IIS to perform the required authentication of a client (Basic, Digest or Integrated Windows authentication, as configured on the virtual directory). After IIS authenticates a client, it passes a security token to ASP.NET. ASP.NET constructs a WindowsPrincipal object from that token and attaches it to the application context (HttpContext.User).
Pro: Authenticates using Windows accounts, so you do not need to write any custom authentication code.
Con: May require the use and management of individual Windows user accounts. Note also that Basic authentication sends the password only Base64-encoded, so it must be used over SSL.

Passport authentication provider
The Passport authentication provider uses a centralized authentication service provided by Microsoft that offers a single logon and core profile services for member sites. Passport is a forms-based authentication service. When a member site registers with Passport, the Passport service grants it a site-specific key. The Passport logon server uses this key to encrypt and decrypt the query strings passed between the member site and the Passport logon server.
Pros: Supports single sign-in across multiple domains. Compatible with all browsers.
Con: Places an external dependency on the authentication process. (The Passport service has since been retired, and PassportAuthenticationModule is marked obsolete from .NET Framework 4.0 onward; treat this provider as historical.)

None (custom authentication)
Specify "None" as the authentication provider when users are not authenticated at all, or if you plan to develop custom authentication code. For example, you may want to develop your own authentication scheme using an ISAPI filter that authenticates users and manually creates a GenericPrincipal object.
Pros: Offers total control of the authentication process, providing the greatest flexibility. Provides the highest performance if you do not implement an authentication method.
Cons: Custom-built authentication schemes are seldom as secure as those provided by the operating system. Requires extra work to custom-build an authentication scheme.

Forms authentication provider
The Forms authentication provider is an authentication scheme that makes it possible for the application to collect credentials directly from the client using an HTML form. The client submits the credentials directly to your application code for authentication. If your application authenticates the client, it issues an authentication ticket, carried in a cookie, that the client presents on subsequent requests. If a request for a protected resource does not contain a valid ticket, the application redirects the client to the logon page. The application can keep the credentials it validates against in a number of ways, such as a configuration file or a SQL Server database. Because both the form and the ticket cookie travel over HTTP, the login page and every request that carries the ticket should use SSL; otherwise the password and the ticket can be captured and replayed.

The forms authentication process (figure)

Why use forms authentication?
Cookie authentication is an attractive option for developers for a number of reasons:
– You have full control over the authentication code.
– You have full control over the appearance of the login form.
– It works with any browser.
– It allows you to decide how to store user information.

Implementing forms authentication
Basically, you need to complete the following steps to use forms authentication in your application:
– Configure forms authentication in the web.config file (the <authentication mode="Forms"> element and its <forms> child).
– Configure IIS to allow anonymous access to the virtual directory, and configure ASP.NET to restrict anonymous access to the web application (an <authorization> section that denies the anonymous user "?"). If IIS is left requiring Windows credentials, the browser is challenged before the form is ever shown.
– Create a custom login page that collects and validates a user name and password and then interacts with the forms authentication infrastructure to create the ticket.

Complete set of options when configuring forms authentication (values as shown on the slide):
<forms name=".ASPXAUTH" loginUrl="login.aspx" timeout="30" slidingExpiration="false" cookieless="AutoDetect" protection="All" requireSSL="false" enableCrossAppRedirects="false" defaultUrl="Default.aspx" domain="" path="/" />
Two of these values deserve a second look on an Internet-facing site. requireSSL="false" lets the ticket cookie travel over plain HTTP, where it can be sniffed and replayed; set it to "true" and serve the login page over SSL. cookieless="AutoDetect" (or "UseUri") allows the ticket to be carried in the URL for clients that appear not to accept cookies, which puts it into proxy logs, Referer headers and browser history; prefer "UseCookies". Keep protection="All" (the ticket is both encrypted and signed with the machineKey) and enableCrossAppRedirects="false" (the login page will not redirect to a URL outside the application).

Credentials store in web.config
<forms name="MyCookieName" loginUrl="MyLogin.aspx" timeout="20">
  <credentials passwordFormat="SHA1">
    <!-- one <user name="..." password="..."/> element per account -->
  </credentials>
</forms>
FormsAuthentication.Authenticate(name, password) checks a submitted pair against this list. passwordFormat can be Clear, MD5 or SHA1; Clear leaves every password readable by anyone who can open the file, and the hashed formats are unsalted, so this store is suitable only for small, low-value sites. For anything larger, validate against a database (or, on ASP.NET 2.0, a Membership provider) instead.
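The three implementation steps and the options above, put together in one Web.config. This is an added example, not the slides' own snippet: the page name Login.aspx, the 20-minute timeout and the sample user entry are assumptions for illustration, and the weak values from the options slide (requireSSL="false", cookieless="AutoDetect") are replaced by their hardened counterparts.

```xml
<?xml version="1.0"?>
<!-- Web.config: added example, not from the original slides. -->
<configuration>
  <system.web>
    <!-- Step 1: pick the provider. Windows is the machine.config default;
         the <forms> child applies only when mode="Forms". -->
    <authentication mode="Forms">
      <forms name=".ASPXAUTH"
             loginUrl="Login.aspx"
             defaultUrl="Default.aspx"
             timeout="20"
             slidingExpiration="false"
             cookieless="UseCookies"
             protection="All"
             requireSSL="true"
             enableCrossAppRedirects="false"
             path="/">
        <!-- Credentials kept in Web.config (FormsAuthentication.Authenticate reads
             them). passwordFormat="Clear" would store plain text; SHA1 is unsalted
             and still weak, so use this store only for small internal sites. The
             entry below is a constructed sample: the SHA-1 of the word "password". -->
        <credentials passwordFormat="SHA1">
          <user name="alice" password="5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8"/>
        </credentials>
      </forms>
    </authentication>

    <!-- Step 2, ASP.NET side: deny the anonymous user ("?") everywhere. IIS itself
         must allow Anonymous access on the virtual directory, or IIS challenges
         for Windows credentials before the form is ever shown. -->
    <authorization>
      <deny users="?"/>
    </authorization>

    <!-- On a web farm every node needs the same keys to decrypt and verify
         tickets; AutoGenerate is fine only on a single server. -->
    <machineKey validation="SHA1" decryption="AES"
                validationKey="AutoGenerate,IsolateApps"
                decryptionKey="AutoGenerate,IsolateApps"/>
  </system.web>

  <!-- Explicitly allow the login page (ASP.NET 2.0 exempts loginUrl on its own,
       ASP.NET 1.x does not); widen the path if the page needs images or CSS
       from a folder of its own. -->
  <location path="Login.aspx">
    <system.web>
      <authorization>
        <allow users="*"/>
      </authorization>
    </system.web>
  </location>
</configuration>
```

With this file in place an anonymous request for Default.aspx is redirected to Login.aspx?ReturnUrl=%2fDefault.aspx, and a ticket issued by the login page is accepted only over HTTPS and only for 20 minutes from issue, because slidingExpiration is off.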

IIS and ASP.NET (figure)

FormsAuthenticationModule
The most important part of the forms authentication framework is the FormsAuthenticationModule, an HttpModule that detects existing forms authentication tickets in the request. On each request it decrypts and validates the ticket cookie, rejects expired or tampered tickets, attaches a principal with a FormsIdentity to the request (HttpContext.User), and redirects unauthenticated requests for protected resources to loginUrl.

The forms authentication classes
– System.Web.Security.FormsAuthentication
– System.Web.Security.FormsAuthenticationEventArgs
– System.Web.Security.FormsAuthenticationTicket
– System.Web.Security.FormsIdentity
– System.Web.Security.FormsAuthenticationModule
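The login page's side of the process, using the classes listed above, as an added example (this is not code from the slides): a code-behind that validates the submitted credentials against the Web.config <credentials> store, issues a signed and encrypted ticket that carries the user's roles, and redirects back only to a path inside the application. The control names, the LookupRoles table and the 20-minute lifetime are assumptions.

```csharp
// Login.aspx.cs: code-behind for the custom login page (added example, not
// from the original slides). Assumes <authentication mode="Forms"> with a
// <credentials> section in Web.config, and that the page defines TextBox
// controls UserName and Password, a Label FailureText, and Buttons wired to
// LoginButton_Click and LogoutButton_Click (hypothetical control names).
using System;
using System.Web;
using System.Web.Security;
using System.Web.UI;

public partial class Login : Page
{
    protected void LoginButton_Click(object sender, EventArgs e)
    {
        string user = UserName.Text.Trim();
        string pwd = Password.Text;

        // Authenticate() compares against the <credentials> list using the
        // configured passwordFormat (Membership.ValidateUser is the equivalent
        // for a Membership provider). Return one generic message whichever part
        // was wrong, so the page does not confirm which user names exist.
        if (user.Length == 0 || !FormsAuthentication.Authenticate(user, pwd))
        {
            FailureText.Text = "Invalid user name or password.";
            return;
        }

        // RedirectFromLoginPage would issue a ticket with empty UserData; build
        // it explicitly so the roles travel inside the signed ticket.
        FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
            1,                            // ticket version
            user,                         // authenticated name
            DateTime.Now,                 // issue time
            DateTime.Now.AddMinutes(20),  // absolute expiry; matches <forms timeout>
            false,                        // not persistent: no long-lived cookie on disk
            LookupRoles(user),            // custom user data: comma-separated roles
            FormsAuthentication.FormsCookiePath);

        // Encrypt() applies <forms protection="All">: HMAC plus encryption with
        // the <machineKey>, so the client can neither read nor alter the roles.
        string encrypted = FormsAuthentication.Encrypt(ticket);

        HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName, encrypted);
        cookie.HttpOnly = true;                          // hidden from script (limits XSS theft)
        cookie.Secure = FormsAuthentication.RequireSSL;  // HTTPS-only when requireSSL="true"
        cookie.Path = FormsAuthentication.FormsCookiePath;
        Response.Cookies.Add(cookie);

        Response.Redirect(SafeReturnUrl(Request.QueryString["ReturnUrl"]), true);
    }

    // Placeholder role lookup with constructed sample data; a real site reads
    // the roles from its user store.
    private static string LookupRoles(string user)
    {
        switch (user.ToLowerInvariant())
        {
            case "alice": return "Admin,Manager";
            case "bob":   return "Manager";
            default:      return "";
        }
    }

    // Only follow application-relative return paths. A ReturnUrl such as
    // http://attacker.example or //attacker.example would otherwise turn the
    // login page into an open redirector.
    internal static string SafeReturnUrl(string returnUrl)
    {
        if (string.IsNullOrEmpty(returnUrl)
            || !returnUrl.StartsWith("/")
            || returnUrl.StartsWith("//")
            || returnUrl.StartsWith("/\\"))
        {
            return FormsAuthentication.DefaultUrl;
        }
        return returnUrl;
    }

    protected void LogoutButton_Click(object sender, EventArgs e)
    {
        FormsAuthentication.SignOut();   // expires the ticket cookie
        Session.Abandon();
        Response.Redirect(FormsAuthentication.LoginUrl, true);
    }
}
```

The ticket is built by hand rather than through RedirectFromLoginPage only because UserData is the one place to carry role names without a database lookup on every request; FormsAuthenticationModule still does all validation of the cookie on later requests.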

Authorization
After authenticating a principal, the next step is to determine whether that principal has permission to access the resources it is requesting. This process is known as authorization. ASP.NET works in conjunction with its primary host environment, Internet Information Services (IIS), to provide authentication and authorization services to applications, and there are several schemes for determining whether an authenticated principal is authorized to access a particular resource. The security of an ASP.NET application is built upon the security infrastructure of IIS and Windows. All communication between client and application must first pass through IIS, and any process that runs on a Windows server does so in the context of an authenticated user account. When using the NTFS file system, Windows maintains an access control list (ACL) for every resource it controls, which serves as the ultimate authority for resource access permissions.

Items that control authorization
The following items control authorization in an ASP.NET application:
– Windows Access Control Lists (ACLs)
– Web server permissions
– URL authorization
– .NET principal objects
– Roles and method-level security

ACLs and Web Server Permissions
Windows Access Control Lists: using Windows ACLs, you can set file system permissions on specific application files. This works best if your application authenticates users against Windows accounts (with impersonation enabled the ACL is checked against the caller; without it, against the worker process account). To use Windows ACLs, the files must reside on an NTFS volume.
Web server permissions: in IIS you can set permissions on Web site directories, such as Read, Write, Script source access and Directory browsing, and choose which execute permissions (None, Scripts only, Scripts and Executables) apply to the directory.

URL Authorization
The UrlAuthorizationModule class maps users and roles to elements within the URI namespace, which is defined by a URL. This module implements both positive and negative authorization assertions, so it can be used to selectively permit or deny specific users access to arbitrary elements of the URI namespace; for example, you can base access on role membership. Note that the module runs only for requests that reach the ASP.NET pipeline: on IIS 6, a file type that is not mapped to aspnet_isapi.dll (for example .html, .pdf or .zip) is served by IIS without consulting the <authorization> section, so such files are protected only by NTFS ACLs and IIS permissions.

.NET Principal Objects
WindowsPrincipal object: the System.Security.Principal namespace provides the WindowsPrincipal class to represent an authenticated Windows user. ASP.NET creates this object for you from the token IIS passes when you use Windows authentication in IIS and attaches it to HttpContext.User. It allows you to check the Windows group membership of the user account and restrict access accordingly. This is the identity of the client, not necessarily the identity the code runs under; the latter is the worker process account unless impersonation is enabled.
GenericPrincipal object: you can create an object from the GenericPrincipal class based on your own custom roles. Use this when you have your own user/role database. You populate the principal object in the Application_AuthenticateRequest event in Global.asax (or in FormsAuthentication_OnAuthenticate). You can have a custom table mapped to user accounts that you access in this event; using that information, you create a custom principal object for the authenticated user. For returning authenticated users, you can use the signed authentication ticket in the cookie to recreate the principal object on each request.

Roles and Method-Level Security
If you are using Windows accounts, create roles for your users by creating Windows groups. Because the processing thread is impersonating the client (when impersonation is enabled) and a WindowsPrincipal object is available, use the following approaches:
– Create NTFS ACLs on protected resources accessed by the ASP.NET thread.
– Call the WindowsPrincipal.IsInRole method from each method to verify that the caller has the appropriate permissions. You can also implement a logic statement in code that calls a particular subroutine based on the client's group membership.
If you are using a GenericPrincipal object created from users and roles contained in a custom database:
– You can programmatically check role membership by calling the GenericPrincipal.IsInRole method in the same fashion as with the WindowsPrincipal object.

Roles and Method-Level Security (continued)
If you are not using a principal object, you have other options:
– The role-based security model supports a permission object similar to the permission objects found in the code access security model. This object, PrincipalPermission, represents the identity and role that a particular principal must have for the code to run. You can use the PrincipalPermission class for both imperative and declarative security checks. (The demand is evaluated against Thread.CurrentPrincipal, so a principal object still has to be in place; what you avoid is hand-written IsInRole calls in every method.)
– Accept user credentials as parameters to the method call and perform a look-up within the method.
– Verify the existence of a cookie as the first operation of the method call. Existence alone proves nothing: the cookie's value must be validated (for example, a signed, time-limited ticket) before it is trusted.
– Create a logon method that returns a custom key value. Subsequent methods accept the key value as a parameter. This is similar to using browser-supported cookies; however, you can use it in cases where the client does not support cookies. The key must be unpredictable (generated from a cryptographic random source) and must expire, or it is simply a long-lived password.
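Rebuilding the principal from the ticket and consuming it from method-level checks, as an added example covering the GenericPrincipal, IsInRole and PrincipalPermission points of the last three slides (this is not code from the slides). It assumes the login page stored a comma-separated role list in the ticket's UserData; the Global class layout, OrderService and its sample orders are hypothetical.

```csharp
// Global.asax.cs plus a service class (added example, not from the original
// slides). Assumes the login page put a comma-separated role list in
// FormsAuthenticationTicket.UserData; OrderService and its data are hypothetical.
using System;
using System.Collections.Generic;
using System.Security.Permissions;
using System.Security.Principal;
using System.Threading;
using System.Web;
using System.Web.Security;

public class Global : HttpApplication
{
    // AuthenticateRequest fires after FormsAuthenticationModule has validated
    // the ticket and set Context.User to a principal with a FormsIdentity but
    // no roles. Replace it with a GenericPrincipal that carries the roles.
    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        HttpContext ctx = HttpContext.Current;
        if (ctx.User == null || !ctx.User.Identity.IsAuthenticated)
            return;                                   // anonymous request

        FormsIdentity identity = ctx.User.Identity as FormsIdentity;
        if (identity == null)
            return;                                   // Windows or other provider: leave as is

        string[] roles = ParseRoles(identity.Ticket.UserData);

        // The module already verified the ticket's signature, so UserData is
        // trustworthy: the client cannot have added "Admin" to its own cookie.
        IPrincipal principal = new GenericPrincipal(identity, roles);
        ctx.User = principal;
        Thread.CurrentPrincipal = principal;          // PrincipalPermission reads this one
    }

    internal static string[] ParseRoles(string userData)
    {
        if (string.IsNullOrEmpty(userData))
            return new string[0];
        return userData.Split(new char[] { ',' }, StringSplitOptions.RemoveEmptyEntries);
    }
}

public class OrderService
{
    // Constructed sample data standing in for the orders table: id -> balance.
    private readonly Dictionary<int, decimal> orders = new Dictionary<int, decimal>();

    public OrderService()
    {
        orders[1] = 250m;
        orders[2] = 4000m;
    }

    // Declarative check: the runtime demands the role before the body runs and
    // throws SecurityException when Thread.CurrentPrincipal is not in "Admin".
    [PrincipalPermission(SecurityAction.Demand, Role = "Admin")]
    public bool DeleteOrder(int orderId)
    {
        return orders.Remove(orderId);
    }

    // Imperative check: the same demand, issued only on the sensitive branch.
    public decimal Refund(int orderId, decimal amount)
    {
        if (amount > 1000m)
            new PrincipalPermission(null, "Manager").Demand();

        decimal balance;
        if (!orders.TryGetValue(orderId, out balance))
            throw new ArgumentException("Unknown order.", "orderId");
        orders[orderId] = balance - amount;
        return orders[orderId];
    }

    // Plain IsInRole works identically for WindowsPrincipal and GenericPrincipal,
    // so page code can branch on membership without knowing which provider is in use.
    public static bool CanViewReports(IPrincipal user)
    {
        return user != null
            && user.Identity.IsAuthenticated
            && (user.IsInRole("Manager") || user.IsInRole("Admin"));
    }
}
```

The same OrderService works unchanged under Windows authentication, where HttpContext.User is a WindowsPrincipal and "Admin" and "Manager" resolve to Windows groups; only the Application_AuthenticateRequest handler is specific to forms tickets, and it steps aside when the identity is not a FormsIdentity.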

ASP.NET Impersonation
Another important security feature is the ability to control the identity under which code is executed. Impersonation is when ASP.NET executes code in the security context of the authenticated and authorized client. By default, ASP.NET does not use impersonation and instead executes all code using the same user account as the ASP.NET process: the ASPNET account under IIS 5, and the application pool identity under IIS 6, which is NetworkService by default. This is contrary to the default behavior of classic ASP, which impersonates the caller by default.

Impersonation options
If you enable impersonation, ASP.NET can either impersonate the authenticated identity received from IIS or a fixed identity specified in the application's Web.config file. The setting is the <identity> element in <system.web>, and you have the following three options:
– Impersonation disabled: <identity impersonate="false"/>, the default; code runs as the process account.
– Impersonation enabled: <identity impersonate="true"/>; code runs as the user IIS authenticated, or as the IIS anonymous account (IUSR_machinename) for anonymous requests.
– Impersonation enabled with a specific identity: <identity impersonate="true" userName="..." password="..."/>; every request runs as that account. Do not leave the password in clear text in Web.config: on ASP.NET 2.0 encrypt the section with aspnet_regiis -pe "system.web/identity" -app "/YourApp", and on ASP.NET 1.1 move it into the registry with aspnet_setreg.exe.

Attention!
You should exercise care when using impersonation, because it makes it possible for an application to process code with permissions the application designer did not anticipate. For example, if your application impersonates an authenticated intranet user who holds administrative privileges, the application possesses those administrative privileges while serving that user's request, and any injection or path traversal flaw in the application is exercised with them. Likewise, if the impersonated user has more restrictive permissions than anticipated, the user may not be able to use the application. Impersonate for the narrowest scope that needs it, and keep impersonated accounts out of the local Administrators group.
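Applying the warning above in code, as an added example (not from the slides): instead of <identity impersonate="true"/>, which runs every line of every request as the caller, the page impersonates the caller only around the one file read that needs the caller's NTFS rights and reverts automatically afterwards. It assumes Windows authentication in IIS, the default <identity impersonate="false"/>, Full trust (WindowsIdentity.Impersonate demands it), and a hypothetical ~/App_Data/reports folder.

```csharp
// Report.aspx.cs (added example, not from the original slides): scoped,
// programmatic impersonation of the authenticated client. Assumes Windows
// authentication in IIS, <identity impersonate="false"/> and Full trust;
// the ~/App_Data/reports folder is hypothetical.
using System;
using System.IO;
using System.Security.Principal;
using System.Web.UI;

public partial class Report : Page
{
    // Reads a report file as the authenticated client rather than as the worker
    // process, so the file's NTFS ACL decides, but only for the duration of the read.
    protected string ReadReport(string fileName)
    {
        // Refuse anything that is not a bare file name (blocks ..\ traversal).
        if (string.IsNullOrEmpty(fileName) || fileName != Path.GetFileName(fileName))
            throw new ArgumentException("A bare file name is required.", "fileName");

        string path = Path.Combine(Server.MapPath("~/App_Data/reports"), fileName);

        WindowsIdentity client = User.Identity as WindowsIdentity;
        if (client == null || !client.IsAuthenticated)
            throw new UnauthorizedAccessException("Windows authentication is required.");

        // Here the thread still runs as the process identity, e.g.
        // NT AUTHORITY\NETWORK SERVICE on IIS 6.
        Trace.Write("Impersonation", "process identity: " + WindowsIdentity.GetCurrent().Name);

        using (WindowsImpersonationContext impersonation = client.Impersonate())
        {
            // Now GetCurrent() reports the caller; File.ReadAllText is
            // access-checked against the caller's token, not the pool identity.
            Trace.Write("Impersonation", "reading as: " + WindowsIdentity.GetCurrent().Name);
            return File.ReadAllText(path);
        }   // Dispose() calls Undo(), even when ReadAllText throws, so later code
            // in the request never keeps the client's privileges by accident.
    }
}
```

Two limits to keep in mind: a token obtained through NTLM has no network credentials, so the impersonated read works for local files but not for a UNC share unless Kerberos delegation is configured; and the impersonated user needs only Read on the report files, so a user who is a local administrator gains nothing extra from this scope, which is the point.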

For more information, please contact: Uladzimir Tsikhon, Software Engineering Manager, Belarus Resource Development Department, EPAM Systems, Inc., Minsk, Belarus. Phone: +375(17) ext 1756. Fax: +375(17)