© FPT SOFTWARE – TRAINING MATERIAL – Internal use 04e-BM/NS/HDCV/FSOFT v2/3 Securing a Microsoft ASP.NET Web Application.

Overview
- Web Application Security Overview
- Working with Windows-Based Authentication
- Working with Forms-Based Authentication
- Overview of Microsoft Passport Authentication

Lesson: Web Application Security Overview
- Authentication vs. Authorization
- What Are ASP.NET Authentication Methods?
- Multimedia: ASP.NET Authentication Methods
- Comparing the ASP.NET Authentication Methods
- What Are the IIS Authentication Mechanisms?
- Demonstration: Using IIS Authentication Mechanisms
- What Is Secure Sockets Layer?

Authentication vs. Authorization
- Authentication
  - Accepts credentials from a user
  - Validates the credentials
- Authorization
  - Given the authentication credentials supplied, determines the right to access a resource
  - Can be assigned by user name or by role

What Are ASP.NET Authentication Methods?
- Windows-based authentication
  - Relies on the Windows operating system and IIS
  - User requests a secure Web page and the request goes through IIS
  - After credentials are verified by IIS, the secure Web page is returned
- Forms-based authentication
  - Unauthenticated requests are redirected to an HTML form
  - User provides credentials and submits the HTML form
  - After credentials are verified, an authentication cookie is issued
- Microsoft Passport authentication
  - Centralized authentication service that offers a single logon option
  - Microsoft Passport is an XML Web service

Multimedia: ASP.NET Authentication Methods

Comparing the ASP.NET Authentication Methods

Windows-based Authentication
- Advantages:
  - Uses existing Windows infrastructure
  - Controls access to sensitive information
- Disadvantages:
  - Not appropriate for most Internet applications

Forms-based Authentication
- Advantages:
  - Good for Internet applications
  - Supports all client types
- Disadvantages:
  - Based on cookies

Microsoft Passport Authentication
- Advantages:
  - Single sign in for many Internet sites
  - No need to maintain a database to store user information
  - Allows developers to customize the appearance of the registration page
- Disadvantages:
  - Based on cookies
  - Fees involved

What Are the IIS Authentication Mechanisms?

Anonymous (security level: None)
- No authentication occurs

Basic (security level: Low; Medium with SSL)
- Client sends username and password as clear text
- Can be encrypted by using SSL
- Part of the HTTP specification and supported by most browsers

Digest (security level: Medium)
- Sends information as an encoded hash
- Requires Internet Explorer 5 or later
- Requires Active Directory

Integrated Windows (security level: High)
- Uses either NTLM or Kerberos
- Generally good for intranets, not the Internet
- Does not work through most firewalls

Demonstration: Using IIS Authentication Mechanisms
- Right-click Mod16 and then click Properties
- Click the Directory Security tab
- Click Edit
- Show the authentication methods

What Is Secure Sockets Layer?
- SSL is a protocol used for transmitting data securely across a network. SSL secures data through:
  - Data encryption
    - Ensures that the data sent is read only by a secure target server
  - Server authentication
    - Ensures that data is sent to the correct server
    - Uses the server and client certificates
  - Data integrity
    - Protects the integrity of the data
    - Includes a message authentication code that detects whether a message is altered
- Uses Hypertext Transfer Protocol Secure (HTTPS) to retrieve an ASP.NET Web page

Lesson: Working with Windows-Based Authentication
- How to Enable Windows-Based Authentication
- Reading User Information
- Demonstration: Using Windows-Based Authentication

How to Enable Windows-Based Authentication
1. Configure IIS to use one or more of the following authentication mechanisms:
   - Basic
   - Digest
   - Integrated Windows security
2. Set Windows-based authentication in Web.config

How to Enable Windows-Based Authentication (continued)
3. Set up authorization in Web.config
4. When users access the Web Form, IIS requests logon information
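Steps 2 and 3 together, as an added Web.config example that is not part of the original slides. The group names (CONTOSO\WebUsers, CONTOSO\WebAdmins) and the Admin folder are placeholders assumed for the illustration; step 1 (Basic, Digest or Integrated Windows in IIS) still has to be done in IIS, because this file only tells ASP.NET to trust the identity IIS established.

```xml
<?xml version="1.0"?>
<!-- Added example, not from the original slides. Web.config for steps 2 and 3:
     Windows-based authentication plus URL authorization. IIS (step 1) must also be
     set to Basic, Digest or Integrated Windows on this virtual directory; with
     Anonymous only, User.Identity.Name arrives empty and no logon prompt appears. -->
<configuration>
  <system.web>
    <!-- Step 2: ASP.NET uses the Windows identity that IIS already authenticated. -->
    <authentication mode="Windows" />

    <!-- Step 3: rules are evaluated top to bottom and the first match wins.
         "?" means anonymous users, "*" means everyone. Without these rules the
         machine-level default (allow users="*") lets every request through. -->
    <authorization>
      <allow roles="CONTOSO\WebUsers" />   <!-- placeholder Windows group -->
      <deny users="?" />                   <!-- anonymous: IIS challenges for credentials (step 4) -->
      <deny users="*" />                   <!-- authenticated but not in the group: refused -->
    </authorization>
  </system.web>

  <!-- Per-folder override (placeholder path): only the admin group reaches /Admin,
       regardless of the rules above. -->
  <location path="Admin">
    <system.web>
      <authorization>
        <allow roles="CONTOSO\WebAdmins" /> <!-- placeholder Windows group -->
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

The order of the rules matters: if the deny rules came first, the allow for the group would never be reached and every user would be refused. Checking with a user that is in the group, one that is not, and an anonymous request covers the three branches.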

Reading User Information
- After authentication, the Web server can read the user identity

  Visual Basic .NET:
    lblAuthUser.Text = User.Identity.Name
    lblAuthType.Text = User.Identity.AuthenticationType
    ' IsAuthenticated is a Boolean; convert it before assigning it to a String property
    lblIsAuth.Text = User.Identity.IsAuthenticated.ToString()

  C#:
    lblAuthUser.Text = User.Identity.Name;
    lblAuthType.Text = User.Identity.AuthenticationType;
    // IsAuthenticated is a bool; Text is a string, so the conversion is required
    lblIsAuth.Text = User.Identity.IsAuthenticated.ToString();

Demonstration: Using Windows-Based Authentication
- Open IIS and configure it with Anonymous authentication only
- Create a new user on the local machine
- Open Web.config and configure it for authentication and authorization
- Run the secure ASP.NET Web application
  - Students can access the secure ASP.NET Web application on the Instructor machine

Lesson: Working with Forms-Based Authentication
- Overview of Forms-Based Authentication
- Multimedia: Forms-Based Authentication
- How to Enable Forms-Based Authentication
- Creating a Logon Page
- Demonstration: Using Forms-Based Authentication

Overview of Forms-Based Authentication
[Diagram: the client requests a page from IIS, and ASP.NET Forms Authentication checks the request. Not authenticated: the client is sent to the Logon Page (users enter their credentials: Username, Password, Submit); once authenticated, an Authentication Cookie is issued. An authenticated request is then authorized and the Requested Secure Page is returned; otherwise the result is Access Denied.]

Multimedia: Forms-Based Authentication

How to Enable Forms-Based Authentication
- Configure IIS to use Anonymous authentication
- Set Forms-based authentication in Web.config
    <forms name=".namesuffix" loginUrl="login.aspx" />
- Set up authorization
- Build a Logon Web Form
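The Web.config side of the steps above, as an added example that is not part of the original slides. The forms name and loginUrl are the slide's own values; the remaining forms attributes and the httpCookies element are additions that harden the authentication cookie, which the comparison slide lists as the weakness of this method.

```xml
<?xml version="1.0"?>
<!-- Added example, not from the original slides. Web.config for forms-based
     authentication: IIS stays on Anonymous so that ASP.NET, not IIS, performs the logon. -->
<configuration>
  <system.web>
    <authentication mode="Forms">
      <!-- name and loginUrl are the slide's values. The other attributes harden the ticket:
           protection="All"        ticket is encrypted and integrity-checked (the default)
           requireSSL="true"       cookie gets the Secure flag, so it is never sent over plain HTTP
           timeout (minutes)       limits how long a captured ticket remains valid
           slidingExpiration       renews the ticket on activity instead of forcing a new logon
           cookieless="UseCookies" never carries the ticket in the URL, where it would leak
                                   through Referer headers and server logs -->
      <forms name=".namesuffix"
             loginUrl="login.aspx"
             protection="All"
             requireSSL="true"
             timeout="30"
             slidingExpiration="true"
             cookieless="UseCookies" />
    </authentication>

    <!-- Deny anonymous users ("?"): ASP.NET redirects them to loginUrl with ReturnUrl set.
         login.aspx itself is exempt from this rule, or nobody could reach the logon form. -->
    <authorization>
      <deny users="?" />
    </authorization>

    <!-- HttpOnly keeps script on the page from reading the cookie; requireSSL here applies
         the Secure flag to every cookie the application sets, not only the ticket. -->
    <httpCookies httpOnlyCookies="true" requireSSL="true" />
  </system.web>
</configuration>
```

With requireSSL="true" the ticket is only ever sent to the site over HTTPS, so the site also needs the SSL certificate from the earlier slide; over plain HTTP the logon succeeds but the browser never returns the cookie, and the user loops back to the logon page.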

Creating a Logon Page
- Reference System.Web.Security
- The logon page verifies and checks the credentials of a user
- Reading user credentials from a cookie
  - User.Identity.Name returns the value saved by FormsAuthentication.RedirectFromLoginPage

  Visual Basic .NET:
    Sub cmdLogin_Click(s As Object, e As EventArgs)
        ' login() is the application's own credential check (not shown on the slide)
        If login(txt .Text, txtPassword.Text) Then
            ' False: issue a session cookie rather than a persistent one
            FormsAuthentication.RedirectFromLoginPage(txt .Text, False)
        End If
    End Sub

  C#:
    private void cmdLogin_Click(object sender, EventArgs e)
    {
        // login() is the application's own credential check (not shown on the slide)
        if (login(txt .Text, txtPassword.Text))
            // false: issue a session cookie rather than a persistent one
            FormsAuthentication.RedirectFromLoginPage(txt .Text, false);
    }

Demonstration: Using Forms-Based Authentication
- Open IIS and configure it for Anonymous authentication
- Open Web.config and configure it for authentication and authorization
- Open the logon page and show the code
- Run the ASP.NET Web application
  - Students can access the secure ASP.NET Web application on the Instructor machine

Lesson: Overview of Microsoft Passport Authentication
- How Microsoft Passport Works
- Other Microsoft Passport Resources

How Microsoft Passport Works
[Diagram: Client, Website.msft, Passport.com]
1. The client requests a page from the host
2. The site redirects the client to Passport.com
3. The client is redirected and logs on to Passport.com
4. Passport returns a cookie with the ticket information
5. The client accesses the host, this time with the ticket information
6. The host returns a Web Form and possibly a new cookie that it can read and write

DEMO
- Run in IE:
  - Lesson04.2_Authentiaction.swf
  - Lesson04.2_form base authentication demo.swf