The .NET Runtime and IIS
Presented by Chris Dickey – cdickey.net consulting
Topics
  Installing the .NET runtime
  The role of IIS as the application server
  .NET Remoting and Web Services
  How the .NET runtime works with IIS 5.0
  Significance of the HTTP Pipeline
  Security
  What's coming with IIS 6.0
Installing the .NET Runtime
  ownloads/default.asp
  Windows Update Service
  .NET Runtime
  .NET SDK + Runtime
  Visual Studio .NET
IIS is the Application Server
  Static pages
  ISAPI
  ASP
  ASP.NET
  Web Services
  Remoting
  Connection point to SQL Server
ASP.NET Web Pages
  What most people think of as ASP.NET
  Compiled web pages
  Huge advance over the previous ASP version
  Lots of well-known features
Web Services
  Communication between diverse systems
  SOAP packets transported over the HTTP and SMTP protocols
  Application connectivity protocol
  IIS is the client connection point
  Takes advantage of the HTTP Runtime
.NET Remoting
  Replacement for DCOM, tailored for .NET-to-.NET communication
  Can be hosted by the ASP.NET runtime
  Takes advantage of the HTTP Runtime
.NET compatibility and interoperability
  ASP.NET coexists with IIS 5.0 and classic ASP
  Runs in a separate process (aspnet_wp.exe)
  Doesn't use the registry
  Requests are routed through IIS to the ASP.NET ISAPI extension
  ASP and ASP.NET can't share session state: they are two separate systems
IIS 5.0 and ASP.NET Runtime
HTTP Pipeline
  General-purpose framework for server-side HTTP programming
  Foundation for ASP.NET pages, Web Services, Remoting
  HttpModules: see every request to the application and hook the pipeline events
  HttpHandlers: the endpoint that produces the response for a mapped path
  HttpContext, HttpContext.User
  ISAPI counterpart: HTTP_FILTER_CONTEXT
ASP.NET Request Processing (diagram)
  Native code: Application Host (IIS)
  .NET code: ASP.NET Runtime -> HTTP Module / Global.asax -> HTTP Handler (ASP.NET page or ASP.NET service), with the Http Context available throughout
Configuration Files / Accounts
  XML configuration files, case sensitive
  Readable by all authenticated users on the server by default (ASP.NET refuses to serve *.config over HTTP, but a local account can open the file), so keep cleartext passwords and connection strings out of them
  machine.config
  web.config
    Applied at machine, site, application and folder levels; a lower level overrides what it inherits from above
  Accounts involved: SYSTEM, ASPNET, IUSR_<machinename>, IWAM_<machinename>
Demo
  Run a .NET app with a custom HttpHandler
  Show the IIS 5.0 configuration
  Show the aspnet_wp.exe process: only one, shared by every ASP.NET application on the box
  *.config files
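The demo's HttpHandler together with an HttpModule that hooks the pipeline events from the HTTP Pipeline slide, as an added example in C# (this is not the presenter's demo code). The assembly name PipelineDemo, the .rpt extension and the X-Pipeline-Ms header are assumptions made for the illustration.

```csharp
using System;
using System.Web;

// Added example (not from the presentation). Assumes the two classes are
// compiled into an assembly named PipelineDemo in the application's bin folder,
// that IIS maps the hypothetical ".rpt" extension to aspnet_isapi.dll in its
// script map, and that web.config registers them:
//
//   <httpHandlers>
//     <add verb="GET" path="*.rpt" type="PipelineDemo.ReportHandler, PipelineDemo" />
//   </httpHandlers>
//   <httpModules>
//     <add name="Timing" type="PipelineDemo.TimingModule, PipelineDemo" />
//   </httpModules>
//
// Without the IIS script map, IIS serves *.rpt itself as a static file and
// ASP.NET (modules and authentication included) never sees the request.
namespace PipelineDemo
{
    // An HttpHandler is the endpoint of the pipeline: ProcessRequest runs once
    // per request for the paths the handler is mapped to.
    public class ReportHandler : IHttpHandler
    {
        public void ProcessRequest(HttpContext context)
        {
            // HttpContext.User was populated earlier in the pipeline by the
            // authentication module (Windows, Forms, ...); anonymous callers
            // arrive with an unauthenticated identity.
            string who = (context.User != null && context.User.Identity.IsAuthenticated)
                ? context.User.Identity.Name : "anonymous";

            context.Response.ContentType = "text/plain";
            context.Response.Write("Report requested by " + who + "\r\n");
            context.Response.Write("Path: " + context.Request.Path + "\r\n");
        }

        // Stateless, so the runtime may reuse one instance across requests.
        public bool IsReusable { get { return true; } }
    }

    // An HttpModule sees every request to the application, before and after
    // the handler runs, by subscribing to HttpApplication events in Init.
    public class TimingModule : IHttpModule
    {
        public void Init(HttpApplication app)
        {
            app.BeginRequest += new EventHandler(OnBeginRequest);
            app.EndRequest   += new EventHandler(OnEndRequest);
        }

        private void OnBeginRequest(object sender, EventArgs e)
        {
            HttpApplication app = (HttpApplication)sender;
            // HttpContext.Items is per-request storage shared by modules and handler.
            app.Context.Items["PipelineDemo.Start"] = DateTime.Now;
        }

        private void OnEndRequest(object sender, EventArgs e)
        {
            HttpApplication app = (HttpApplication)sender;
            object start = app.Context.Items["PipelineDemo.Start"];
            if (start == null) return;
            TimeSpan elapsed = DateTime.Now - (DateTime)start;
            app.Response.AppendHeader("X-Pipeline-Ms",
                elapsed.TotalMilliseconds.ToString("F1"));
        }

        public void Dispose() { }
    }
}
```

Request /reports/today.rpt after deploying the assembly and the config entries: the module stamps the start time in BeginRequest, the handler writes the body, and EndRequest appends the timing header. Request the same file with the script map removed and IIS returns the raw file contents without the header, which is the "only receives requests for mapped content" point from the Authentication slide.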
Security Services
  ASP.NET support for authentication and authorization
  Extensible and customizable
  Authentication scheme transparency: application code sees an IPrincipal regardless of how the user was authenticated
  Simple deployment model
  Support for granular declarative and imperative authorization
  Uses CLR evidence-based security
  Supports application-layer security
Flow of Security
Process Identity
  Windows 2000: default is the ASPNET account
    Can also run as SYSTEM or as a configured account via the <processModel> element in machine.config; SYSTEM hands any compromised page full control of the server, so use the least-privileged account that works
  Windows .NET Server
    Uses the IIS 6 process model
    Default is NetworkService
    Application pools are configurable, and each pool's identity is configurable
HTTP Pipeline
Authentication
  ASP.NET is an ISAPI extension
    It only receives requests for content mapped to it in the IIS script map; unmapped files (.htm, .txt, .xml) are served by IIS directly and never pass through ASP.NET authentication or authorization
  Windows authentication (via IIS): Basic, Digest, NTLM, Kerberos, IIS certificate support
  Forms-based (cookie) authentication: the application verifies the credentials
  Supports Microsoft Passport authentication
  Custom authentication
Forms-Based Auth
  Easy to implement; ASP.NET provides the redirection to the login page and back
  Steps
    Configure IIS to allow anonymous users (typically)
    Use SSL! Otherwise both the posted password and the .ASPXAUTH cookie cross the wire in the clear
    Configure ASP.NET cookie authentication in web.config
    Write your login page
How It Works: Forms Authentication (sequence diagram: Web Browser, IIS/ASP.NET, SQL/AD)
  1. GET default.aspx HTTP/1.1
  2. HTTP/1.1 302 Redirect, Location: login.aspx
  3. POST credentials from the login page
  4. Application authenticates the user against SQL/AD
  5. HTTP/1.1 200 OK, Set-Cookie: .ASPXAUTH (auth ticket)
  6. GET default.aspx HTTP/1.1, Cookie: .ASPXAUTH (auth ticket)
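The four steps on the Forms-Based Auth slide carried through as one added C# example (not code from the presentation): the web.config that turns on cookie authentication, and the login page code-behind that verifies credentials and issues the .ASPXAUTH ticket. The control names, the CredentialStore class and its two sample accounts are assumptions standing in for the SQL/AD lookup.

```csharp
using System;
using System.Collections;
using System.Web;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.WebControls;

// Added example (not from the presentation). Assumes this web.config for the
// application root, which turns on cookie authentication and denies anonymous
// ("?") users everywhere except the login page ASP.NET redirects to:
//
//   <configuration>
//     <system.web>
//       <authentication mode="Forms">
//         <forms name=".ASPXAUTH" loginUrl="login.aspx" protection="All" timeout="30" path="/" />
//       </authentication>
//       <authorization>
//         <deny users="?" />
//       </authorization>
//     </system.web>
//   </configuration>
//
// IIS itself stays on anonymous access; ASP.NET, not IIS, does the authentication.
// protection="All" encrypts and MACs the ticket, but the cookie still crosses the
// wire in the clear unless the site is served over SSL.

// Code-behind for login.aspx, assumed to contain TextBox controls named
// UserName and Password, a Label named Message, and a Button wired to
// LoginButton_Click.
public class LoginPage : Page
{
    protected TextBox UserName;
    protected TextBox Password;
    protected Label   Message;

    protected void LoginButton_Click(object sender, EventArgs e)
    {
        if (!CredentialStore.Verify(UserName.Text, Password.Text))
        {
            Message.Text = "Login failed.";   // same message for unknown user and wrong password
            return;
        }

        // Step 5 of the sequence: issue the .ASPXAUTH ticket as a session cookie
        // (persistent = false), then send the browser back where it was going.
        string returnUrl = Request.QueryString["ReturnUrl"];
        if (returnUrl != null && returnUrl.StartsWith("/") && !returnUrl.StartsWith("//"))
        {
            // ReturnUrl comes from the query string and is attacker-influenced;
            // only follow it when it stays inside this site.
            FormsAuthentication.RedirectFromLoginPage(UserName.Text, false);
        }
        else
        {
            FormsAuthentication.SetAuthCookie(UserName.Text, false);
            Response.Redirect("default.aspx");
        }
    }
}

// Stands in for the SQL/AD box in the diagram (step 4). Passwords are held as
// SHA1 hashes; a real store should add a per-user salt.
public class CredentialStore
{
    // Constructed sample data: alice / "s3cret!" and bob / "hunter2".
    private static readonly Hashtable users = new Hashtable();

    static CredentialStore()
    {
        users["alice"] = FormsAuthentication.HashPasswordForStoringInConfigFile("s3cret!", "SHA1");
        users["bob"]   = FormsAuthentication.HashPasswordForStoringInConfigFile("hunter2", "SHA1");
    }

    public static bool Verify(string user, string password)
    {
        if (user == null || password == null) return false;
        string stored = users[user.ToLower()] as string;
        if (stored == null) return false;
        string supplied = FormsAuthentication.HashPasswordForStoringInConfigFile(password, "SHA1");
        return string.Compare(stored, supplied, true) == 0;
    }
}
```

With the <deny users="?"/> rule in place, the first GET of default.aspx is step 1 of the diagram and ASP.NET answers with the 302 to login.aspx?ReturnUrl=/default.aspx; after a successful POST the browser holds the .ASPXAUTH cookie and the repeat GET in step 6 reaches the page.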
Custom Web Authentication
  Handle the AuthenticateRequest event
    At application level (global.asax), or
    In an Http Module (implement IHttpModule)
  Scenarios:
    Custom SOAP authentication, e.g. an application-defined scheme based on SOAP headers
    Forms authentication for mobile devices without cookies
    Customizing forms authentication
Authorization Strategies
  Windows security and ACLs
    File ACLs are checked for Windows-authenticated users, independent of impersonation
  COM+ roles
  URL authorization (the <authorization> section of web.config)
  Custom authorization
  Windows .NET Server AuthZ framework
  Explicit imperative/declarative checks in code
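URL authorization beside the declarative and imperative checks from the last bullet, as an added C# example (not from the presentation). The role names Managers and Clerks, the /admin path and the PayrollService class are assumptions for the illustration.

```csharp
using System;
using System.Security;
using System.Security.Permissions;
using System.Security.Principal;
using System.Web;

// Added example (not from the presentation). Three layers a page can combine:
// URL authorization from web.config, a declarative PrincipalPermission on a
// method, and an imperative IsInRole check. Role names and paths are assumed.
//
// URL authorization is evaluated by UrlAuthorizationModule during
// AuthorizeRequest, before any page code runs:
//
//   <location path="admin">
//     <system.web>
//       <authorization>
//         <allow roles="Managers" />
//         <deny users="*" />
//       </authorization>
//     </system.web>
//   </location>
//
// With Windows authentication the role names are Windows/AD groups
// (e.g. roles="BUILTIN\Administrators"); with a custom principal they are
// whatever its IsInRole answers true for.
public class PayrollService
{
    // Declarative: the CLR demands the role before the method body runs.
    // PrincipalPermission tests Thread.CurrentPrincipal, which ASP.NET sets to
    // HttpContext.User once AuthenticateRequest has finished, so the principal
    // installed by the authentication module is the one being checked.
    [PrincipalPermission(SecurityAction.Demand, Role = "Managers")]
    public decimal ApproveRaise(string employee, decimal amount)
    {
        return amount;   // business logic would go here
    }

    // Imperative: the same kind of demand, decided at run time. Here the rule
    // depends on the amount, which an attribute cannot express.
    public decimal SubmitRaise(IPrincipal caller, string employee, decimal amount)
    {
        if (caller == null || !caller.Identity.IsAuthenticated)
            throw new SecurityException("authentication required");

        string needed = amount > 1000m ? "Managers" : "Clerks";
        if (!caller.IsInRole(needed))
            throw new SecurityException("role " + needed + " required for this amount");

        return amount;
    }
}

// Usage from a page or handler. A failed demand, declarative or imperative,
// surfaces as SecurityException; catch it or let the error page handle it.
public class PayrollDemo
{
    public static string Run()
    {
        IPrincipal clerk = new GenericPrincipal(
            new GenericIdentity("bob", "Demo"), new string[] { "Clerks" });
        PayrollService svc = new PayrollService();

        svc.SubmitRaise(clerk, "alice", 500m);      // allowed: Clerks may submit small raises
        try
        {
            svc.SubmitRaise(clerk, "alice", 5000m); // denied: needs Managers
            return "unexpected";
        }
        catch (SecurityException ex)
        {
            return ex.Message;                      // "role Managers required for this amount"
        }
    }
}
```

Calling ApproveRaise from a request whose HttpContext.User lacks the Managers role throws before the method body runs, whatever the page code does; that is the property that makes declarative checks easy to audit. The imperative form is the one to reach for when the decision depends on request data.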
Web Apps: Custom Roles
  Handle the authentication event
  Replace HttpContext.User with a custom IPrincipal or GenericPrincipal

    // global.asax: runs once per request after IIS has authenticated the caller
    public void WindowsAuthentication_OnAuthenticate(object src, WindowsAuthenticationEventArgs e)
    {
        // replace the HttpContext principal with one that carries application roles
        e.Context.User = new MyPrincipal(e.Identity);
    }
Use Custom Roles
  The application defines the roles
  Strategies:
    Define Windows/AD groups and use WindowsPrincipal
    Use GenericPrincipal or your own IPrincipal

    // System.Security.Principal.IPrincipal
    public interface IPrincipal
    {
        IIdentity Identity { get; }
        bool IsInRole(string role);
    }
Custom Web Authorization
  Handle the AuthorizeRequest event
    At application level (global.asax), or
    In an Http Module (implement IHttpModule)
  Scenarios:
    Implement a per-request billing system
    Restrict access based on business rules
    Restrict access based on dynamic behavior (e.g. a per-day access limit)
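The Custom Web Authentication, Custom Roles and Custom Web Authorization slides combined into one HttpModule, as an added C# example (not from the presentation): AuthenticateRequest turns a credential into a GenericPrincipal with application roles, and AuthorizeRequest applies a role rule and the per-day access limit. Assumptions: clients send an X-Api-Key header (a stand-in for the SOAP-header scheme, which would need the request body parsed instead), the key table is constructed sample data, and the assembly is named AuthDemo.

```csharp
using System;
using System.Collections;
using System.Security.Principal;
using System.Web;

// Added example (not from the presentation). One module handling both the
// AuthenticateRequest and AuthorizeRequest events. The X-Api-Key header, the
// AuthDemo assembly name and the sample keys below are assumptions.
// Registered in web.config with:
//
//   <httpModules>
//     <add name="ApiKeyAuth" type="ApiKeyAuthModule, AuthDemo" />
//   </httpModules>
public class ApiKeyAuthModule : IHttpModule
{
    // Constructed sample: api key -> user name and application roles.
    private static readonly Hashtable keys = new Hashtable();
    // Per-user request counter for the per-day limit. In-process only, so it
    // resets whenever aspnet_wp.exe restarts and is not shared across a web farm.
    private static readonly Hashtable hits = new Hashtable();
    private static DateTime counterDay = DateTime.Today;
    private const int DailyLimit = 3;   // deliberately tiny so the limit is easy to hit in a test

    static ApiKeyAuthModule()
    {
        keys["k-alice-7f3a"] = new Account("alice", new string[] { "Users", "Reports" });
        keys["k-bob-91c2"]   = new Account("bob",   new string[] { "Users" });
    }

    public void Init(HttpApplication app)
    {
        app.AuthenticateRequest += new EventHandler(OnAuthenticateRequest);
        app.AuthorizeRequest    += new EventHandler(OnAuthorizeRequest);
    }

    // Authentication: turn the credential into a principal, or leave the
    // request anonymous. Nothing is denied here; that is authorization's job.
    private void OnAuthenticateRequest(object sender, EventArgs e)
    {
        HttpApplication app = (HttpApplication)sender;
        Account acct = Authenticate(app.Request.Headers["X-Api-Key"]);
        if (acct != null)
            app.Context.User = new GenericPrincipal(
                new GenericIdentity(acct.Name, "ApiKey"), acct.Roles);
    }

    // Authorization: business rules evaluated against whoever the principal is.
    private void OnAuthorizeRequest(object sender, EventArgs e)
    {
        HttpApplication app = (HttpApplication)sender;
        int status = Authorize(app.Context.User, app.Request.Path);
        if (status != 200)
        {
            app.Response.StatusCode = status;
            app.CompleteRequest();   // skip the handler; EndRequest still fires
        }
    }

    // The rules are kept in static functions so they can be exercised outside IIS.
    public static Account Authenticate(string apiKey)
    {
        if (apiKey == null) return null;
        return keys[apiKey] as Account;
    }

    public static int Authorize(IPrincipal user, string path)
    {
        if (user == null || !user.Identity.IsAuthenticated) return 401;
        if (path.ToLower().StartsWith("/reports/") && !user.IsInRole("Reports")) return 403;
        return WithinDailyLimit(user.Identity.Name) ? 200 : 403;
    }

    private static bool WithinDailyLimit(string userName)
    {
        lock (hits)
        {
            if (DateTime.Today != counterDay) { hits.Clear(); counterDay = DateTime.Today; }
            int n = hits.ContainsKey(userName) ? (int)hits[userName] : 0;
            if (n >= DailyLimit) return false;
            hits[userName] = n + 1;
            return true;
        }
    }

    public void Dispose() { }

    public class Account
    {
        public readonly string Name;
        public readonly string[] Roles;
        public Account(string name, string[] roles) { Name = name; Roles = roles; }
    }
}
```

A request with no key gets 401 from AuthorizeRequest; bob's key reaches /reports/ and gets 403 because his principal lacks the Reports role; alice's fourth request of the day gets 403 from the counter. The same GenericPrincipal also satisfies URL authorization and PrincipalPermission demands, because both only ask IsInRole.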
Internet Information Services 6
  Complete rearchitecture
  Kernel-mode HTTP listener
  Web server security lockdown wizard
  Worker process application pools
IIS 6.0 Architecture
IIS 6.0 Application Pools
IIS 6.0 Process Recycling
References
  MSDN Magazine, September 2002
  Keith Brown: portals.devx.com/SummitDays/Article/6666
  Tim Ewald: msdn.microsoft.com/msdnmag/issues/02/09/HTTPPipelines/default.aspx
  Technical Overview of IIS s.mspx
  Windows .NET Server Devcon