Ins and Outs of Authenticating Users Requests to IIS 6.0 and ASP.NET Chris Adams Program Manager IIS Product Unit Microsoft Corporation
Agenda Introduction to Authentication Diving into Authentication Types Anonymous Access Basic Authentication Windows Authentication Digest & Advanced Digest Authentication ASP.NET 2.0 Forms Authentication
Introduction to Authentication How authentication works in IIS Anonymous Basic Digest Kerberos NTLM Server Core Request enters server core Server core forwards to anonymous provider. IIS builds path (w3svc/1/root) and verifies if anonymous is enabled. Yes: Provide path and Anon.users token to authorization manager No: IIS passes the path to each provider to determine if path has that provider enabled. Each provider that is enabled returns to Server core the appropriate header.
Anonymous Authentication Anonymous Account: Role of IUSR Is automatically added during setup to the systems Guests group The IUSR account is intrinsically provided Read access to all folders as a member of the Guests group Also used by MS FTP server for anonymous authentication IIS Sub-authentication Avoids password synchronization problems
Anonymous Authentication (2) Define IIS's Sub-authenticator “Allow IIS to Control Password” = SubAuth is being Used What component is IIS SubAuth? Why does it exist? Avoids password synchronization problems Security Concerns: Must run in-process (Inetinfo) Must run as LocalSystem Default on IIS 4.0, 5.0, and 5.1 Not the default on IIS 6.0
Anonymous Authentication (3) Is IIS Sub-Authentication enabled? This checked enables IIS Sub-Authentication in IIS 4, 5, and 5.1. This does not exist in IIS 6.0 IIS Manager. Must be done manually.
Anonymous Authentication (4) Metabase Properties Two Secure Properties: Anonymoususername : (STRING) "IUSR_CA-MAIN“ anonymoususerpass : (STRING) "**********" Token obtained at startup of w3svc service for IUSR_MachineName Both properties must contain correct information on user account and password when sub-auth disabled If not correct, a results Use Event Viewer Security log to track failures Can be customize at the site or virtual directory level
Watching IIS Sub- Authentication in action Chris Adams Program Manager IIS Product Unit
Basic Authentication Limitations and Risks of Basic “Clear Text Passwords” – Base64 Encoded Advantages RFC backed (RFC 2617) Supports proxies Wide browser support Good authentication when combined with SSL Disadvantages Requires a Windows account Very insecure if not protected with Secure Socket Layer (SSL) Password sent directly on the wire (encoded) allows administrators to decrypt if desired (less secure)
Decoding Basic Authentication Chris Adams Program Manager IIS Product Unit
Introduction… “Negotiate” Kerberos NTLM “Negotiate” is a wrapper for these two protocols
Introduction to Integrated Authentication MetaBase Property: AuthNTLM Internet Explorer prefers Integrated over Basic when each is enabled on path NTAuthenticationProvider s has no UI support. Must use adsutil or Metabase Explorer.
Introduction to Integrated Authentication How the appropriate integrated authentication is determined? AuthNTLM NO Yes NTAuthenticationProviders NegotiateNTLM Access Denied
Dynamics of NTLM Connection Oriented Same Connection always used per request HTTP Keep-Alives Required Understanding Auth Dialog Boxes NTLM, by default, doesn’t prompt NTLM may prompt if original request fails with NTLM’s use of Domain\Username\Password Domain and Username are always shared over the wire between client and server Password is never – Always uses Hash of password Authentication Header includes: Domain\Username\HashedPassword
Dynamics of NTLM: Security Why is NTLM authentication secure? Hash Algorithm of password is unknown when hackers monitor the HTTP requests on the wire If connections are broke, manipulated (by proxies), then NTLM fails Versions: Lan Manager – Windows 95 NTLM v1 – NT 4.0 NTLM v2 – Windows 2000 / 2003
Work… Get /Default.HTM Get /Default.HTM w/ AuthNTLM Get /Default.HTM w/ AuthNTLM Hashed 401 – WWW Auth: NTLM OK 401 – Access Denied Client IIS Server
Dynamics of NTLM NTLM at work… (previous slide) 1.IE Client requests a IIS resource (Anon) 2.IIS returns 401 with WWWAuthenticate Header saying NTLM 3.IE submits new request for a IIS resource with NTLM Authentication header (username) 4.IIS uses NT Authentication Header to build secret key and sends 401 with key back to client 5.IE submits new request for a IIS resource with NTLM Authentication header (username\password\hash of password) 6.IIS checks username\password\hash and matches, return 200 OK –or Login failed (IE prompts)
Dynamics of Kerberos Why create another authentication protocol? NTLM limitations NTLM Tokens cannot be delegated NTLM is proprietary and only supported by Windows platform NTLM has limited support out of the box... (other browsers) Is Negotiate a new protocol? No, it is just a wrapper that allows either Kerberos or NTLM authentication based on client request
Dynamics of Kerberos Key Terms of Negotiate Client: Internet Explorer Server: IIS Server that is member of Active Directory Domain Active Directory: Key Distribution Center (KDC) for all clients Ticket Granting Service: Issues all tickets (aka tokens)
Dynamics of Negotiate The IIS server is started and when the server authenticates to domain (aka KDC) it receives it ticket. Ticket Granting Services Domain Controller (KDC) Client IIS Server
Work… I need a ticket for The following service (aka HTTP\HOST) If Service located in KDC, Secret Key shared with Client Initial Client request for IIS resource anonymously The Server esponse is 401 – WWWAuth Header for Negotiate Using key provided, Client creates hash (key) and sends IIS IIS uses secret key and verifies that password matches Shared Client Domain Controller (KDC) IIS Server
Modifying Integrated & Locking down NTLM Chris Adams Program Manager IIS
Digest Authentication What is digest authentication? Limitation and Risks of Digest Requirement of Digest IIS Sub-Auth (iissuba - LocalSystem) Active Directory Password stored in AD with Reversible Encryption Platforms available Windows 2000 Windows 2003
Advanced Digest What is advanced digest authentication? Requirements of Adv. Digest 2003 Active Directory Forest required Hash Pre-Compiled at User Creation Strictly RFC Compliant Platforms available Determining which digest is being used? More details on Digest and Adv. Digest Authentication: ort/webcasts.mspx ort/webcasts.mspx
ASP.NET Forms Authentication Developer Driven Authentication. Does not use windows authentication. Advantage: You can easily support your existing user base. i.e. Novell, AS400
ASP.NET uses IIS’s authentication token when the authentication is set to “Windows” ASP.NET Forms Authentication Setup: ASP.NET implements forms authentication when selected and uses the provider specified
Session Summary There are a lot of variables that go into authentication in IIS Understanding how IIS Sub-Authentication works is key to two authentication types: Anonymous and Digest Basic authentication is commonly supported by browsers, but is insecure without encryption technology Integrated authentication is complex and difficult to troubleshoot without knowing key metabase properties such as NTAuthenticationProviders
© 2005 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.