Microsoft ASP.NET Security
Venkat Chilakala, Support Professional, Microsoft Corporation
Agenda
- Introduction
- Security flow for a request
- Authentication
- Authorization
- Role-based security
- Impersonation
- FAQ
- Questions and answers
Security Flow for a Request (ASP)
Security Flow for a Request (ASP.NET)
Authentication Defined
- Authentication in ASP
- Authentication in ASP.NET
  - IIS authentication
  - ASP.NET authentication
  - ASP.NET authentication providers: Forms, Windows, Passport, Default (mode "None"), and Custom
Forms Authentication
- Uses a cookie to authenticate: after the user logs on, ASP.NET issues an authentication ticket in a cookie, and every later request is authenticated by that cookie alone. The cookie is a bearer token, so anyone who captures it is that user until the ticket expires.
- Use SSL for the logon page, and preferably for every page that carries the cookie; otherwise the password is protected at logon but the ticket is exposed on each subsequent request.
- Often used for personalization and for sites whose users do not have Windows accounts.
Forms Authentication Flow
Forms Authentication Configuration
1. Enable anonymous access in IIS (IIS must let the request through so that ASP.NET can authenticate it).
2. Configure the <authentication> section: set mode to "Forms" and add the <forms> section.
3. Configure the <authorization> section: deny access to anonymous users (users="?").
4. Create the logon page:
   - validate the user's credentials,
   - provide the authentication cookie,
   - redirect the user to the originally requested page.
<forms> Section Attributes
- loginUrl: unauthenticated requests are redirected to this page
- name: name of the authentication cookie
- path: path of the authentication cookie (browsers compare cookie paths case-sensitively, which is why "/" is the safe default)
- protection: All | None | Encryption | Validation. "All" both encrypts the ticket and appends a MAC; leave it at All. "None" lets the client read and forge the ticket, and "Encryption" without validation leaves it unauthenticated, so it can be tampered with.
- timeout: authentication cookie expiration time in minutes

    <authentication mode="Forms">
      <forms name=".ASPXAUTH" loginUrl="login.aspx" protection="All" timeout="30" path="/" />
    </authentication>
Forms Authentication Code

    ' Authenticate() checks the name and password against the <credentials>
    ' element in web.config; swap in your own lookup for a user database.
    If FormsAuthentication.Authenticate(txtUserName.Value, txtUserPass.Value) Then
        ' Issue the ticket cookie (persistent if checked) and go to ReturnUrl.
        FormsAuthentication.RedirectFromLoginPage(txtUserName.Value, _
            chkPersistCookie.Checked)
    Else
        ' Failed logon: return to the logon page configured as loginUrl.
        Response.Redirect("login.aspx", False)
    End If
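The configuration steps, the <forms> attributes and the Authenticate() call above fit together as one web.config. The following file is an added example (not from the webcast) that assumes ASP.NET 1.1, because requireSSL and slidingExpiration were introduced in that version; the account "alice" and its SHA-1 hash of the word "password" are constructed for illustration.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <!-- ASP.NET does the authentication, so IIS must allow anonymous access. -->
    <authentication mode="Forms">
      <!-- protection="All": ticket is encrypted AND MAC'd (the default; never lower it).
           requireSSL and slidingExpiration exist from ASP.NET 1.1 onward;
           requireSSL="true" marks the cookie Secure and refuses to issue it over HTTP. -->
      <forms name=".ASPXAUTH"
             loginUrl="login.aspx"
             protection="All"
             timeout="30"
             path="/"
             requireSSL="true"
             slidingExpiration="false">
        <!-- Store consulted by FormsAuthentication.Authenticate(). Hashes are
             unsalted SHA-1 (FormsAuthentication.HashPasswordForStoringInConfigFile),
             so this suits a handful of administrative accounts only; keep real
             user populations in a database. "alice" / hash of "password" are constructed. -->
        <credentials passwordFormat="SHA1">
          <user name="alice" password="5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8" />
        </credentials>
      </forms>
    </authentication>
    <!-- Deny anonymous users everywhere; FormsAuthenticationModule redirects them to loginUrl. -->
    <authorization>
      <deny users="?" />
      <allow users="*" />
    </authorization>
  </system.web>
  <!-- The logon page itself must stay reachable by anonymous users,
       otherwise the redirect to loginUrl loops. -->
  <location path="login.aspx">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

With requireSSL="true" a logon attempt over plain HTTP fails by design, so a development site without a certificate needs it set to "false" there and "true" in production.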
Windows Authentication
- ASP.NET relies on IIS to authenticate the user, using whichever IIS methods are enabled: Basic, Digest, Integrated Windows (NTLM or Kerberos), and so forth.
- Easiest of all to set up, because ASP.NET simply picks up the identity IIS already established (a WindowsIdentity in a WindowsPrincipal).
- Request flow:
  1. Client makes the request.
  2. IIS authenticates the request and forwards it to ASP.NET.
  3. Impersonation turned on? If so, ASP.NET runs the request as the authenticated user; otherwise as the worker process identity.
  4. ASP.NET returns the response to the client.
Windows Authentication Configuration
- Set mode to "Windows"
- Configure the <authorization> section
Example:

    <authentication mode="Windows" />
    <authorization>
      <deny users="?" />   <!-- anonymous requests get 401, which makes IIS authenticate -->
      <allow users="*" />
    </authorization>
Passport Authentication
- Single sign-in across member sites
- Includes user profile services
- Integrated into ASP.NET authentication (PassportAuthenticationModule)
- Scenarios:
  - You don't want to maintain a database of users
  - You want to provide personalized content
  - You need to provide single-sign-in capabilities
- More details at
(The Passport service has since been retired and the Passport module and PassportIdentity are marked obsolete in later versions of the .NET Framework, so treat this slide as historical.)
Passport Authentication Configuration
What you need:
- Install the Passport SDK
- Register with Microsoft Passport
- Set mode to "Passport"
- Configure the <passport> section (redirectUrl is either "internal", meaning the Passport sign-in page, or a URL of your own page to redirect unauthenticated users to)
Example:

    <authentication mode="Passport">
      <passport redirectUrl="internal|url" />
    </authentication>
Default and Custom Authentication
Why use default authentication (mode="None")?
- Increases performance: ASP.NET loads no authentication module, so no per-request ticket or cookie processing takes place.
- Lets you perform custom authentication in your own code.
Configuration: set mode to "None".
Example:

    <authentication mode="None" />

Caveat: with mode="None", ASP.NET itself authenticates nobody. Context.User holds an empty GenericPrincipal unless your own code assigns one, so <authorization> rules and User.IsInRole have no identity to match, even if IIS authenticated the request (that identity is then only visible through Request.ServerVariables("LOGON_USER")).
Custom Authentication
- Handle the AuthenticateRequest event, either at application level (global.asax) or in an HTTP module (implement IHttpModule), and assign the principal you build to Context.User.
- Scenarios:
  - Custom authentication using munged URLs (a logon token carried in the URL instead of a cookie) for Web applications. A token in the URL ends up in proxy logs, browser history and Referer headers, so it needs the same protection and expiry as a cookie ticket, and SSL.
  - Customizing forms authentication
Authorization
Process of determining whether an authenticated user is allowed to perform a requested action.
- File-based authorization
  - Performed by FileAuthorizationModule
  - Performs checks against the Windows ACLs of the requested file, using the authenticated user's Windows token; it therefore applies only with Windows authentication, where the user has a WindowsIdentity.
- URL-based authorization
  - Performed by UrlAuthorizationModule
  - Positive and negative assertions (<allow> and <deny>)
  - Can selectively allow or deny access to URI namespaces
- Custom: handle the AuthorizeRequest event at application level (global.asax) or in an HTTP module (implement IHttpModule)
URL Authorization Configuration
- Add an <authorization> section
- Add <allow> and <deny> elements
- Rules are evaluated top to bottom and the first match wins, so put the specific <allow> rules before the catch-all <deny>. If nothing in your web.config matches, the machine-level default (<allow users="*" />) applies, which is why the trailing deny matters.
Example - allow "Admins" or "WebUsers" and deny all others:

    <authorization>
      <allow roles="Admins" />
      <allow roles="WebUsers" />
      <deny users="*" />
    </authorization>
Role-Based Security
What is this? Deciding what an authenticated user may do by the roles (groups) attached to the principal, rather than by individual user name.
- Do not confuse it with MTS and COM+ role-based security, which is configured in the COM+ catalog.
- How does this work?
  - With Microsoft Windows users: roles are Windows groups.
  - With non-Windows users: roles are attached to the principal in code.
Windows Users (Check Roles)

    ' Works with Windows authentication: User is a WindowsPrincipal and
    ' IsInRole checks group membership of the Windows token.
    If User.IsInRole("BUILTIN\Administrators") Then
        Response.Write("You are an Admin")
    ElseIf User.IsInRole("BUILTIN\Users") Then
        Response.Write("You are a User")
    Else
        Response.Write("Invalid user")
    End If
Non-Windows Users (Attach Roles)
- Handle the AuthenticateRequest event
- Create a GenericPrincipal
- Attach roles to the identity
- Assign the new principal to Context.User
Sample (every forms-authenticated user gets the "Admin" role here, purely to show the mechanism; a real application looks the roles up per user):

    ' Needs: <%@ Import Namespace="System.Security.Principal" %>
    Sub Application_AuthenticateRequest(s As Object, e As EventArgs)
        If Not (Context.User Is Nothing) Then
            If Context.User.Identity.AuthenticationType = "Forms" Then
                Dim Roles() As String = {"Admin"}
                ' HttpApplication.User is read-only; assign through the context.
                Context.User = New GenericPrincipal(Context.User.Identity, Roles)
            End If
        End If
    End Sub
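The sample above hard-codes one role. As an added example (C#, not from the webcast) the same pattern generalized to per-user roles: the logon page stores the user's roles in the ticket's UserData, and AuthenticateRequest rebuilds the GenericPrincipal from the ticket on every request, so the roles travel inside the encrypted and MAC'd cookie. LookupRoles and the "alice" account are hypothetical stand-ins for your own user store.

```csharp
// Added example; LookupRoles and the "alice" account are hypothetical placeholders.
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

public class RoleTicketHelper
{
    // Hypothetical user store: roles for an already-validated user name.
    static string[] LookupRoles(string userName)
    {
        if (userName == "alice") return new string[] { "Admins", "WebUsers" };
        return new string[] { "WebUsers" };
    }

    // Call from the logon page after the password has been validated.
    // Builds a ticket whose UserData carries the roles, encrypts and MACs it
    // (per protection="All") and sets the cookie.
    public static void IssueTicket(HttpResponse response, string userName, bool persistent)
    {
        string userData = string.Join("|", LookupRoles(userName));
        FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
            1,                                 // ticket version
            userName,
            DateTime.Now,
            DateTime.Now.AddMinutes(30),       // keep in step with <forms timeout>
            persistent,
            userData,
            FormsAuthentication.FormsCookiePath);

        HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                           FormsAuthentication.Encrypt(ticket));
        cookie.Path = FormsAuthentication.FormsCookiePath;
        cookie.Secure = true;                  // only ever send the ticket over SSL
        if (persistent) cookie.Expires = ticket.Expiration;
        response.Cookies.Add(cookie);
    }

    // Wire up from global.asax:
    //   protected void Application_AuthenticateRequest(object s, EventArgs e)
    //   { RoleTicketHelper.AttachRoles(Context); }
    public static void AttachRoles(HttpContext context)
    {
        IPrincipal user = context.User;
        if (user == null || !user.Identity.IsAuthenticated) return;
        if (user.Identity.AuthenticationType != "Forms") return;

        FormsIdentity formsId = user.Identity as FormsIdentity;
        if (formsId == null) return;

        // FormsAuthenticationModule has already decrypted and MAC-verified the
        // ticket before this event fires, so UserData can be trusted.
        string[] roles = formsId.Ticket.UserData.Length == 0
            ? new string[0]
            : formsId.Ticket.UserData.Split('|');
        context.User = new GenericPrincipal(formsId, roles);
    }
}
```

Because UrlAuthorizationModule calls IPrincipal.IsInRole, the <allow roles="Admins" /> rule from the URL authorization slide works unchanged against this principal. On ASP.NET 2.0 or later also set cookie.HttpOnly = true so script cannot read the ticket.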
Non-Windows Users (Check Roles)

    ' Works once a GenericPrincipal carrying the roles has been assigned
    ' to Context.User in AuthenticateRequest (previous slide).
    If User.IsInRole("Admin") Then
        Response.Write("You are an Administrator")
    Else
        Response.Write("You do not have any role assigned")
    End If
Impersonation Defined
- In ASP, the request is impersonated automatically: the script runs under the identity IIS authenticated (or the IUSR_machine account for anonymous requests).
- In ASP.NET, the developer has more control:
  - You can set it to impersonate automatically (the worker thread takes the token IIS established, which is the anonymous account's token when IIS allows anonymous access).
  - You can set it not to impersonate, that is, use the process identity (the ASPNET account by default on IIS 5, the application pool identity on IIS 6).
- Different ways to impersonate in ASP.NET:
  - The <identity> tag in web.config
  - Code-based impersonation
Impersonation Configuration

    <!-- run as the worker process identity (ASPNET or the application pool account) -->
    <identity impersonate="false" />

    <!-- run as the IIS-authenticated user; with anonymous access this is IUSR_machine -->
    <identity impersonate="true" />

    <!-- run every request as a fixed account -->
    <identity impersonate="true" userName="username" password="password" />

A clear-text password in web.config is readable by anyone who can read the file (source control, backups, other applications on the server). ASP.NET 1.1 lets you keep userName and password encrypted in the registry instead, written with the aspnet_setreg tool and referenced from the attributes, and the account you impersonate should have only the rights the application needs.
Code Impersonation
1. Call the LogonUser API to obtain a token for the target account.
2. Call the ImpersonateLoggedOnUser API (in managed code, WindowsIdentity.Impersonate) to put that token on the current thread.
3. Run the code in the security context of the impersonated user.
4. Call RevertToSelf (WindowsImpersonationContext.Undo) to restore the original identity, in a Finally block so that an exception cannot leave the thread impersonating, and close the token handle.
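The four steps above, carried out through P/Invoke and WindowsIdentity, as an added example (C#, not from the webcast). The account "svc_files", its domain, password and the file path are hypothetical placeholders; real credentials must come from a protected store, never from a literal in code or from web.config in clear text.

```csharp
// Added example; the account, domain, password and path are hypothetical.
using System;
using System.ComponentModel;
using System.IO;
using System.Runtime.InteropServices;
using System.Security.Principal;

public class CodeImpersonation
{
    const int LOGON32_LOGON_INTERACTIVE = 2;
    const int LOGON32_PROVIDER_DEFAULT = 0;

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string lpszUsername, string lpszDomain,
        string lpszPassword, int dwLogonType, int dwLogonProvider, out IntPtr phToken);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr hObject);

    // Reads a file the target account can access, running as that account,
    // and returns its content together with the name the thread ran under.
    public static string ReadFileAs(string user, string domain, string password, string path)
    {
        IntPtr token = IntPtr.Zero;
        WindowsImpersonationContext ctx = null;
        try
        {
            // 1. LogonUser: obtain a primary token for the account.
            //    (On Windows 2000 the calling process needs the SE_TCB_NAME
            //    "act as part of the operating system" privilege; XP/2003 do not.)
            if (!LogonUser(user, domain, password, LOGON32_LOGON_INTERACTIVE,
                           LOGON32_PROVIDER_DEFAULT, out token))
                throw new Win32Exception(Marshal.GetLastWin32Error());

            // 2. ImpersonateLoggedOnUser: Impersonate() puts the token on this thread.
            ctx = new WindowsIdentity(token).Impersonate();

            // 3. Everything here runs in the impersonated security context.
            string runningAs = WindowsIdentity.GetCurrent().Name;
            using (StreamReader reader = new StreamReader(path))
                return runningAs + ": " + reader.ReadToEnd();
        }
        finally
        {
            // 4. RevertToSelf, always, even if step 3 threw; then release the token.
            if (ctx != null) ctx.Undo();
            if (token != IntPtr.Zero) CloseHandle(token);
        }
    }

    // Usage (hypothetical values):
    //   string text = CodeImpersonation.ReadFileAs("svc_files", "CORP", password,
    //                                              @"\\fileserver\share\report.txt");
}
```

The impersonation applies to the current thread only; work handed to another thread runs as the process identity. Because LogonUser returns a primary token that carries the account's network credentials, this is also one of the ways out of the remote-resource "access denied" scenario in the FAQ below.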
Frequently Asked Questions

Q: Request.ServerVariables("LOGON_USER") returns an empty string.
A: With Windows authentication and anonymous access enabled in IIS, IIS never asks the browser for credentials, so there is no logon user. Denying anonymous users in <authorization> makes ASP.NET answer with 401, which causes the browser and IIS to negotiate one of the enabled authentication methods; the retried request then carries a LOGON_USER value:

    <authorization>
      <deny users="?" />   <!-- deny access to anonymous users -->
      <allow users="*" />  <!-- allow all authenticated users -->
    </authorization>
Frequently Asked Questions (2)

Q: "Access denied" for "NT AUTHORITY\SYSTEM" or for "NT AUTHORITY\ANONYMOUS LOGON" when you try to access resources on a remote machine (for example, a remote SQL Server, a remote file system, and so forth).
A: This may occur because your application is running into a delegation scenario (the "double hop"): with Integrated Windows authentication (NTLM) and impersonation, the thread holds an impersonation token that carries no network credentials, so the remote machine sees only an anonymous logon or the server's own account. The solution is to ensure that you have a primary security token when requesting these resources. There are many ways to resolve this, depending on your requirements. One of them is to use Basic authentication for your application (over SSL only, because Basic sends the password in clear text), since the user's password is then available to build a full token. Others are a fixed identity in the <identity> tag, a token obtained with LogonUser in code, or Kerberos delegation.
Frequently Asked Questions (3)

Q: Using Forms authentication for a Web application, how do I allow anonymous access to the default.aspx page but not to the other pages in the same directory?
A: Use the <location> section of web.config: the application-level <authorization> denies anonymous users, and a <location path="default.aspx"> override allows everyone to reach that one page. Example (the override only; the directory-wide deny users="?" must still be present under <system.web>):

    <configuration>
      <location path="default.aspx">
        <system.web>
          <authorization>
            <allow users="*" />
          </authorization>
        </system.web>
      </location>
    </configuration>
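The URL authorization slide and this FAQ entry combine into one web.config. The file below is an added example (not from the webcast) showing the role rules, the <location> overrides for the public home page and the logon page, and, commented out, the rule order that silently grants everyone access; the roles "Admins" and "WebUsers" are the ones the slides use.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms loginUrl="login.aspx" protection="All" timeout="30" />
    </authentication>

    <!-- Application-wide rules. Evaluated top-down, first match wins, and if
         nothing matches, machine.config's allow-all rule applies, so the
         specific allows come first and a catch-all deny closes the list.
         Anonymous users match the deny and are redirected to loginUrl. -->
    <authorization>
      <allow roles="Admins" />
      <allow roles="WebUsers" />
      <deny users="*" />
    </authorization>
  </system.web>

  <!-- Per-resource overrides. Rules from a <location> (or a subdirectory
       web.config) are evaluated before the parent's rules, so they win. -->
  <location path="default.aspx">
    <system.web>
      <authorization>
        <allow users="*" />          <!-- anonymous users may see the home page -->
      </authorization>
    </system.web>
  </location>

  <location path="login.aspx">
    <system.web>
      <authorization>
        <allow users="*" />          <!-- and must be able to reach the logon page -->
      </authorization>
    </system.web>
  </location>

  <!-- WRONG ORDER, shown for contrast: the first rule already matches every
       user, anonymous included, so the deny below it is never reached.
  <authorization>
    <allow users="*" />
    <deny users="?" />
  </authorization>
  -->
</configuration>
```

To check a rule set, request a protected page as an anonymous user and confirm the redirect to login.aspx, then as a user without the required role and confirm a 401; if either succeeds, a rule above the deny is matching more than intended.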
Resources
- Knowledge Base article "BETA-INFO: ASP.NET Security Overview"
- MSDN article "Authentication in ASP.NET: .NET Security Guidance"
Thank you for joining us for today's Microsoft Support WebCast. For information about all upcoming Support WebCasts and access to the archived content (streaming media files, PowerPoint slides, and transcripts), please visit: We sincerely appreciate your feedback. Please send any comments or suggestions regarding the Support WebCasts to and include "Support WebCasts" in the subject line.