Ins and Outs of Authenticating Users Requests to IIS 6.0 and ASP.NET Chris Adams Program Manager IIS...


Transcript of Ins and Outs of Authenticating Users Requests to IIS 6.0 and ASP.NET Chris Adams Program Manager IIS...

Page 1: Ins and Outs of Authenticating Users Requests to IIS 6.0 and ASP.NET Chris Adams Program Manager IIS Product Unit Microsoft Corporation.

Ins and Outs of Authenticating Users Requests to IIS 6.0 and ASP.NET

Chris Adams, Program Manager, IIS Product Unit, Microsoft Corporation

Page 2:

Agenda

- Introduction to Authentication
- Diving into Authentication Types
  - Anonymous Access
  - Basic Authentication
  - Windows Authentication
  - Digest & Advanced Digest Authentication
  - ASP.NET Forms Authentication
- Setup SPN for Kerberos and constrained delegation
- Mapping virtual directories to UNC shares

Page 3:

Introduction to Authentication

How authentication works in IIS

(Diagram: the Server Core hands the request to the authentication providers: Anonymous, Basic, Digest, Kerberos, NTLM.)

- The request enters the server core; the server core forwards it to the anonymous provider.
- IIS builds the metabase path (e.g. w3svc/1/root) and checks whether anonymous access is enabled on it.
  - Yes: the path and the anonymous user's token are handed to the authorization manager.
  - No: IIS passes the path to each provider so it can determine whether that provider is enabled on the path.
- Each provider that is enabled returns the appropriate WWW-Authenticate header to the server core.

Page 4:

Anonymous Authentication

Anonymous account: role of IUSR
- Is automatically added during setup to the system's Guests group
- The IUSR account is intrinsically provided Read access to all folders as a member of the Guests group
- Also used by the MS FTP server for anonymous authentication

IIS Sub-authentication
- Avoids password synchronization problems

Page 5:

Anonymous Authentication (2)

Define IIS's Sub-authenticator
- "Allow IIS to Control Password" = SubAuth is being used
- What component is IIS SubAuth?
- Why does it exist?
  - Avoids password synchronization problems

Security concerns:
- Must run in-process (Inetinfo)
- Must run as LocalSystem
- Default on IIS 4.0, 5.0, and 5.1
- Not the default on IIS 6.0

Page 6:

Anonymous Authentication (3)

Is IIS Sub-Authentication enabled?
- This checkbox enables IIS Sub-Authentication in IIS 4, 5, and 5.1.
- The checkbox does not exist in the IIS 6.0 IIS Manager; there it must be configured manually.

Page 7:

Anonymous Authentication (4)

Metabase properties
- Two secure properties:
  Anonymoususername : (STRING) "IUSR_CA-MAIN"
  anonymoususerpass : (STRING) "**********"
- The token is obtained at startup of the w3svc service for IUSR_MachineName
- Both properties must contain correct information on the user account and password when sub-auth is disabled
- If they are not correct, a 401.1 results
- Use the Event Viewer Security log to track failures
- Can be customized at the site or virtual directory level

Page 8:

Watching IIS Sub-Authentication in action

Chris Adams, Program Manager, IIS Product Unit

Page 9:

Basic Authentication

Limitations and risks of Basic
- "Clear text passwords": Base64 encoded

Advantages
- RFC backed (RFC 2617)
- Supports proxies
- Wide browser support
- Good authentication when combined with SSL

Disadvantages
- Requires a Windows account
- Very insecure if not protected with Secure Socket Layer (SSL)
- The password is sent directly on the wire (only encoded), which allows administrators to decode it if desired (less secure)

Page 10:

Decoding Basic Authentication

Chris Adams, Program Manager, IIS Product Unit
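The decoding the demo slide refers to, as an added example that is not part of the deck: an `Authorization: Basic` header carries `username:password` Base64 encoded, not encrypted, so anyone who can read the request recovers the password. The sample request, account name and password below are constructed for the example; `basic_sent_in_clear` is the check a reviewer would run on captured traffic to find Basic credentials travelling without SSL.

```python
"""Decode an HTTP Basic Authorization header (added example, not from the deck)."""
import base64
import binascii
from typing import Dict, Optional, Tuple

# Constructed sample request; the token is Base64 of "chris:s3cret:x".
SAMPLE_REQUEST = (
    "GET /secure/default.htm HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "Authorization: Basic Y2hyaXM6czNjcmV0Ong=\r\n"
    "\r\n"
)


def parse_headers(raw: str) -> Dict[str, str]:
    """Split a raw HTTP request into a dict of lower-cased header names to values."""
    headers: Dict[str, str] = {}
    for line in raw.split("\r\n")[1:]:   # skip the request line
        if not line:                      # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def decode_basic(authorization: str) -> Optional[Tuple[str, str]]:
    """Return (username, password) from a Basic credential, or None if it is not Basic."""
    scheme, _, token = authorization.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        userpass = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    # RFC 2617: the user-id cannot contain ':', the password may, so split on the first one.
    user, sep, password = userpass.partition(":")
    if not sep:
        return None
    return user, password


def basic_sent_in_clear(raw: str, tls: bool) -> bool:
    """True when a request carries Basic credentials over a connection that is not SSL-protected."""
    creds = decode_basic(parse_headers(raw).get("authorization", ""))
    return creds is not None and not tls
```

The `validate=True` flag makes the decoder reject tokens containing characters outside the Base64 alphabet instead of silently ignoring them, so a malformed header is reported as "not Basic" rather than as a half-decoded credential.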

Page 11:

Introduction...

(Diagram: "Negotiate" sits above Kerberos and NTLM.)

"Negotiate" is a wrapper for these two protocols.

Page 12:

Introduction to Integrated Authentication

- Metabase property: AuthNTLM
- Internet Explorer prefers Integrated over Basic when both are enabled on a path
- NTAuthenticationProviders has no UI support. Must use adsutil or Metabase Explorer.

Page 13:

Introduction to Integrated Authentication

How is the appropriate integrated authentication determined?

(Flowchart nodes: AuthNTLM (No / Yes), NTAuthenticationProviders, Negotiate, NTLM, 401.3 Access Denied.)
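The provider walk of page 3 and the Integrated decision of pages 12 and 13, as an added model that is not Microsoft's code: anonymous access is tried first, otherwise each provider enabled on the metabase path contributes a WWW-Authenticate challenge, and for Integrated authentication `AuthNTLM` plus the `NTAuthenticationProviders` string decide whether "Negotiate", "NTLM" or both are advertised. The flag names are the real metabase properties; the challenge order, the realm value and the `adsutil` command in the comment are this model's assumptions, and 401 substatus codes are not modelled.

```python
"""Model of how IIS 6.0 decides what to challenge a request with (added illustration)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class MetabasePath:
    path: str                                        # e.g. "w3svc/1/root"
    AuthAnonymous: bool = False
    AuthBasic: bool = False
    AuthMD5: bool = False                            # Digest
    AuthNTLM: bool = False                           # Integrated Windows authentication
    # No UI for this property on IIS 6.0; it is set with adsutil, for example
    #   cscript adsutil.vbs set w3svc/1/root/NTAuthenticationProviders "Negotiate,NTLM"
    NTAuthenticationProviders: str = "Negotiate,NTLM"
    Realm: str = "CA-MAIN"                           # constructed sample realm


def integrated_challenges(p: MetabasePath) -> List[str]:
    """Page 13 flow: no AuthNTLM -> nothing; otherwise the providers named in the string."""
    if not p.AuthNTLM:
        return []
    wanted = [s.strip() for s in p.NTAuthenticationProviders.split(",")]
    # Only these two tokens are meaningful; anything else is a misconfiguration
    # and is simply not advertised.
    return [name for name in wanted if name in ("Negotiate", "NTLM")]


def authenticate_request(p: MetabasePath, authorization: Optional[str] = None) -> Tuple[int, List[str]]:
    """Page 3 flow for a request that carries no credentials.

    Returns (status, list of WWW-Authenticate challenge values).  A request that
    already carries an Authorization header would be routed to the provider named
    in it; validating credentials is outside this model.
    """
    if authorization is not None:
        raise NotImplementedError("credential validation is not modelled here")
    if p.AuthAnonymous:
        # The anonymous user's token goes straight to the authorization manager.
        return 200, []
    headers: List[str] = []
    # Integrated is listed first: IE prefers Integrated over Basic when both
    # are enabled on the path (page 12).
    headers += integrated_challenges(p)
    if p.AuthMD5:
        headers.append(f'Digest realm="{p.Realm}"')
    if p.AuthBasic:
        headers.append(f'Basic realm="{p.Realm}"')
    # Nothing enabled: the client gets a 401 with no challenge it can answer.
    return 401, headers
```

Running `authenticate_request` against a path with `AuthNTLM=True` and the default provider string returns both `Negotiate` and `NTLM`; trimming the string to `"NTLM"` is the knob that drops Kerberos from the offer, which is the first thing to check when Integrated authentication behaves unexpectedly.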

Page 14:

Dynamics of NTLM

Connection oriented
- The same connection is always used per request
- HTTP keep-alives required

Understanding auth dialog boxes
- NTLM, by default, doesn't prompt
- NTLM may prompt if the original request fails with 401.1

NTLM's use of Domain\Username\Password
- Domain and username are always shared over the wire between client and server
- The password never is; NTLM always uses a hash of the password
- The Authentication header includes: Domain\Username\HashedPassword

Page 15:

Dynamics of NTLM: Security

Why is NTLM authentication secure?
- The hash algorithm of the password is unknown when hackers monitor the HTTP requests on the wire
- If connections are broken or manipulated (by proxies), then NTLM fails

Versions:
- Lan Manager: Windows 95
- NTLM v1: NT 4.0
- NTLM v2: Windows 2000 / 2003

Page 16:

NTLM @ Work...

(Sequence diagram between the client (Laptop) and the IIS Server. Requests: GET /Default.HTM; GET /Default.HTM with NTLM auth header; GET /Default.HTM with NTLM hashed auth header. Responses: 401 with WWW-Authenticate: NTLM; 200 OK; 401 Access Denied.)

Page 17:

Dynamics of NTLM

NTLM at work... (previous slide)

1. The IE client requests an IIS resource (anonymously)
2. IIS returns 401 with a WWW-Authenticate header saying NTLM
3. IE submits a new request for the IIS resource with an NTLM Authentication header (username)
4. IIS uses the NT Authentication header to build a secret key and sends 401 with the key back to the client
5. IE submits a new request for the IIS resource with an NTLM Authentication header (username\password\hash of password)
6. IIS checks username\password\hash; if it matches, it returns 200 OK, or 401.1 Login failed (IE prompts)
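The six steps above as a runnable toy model, added here and not Microsoft's code or the real NTLM algorithm. It makes two of the deck's points concrete: the password itself never crosses the wire (only a keyed hash over the server's step-4 key does), and the exchange is connection oriented, because the key issued in step 4 is remembered per connection, so a client whose requests arrive on a new connection (a proxy or a client without keep-alives) fails at step 6 even with the right password. HMAC-SHA256 stands in for the NTLM hash functions, and the user store, account and connection ids are constructed for the example.

```python
"""Toy model of the six-step NTLM exchange (added example; not real NTLM)."""
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple


def password_hash(password: str) -> bytes:
    """Stand-in for the stored NT hash (the real one is MD4 over the UTF-16LE password)."""
    return hashlib.sha256(password.encode("utf-16-le")).digest()


class IisServer:
    def __init__(self, users: Dict[str, bytes]):
        self.users = users                      # DOMAIN\user -> stored password hash
        self.challenges: Dict[int, bytes] = {}  # connection id -> key issued in step 4

    def handle(self, conn: int, auth: Optional[Tuple[str, ...]]) -> Tuple[str, Optional[bytes]]:
        """Return (status, key).  Statuses follow the deck: "401", then "200" or "401.1"."""
        if auth is None:                                # step 1: anonymous request
            return "401", None                          # step 2: WWW-Authenticate: NTLM
        if auth[0] == "NEGOTIATE":                      # step 3: username presented
            self.challenges[conn] = os.urandom(8)       # step 4: key bound to this connection
            return "401", self.challenges[conn]
        if auth[0] == "AUTHENTICATE":                   # step 5: keyed response arrives
            _, account, response = auth
            key = self.challenges.pop(conn, None)       # step 6: must be the same connection
            stored = self.users.get(account)
            if key is None or stored is None:
                return "401.1", None
            expected = hmac.new(stored, key, hashlib.sha256).digest()
            return ("200", None) if hmac.compare_digest(expected, response) else ("401.1", None)
        return "400", None


def client_login(server: IisServer, account: str, password: str, keep_alive: bool = True) -> str:
    """Run the exchange; with keep_alive=False every request arrives on a fresh connection."""
    conn = 1
    status, _ = server.handle(conn, None)                                  # steps 1-2
    assert status == "401"
    conn = conn if keep_alive else conn + 1
    status, key = server.handle(conn, ("NEGOTIATE", account))              # steps 3-4
    conn = conn if keep_alive else conn + 1
    # Step 5: the client sends account plus a keyed hash; the password stays local.
    response = hmac.new(password_hash(password), key, hashlib.sha256).digest()
    status, _ = server.handle(conn, ("AUTHENTICATE", account, response))   # step 6
    return status
```

The per-connection `challenges` table is the model's version of why "HTTP keep-alives required" appears on the previous slide: once the step-4 key is forgotten because the connection changed, the server has nothing to verify the step-5 response against, which surfaces to the user as the 401.1 prompt.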

Page 18:

Dynamics of Kerberos

Why create another authentication protocol?

NTLM limitations
- NTLM tokens cannot be delegated
- NTLM is proprietary and only supported by the Windows platform
- NTLM has limited support out of the box... (other browsers)

Is Negotiate a new protocol?
- No, it is just a wrapper that allows either Kerberos or NTLM authentication based on the client request

Page 19:

Dynamics of Kerberos

Key terms of Negotiate
- Client: Internet Explorer
- Server: IIS server that is a member of an Active Directory domain
- Active Directory: Key Distribution Center (KDC) for all clients
- Ticket Granting Service: issues all tickets (aka tokens)

Page 20:

Dynamics of Negotiate

The IIS server is started, and when the server authenticates to the domain (aka KDC) it receives its ticket.

(Diagram: Laptop / Client, IIS Server, and Domain Controller (KDC) running the Ticket Granting Services.)
Page 21:

Negotiate @ Work...

(Diagram between Laptop / Client, Domain Controller (KDC), and IIS Server.)
- Client to KDC: "I need a ticket for the following service (aka HTTP\HOST)"
- If the service is located in the KDC, a secret key is shared with the client
- The initial client request for the IIS resource is anonymous
- The server response is 401 with a WWW-Authenticate header for Negotiate
- Using the key provided, the client creates a hash (key) and sends it to IIS
- IIS uses the shared secret key and verifies that the password matches

Page 22:

Deciphering Kerberos vs. Integrated Authentication

Page 23:

Digest Authentication

What is digest authentication?

Limitations and risks of Digest

Requirements of Digest
- IIS Sub-Auth (iissuba - LocalSystem)
- Active Directory
- Password stored in AD with reversible encryption

Platforms available
- Windows 2000
- Windows 2003

Speaker notes (Chris Adams):
- answer the question of "why" use digest\adv. digest
- bold this -- bad stuff
- Stress this as well... Never a good security practice.
Page 24:

Advanced Digest

What is advanced digest authentication?

Requirements of Adv. Digest
- 2003 Active Directory forest required
- Hash pre-computed at user creation
- Strictly RFC compliant

Platforms available

Determining which digest is being used?

More details on Digest and Adv. Digest Authentication:
http://www.microsoft.com/windowsserver2003/iis/support/webcasts.mspx
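Why the two Digest variants on pages 23 and 24 have such different storage requirements becomes clear from the RFC 2617 arithmetic, shown here as an added example that is not from the deck: the server only ever needs HA1 = MD5(username:realm:password). Classic Digest on IIS 6.0 has to rebuild HA1 from the clear password per request, hence the reversible-encryption requirement the speaker notes flag; Advanced Digest can verify with a hash pre-computed when the user was created and never needs the password back. The realm, account, password and nonce below are constructed sample values (the nonce and cnonce are the ones used in RFC 2617's own worked example).

```python
"""RFC 2617 Digest computation and the two server-side verification paths (added example)."""
import hashlib
import hmac
from typing import Dict

SAMPLE_REALM = "ca-main.example"                        # constructed
SAMPLE_NONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093"     # nonce from the RFC 2617 example


def _md5(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def ha1(username: str, realm: str, password: str) -> str:
    """The only secret the server needs; Advanced Digest stores this, pre-computed."""
    return _md5(f"{username}:{realm}:{password}")


def digest_response(ha1_value: str, method: str, uri: str, nonce: str,
                    nc: str, cnonce: str, qop: str = "auth") -> str:
    """Client response for qop=auth (RFC 2617 section 3.2.2.1)."""
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1_value}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def build_authorization(username: str, realm: str, password: str, method: str, uri: str,
                        nonce: str, nc: str = "00000001", cnonce: str = "0a4f113b") -> str:
    """What the browser sends back after the Digest challenge."""
    resp = digest_response(ha1(username, realm, password), method, uri, nonce, nc, cnonce)
    return (f'Digest username="{username}", realm="{realm}", nonce="{nonce}", uri="{uri}", '
            f'qop=auth, nc={nc}, cnonce="{cnonce}", response="{resp}"')


def parse_digest_header(header: str) -> Dict[str, str]:
    """Minimal parser for 'Digest k="v", k=v, ...' (no commas inside quoted values)."""
    scheme, _, params = header.partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest credential")
    out: Dict[str, str] = {}
    for part in params.split(","):
        k, _, v = part.strip().partition("=")
        out[k.strip()] = v.strip().strip('"')
    return out


def verify_with_ha1(header: str, method: str, stored_ha1: str) -> bool:
    """Server check that needs only the pre-computed hash: the Advanced Digest situation."""
    p = parse_digest_header(header)
    if p.get("qop", "auth") != "auth":
        return False  # auth-int is outside this example
    expected = digest_response(stored_ha1, method, p.get("uri", ""), p.get("nonce", ""),
                               p.get("nc", ""), p.get("cnonce", ""))
    return hmac.compare_digest(expected, p.get("response", ""))


def verify_with_password(header: str, method: str, realm: str, clear_password: str) -> bool:
    """Server check when only a recoverable (reversibly encrypted) password is available: classic Digest."""
    p = parse_digest_header(header)
    return verify_with_ha1(header, method, ha1(p.get("username", ""), realm, clear_password))
```

`verify_with_password` is `verify_with_ha1` plus one extra step, recomputing HA1 from the clear password; that single extra step is the whole reason classic Digest forces reversible encryption on the accounts that use it, while a store of HA1 values (as Advanced Digest keeps) is enough for verification and never yields the password back.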

Page 25:

ASP.NET Forms Authentication

- Developer-driven authentication. Does not use Windows authentication.
- Advantage: you can easily support your existing user base, e.g. Novell, AS400.

Speaker notes (Chris Adams): Let's define what "Forms auth" is and why you use it: what it is (developer-driven authentication), and the reason to use it (non-Windows, so you can easily support your existing user base: Novell, AS400).
Page 26:

ASP.NET Forms Authentication

Setup:

(Figure: setup screenshot; content not recoverable.)

- ASP.NET uses IIS's authentication token when the authentication mode is set to "Windows"
- ASP.NET implements forms authentication when it is selected and uses the provider specified
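The two modes the slide describes are selected in the application's web.config; the fragment below is an added illustration, not the deck's screenshot, and the login page name, timeout and the comment on the IIS side are this example's assumptions.

```xml
<configuration>
  <system.web>
    <!-- mode="Windows" would make ASP.NET consume the token IIS already produced
         (Anonymous, Basic, Digest or Integrated); mode="Forms" hands authentication
         to the developer's login page and the provider configured behind it. -->
    <authentication mode="Forms">
      <!-- protection="All" signs and encrypts the ticket cookie; requireSSL keeps the
           cookie off plain HTTP, the same concern the Basic slides raise for passwords. -->
      <forms loginUrl="Login.aspx" protection="All" timeout="30" requireSSL="true" />
    </authentication>
    <authorization>
      <!-- "?" is the anonymous user: every unauthenticated request is redirected to loginUrl -->
      <deny users="?" />
    </authorization>
  </system.web>
</configuration>
```

Because IIS authenticates before ASP.NET sees the request, the virtual directory itself has to allow Anonymous access for Forms authentication to be reachable at all; leaving only Integrated enabled in IIS Manager means non-Windows users never get as far as Login.aspx.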

Page 27:

Setup SPN Service Registration

Services running as Local System
- Automatically registered at installation time

Services running with a customized account
- Manually registered by the administrator

Page 28:

Mapping virtual directories to UNC shares

- Can use a static username / password

Page 29:

Mapping virtual directories to UNC shares

- Can pass the authenticated user's credentials through

Page 30:

Session Summary

- There are a lot of variables that go into authentication in IIS
- Understanding how IIS Sub-Authentication works is key to two authentication types: Anonymous and Digest
- Basic authentication is commonly supported by browsers, but is insecure without encryption technology
- Integrated authentication is complex and difficult to troubleshoot without knowing key metabase properties such as NTAuthenticationProviders

Page 31:

© 2005 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.