Understanding Digest and Advanced Digest Authentication in IIS 6.0

Chris Adams, Web Platform Supportability Lead, Microsoft Corporation


Agenda

• Introduction to Authentication
• Defining Digest Authentication
• Digest vs. Advanced Digest
• Digging deeply into Digest Auth
• Digging deeply into Advanced Digest
• Summary


Introduction to Authentication

• What is authentication?
• What is authorization?
• Authentication vs. Authorization: 401.1 versus 401.3


Introduction to Authentication

How authentication works in Microsoft® Internet Information Services (IIS)

1. Request enters server core.
2. Server core forwards to anonymous provider. IIS builds path (w3svc/1/root) and verifies if anonymous is enabled.
   • Yes: Provide path and Anonymous user's token to authorization manager.
   • No: IIS passes the path to each provider to determine if path has that provider enabled. Each provider that is enabled returns to Server core the appropriate header.

[Diagram: Server Core and the authentication providers: Anonymous, Basic, Kerberos, NTLM, Digest, Passport]


Introduction to Authentication

How authentication works in IIS

[Diagram: Server Core returns the WWW-Authenticate: Digest header; Digest and Adv. Digest]


Defining Digest Authentication

• Digest Authentication is an industry standard per Requests for Comments (RFC) 2617
• For IIS administrators and developers, Digest is available on these platforms:
  • Microsoft® Windows® 2000 and IIS 5.0
  • Microsoft® Windows Server™ 2003 and IIS 6.0
• Why interest in Digest?
  • Password is protected, not sent on wire in “clear text”
  • Digest is optimized for Windows® domains


Digest vs. Advanced Digest

Digest, available on Windows 2000 Server and Windows Server 2003, requires the following:

• Relies on worker process to run as Local System
• Uses the IIS Sub-Authenticator (iissuba.dll)
• In Windows Server 2003, UseDigestSSP must be set to “false”
• Requires Microsoft® Windows® Active Directory®
  • User’s password must be stored with Reversible Encryption enabled
• Calculates the hash on the fly and transmits it over the wire


Digest vs. Advanced Digest (2)

Advanced Digest
• Not available on Windows 2000
• Implemented in core authentication provider in LSASS (not relying on IIS Sub-Authenticator)
• Hash is stored as property of user in Windows Server 2003 Active Directory
• Is default Digest Authentication on clean installs of Windows Server 2003
• Metabase property UseDigestSSP must be set to “true”


Digest vs. Advanced Digest (3)

How clients are authenticated using Digest

[Diagram: client, IIS and Active Directory]
• IIS answers with 401.2 with WWW-Authenticate: Digest:Realm
• Key: User Hash (Username, Password, Realm)
• IIS sends hash to domain controllers
• Success: 200 OK status
• Failure: 401.1 Login Failed with a WWW-Authenticate header


Digest vs. Advanced Digest (4)

How clients are authenticated using Digest

[Diagram: client, IIS and Active Directory; same exchange as the previous slide, with the hash pre-computed and stored in Active Directory]
• IIS answers with 401.2 with WWW-Authenticate: Digest:Realm
• Key: User Hash (Username, Password, Realm), pre-computed and stored in Active Directory
• IIS sends hash to domain controllers
• Success: 200 OK status
• Failure: 401.1 Login Failed with a WWW-Authenticate header


Digging Deeply Into Digest

Digest Authentication has unique characteristics that provide customers with challenges:

• Local System: Non-issue on Windows 2000 because it uses iissuba.dll and it runs in Inetinfo
• Reversible Encryption: User’s password must be stored with less security in Active Directory


Digging Deeply Into Digest

How is IIS Sub-Authenticator enabled?

Open a Command-Prompt, type:
rundll32 systemroot\system32\iissuba.dll,RegisterIISSUBA
(Case Sensitive)

Ensure Local System
• Default for Windows 2000
• [Screenshot: Windows Server 2003]

Running as Local System is a Bad Security Practice


Demonstration One

Enabling Digest Authentication in Windows Server 2003

The goal is to demonstrate how administrators and developers can successfully enable Digest.


Digging Into Advanced Digest

• Advanced Digest is ONLY available in Windows Server 2003 and IIS 6.0
• Advanced Digest is implemented in LSASS where all other authentication types are performed
• Advanced Digest is compliant with the Digest RFC
• There is no UI for Advanced Digest; it’s enabled using a command-line
  • Property = UseDigestSSP


Digging Into Advanced Digest (2)

Advanced Digest relies on a pre-computed MD5 hash stored in Active Directory
• Stored in the same place as Kerberos hashes
• MD5 hash is stored as multiple entries:
  • User@Domain - Ex: user@contoso
  • Domain\User – Ex: contoso\user
  • User@domain (UPN) – Ex: [email protected]

Is this property secure in Active Directory?
• Yes, no user, including Domain Admins, has access to where the hash is stored
• Only Local Security Authority (LSA) has access to this hash information
• It is stored on the DC and is never sent off the DC
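Added example (Python, written for this page; not code from the slides, from IIS or from Windows): it computes RFC 2617's HA1, which is the User Hash (Username, Password, Realm) shown on the Digest diagrams and the value Advanced Digest pre-computes in Active Directory, then walks one challenge/response and shows why a separate entry is kept for each name form. The realm, password and UPN suffix are constructed sample values, and treating the stored hash as RFC 2617 HA1 is an assumption consistent with the slides' statement that Advanced Digest is RFC-compliant.

```python
import hashlib
import secrets


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def ha1(username: str, realm: str, password: str) -> str:
    """RFC 2617 HA1 = MD5(username:realm:password).

    This is the per-user secret a Digest server needs. With Digest, IIS
    derives it on the fly from a reversibly encrypted AD password; with
    Advanced Digest the DC stores it pre-computed, so no reversible
    password is required.
    """
    return md5_hex(f"{username}:{realm}:{password}")


def precomputed_entries(user: str, domain: str, upn_suffix: str,
                        realm: str, password: str) -> dict:
    """One HA1 per name form a client might type (upn_suffix is constructed).

    The username string is an input to HA1, so user@contoso, contoso\\user
    and the UPN all hash differently; a server holding only one form could
    not verify a client that logged in with another.
    """
    forms = {
        "User@Domain": f"{user}@{domain}",
        "Domain\\User": f"{domain}\\{user}",
        "UPN": f"{user}@{upn_suffix}",
    }
    return {form: ha1(name, realm, password) for form, name in forms.items()}


def client_response(username, realm, password, method, uri,
                    nonce, nc, cnonce, qop="auth"):
    """Value the browser puts in the Authorization: Digest response= field."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1(username, realm, password)}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def server_verify(stored_ha1, method, uri, nonce, nc, cnonce,
                  response, qop="auth"):
    """Server side: recompute from the stored HA1 only; the password is never needed."""
    ha2 = md5_hex(f"{method}:{uri}")
    expected = md5_hex(f"{stored_ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return secrets.compare_digest(expected, response)


def demo() -> bool:
    """One login: challenge nonce, client response, check against the stored hash."""
    realm, password = "contoso", "Pa55w0rd!"  # constructed sample values
    entries = precomputed_entries("user", "contoso", "contoso.example", realm, password)
    nonce, cnonce, nc = secrets.token_hex(16), secrets.token_hex(8), "00000001"
    resp = client_response("contoso\\user", realm, password, "GET", "/iisstart.htm",
                           nonce, nc, cnonce)
    return server_verify(entries["Domain\\User"], "GET", "/iisstart.htm",
                         nonce, nc, cnonce, resp)
```

Because verification needs only HA1, a server that stores HA1 (Advanced Digest) never has to hold a recoverable password, whereas a server that stores the password with reversible encryption (Digest) exposes it to anyone who can read that attribute.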


Digging Into Advanced Digest (3)

Limitations of Advanced Digest to date
• Microsoft® Internet Explorer 6.0 SP1 does not handle advanced digest requests properly
• For each request per connection, Internet Explorer prompts the user for credentials
• This is being fixed in Windows Server 2003 Service Pack 1

Same Connection – Prompt for each Get

2004-09-16 12:06:21 127.0.0.1 GET /iisstart.htm - 80 WS03EE\Administrator 127.0.0.1 200 0 0
2004-09-16 12:06:22 127.0.0.1 GET /pagerror.gif - 80 WS03EE\Administrator 127.0.0.1 200 0 0


Demonstration Two

Enabling Advanced Digest Authentication in Windows Server 2003

The goal is to demonstrate how administrators and developers can successfully enable Advanced Digest.


Session Summary

• Digest follows the RFC standard 2617
• Windows 2000 offers Digest authentication only
• Windows Server 2003 offers Digest and Advanced Digest authentication
• Clients receive in WWW-Authenticate header “Digest” and Realm for both Digest and Advanced Digest
• Digest requires the IIS Sub-Authenticator
• Advanced Digest stores all information in Active Directory for each user and is implemented in LSASS


References and Resources

IIS 6.0 Help:
• Digest: http://www.microsoft.com/resources/documentation/iis/6/all/proddocs/en-us/sec_auth_digestauth.mspx
• Adv. Digest: http://www.microsoft.com/resources/documentation/iis/6/all/proddocs/en-us/sec_auth_advdigestauth.mspx

KB Articles:

IIS 6.0 Resource Kit
IIS Forum: http://www.asp.net/forums
IIS Answers: http://www.iisanswers.com
IIS Frequently Asked Questions (FAQ): http://www.iisfaq.com
IIS Resources: http://www.iis-resources.com


Get Up to Speed on .NET

Get Trained on Microsoft Developer Technologies. Register for upcoming webcasts at http://msdn.microsoft.com/webcasts

All times are Pacific Standard Time

• Friday, October 08, 2004, 11:00 AM-12:30 PM: MSDN Webcast: Session 6: User Interface Beauty Tips for Windows Forms Applications
• Friday, October 08, 2004, 1:00 PM-2:30 PM: MSDN Webcast: Mathematics Based Software Construction Models (Part 5 of 6): Solid Prototyping—Level 200
• Monday, October 11, 2004, 9:00 AM-10:30 AM: MSDN Webcast: Visual Studio® Tools for Office - Nuts and Bolts (Part Two)
• Tuesday, October 12, 2004, 9:00 AM-10:30 AM: MSDN Webcast: User Roles in InfoPath® 2003
• Wednesday, October 13, 2004, 9:00 AM-10:30 AM: MSDN Webcast: Geek Speak: WSE 2.0 Introduction
• Wednesday, October 13, 2004, 11:00 AM-12:30 PM: MSDN Webcast: Digital Media and DirectX on Windows CE


Attend MSDN Events

Who
• Your Local Microsoft Developer Community Champion

What
• Object Oriented Programming Fundamentals in VB.NET
• Programming with MapPoint Web Services
• Optimizing ASP.NET 1.1 Web Applications
• ASP.NET 2.0 Membership and Personalization

Why
• Gain valuable developer knowledge, network with peers, and get VS 2005 Beta 1 Refresh and VS 2005 Express Betas on our content-rich special event DVD

When
• October through December, on Tuesdays and Thursdays from 1-5PM local time

Where
• Cities across the United States

How
• Visit MSDN Events at http://www.msdnevents.com to find out more!


MSDN Webcast Resources

• Visit our blog http://blogs.msdn.com/msdnwebcasts for an RSS feed of upcoming MSDN Webcasts
• Submit text questions during the live webcast using the “Ask a Question” button
• For recordings of past MSDN Webcasts: www.microsoft.com/usa/webcasts/ondemand
• Got webcast content ideas? Send us e-mail at: [email protected]
• More webcasts at http://msdn.microsoft.com/webcasts
• Don’t forget to fill out the survey.


https://msevents.microsoft.com/cui/WelcomePage.aspx?EventID=...
