Authaspdotnet Authentication in ASP

Date post: 06-Apr-2018

  • 8/2/2019 Authaspdotnet Authentication in ASP

    Authentication in ASP.NET

    23 January 2003

    Ronen Ashkenazi
    Solutions Development Architect
    Microsoft Israel
    [email protected]

    Agenda

    - Security Considerations
    - Relationship Between IIS and ASP.NET
    - Authentication Methods
    - Security for Web Services
    - Code Access Security

    Security Considerations

    Consider the following when designing an application:

    - Impersonation
    - Delegation
    - Operating system security
    - Securing physical access
    - Code access security
    - Security goals
    - Security risks
    - Authentication
    - Authorization
    - Securing data transmission

    ASP.NET Security: Relationship Between IIS and ASP.NET

    Request flow from Web clients through IIS into the ASP.NET application:

    1. IIS: IP address and domain permitted?
       No  -> Access denied
    2. IIS: User authenticated?
       No  -> Access denied
    3. IIS: Access check OK? (e.g. NTFS)
       No  -> Access denied
    4. Yes to all three -> Launch ASP.NET application
    5. ASP.NET impersonation enabled?
       Yes -> ASP.NET application assumes client identity
       No  -> ASP.NET application runs with local machine identity
    6. Access granted

    ASP.NET Authentication Providers and IIS Security

    ASP.NET supports three authentication providers:

    - Forms Authentication: relies on a logon form and cookies
    - Passport Authentication: centralized authentication service provided by Microsoft
    - Windows Authentication: IIS handles authentication

    The provider is specified in the Web.config file

    ASP.NET and IIS Security Settings Matrix

    IIS Authentication Method | ASP.NET Authentication Provider
                              | Forms | Windows | Passport | None (Custom)
    --------------------------+-------+---------+----------+--------------
    Basic                     |       |    X    |          |
    Integrated                |       |    X    |          |
    Digest                    |       |    X    |          |
    Certificate Mapping       |       |    X    |          |
    Anonymous                 |   X   |         |    X     |      X

    Authentication Using Windows Accounts

    - Authenticate users with Windows user accounts by combining IIS authentication and the Windows authentication provider for ASP.NET
    - No authentication-specific code needs to be written with this approach
    - ASP.NET constructs and attaches a WindowsPrincipal object to the application context

    Authentication Using Non-Windows Accounts

    Configure IIS for Anonymous authentication and use one of the following .NET authentication modules:

    - None: custom or no authentication
    - Forms: provide a logon page
    - Passport: use the Passport service

    Impersonation and Delegation

    - Impersonation allows ASP.NET applications to execute with a client's identity
    - Delegation enhances impersonation by allowing remote resources to be accessed while acting as the client
    - Impersonation is configured in the Web.config file

    ASP.NET Thread Token for ASP.NET and IIS Configurations

    ASP.NET impersonation                 | IIS is using Anonymous | IIS is not using Anonymous | Application resides on UNC share
    --------------------------------------+------------------------+----------------------------+---------------------------------
    Disabled                              | Process account        | Process account            | IIS UNC token
    Enabled                               | IUSR_SERVER            | Authenticated user         | IIS UNC token
    Enabled with a specified user "Jeff"  | "Jeff"                 | "Jeff"                     | "Jeff"

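The thread-token table above and the impersonation slide before it describe three settings. The Web.config fragments below are an added example, not from the deck, showing how each setting is expressed with the identity element; the domain, the account name Jeff (taken from the table) and the password are placeholders.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example: Web.config fragments for the three impersonation settings
     in the thread-token table. Only one <identity> element may be active in
     a given Web.config; the other two are shown commented out. -->
<configuration>
  <system.web>
    <!-- IIS must authenticate the caller for impersonation to yield a real
         user; when IIS allows Anonymous, the impersonated token is IUSR_<SERVER>. -->
    <authentication mode="Windows" />

    <!-- Row 1, "Disabled": requests run as the worker-process account
         (ASPNET by default). This is also the behaviour when <identity>
         is omitted altogether. -->
    <identity impersonate="false" />

    <!-- Row 2, "Enabled": the request thread runs as the identity IIS
         authenticated, or as IUSR_<SERVER> when IIS allows Anonymous.
         NTFS and other Windows ACLs are then evaluated against the caller. -->
    <!-- <identity impersonate="true" /> -->

    <!-- Row 3, "Enabled with a specified user": every request runs as this
         fixed account regardless of who called. DOMAIN, Jeff and the password
         are placeholders. The password is stored in clear text, so restrict
         NTFS permissions on Web.config to the worker-process account and
         administrators, and grant the account only the rights it needs. -->
    <!-- <identity impersonate="true" userName="DOMAIN\Jeff" password="PLACEHOLDER_PASSWORD" /> -->
  </system.web>
</configuration>
```

Row 2 is the setting to use when the point of impersonation is to let the file system and downstream Windows resources enforce per-user ACLs; Row 3 is the one to reach for when the application must run as one service account while IIS still authenticates the caller.
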
    Application Identities

    - The ASP.NET application worker process (aspnet_wp.exe) executes under the ASPNET account
    - The ASPNET account has minimal privileges
    - Configure the account name in the machine.config file:
      - "SYSTEM" (System account)
      - "MACHINE" (ASPNET)
      - Custom user account

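The account name is set with the processModel element of machine.config (the element name is not on the slide; it is stated here as a known fact). The fragment below is an added example, not from the deck, showing the three options listed above; DOMAIN\AspNetSvc and its password are placeholders.

```xml
<!-- Added example: machine.config <processModel> settings for the three
     worker-process identities listed on the slide. machine.config is
     server-wide; the element is ignored if placed in an application's
     Web.config. -->
<configuration>
  <system.web>
    <!-- "MACHINE": the default. aspnet_wp.exe runs as the low-privilege local
         ASPNET account; "AutoGenerate" means ASP.NET manages the password
         itself, so no secret is written into the file. -->
    <processModel enable="true" userName="machine" password="AutoGenerate" />

    <!-- "SYSTEM": the worker process runs as LocalSystem, which has full
         control of the machine. A flaw in any hosted application then has
         the same rights, so this undoes the least-privilege default. -->
    <!-- <processModel enable="true" userName="SYSTEM" password="AutoGenerate" /> -->

    <!-- Custom account (placeholders): a dedicated local or domain user
         granted only what the hosted applications need, such as read
         access to the web root and write access to the Temporary ASP.NET
         Files folder. The password is stored in clear text, so protect
         machine.config with NTFS permissions. -->
    <!-- <processModel enable="true" userName="DOMAIN\AspNetSvc" password="PLACEHOLDER_PASSWORD" /> -->
  </system.web>
</configuration>
```

Changing processModel requires restarting the worker process (for example with iisreset) before it takes effect, and because the setting is machine-wide every ASP.NET application on the server shares the chosen identity.
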
    Authentication Methods

    - Factors in Choosing an Authentication Method
    - Determining an Authentication Method

    Factors in Choosing an Authentication Method

    - Server and client operating systems
    - Client browser type
    - Number of users, location and type of user name and password database
    - Deployment considerations (Internet vs. intranet and firewalls)
    - Application type (interactive Web site or non-interactive Web service)
    - Sensitivity of data being protected
    - Performance and scalability factors
    - Application authorization requirements (all users, or restricted areas)

    Determining an Authentication Method

    Decision flowchart (continued on the next slide). Decision points: Users log on? Personalization required? Users in Passport? Interactive user logon? Users in Windows accounts? Secure logon? Outcomes: Anonymous; Anonymous and cookies; Anonymous and Passport; Passport; Forms; Forms over SSL; Certificates.

    Determining an Authentication Method (continued)

    Decision flowchart for the branch "Yes, users are in Windows accounts". Decision points: App runs on Internet? Secure logon? Delegation required? Servers and clients Win2K? Outcomes: Basic; Basic/SSL; Digest; Digest/SSL; Forms; Forms/SSL; Certificates; NTLM; Kerberos; Custom Credential Mapping.

    Authentication Methods

    - Anonymous Authentication
    - Basic Authentication
    - Digest Authentication
    - Integrated Windows Authentication
    - Certificate Authentication
    - Passport Authentication
    - Forms Authentication Using Cookies

    Overview of Anonymous Authentication

    - No authentication occurs in either IIS or ASP.NET
    - Good choice for a publicly available Web site not requiring the identity of the caller
    - No browser restrictions

    Anonymous Authentication: Typical Usage Scenarios

    Consider Anonymous authentication when:
    - Caller name and/or password is not required for logon or business logic components
    - The information you are protecting is considered "public"

    Do not use Anonymous authentication when:
    - You require a logon name and password

    Anonymous Authentication: Other Considerations

    - Good choice for sites containing personalized content only; for example, a news site only interested in the user's zip code
    - Impersonation cannot be used
    - Appropriate permissions need configuring for the anonymous user account
    - Gives highest performance, but lowest security

    Overview of Basic Authentication

    - IIS instructs the browser to send the user's credentials over HTTP
    - Browser prompts the user with a dialog box
    - User names and passwords are sent using Base64 encoding (an encoding, not encryption), which is NOT secure
    - Most browsers support Basic authentication

    Basic Authentication: Typical Usage Scenarios

    Consider Basic authentication when you require:
    - Users to have Windows NT Domain or Active Directory accounts
    - Support for multiple browsers
    - Support for authentication over the Internet
    - Access to the clear text password in your application code
    - Delegation

    Do not use Basic authentication when you require:
    - Secure logon while not using a secure channel, such as Secure Sockets Layer (SSL)
    - Storage of information in a custom database
    - A customized form presented to the user as a logon page

    Basic Authentication: Other Considerations

    - Delegation is possible using Basic authentication
    - Combine Basic authentication with SSL to prevent passwords from being read in transit

    Basic Authentication: Implementation

    - Configure IIS for Basic authentication
    - Configure user accounts to have "log on locally" enabled on the Web server
    - Configure the ASP.NET Web.config file

    Overview of Digest Authentication

    - New to Windows 2000 and IIS 5.0
    - Protects the user's password with an MD5 hash; the password itself is not sent
    - Dependent on browser and server capabilities
    - Cannot perform delegation

    Digest Authentication: Typical Usage Scenarios

    Consider Digest authentication when:
    - The Web server is running Windows 2000 and users have Windows accounts stored in Active Directory
    - All clients use either the .NET platform or Internet Explorer 5.0 or later
    - Password protection above that of Basic authentication is required
    - Support for authentication over the Internet is required

    Do not use Digest authentication when:
    - Some clients use platforms other than .NET or Internet Explorer 5.0 or later
    - Users do not have Windows accounts stored in Active Directory
    - Delegation is required

    Digest Authentication: Other Considerations

    Security:
    - Digest authentication is more secure than Basic authentication alone
    - Less secure than Basic authentication with SSL
    - Can also be combined with SSL

    Platform requirements for Digest authentication:
    - Clients: .NET or Internet Explorer 5.0 (or later)
    - Server running Active Directory with user accounts configured for Digest authentication

    Digest Authentication: Implementation

    - Configure IIS for Digest authentication
    - Configure the ASP.NET Web.config file

    Overview of Integrated Windows Authentication

    - Uses either NTLM challenge/response or Kerberos to authenticate users with a Windows NT Domain or Active Directory account
    - No password is sent across the network
    - Best suited to an intranet environment
    - Works with Internet Explorer 3.01 or later

    Integrated Windows Authentication: Typical Usage Scenarios

    Consider Integrated Windows authentication when:
    - Users have Windows NT Domain or Active Directory accounts
    - Your application runs on an intranet (behind a firewall)
    - All clients are running Internet Explorer 3.01 or later
    - Delegation is required (requires Kerberos)
    - A seamless logon procedure for domain users is required (e.g. without pop-up logon dialog boxes)

    Do not use Integrated Windows authentication when:
    - User accounts are stored in an external database
    - Authentication over the Internet is required
    - Clients are using non-Microsoft browsers
    - You need the client's clear text password

    Integrated Windows Authentication: Other Considerations

    - NTLM and Kerberos are considered highly secure
    - NTLM does not support delegation; Kerberos does
    - Neither NTLM nor Kerberos is commonly used over the Internet
    - Kerberos is faster than NTLM, but neither is as fast as Basic authentication

    Integrated Windows Authentication: Implementation

    - Clients and servers must be running Windows 2000 in a Windows 2000 domain
    - User and service accounts must be enabled for delegation
    - Configure IIS for Integrated Windows authentication
    - Configure the ASP.NET Web.config file

    Overview of Certificate Authentication

    - A certificate is a digital "key" installed on a computer
    - Certificates can be mapped to user accounts

    Exchange between Client, Web Server and Domain Controller:

    1. Client -> Web Server:              Request: Welcome.aspx
    2. Web Server -> Client:              Response: Certificate request
    3. Client -> Web Server:              Request: Login.aspx + Certificate
    4. Web Server <-> Domain Controller:  Certificate validation
    5. Web Server -> Client:              Response: Welcome.aspx

    Certificate Authentication: Typical Usage Scenarios

    Consider Certificate authentication when:
    - Data is considered very sensitive and you require a very secure solution
    - Mutual authentication is required
    - Third parties will manage the relationship between the server and the certificate holder
    - Client interaction must be seamless; for example, automated B2B exchanges

    Do not use Certificate authentication when:
    - The cost of issuing and managing client certificates outweighs the value of the added security

    Certificate Authentication: Other Considerations

    - Client certificates must be deployed to the client workstations
    - Map certificates to:
      - Individual user accounts (one-to-one mapping)
      - Any user from a single company (many-to-one mapping)

    Certificate Authentication: Implementation

    - Configure IIS for Certificate authentication
    - Configure the ASP.NET Web.config file

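The Windows-accounts slide and the four implementation slides (Basic, Digest, Integrated Windows and Certificate) all end with the same step: configuring Web.config for the Windows provider, since IIS does the authenticating and ASP.NET only attaches the resulting WindowsPrincipal. The Web.config below is an added example, not from the deck; it sets the provider, denies anonymous callers at the ASP.NET level, and restricts one folder to a Windows group. The folder name Admin and the group DOMAIN\WebAdmins are placeholders.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example: Web.config for the Windows authentication provider.
     The same file serves IIS Basic, Digest, Integrated Windows and
     certificate mapping, because IIS performs the authentication and
     ASP.NET only consumes the identity it is handed. -->
<configuration>
  <system.web>
    <!-- Hand the IIS-authenticated identity to ASP.NET as a WindowsPrincipal
         (reachable in page code as User / Context.User). -->
    <authentication mode="Windows" />

    <!-- Defence in depth: if Anonymous access is later re-enabled in IIS,
         callers would arrive as IUSR_<SERVER>. Denying the anonymous user
         ("?") here means they still get 401 from ASP.NET. Rules are
         evaluated top-down; "*" means all users. -->
    <authorization>
      <deny users="?" />
      <allow users="*" />
    </authorization>
  </system.web>

  <!-- Per-folder restriction: the Admin area is limited to one Windows
       group (placeholder names). The deny-all rule after the allow closes
       the folder to everyone else, including authenticated users. -->
  <location path="Admin">
    <system.web>
      <authorization>
        <allow roles="DOMAIN\WebAdmins" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

The authorization rules only govern requests that reach ASP.NET (.aspx and other mapped extensions); static files such as images are served by IIS directly and rely on the IIS settings and NTFS permissions the slides mention.
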
    Overview of Passport Authentication

    - A centralized authentication service provided by Microsoft

    Exchange between Client, Web Server and Microsoft Passport:

    1. Client -> Web Server:           Request: Welcome.aspx
    2. Web Server -> Client:           Response: Passport Sign In
    3. Client <-> Microsoft Passport:  Passport authentication; creates authentication cookies
    4. Client -> Web Server:           Request: Login.aspx + Cookie
    5. Web Server -> Client:           Response: Welcome.aspx

    Passport Authentication: Typical Usage Scenarios

    Consider Passport authentication when:
    - Your site will interact with other Passport-enabled sites
    - Single sign-on capability is required
    - External maintenance of user names and passwords is useful

    Do not use Passport authentication when:
    - You want to use user names and passwords already stored in your own database or Active Directory
    - Clients are other applications that access the site programmatically

    Passport Authentication: Other Considerations

    - Requires registration with the Passport service and installation of the Passport SDK on the server
    - Delegation is not possible on Windows 2000
    - The Passport User ID (PUID) is an identity only; implement code to map the PUID to users in Active Directory or a custom database
    - Passport uses encrypted cookies, making the system secure
    - Combine Passport with SSL to prevent replay attacks for the highest level of security

    Passport Authentication: Implementation

    - Install the Passport SDK on the server
    - Register with the Passport service
    - Configure IIS for Anonymous authentication
    - Configure the ASP.NET Web.config file

    Overview of Forms Authentication

    - A custom user interface accepts user credentials
    - Authentication is performed against a database using custom code

    Exchange between Client and Web Server:

    1. Client -> Web Server:  Request: Welcome.aspx
    2. Web Server -> Client:  Response: Login.aspx
    3. Client -> Web Server:  Request: Login.aspx + data
    4. Web Server:            Authenticate user against Web.config or user database
    5. Web Server -> Client:  Response: Welcome.aspx + Cookie

    Forms Authentication: Typical Usage Scenarios

    Consider Forms authentication when:
    - User names and passwords are stored somewhere other than Windows accounts
    - Your application runs over the Internet
    - Support for all browsers and client operating systems is required
    - A custom logon page is needed

    Do not use Forms authentication when:
    - Applications are deployed on a corporate intranet and can take advantage of Integrated Windows authentication
    - You cannot programmatically verify the user name and password

    Forms Authentication: Other Considerations

    - Use SSL to secure passwords submitted via the logon page
    - Set cookie expiration to limit the damage from cookie theft and misuse
    - SSL degrades performance, so consider separating logon and content servers
    - Checking for the cookie is automatic in ASP.NET applications
    - Use Forms authentication with Windows accounts as an alternative to Basic or Digest authentication

    Forms Authentication: Implementation

    - Create a logon page
    - Create your custom account information lookup code
    - Configure IIS for Anonymous authentication
    - Configure the ASP.NET Web.config file, including the redirect URL for unauthenticated clients

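The implementation steps above, together with the cookie-expiry advice on the previous slide, come together in the Web.config below, an added example that is not from the deck. Login.aspx is the page name used in the Forms diagram; the user names alice and bob and their password digests are placeholders, and the account store shown is the Web.config alternative from the diagram rather than a user database.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example: Web.config for Forms authentication, covering the
     implementation steps and the cookie-expiry advice on the slides.
     Login.aspx comes from the slide diagram; users and digests are
     placeholders. -->
<configuration>
  <system.web>
    <authentication mode="Forms">
      <!-- loginUrl:   where unauthenticated clients are redirected (the
                       "redirect URL" of the implementation slide).
           protection: "All" encrypts and signs (MAC) the ticket, so a
                       client can neither read nor forge it.
           timeout:    minutes until the ticket expires; a short value
                       bounds how long a stolen cookie stays usable.
           path:       scope the cookie to this application only. -->
      <forms name=".ASPXAUTH"
             loginUrl="Login.aspx"
             protection="All"
             timeout="20"
             path="/">
        <!-- Account store kept in Web.config (the "Web.config or user
             database" choice in the diagram). Passwords are stored as SHA1
             hex digests, never in clear; the placeholders below stand for
             values produced by
             FormsAuthentication.HashPasswordForStoringInConfigFile. -->
        <credentials passwordFormat="SHA1">
          <user name="alice" password="SHA1_HEX_DIGEST_PLACEHOLDER" />
          <user name="bob"   password="SHA1_HEX_DIGEST_PLACEHOLDER" />
        </credentials>
      </forms>
    </authentication>

    <!-- Forms mode on its own only issues and checks tickets; it does not
         force a logon. Denying the anonymous user ("?") makes every page
         redirect to loginUrl until a valid ticket is presented. -->
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>

  <!-- Keep the logon page itself reachable by anonymous users. -->
  <location path="Login.aspx">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

With this file the logon page's own code only has to verify the posted credentials (here via FormsAuthentication.Authenticate against the credentials element, or custom lookup code against a database) and then call FormsAuthentication.RedirectFromLoginPage to issue the ticket. The slide's SSL advice is applied at the IIS level for this version of the Framework; later versions add a requireSSL attribute on the forms element so the cookie is only sent over HTTPS.
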
    Additional Resources

    Patterns & practices are Microsoft's recommendations for architects, software developers, and IT professionals responsible for delivering and managing enterprise systems on the Microsoft platform.

    To explore the available patterns & practices, visit: http://msdn.microsoft.com/practices
