8/2/2019 Authaspdotnet Authentication in ASP
Authentication in ASP.NET
23 January 2003
Ronen Ashkenazi
Solutions Development Architect
Microsoft Israel
Agenda
Security Considerations
Relationship Between IIS and ASP.NET
Authentication Methods
Security for Web Services
Code Access Security
Security Considerations
Consider the following when designing an application:
Impersonation
Delegation
Operating system security
Securing physical access
Code access security
Security goals
Security risks
Authentication
Authorization
Securing data transmission
Security Relationship Between IIS and ASP.NET
Request flow from a Web client through IIS to an ASP.NET application (reconstructed from the flowchart on this slide):
1. IIS checks whether the client's IP address and domain are permitted. If not: access denied.
2. IIS authenticates the user with the configured authentication method. If authentication fails: access denied.
3. IIS launches the ASP.NET application.
4. If ASP.NET impersonation is enabled, the ASP.NET application assumes the client identity; if not, it runs with the local machine identity (the worker-process account).
5. The access check (e.g. NTFS permissions) is made against that identity. If it fails: access denied; otherwise: access granted.
Note that in step 5 a per-user NTFS ACL only restricts the caller when impersonation is enabled; with impersonation off, every request is checked as the process account.
ASP.NET Authentication Providers and IIS Security
ASP.NET supports three authentication providers:
Forms Authentication: relies on a logon form and cookies
Passport Authentication: centralized authentication service provided by Microsoft
Windows Authentication: IIS handles authentication
Provider is specified in the Web.config file
ASP.NET and IIS Security Settings Matrix
Rows: IIS authentication method. Columns: ASP.NET authentication provider. A "yes" marks a combination the deck recommends (the cell marks were lost in extraction and are filled in from the two slides that follow).

IIS authentication method | Forms | Windows | Passport | None (Custom)
Anonymous                 | yes   |         | yes      | yes
Basic                     |       | yes     |          |
Integrated                |       | yes     |          |
Digest                    |       | yes     |          |
Certificate Mapping       |       | yes     |          |
Authentication Using Windows Accounts
Authenticate users with Windows user accounts by combining IIS authentication and the Windows authentication provider for ASP.NET
No authentication-specific code needs to be written with this approach
ASP.NET constructs a WindowsPrincipal object for the authenticated user and attaches it to the request context (HttpContext.User)
Authentication Using Non-Windows Accounts
Configure IIS for Anonymous authentication and use one of the following .NET authentication modules:
None: custom or no authentication
Forms: provide a logon page
Passport: use the Passport service
Impersonation and Delegation
Impersonation allows ASP.NET applications to execute with a client's identity (the request thread carries the client's token)
Delegation enhances impersonation by allowing remote resources to be accessed while acting as the client; it needs the client's credentials or a delegable token, which only some authentication methods provide (Basic and Kerberos in the slides that follow)
Impersonation is configured in the Web.config file (the identity element)
ASP.NET Thread Token for ASP.NET and IIS Configurations
The token the ASP.NET request thread runs under, by impersonation setting (rows) and IIS configuration (columns):

ASP.NET impersonation                | IIS is using Anonymous | IIS is not using Anonymous | Application resides on UNC share
Disabled                             | Process account        | Process account            | IIS UNC token
Enabled                              | IUSR_SERVER            | Authenticated user         | IIS UNC token
Enabled with a specified user "Jeff" | "Jeff"                 | "Jeff"                     | "Jeff"

IUSR_SERVER stands for the IIS anonymous account IUSR_<machine name>.
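The following is an added illustration of the thread-token table above and of the IIS-to-ASP.NET request flow on the "Security Relationship Between IIS and ASP.NET" slide; it is not code from the deck. The account names ASPNET and IUSR_SERVER come from the slides; the IP ranges, the ACL entries and the request data are constructed for the example. It shows the point the table implies but does not spell out: with impersonation disabled, the NTFS check is made as the process account, so a caller who is not on the file's ACL is still served.

```python
"""Which identity an ASP.NET 1.x request thread runs under, and what the
access check of the IIS/ASP.NET flow then sees.

Added illustration of the thread-token table and of the request flow on the
"Security Relationship Between IIS and ASP.NET" slide; it is not code from
the slides.  The account names ASPNET and IUSR_SERVER come from the deck;
the IP ranges and ACL entries are constructed for the example.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple

PROCESS_ACCOUNT = "ASPNET"          # aspnet_wp.exe worker-process account
ANONYMOUS_ACCOUNT = "IUSR_SERVER"   # IUSR_<machine name>, the IIS anonymous account
UNC_TOKEN = "IIS UNC token"         # token IIS uses for content living on a UNC share


@dataclass
class Request:
    client_ip: str
    authenticated_user: Optional[str]   # None: IIS is using Anonymous authentication


@dataclass
class AppConfig:
    impersonate: bool                      # <identity impersonate="true|false"/>
    impersonate_as: Optional[str] = None   # <identity userName="..."/>: a fixed identity
    on_unc_share: bool = False


def thread_identity(req: Request, cfg: AppConfig) -> str:
    """The thread-token table: rows are the impersonation setting, columns
    the IIS configuration."""
    if cfg.impersonate and cfg.impersonate_as:
        return cfg.impersonate_as          # "Enabled with a specified user": same in every column
    if cfg.on_unc_share:
        return UNC_TOKEN                   # UNC share column for Disabled and Enabled
    if not cfg.impersonate:
        return PROCESS_ACCOUNT             # Disabled: process account, whatever IIS did
    if req.authenticated_user is None:
        return ANONYMOUS_ACCOUNT           # Enabled + IIS Anonymous
    return req.authenticated_user          # Enabled + IIS authenticated the user


def handle_request(req: Request, cfg: AppConfig, allowed_networks: Iterable[str],
                   auth_required: bool, acl: Iterable[str]) -> Tuple[bool, Optional[str]]:
    """Walk the decision chain of the flow chart and return
    (access granted?, identity the access check was made against)."""
    # 1. IIS: IP address and domain permitted?
    addr = ipaddress.ip_address(req.client_ip)
    if not any(addr in ipaddress.ip_network(n) for n in allowed_networks):
        return False, None
    # 2. IIS: user authenticated?  (an authenticating IIS method rejects anonymous callers)
    if auth_required and req.authenticated_user is None:
        return False, None
    # 3. ASP.NET: impersonation decides which token the thread carries
    identity = thread_identity(req, cfg)
    # 4. Access check, e.g. the NTFS ACL on the requested file, against that token
    return identity in set(acl), identity


if __name__ == "__main__":
    acl = {"ASPNET", "alice"}              # constructed NTFS ACL: process account and alice only
    nets = ["10.0.0.0/8"]
    bob = Request("10.1.2.3", "bob")
    # Impersonation off: bob is not in the ACL, but the check runs as ASPNET and passes.
    print(handle_request(bob, AppConfig(impersonate=False), nets, True, acl))   # (True, 'ASPNET')
    # Impersonation on: the check runs as bob and is refused.
    print(handle_request(bob, AppConfig(impersonate=True), nets, True, acl))    # (False, 'bob')
```

The two calls at the bottom are the same request against the same file; only the impersonation setting differs, and that alone decides whether the per-user NTFS ACL means anything.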
Application Identities
ASP.NET application worker process (aspnet_wp.exe) executes under the ASPNET account
ASPNET account has minimal privileges
Configure the account name in the processModel element of the machine.config file:
"SYSTEM" (System account; avoid it, the application then has full control of the server)
"MACHINE" (the ASPNET account, the default)
Custom user account
Authentication Methods
Factors in Choosing an Authentication Method
Determining an Authentication Method
Factors in Choosing an Authentication Method
Server and client operating systems
Client browser type
Number of users, location and type of user name and password database
Deployment considerations (Internet vs. intranet and firewalls)
Application type (interactive Web site or non-interactive Web service)
Sensitivity of data being protected
Performance and scalability factors
Application authorization requirements (all users, or restricted areas)
Determining an Authentication Method
Decision flowchart, reconstructed from the labels on this slide:
Users log on?
  No: Personalization required?
    No: Anonymous
    Yes: Users in Passport?
      No: Anonymous and cookies
      Yes: Anonymous and Passport
  Yes: Users in Windows accounts?
    Yes: continued on the next slide
    No: Interactive user logon?
      No: Certificates
      Yes: Secure logon?
        Yes: Forms over SSL, or Certificates
        No: Users in Passport?
          Yes: Passport
          No: Forms
Determining an Authentication Method (continued)
Yes, users are in Windows accounts. Decision flowchart, reconstructed from the labels on this slide:
App runs on Internet?
  Yes: Secure logon?
    No: Basic, Forms, Digest
    Yes: Basic/SSL, Digest/SSL, Forms/SSL, Certificates
  No: Delegation required?
    No: Basic, Digest, NTLM, Kerberos, Certificates
    Yes: Servers and clients Win2K?
      Yes: Basic, Kerberos
      No: Basic, NTLM, Certificates with custom credential mapping
Note that NTLM cannot delegate (see the Integrated Windows authentication slides), so without Kerberos the delegating options are effectively Basic, or certificates mapped through custom credential mapping to accounts whose credentials the application holds.
Authentication Methods
Anonymous Authentication
Basic Authentication
Digest Authentication
Integrated Windows Authentication
Certificate Authentication
Passport Authentication
Forms Authentication Using Cookies
Overview of Anonymous Authentication
No authentication occurs in either IIS or ASP.NET
Good choice for a publicly available Web site not requiring the identity of the caller
No browser restrictions
Anonymous Authentication: Typical usage scenarios
Consider Anonymous authentication when:
Caller name and/or password is not required for logon or business logic components
The information you are protecting is considered "public"
Do not use Anonymous authentication when:
You require a logon name and password
Anonymous Authentication: Other considerations
Good choice for sites containing personalized content only; for example, a news site only interested in the user's zip code
Impersonation of the caller is not possible: the request thread runs at most as the IIS anonymous account (IUSR_<machine name>), never as a named user
Appropriate permissions need configuring for the anonymous user account
Gives highest performance, but lowest security
Overview of Basic Authentication
IIS instructs the browser to send the user's credentials over HTTP
Browser prompts the user with a dialog box
User names and passwords are sent using Base64 encoding, which is NOT secure: Base64 is reversible encoding, not encryption, and the credentials travel with every request
Most browsers support Basic authentication
Basic Authentication: Typical usage scenarios
Consider Basic authentication when you require:
Users to have Windows NT Domain or Active Directory accounts
Support for multiple browsers
Support for authentication over the Internet
Access to the clear text password in your application code
Delegation
Do not use Basic authentication when you require:
Secure logon while not using a secure channel, such as Secure Sockets Layer (SSL)
Storage of information in a custom database
A customized form presented to the user as a logon page
Basic Authentication: Other considerations
Delegation is possible using Basic authentication, because the server receives the clear text password and can log on as the user to reach remote resources
Combine Basic authentication with SSL so that the credentials cannot be read off the wire; without SSL anyone on the network path can decode them
Basic Authentication: Implementation
Configure IIS for Basic authentication
Configure user accounts to have "log on locally" enabled on the Web server
Configure the ASP.NET Web.config file
Overview of Digest Authentication
New to Windows 2000 and IIS 5.0
The password itself is never sent: the browser sends an MD5 hash computed over the user name, realm, password, a server-supplied nonce and the request (hashing, not encryption)
Dependent on browser and server capabilities
Cannot perform delegation (the server never obtains the password)
Digest Authentication: Typical usage scenarios
Consider Digest authentication when:
The Web server is running Windows 2000 and users have Windows accounts stored in Active Directory
All clients use either the .NET platform or Internet Explorer 5.0 or later
Stronger protection of the password on the wire than Basic authentication provides is required
Support of authentication over the Internet is required
Do not use Digest authentication when:
Some clients use platforms other than .NET or Internet Explorer 5.0 or later
Users do not have Windows accounts stored in Active Directory
Delegation is required
Digest Authentication: Other considerations
Security:
Digest authentication is more secure than Basic authentication alone
Less secure than Basic authentication with SSL (a captured digest is still open to offline password guessing, and the content is not protected)
Can also be combined with SSL
Platform requirements for Digest authentication:
Clients: .NET or Internet Explorer 5.0 (or later)
Server running Active Directory with user accounts configured for Digest authentication (on Windows 2000 this means storing the password with reversible encryption, so that the domain controller can compute the same hash)
Digest Authentication: Implementation
Configure IIS for Digest authentication
Configure the ASP.NET Web.config file
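The following is an added example for the Basic and Digest sections above; it is not IIS code. It implements the server side of both schemes (Digest per RFC 2617 with qop="auth") to make the deck's two claims concrete: Basic hands the application the clear text password, which is exactly what lets it delegate, while Digest only ever yields an MD5 response bound to a server nonce, so the server cannot forward the password and a captured response cannot be replayed against another nonce or URI. The realm, the user store and the nonce values are constructed.

```python
"""Server-side verification of HTTP Basic and Digest credentials.

Added example for the Basic and Digest authentication sections above; it is
not IIS code.  It shows why Basic hands the application the clear-text
password (which is what makes delegation possible) while Digest (RFC 2617,
qop="auth") only ever yields an MD5 response bound to a server nonce, so the
password never crosses the wire and cannot be forwarded.  The realm, user
store and nonce values are constructed.
"""
import base64
import binascii
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

REALM = "example.local"   # constructed


def _ha1(user: str, realm: str, password: str) -> str:
    """RFC 2617 HA1 = MD5(user:realm:password); what a Digest server stores
    (or derives, which is why the account password must be recoverable)."""
    return hashlib.md5(f"{user}:{realm}:{password}".encode()).hexdigest()


# Constructed user store.  Basic needs a clear-text comparable secret;
# Digest needs HA1 (or the clear-text password to compute it).
BASIC_USERS: Dict[str, str] = {"jeff": "s3cret-pass"}
DIGEST_USERS: Dict[str, str] = {"jeff": _ha1("jeff", REALM, "s3cret-pass")}


def new_nonce() -> str:
    """Server nonce for the WWW-Authenticate: Digest challenge."""
    return secrets.token_hex(16)


def parse_basic(authorization: str) -> Optional[Tuple[str, str]]:
    """Decode 'Authorization: Basic <base64(user:password)>'.  Base64 is
    reversible encoding: anyone on the path runs the same function."""
    scheme, _, blob = authorization.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(blob, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def verify_basic(authorization: str) -> Optional[str]:
    """Return the user name on success.  After this call the server holds the
    clear-text password and could log on as the user elsewhere (delegation)."""
    creds = parse_basic(authorization)
    if creds is None:
        return None
    user, password = creds
    stored = BASIC_USERS.get(user)
    if stored is None or not hmac.compare_digest(stored.encode(), password.encode()):
        return None
    return user


def parse_digest(authorization: str) -> Optional[Dict[str, str]]:
    scheme, _, params = authorization.partition(" ")
    if scheme.lower() != "digest":
        return None
    fields = {}
    for part in params.split(","):          # values in this example contain no commas
        key, _, value = part.strip().partition("=")
        fields[key.strip()] = value.strip().strip('"')
    return fields


def digest_response(ha1: str, method: str, uri: str, nonce: str, nc: str,
                    cnonce: str, qop: str = "auth") -> str:
    """response = MD5(HA1:nonce:nc:cnonce:qop:HA2), HA2 = MD5(method:uri)."""
    ha2 = hashlib.md5(f"{method}:{uri}".encode()).hexdigest()
    return hashlib.md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}".encode()).hexdigest()


def verify_digest(method: str, uri: str, authorization: str, issued_nonce: str) -> Optional[str]:
    """Return the user name if the response matches the nonce this server
    issued for this URI; the server never learns the password."""
    f = parse_digest(authorization)
    if f is None or any(k not in f for k in
                        ("username", "realm", "nonce", "uri", "response", "nc", "cnonce")):
        return None
    if f["realm"] != REALM or f["nonce"] != issued_nonce or f["uri"] != uri:
        return None                          # stale nonce, or replay against another URI
    ha1 = DIGEST_USERS.get(f["username"])
    if ha1 is None:
        return None
    expected = digest_response(ha1, method, uri, f["nonce"], f["nc"], f["cnonce"], f.get("qop", "auth"))
    return f["username"] if hmac.compare_digest(expected.encode(), f["response"].encode()) else None


def client_basic_header(user: str, password: str) -> str:
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def client_digest_header(user: str, password: str, method: str, uri: str, nonce: str,
                         cnonce: str = "0a4f113b", nc: str = "00000001") -> str:
    resp = digest_response(_ha1(user, REALM, password), method, uri, nonce, nc, cnonce)
    return (f'Digest username="{user}", realm="{REALM}", nonce="{nonce}", uri="{uri}", '
            f'qop=auth, nc={nc}, cnonce="{cnonce}", response="{resp}"')
```

Run client_basic_header and client_digest_header for the same user and compare what the server can do with each: verify_basic ends with the password in hand, verify_digest only ever compares hashes, and a Digest header built for one nonce or one URI is refused for any other.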
Overview of Integrated Windows Authentication
Uses either NTLM challenge/response or Kerberos to authenticate users with a Windows NT Domain or Active Directory account
No password is sent across the network
Best suited to an intranet environment
Works with Internet Explorer 3.01 or later
Integrated Windows Authentication: Typical usage scenarios
Consider Integrated Windows authentication when:
Users have Windows NT Domain or Active Directory accounts
Your application runs on an intranet (behind a firewall)
All clients are running Internet Explorer 3.01 or later
Delegation is required (requires Kerberos)
Seamless logon procedure for domain users is required (e.g. without pop-up logon dialog boxes)
Do not use Integrated Windows authentication when:
User accounts are stored in an external database
Authentication over the Internet is required
Clients are using non-Microsoft browsers
You need the client's clear text password
Integrated Windows Authentication: Other considerations
NTLM and Kerberos are considered highly secure
NTLM does not support delegation; Kerberos does
Neither NTLM nor Kerberos is commonly used over the Internet (Kerberos needs the client to reach a domain controller, and the NTLM handshake does not survive most proxies)
Kerberos is faster than NTLM, but neither is as fast as Basic authentication
Integrated Windows Authentication: Implementation
For Kerberos delegation, clients and servers must be running Windows 2000 in a Windows 2000 domain
User and service accounts must be enabled for delegation (and the user account must not be marked "sensitive, cannot be delegated")
Configure IIS for Integrated Windows authentication
Configure the ASP.NET Web.config file
Overview of Certificate Authentication
A client certificate is a signed binding of a public key to an identity, issued by a certification authority and installed on the client computer; the client proves possession of the matching private key during the SSL handshake
Certificates can be mapped to user accounts
Exchange shown on the slide (Client, Web Server, Domain Controller):
1. Client: Request: Welcome.aspx
2. Web Server: Response: certificate request
3. Client: Request: Login.aspx + Certificate
4. Web Server validates the certificate (and resolves the mapped account) with the Domain Controller
5. Web Server: Response: Welcome.aspx
Certificate Authentication: Typical usage scenarios
Consider Certificate authentication when:
Data is considered very sensitive and you require a very secure solution
Mutual authentication is required
Third parties will manage the relationship between the server and the certificate holder
Client interaction must be seamless; for example, automated B2B exchanges
Do not use Certificate authentication when:
The cost of issuing and managing client certificates outweighs the value of the added security
Certificate Authentication: Other considerations
Client certificates must be deployed to the client workstations
Map certificates to:
Individual user accounts (one-to-one mapping)
Any user from a single company (many-to-one mapping)
Certificate Authentication: Implementation
Configure IIS for Certificate authentication (the site needs a server certificate and SSL; client certificates are only requested inside the SSL handshake)
Configure the certificate-to-account mappings in IIS
Configure the ASP.NET Web.config file
Overview of Passport Authentication
A centralized authentication service provided by Microsoft (the Passport service has since been retired; this material is of historical interest)
Exchange shown on the slide (Client, Web Server, Microsoft Passport):
1. Client: Request: Welcome.aspx
2. Web Server: Response: redirect to Passport Sign In
3. Client signs in at Microsoft Passport, which performs the authentication and creates the authentication cookies
4. Client: Request: Login.aspx + Cookie
5. Web Server: Response: Welcome.aspx
Passport Authentication: Typical usage scenarios
Consider Passport authentication when:
Your site will interact with other Passport-enabled sites
Single sign-on capability is required
External maintenance of user names and passwords is useful
Do not use Passport authentication when:
You want to use user names and passwords already stored in your own database or Active Directory
Clients are other applications that access the site programmatically
Passport Authentication: Other considerations
Requires registration with the Passport service and installation of the Passport SDK on the server
Delegation is not possible on Windows 2000
Passport User ID (PUID) is an identity only
Implement code to map the PUID to users in Active Directory or a custom database
Passport uses encrypted cookies, so the ticket contents cannot be read by the client; the cookie can still be captured and replayed if it travels over plain HTTP
Combine Passport with SSL to prevent replay attacks for the highest level of security
Passport Authentication: Implementation
Install the Passport SDK on the server
Register with the Passport service
Configure IIS for Anonymous authentication
Configure the ASP.NET Web.config file
Overview of Forms Authentication
A custom user interface accepts user credentials
Authentication is performed against a database using custom code
Exchange shown on the slide (Client, Web Server):
1. Client: Request: Welcome.aspx
2. Web Server: Response: redirect to Login.aspx
3. Client: Request: Login.aspx + data (the submitted credentials)
4. Web Server authenticates the user against Web.config or a user database
5. Web Server: Response: Welcome.aspx + Cookie
Forms Authentication: Typical usage scenarios
Consider Forms authentication when:
User names and passwords are stored somewhere other than Windows accounts
Your application runs over the Internet
Support for all browsers and client operating systems is required
A custom logon page is needed
Do not use Forms authentication when:
Applications are deployed on a corporate intranet and can take advantage of Integrated Windows authentication
You cannot programmatically verify the user name and password
Forms Authentication: Other considerations
Use SSL to secure passwords submitted via the logon page, and keep the authentication cookie on SSL as well, since whoever holds the cookie is the user until it expires
Set cookie expiration to limit the damage from cookie theft and misuse; keep the ticket encrypted and signed (protection="All") so it cannot be read or forged
SSL degrades performance, so consider separating logon and content servers
Checking for the cookie is automatic in ASP.NET applications: the forms authentication module validates the ticket on every request
Use Forms authentication with Windows accounts as an alternative to Basic or Digest authentication
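The following is an added example for the Forms authentication considerations above; it is not ASP.NET's FormsAuthentication class but models what it does: a credential check behind the logon page, a ticket carrying the user name and an expiry, and the per-request validation that rejects a tampered or expired ticket. The real ticket is encrypted and signed with the machineKey under protection="All"; here it is only keyed-hashed (HMAC), which covers forgery but not confidentiality. The key, the salt, the user store and the timestamps are constructed.

```python
"""Forms-authentication ticket handling: issue a ticket after a credential
check, validate it on every request, reject tampering and expiry.

Added example for the Forms authentication considerations above; it is not
ASP.NET's FormsAuthentication class, but models what it does (the real
ticket is encrypted and signed with <machineKey> under protection="All";
here it is only keyed-hashed, which covers forgery but not confidentiality).
The key, salt, user store and timestamps are constructed.
"""
import base64
import binascii
import hashlib
import hmac
import json
import time
from typing import Optional

MACHINE_KEY = bytes.fromhex("5f" * 32)   # constructed; stands in for <machineKey validationKey>
TICKET_TIMEOUT = 30 * 60                 # seconds; <forms timeout="30"/> is in minutes
_TAG_LEN = hashlib.sha256().digest_size

# Constructed password store: salted PBKDF2 rather than clear text or an
# unsalted hash in Web.config <credentials>.
_SALT = bytes.fromhex("00" * 16)         # constructed; use os.urandom(16) per user in practice


def _pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


USERS = {"jeff": (_SALT, _pbkdf2("s3cret-pass", _SALT))}


def check_credentials(user: str, password: str) -> bool:
    """The custom lookup code behind the logon page."""
    record = USERS.get(user)
    if record is None:
        _pbkdf2(password, _SALT)             # same cost for unknown users
        return False
    salt, digest = record
    return hmac.compare_digest(digest, _pbkdf2(password, salt))


def issue_ticket(user: str, now: Optional[float] = None) -> str:
    """Ticket = base64(body || HMAC(key, body)); body carries user and expiry."""
    now = time.time() if now is None else now
    body = json.dumps({"u": user, "iat": now, "exp": now + TICKET_TIMEOUT}).encode()
    tag = hmac.new(MACHINE_KEY, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body + tag).decode()


def validate_ticket(cookie: str, now: Optional[float] = None) -> Optional[str]:
    """What the forms authentication module does on each request: return the
    user name for a genuine, unexpired ticket, else None (redirect to logon)."""
    now = time.time() if now is None else now
    try:
        raw = base64.urlsafe_b64decode(cookie.encode())
    except (binascii.Error, ValueError):
        return None
    if len(raw) <= _TAG_LEN:
        return None
    body, tag = raw[:-_TAG_LEN], raw[-_TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(MACHINE_KEY, body, hashlib.sha256).digest()):
        return None                           # forged or tampered
    ticket = json.loads(body)
    if now >= ticket["exp"]:
        return None                           # expired: a stolen cookie dies with the timeout
    return ticket["u"]


def cookie_header(ticket: str, secure: bool = True) -> str:
    """Set-Cookie line; Secure keeps the ticket off plain HTTP, HttpOnly off script."""
    flags = "; Path=/; HttpOnly" + ("; Secure" if secure else "")
    return f"Set-Cookie: .ASPXAUTH={ticket}{flags}"
```

Issue a ticket only after check_credentials succeeds, send it with cookie_header over SSL, and call validate_ticket with the current time on every request; the timeout is the whole defence once a cookie has leaked, which is why the slide says to set it.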
Forms Authentication: Implementation
Create a logon page
Create your custom account information lookup code
Configure IIS for Anonymous authentication
Configure the ASP.NET Web.config file, including the redirect URL for unauthenticated clients
Additional Resources
Patterns & practices are Microsoft's recommendations for architects, software developers, and IT professionals responsible for delivering and managing enterprise systems on the Microsoft platform
To explore the available patterns & practices, visit: http://msdn.microsoft.com/practices