SEC320: Developing Identity-aware apps on Microsoft's Identity Platform (Part 1)
David Mowers, Program Manager, Microsoft Security Solutions
Agenda – Part I
MSFT Identity platform
Authentication mechanisms
Authorization mechanisms
Trust mechanisms
Multi-tier Application Scenarios: Extranet, Intranet
What is in Part II?
Application Scenarios: Personalization
Application Configuration
Using LDAP based authentication and authorization
Accessing AD using .NET framework
MSFT Identity platform
Windows Server 2003, Active Directory, ADAM, MMS 2003, BizTalk, EBiz Suite, .NET Passport
Interoperability through standards: LDAP, Kerberos, SSL, XML, many more
Roles-based Access Control with Authorization manager
Security, Auditing, and Usability
MSFT Identity Platform - Goals
Lower TCO by improving manageability
Increase ROI by enabling new business opportunities
Rapid application development cycle
Build secure applications easily
Provide SSO (where possible)
Authentication mechanisms
Windows Integrated AuthN
Background: uses the Negotiate protocol (SPNEGO, RFC 2478); prefers Kerberos (RFC 1510) but falls back to NTLM when Kerberos is not available (no SPN registered, non-domain client, or server reached by IP address); an NTLM-authenticated identity cannot be delegated to a further tier
Pros/Cons: leverages existing AD and infrastructure; simple to enable (checkbox in IIS); best user experience
Requirements: IE 5.0 or higher on Windows 2000 or higher; code required: none
SSL authentication
Background: both server and client authentication available; widely used for server auth but also useful for client auth
Pros/Cons: requires widespread distribution and availability of certificates; once certs are distributed, easy to implement
Requirements: supported by most browsers and web servers; code required: none
Basic/Digest authentication
Background: Basic and Digest are HTTP-specific authentication methods; Basic sends the password in the clear (Base64 encoding is not protection)
Pros/Cons: easy to enable with an IIS checkbox; SSL encryption advised for both to protect password data
Requirements: Netscape supports only Basic; code required: none
ASP.NET Authentication
Implemented through authentication providers:
Windows authentication provider: Kerberos, SSL, Digest, Basic, Passport/AD mapping
Forms authentication provider
Passport authentication provider
Selected in the Web.config file:
<authentication mode="[Windows|Forms|Passport|None]"/>
One line of code changes the security context to the authenticated user
Windows Authentication Provider
WindowsImpersonationContext ic = WindowsIdentity.Impersonate(impersonateToken);
// Perform some action while impersonating.
ic.Undo();   // put this in a finally block so the thread reverts even if the action throws
Forms Authentication
Background: user types name and password into an application form; on success a cookie is written back to the browser
Pros/Cons: easy to develop with ASP.NET forms authentication; non-trivial to add SSO between different ASP.NET applications; no SSO for non-ASP.NET applications
Requirements: supports most browsers; one line of code logs the user in to the application
Forms Authentication
// Bind to AD to verify user creds (application code, not shown on the slide)
FormsAuthentication.RedirectFromLoginPage(Username, Persist);
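The slide leaves the "bind to AD" step as a comment. The following is an added example, not code from the deck: it verifies the submitted credentials with a bind against AD through System.DirectoryServices and only then calls RedirectFromLoginPage. The LDAP path, domain name, page class and control names are assumed for illustration.

```csharp
using System;
using System.DirectoryServices;
using System.Web.Security;
using System.Web.UI.WebControls;

// Credential check behind the "Bind to AD to verify user creds" comment.
public static class AdCredentialCheck
{
    // Returns true only if AD accepts userName/password for the domain.
    // ldapPath is illustrative, e.g. "LDAP://DC=testdom,DC=example" (assumed).
    public static bool VerifyCredentials(string ldapPath, string domain,
                                         string userName, string password)
    {
        // Reject empty credentials before touching the directory: an LDAP
        // simple bind with an empty password is treated as an anonymous
        // (unauthenticated) bind and succeeds, which would turn the login
        // form into a bypass for any user name.
        if (string.IsNullOrEmpty(userName) || string.IsNullOrEmpty(password))
            return false;

        try
        {
            // AuthenticationTypes.Secure binds with Negotiate (Kerberos, or
            // NTLM as fallback) instead of sending the password in a simple bind.
            using (DirectoryEntry entry = new DirectoryEntry(
                       ldapPath, domain + "\\" + userName, password,
                       AuthenticationTypes.Secure))
            {
                // Reading NativeObject forces the bind to happen now; a bad
                // password surfaces as DirectoryServicesCOMException.
                object bound = entry.NativeObject;
                return bound != null;
            }
        }
        catch (DirectoryServicesCOMException)
        {
            return false;   // unknown user, bad password, or locked-out account
        }
    }
}

// Login page code-behind: the deck's one line of code, preceded by the check.
// The control names (UserName, Password, PersistCookie, Message) are assumed.
public class LoginPage : System.Web.UI.Page
{
    protected TextBox UserName;
    protected TextBox Password;
    protected CheckBox PersistCookie;
    protected Label Message;

    protected void LoginButton_Click(object sender, EventArgs e)
    {
        bool ok = AdCredentialCheck.VerifyCredentials(
            "LDAP://DC=testdom,DC=example", "TESTDOM",
            UserName.Text, Password.Text);

        if (ok)
            FormsAuthentication.RedirectFromLoginPage(UserName.Text, PersistCookie.Checked);
        else
            Message.Text = "Invalid user name or password.";   // same message for both failure cases
    }
}
```

The same error message for an unknown user and a wrong password keeps the form from being used to enumerate accounts; the empty-password check is the one most often forgotten when a login form is wired straight to an LDAP bind.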
.NET Passport Authentication
Background: third-party authentication service; no worries about managing user passwords; other information can be stored locally
Pros/Cons: SSO for users; reduces customer password pain; no control over the Passport account
Requirements: code required: none for authentication; write the Passport user name (this will be the PUID) to link it with locally stored data
.NET Passport Authentication
using System.Security.Principal;
// With mode="Passport", Context.User.Identity is a PassportIdentity; the cast is required
PassportIdentity passport = (PassportIdentity)Context.User.Identity;
Response.Write(passport.Name);                              // the PUID
Response.Write(passport.GetProfileObject("MemberName"));    // a profile attribute
Associate the Passport identity with the current context; use GetProfileObject for additional profile attributes
Signed messages
Background: integrity protection of messages without the SSL burden; uses CAPICOM (generates PKCS#7 standard messages); a successful verification shows the message was signed by the holder of the sender's private key (it says nothing about freshness, so include a nonce or timestamp in the signed content if replay matters)
Pros/Cons: requires distribution of certs; no server authentication possible; requires IE
CAPICOM (VBScript)
' Enum values from the CAPICOM type library; VBScript cannot use them by name
Const CAPICOM_CURRENT_USER_STORE = 2
Const CAPICOM_MY_STORE = "My"
Const CAPICOM_STORE_OPEN_READ_ONLY = 0
Const CAPICOM_STORE_OPEN_EXISTING_ONLY = 128
' First open the store
Set oStore = CreateObject("CAPICOM.Store")
oStore.Open CAPICOM_CURRENT_USER_STORE, CAPICOM_MY_STORE, CAPICOM_STORE_OPEN_READ_ONLY Or CAPICOM_STORE_OPEN_EXISTING_ONLY
' Then select the certificate (Select() shows the certificate-picker dialog)
Set oSelectedCerts = oStore.Certificates.Select()
Set oSignerCert = oSelectedCerts(1)
Set oSigner = CreateObject("CAPICOM.Signer")
oSigner.Certificate = oSignerCert
' Sign the data (the result is a PKCS#7 SignedData message)
Set oSigned = CreateObject("CAPICOM.SignedData")
oSigned.Content = strDataToSign
SignedData = oSigned.Sign(oSigner)
Protocol Transition (Kerberos S4U2self extension)
Background
User authenticates to the service by some non-Kerberos means (e.g. Passport)
Service makes a TGS-REQ on the user's behalf (no password needed)
Service gets a service ticket to itself; the PAC carries the user's authorization data (user and group SIDs)
The Kerberos package builds a token from it: an impersonation token if the service holds SeTcbPrivilege ("Act as part of the operating system"), otherwise an identification token
A service account allowed to perform protocol transition can obtain a usable identity for any user without that user's involvement, so treat it as a high-value account
Requirements
Win32 API: LsaLogonUser with the user's UPN
Windows Server 2003 host and Windows Server 2003 DCs
.NET Passport/AD Authentication
User registers with the site while logged on to Passport
Account created in AD using the PUID as the mapping value
IIS virtual directory configured to require or request Passport authentication
IIS invokes protocol transition with the mapped account's "UPN" ([email protected] in the deck); if it succeeds, IIS impersonates the user
Use the Windows authentication provider (not Passport) in ASP.NET
Protocol transition in ASP.NET
using System.Security.Principal;
// S4U2self logon from the user name alone (no password); the documented argument is the user's UPN
WindowsIdentity id = new WindowsIdentity(@"TESTDOM\test");
One line of code!
Constrained Delegation (Kerberos S4U2proxy extension)
Background
Service holds a service ticket to itself, obtained either from a Kerberos client or via S4U2self
Service never gets the user's TGT
Service makes an S4U2proxy TGS-REQ; the delegation evidence is that service ticket, not the user's TGT
KDC returns a delegated service ticket to the target server; the PAC still carries the user's authorization data
Requirements
InitializeSecurityContext against the target SPN (the SPN must be on the service account's allowed-to-delegate-to list)
Service needs an impersonation token
Windows Server 2003 domain functional level
Constrained delegation in ASP.NET
using System.Security.Principal;
WindowsIdentity id = new WindowsIdentity(@"TESTDOM\test");   // protocol transition
WindowsImpersonationContext ic = id.Impersonate();           // impersonate
// Make off-box request for protected data.
ic.Undo();
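The two slides above show protocol transition and constrained delegation as three lines each. The following added example (not from the deck) puts them together with the two checks a practitioner wants: whether S4U2self produced an impersonation token or only an identification token (which tells you whether the host holds SeTcbPrivilege), and an Undo() that runs on every path. The UPN, the report URL and the FetchReport wrapper are assumed for illustration; the off-box target must be listed in the service account's allowed-to-delegate-to attribute.

```csharp
using System;
using System.Net;
using System.Security.Principal;

public static class ProtocolTransition
{
    // S4U2self: log the user on from a UPN alone (no password).
    // Whether the result can be used for impersonation depends on the host:
    // with SeTcbPrivilege the Kerberos package builds an Impersonation token;
    // without it only an Identification token, which is good for access
    // checks (id.Groups carries the PAC's group SIDs) but not for acting
    // as the user on or off the box.
    public static WindowsIdentity LogonByUpn(string userPrincipalName)
    {
        WindowsIdentity id = new WindowsIdentity(userPrincipalName);
        if (id.ImpersonationLevel == TokenImpersonationLevel.Identification)
            throw new InvalidOperationException(
                "S4U2self produced an identification token: this host lacks " +
                "SeTcbPrivilege, so the token cannot be used to impersonate.");
        return id;
    }

    // Impersonate, run the off-box call, and always revert. While the thread
    // impersonates, an SSPI/Kerberos request to a target SPN triggers
    // S4U2proxy: the KDC issues a ticket to the target using the user's
    // service ticket (not a TGT) as evidence, provided the target SPN is in
    // this service account's allowed-to-delegate-to list.
    public static T RunAs<T>(WindowsIdentity id, Func<T> offBoxCall)
    {
        WindowsImpersonationContext ctx = id.Impersonate();
        try
        {
            return offBoxCall();
        }
        finally
        {
            ctx.Undo();   // revert on every path, including exceptions
        }
    }
}

// Usage inside an ASP.NET handler (UPN and URL are assumed values).
public static class ReportClient
{
    public static string FetchReport()
    {
        WindowsIdentity user = ProtocolTransition.LogonByUpn("test@testdom.example");
        return ProtocolTransition.RunAs<string>(user, delegate
        {
            // UseDefaultCredentials picks up the impersonated thread identity,
            // so the HTTP request is authenticated as the user, not as the
            // worker-process account.
            WebClient client = new WebClient();
            client.UseDefaultCredentials = true;
            return client.DownloadString("http://reports.testdom.example/expense");
        });
    }
}
```

If FetchReport throws the InvalidOperationException, the fix is on the host (grant the worker-process account SeTcbPrivilege), not in the code; if the off-box call comes back unauthenticated instead, check that the target SPN is on the delegation list and that the account is marked for protocol transition.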
Authorization mechanisms
Why Role Based Authorization?
Developers: the app can manage its own groups; predict whether a user request can succeed; high-performance auditing
Administrators: manage roles, not object ACLs; no more ACE ordering and ACL inheritance surprises; simplified entitlement reporting and auditing
Resource owners: query groups capture business dynamics
Windows Authorization Manager
Diagram: IIS and the web app sit in front of Active Directory; the Authorization Manager policy store feeds a common roles-management UI, URL-based authorization in IIS, and granular authorization inside the web app, the last two through the Windows Authorization API.
Web Expense Application (example policy)
Role = {Tasks}, Task = {Operations}
Operation types: Database operation, Web operation, Directory operation, Payment-system operation
Roles: Administrator, Approver, Submitter
Tasks: Change Approver; Approve/Deny Payment; Approve/Reject Report; Submit Report; Cancel Report; Check Status
Programming Model
Development: implement operations, tasks, BizRule scripts
Installation: declare policy definitions (operations, tasks with BizRules, roles)
Runtime
Startup: AzInitializeAdminMgr, AzInitializeApplication
Client connection: IAzInitializeContext (from NT token or user name); render UI with GetRolesForUser
Operation request: AzClientContext.AccessCheck(Scope, Operations, BizRule parameters (optional)); BizRules are executed automatically
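The runtime sequence on this slide, written out as an added example in C# against the AzMan COM interop assembly (Microsoft.Interop.Security.AzRoles). This is not code from the deck; the store URL, the application name "WebExpense", the audit object name and the BizRule parameter are assumed, and the operation names come from the Web Expense policy shown earlier. The host page is assumed to run with Windows authentication so Context.User.Identity is a WindowsIdentity.

```csharp
using System;
using System.Security.Principal;
using Microsoft.Interop.Security.AzRoles;   // AzMan COM interop assembly

public class ExpenseAuthorizer
{
    private readonly IAzApplication _app;

    // Startup: AzInitializeAdminMgr + AzInitializeApplication.
    // storeUrl is illustrative, e.g. @"msxml://C:\policy\WebExpense.xml"
    // or an msldap:// URL for an AD-hosted store.
    public ExpenseAuthorizer(string storeUrl, string applicationName)
    {
        AzAuthorizationStoreClass store = new AzAuthorizationStoreClass();
        store.Initialize(0, storeUrl, null);              // flags 0: open, do not create
        _app = store.OpenApplication(applicationName, null);
    }

    // Client connection: IAzClientContext from the user's NT token, so the
    // PAC group SIDs (not just the user name) drive role membership.
    public IAzClientContext ContextFor(WindowsIdentity user)
    {
        return _app.InitializeClientContextFromToken(
            (ulong)user.Token.ToInt64(), null);
    }

    // Render UI: roles the user holds in a scope ("" = application scope),
    // so the page can hide tasks that would fail anyway.
    public string[] RolesFor(IAzClientContext ctx, string scope)
    {
        object[] raw = (object[])ctx.GetRoles(scope);
        string[] roles = new string[raw.Length];
        for (int i = 0; i < raw.Length; i++) roles[i] = (string)raw[i];
        return roles;
    }

    // Operation request: one AccessCheck for every operation the request
    // needs. BizRule parameter names must be sorted alphabetically (AzMan
    // binary-searches them). Each result is a Win32 error code; 0 = allowed.
    public bool IsAllowed(IAzClientContext ctx, string auditObjectName,
                          string scope, string[] operationNames,
                          string[] bizRuleParamNames, object[] bizRuleParamValues)
    {
        object[] opIds = new object[operationNames.Length];
        for (int i = 0; i < operationNames.Length; i++)
            opIds[i] = _app.OpenOperation(operationNames[i], null).OperationID;

        object[] results = (object[])ctx.AccessCheck(
            auditObjectName,                   // recorded in the audit event
            new object[] { scope },
            opIds,
            bizRuleParamNames, bizRuleParamValues,
            null, null, null);                 // no COM interfaces handed to scripts

        foreach (object r in results)
            if ((int)r != 0) return false;    // 5 = ERROR_ACCESS_DENIED
        return true;
    }
}

// Usage in a page (names assumed); a BizRule on ApproveReport could read
// the "Amount" parameter to cap what an Approver may sign off.
public class ApprovePage : System.Web.UI.Page
{
    protected bool CanApprove(int reportId, decimal amount)
    {
        ExpenseAuthorizer authz = new ExpenseAuthorizer(
            @"msxml://C:\policy\WebExpense.xml", "WebExpense");
        IAzClientContext ctx = authz.ContextFor((WindowsIdentity)Context.User.Identity);
        return authz.IsAllowed(ctx, "ExpenseReport " + reportId, "",
                               new string[] { "ApproveReport" },
                               new string[] { "Amount" }, new object[] { amount });
    }
}
```

Build the store and application objects once (at application start) rather than per request; initializing the client context from the token, not the name, is what keeps group-based role membership correct when the user's groups change.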
Trust mechanisms
Trust Mechanisms
NT4 trusts: poor manageability for large numbers of domains
Windows 2000 forests: better, but not quite there yet. What to do if your organization has more than one forest? External trusts don't enable Kerberos (authentication across them is NTLM only)
Windows Server 2003 forest trust: enables the key scenarios; the selective authentication option controls which users can use the forest trust to authenticate, and to which resources
Multi-tier Application Scenarios
Multi-tier apps: Trusted Subsystem vs Impersonation/Delegation
Diagram: Bob authenticates to the authentication tier (ASP/ASP.NET) on machine 1; the authorization and business-logic tier (Web service/COM+) and the resource tier (SQL/DB2/AS400) run on machine 2. Under impersonation/delegation Bob's identity flows through every tier to the resource; under the trusted-subsystem model the tiers call the resource under their own service identity.
Delegation & Impersonation Model
Pros: defense in depth through auditing (the real user's identity reaches each tier) and reduced exposure to server penetration
Cons: performance; platform compatibility (all tiers must support delegation and impersonation)
Building the Infrastructure
Diagram: Internet, Extranet (DMZ), Internal Network. The authentication tier (AuthN) lives in the DMZ in an external forest; the authorization tier (AuthZ), the Authorization Manager policy store and the back-end data store live in the internal forest; the two forests are joined by a forest trust with selective authentication.
Multi-tier Application Scenarios: Extranet
Customer Application Scenario
Diagram: AuthN tier in the Extranet (DMZ) in the external forest; AuthZ tier and back-end data store in the Internal Network in the internal forest; one-way forest trust with selective authentication.
Authentication: .NET Passport; the Passport identity is mapped to an AD account
Authorization policy applied in the AuthZ tier
Employee Application Scenario
Diagram: AuthN tier in the Extranet (DMZ) in the external forest; AuthZ tier and back-end data store in the Internal Network in the internal forest; forest trust with selective authentication.
Authentication: SSL client certificate, issued by Certificate Services; the certificate is mapped to an AD account
Authorization policy applied in the AuthZ tier
Partner Application Scenario
Diagram: AuthN tier in the Extranet (DMZ) in the external forest; AuthZ tier and back-end data store in the Internal Network in the internal forest; one-way forest trust with selective authentication.
Authentication: username/password, checked by an "Authenticate Partner" step in the AuthN tier
Authorization policy applied in the AuthZ tier
Multi-tier Application Scenarios: Intranet
Cross-Platform Intranet Access Scenario
Diagram: in contoso.com, a Windows user with IE and a *nix client with Mozilla reach both IIS and a Unix server running Apache; the Unix side authenticates against an MIT Kerberos realm; a shared authorization tier (AzMan web service) sits in front of a SQL backend.
Benefits: centralized ID management, Kerberos AuthN, SSO, centralized AuthZ policy
Multi-platform components
Kerberos software: MIT, Heimdal, Solaris, ISV
SPNEGO plugin: server side: Volution, Wedgetail; client (Mozilla) side: on the way; or build your own
AzMan web service: Volution; SDK sample (build your own)
LDAP authorization
Conclusion
Windows Identity Management Platform is a good foundation for secure applications
Authentication protocols to satisfy every scenario
Roles-based authorization built in to the platform
Flexible trust mechanisms
Redeploy applications for different scenarios with little code change
Watch for the MS Identity and Access Management Solution Accelerator, coming soon to www.microsoft.com
Ask The Experts: Get Your Questions Answered
I will be available in the ATE area during the following times to discuss this presentation or any security and I&AM issue:
2 July – 13:00-14:00
4 July – 10:00-12:00
Community Resources
Community Resources: http://www.microsoft.com/communities/default.mspx
Most Valuable Professional (MVP): http://www.mvp.support.microsoft.com/
Newsgroups: converse online with Microsoft Newsgroups, including Worldwide: http://www.microsoft.com/communities/newsgroups/default.mspx
User Groups: meet and learn with your peers: http://www.microsoft.com/communities/usergroups/default.mspx
© 2003 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.