Date posted: 28-Dec-2015
Understanding Digest and Advanced Digest Authentication in IIS 6.0
Chris Adams, Web Platform Supportability Lead, Microsoft Corporation
Agenda
- Introduction to Authentication
- Defining Digest Authentication
- Digest vs. Advanced Digest
- Digging deeply into Digest Auth
- Digging deeply into Advanced Digest
- Summary
Introduction to Authentication
- What is authentication?
- What is authorization?
- Authentication vs. Authorization (401.1 versus 401.3)
Introduction to Authentication
How authentication works in Microsoft® Internet Information Services (IIS)
1. Request enters the server core.
2. Server core forwards to the anonymous provider. IIS builds the path (w3svc/1/root) and verifies if anonymous is enabled.
   - Yes: provide the path and the Anonymous user's token to the authorization manager.
   - No: IIS passes the path to each provider to determine if the path has that provider enabled.
Each provider that is enabled returns the appropriate header to the server core.
(Diagram: server core and the authentication providers Anonymous, Basic, Kerberos, NTLM, Digest and Passport.)
Introduction to Authentication
How authentication works in IIS
(Diagram: the WWW-Authenticate header returned to the client reads "Digest" for both Digest and Advanced Digest.)
Defining Digest Authentication
- Digest Authentication is an industry standard per Request for Comments (RFC) 2617.
- For IIS administrators and developers, Digest is available on these platforms:
  - Microsoft® Windows® 2000 and IIS 5.0
  - Microsoft® Windows Server™ 2003 and IIS 6.0
- Why interest in Digest?
  - Password is protected, not sent on the wire in "clear text".
  - Digest is optimized for Windows® domains.
Digest vs. Advanced Digest
Digest, available on Windows 2000 Server and Windows Server 2003, requires the following:
- Relies on the worker process running as Local System.
- Uses the IIS Sub-Authenticator (iissuba.dll).
- In Windows Server 2003, UseDigestSSP must be set to "false".
- Requires Microsoft® Windows® Active Directory®.
- User's password must be stored with Reversible Encryption enabled.
- Calculates the hash on the fly and transmits it over the wire.
Digest vs. Advanced Digest (2)
Advanced Digest:
- Not available on Windows 2000.
- Implemented in the core authentication provider in LSASS (not relying on the IIS Sub-Authenticator).
- Hash is stored as a property of the user in Windows Server 2003 Active Directory.
- Is the default Digest Authentication on clean installs of Windows Server 2003.
- Metabase property UseDigestSSP must be set to "true".
Digest vs. Advanced Digest (3)
How clients are authenticated using Digest
(Diagram: client, IIS and Active Directory.)
- 401.2 with WWW-Authenticate: Digest:Realm
- Key: User Hash (Username, Password, Realm)
- IIS sends the hash to the domain controllers
- 200 OK status
- 401.1 Login Failed, with a WWW-Authenticate header
Digest vs. Advanced Digest (4)
How clients are authenticated using Digest
(Diagram: client, IIS and Active Directory.)
- 401.2 with WWW-Authenticate: Digest:Realm
- Key: User Hash (Username, Password, Realm)
- IIS sends the hash to the domain controllers
- 200 OK status
- 401.1 Login Failed, with a WWW-Authenticate header
- Hash pre-computed and stored in Active Directory
Digging Deeply Into Digest
Digest Authentication has unique characteristics that present customers with challenges:
- Local System: non-issue on Windows 2000 because it uses iissuba.dll and it runs in Inetinfo.
- Reversible Encryption: the user's password must be stored with less security in Active Directory.
Digging Deeply Into Digest
How is the IIS Sub-Authenticator enabled?
Open a Command Prompt and type (case sensitive):
    rundll32 systemroot\system32\iissuba.dll,RegisterIISSUBA
Ensure Local System: default for Windows 2000. (Windows Server 2003)
Running as Local System is a bad security practice.
Demonstration One: Enabling Digest Authentication in Windows Server 2003
The goal is to demonstrate how administrators and developers can successfully enable Digest.
Digging Into Advanced Digest
- Advanced Digest is ONLY available in Windows Server 2003 and IIS 6.0.
- Advanced Digest is implemented in LSASS, where all other authentication types are performed.
- Advanced Digest is compliant with the Digest RFC.
- There is no UI for Advanced Digest; it is enabled using a command line.
  - Property = UseDigestSSP
Digging Into Advanced Digest (2)
- Advanced Digest relies on a pre-computed MD5 hash stored in Active Directory.
  - Stored in the same place as Kerberos hashes.
  - The MD5 hash is stored as multiple entries:
    - User@Domain - Ex: user@contoso
    - Domain\User - Ex: contoso\user
    - User@domain (UPN) - Ex: [email protected]
- Is this property secure in Active Directory?
  - Yes, no user, including Domain Admins, has access to where the hash is stored.
  - Only the Local Security Authority (LSA) has access to this hash information.
  - It is stored on the DC and is never sent off the DC.
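The RFC 2617 arithmetic behind the "User Hash (Username, Password, Realm)" in the Digest vs. Advanced Digest diagrams and behind the pre-computed MD5 hash that Advanced Digest keeps in Active Directory, as an added Python example (it is not code from the deck, and it is not IIS, iissuba.dll or LSASS code). The realm, user, password, nonce and URI values are constructed sample data; the verifier names (`verify_with_ha1`, `verify_with_password`) are this example's own. It shows why the two models differ: a server that computes the hash on the fly needs the cleartext password (hence reversible encryption), while a server holding only HA1 = H(username:realm:password) can verify the same client response without it, and why the stored hash has to exist once per spelling of the username.

```python
import hashlib
import secrets

# Constructed sample data (not from the deck): realm, user, server nonce, client nonce.
SAMPLE_REALM = "contoso"
SAMPLE_USER = "user"
SAMPLE_PASSWORD = "Sample-Passw0rd!"
SAMPLE_NONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093"   # server-issued challenge value
SAMPLE_CNONCE = "0a4f113b"                            # client-chosen nonce
SAMPLE_URI = "/iisstart.htm"


def h(data: str) -> str:
    """H() from RFC 2617: lowercase hex MD5 of the string."""
    return hashlib.md5(data.encode("utf-8")).hexdigest()


def ha1(username: str, realm: str, password: str) -> str:
    """HA1 = H(username:realm:password). This is the per-user value Advanced Digest
    pre-computes and stores. The username string is part of the input, so each
    spelling of the name (user@contoso, contoso\\user, UPN) needs its own entry."""
    return h(f"{username}:{realm}:{password}")


def ha2(method: str, uri: str) -> str:
    """HA2 = H(method:uri) for qop=auth."""
    return h(f"{method}:{uri}")


def digest_response(ha1_value: str, nonce: str, nc: str, cnonce: str,
                    method: str, uri: str) -> str:
    """response = H(HA1:nonce:nc:cnonce:auth:HA2) (RFC 2617, qop=auth)."""
    return h(f"{ha1_value}:{nonce}:{nc}:{cnonce}:auth:{ha2(method, uri)}")


def client_authorization(username: str, password: str, realm: str, nonce: str,
                         method: str, uri: str, cnonce: str,
                         nc: str = "00000001") -> str:
    """The Authorization header a browser sends after the 401 challenge. The
    password is only an input to H(); it never appears in the header."""
    response = digest_response(ha1(username, realm, password), nonce, nc, cnonce, method, uri)
    return (f'Digest username="{username}", realm="{realm}", nonce="{nonce}", '
            f'uri="{uri}", qop=auth, nc={nc}, cnonce="{cnonce}", response="{response}"')


def parse_authorization(header: str) -> dict:
    """Minimal parser for the header produced above (comma-separated key=value
    pairs, values optionally quoted)."""
    if not header.startswith("Digest "):
        raise ValueError("not a Digest Authorization header")
    fields = {}
    for part in header[len("Digest "):].split(","):
        key, _, value = part.strip().partition("=")
        fields[key] = value.strip('"')
    return fields


def verify_with_ha1(header: str, method: str, stored_ha1: str, expected_nonce: str) -> bool:
    """Server-side check using only the stored HA1 (the Advanced Digest model:
    the verifier never needs the cleartext password)."""
    f = parse_authorization(header)
    required = ("username", "nonce", "uri", "qop", "nc", "cnonce", "response")
    if any(k not in f for k in required) or f["qop"] != "auth" or f["nonce"] != expected_nonce:
        return False
    expected = digest_response(stored_ha1, f["nonce"], f["nc"], f["cnonce"], method, f["uri"])
    return secrets.compare_digest(expected, f["response"])   # constant-time compare


def verify_with_password(header: str, method: str, realm: str, password: str,
                         expected_nonce: str) -> bool:
    """Server-side check when the verifier can read the cleartext password and
    computes HA1 on the fly (why classic Digest needs reversible encryption)."""
    username = parse_authorization(header).get("username", "")
    return verify_with_ha1(header, method, ha1(username, realm, password), expected_nonce)


def demo() -> dict:
    """Runs one exchange with the constructed sample data and reports the checks."""
    hdr = client_authorization(SAMPLE_USER, SAMPLE_PASSWORD, SAMPLE_REALM, SAMPLE_NONCE,
                               "GET", SAMPLE_URI, SAMPLE_CNONCE)
    stored = ha1(SAMPLE_USER, SAMPLE_REALM, SAMPLE_PASSWORD)
    return {
        "password_on_wire": SAMPLE_PASSWORD in hdr,
        "ok_with_stored_hash": verify_with_ha1(hdr, "GET", stored, SAMPLE_NONCE),
        "ok_with_password": verify_with_password(hdr, "GET", SAMPLE_REALM, SAMPLE_PASSWORD, SAMPLE_NONCE),
        "wrong_password_rejected": not verify_with_password(hdr, "GET", SAMPLE_REALM, "wrong", SAMPLE_NONCE),
        # HA1 is realm-bound: a hash computed for another realm does not verify.
        "other_realm_hash_rejected": not verify_with_ha1(hdr, "GET", ha1(SAMPLE_USER, "fabrikam", SAMPLE_PASSWORD), SAMPLE_NONCE),
        "stale_nonce_rejected": not verify_with_ha1(hdr, "GET", stored, "different-nonce"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The same `digest_response` reproduces the worked example in RFC 2617 section 3.5 (user Mufasa, realm testrealm@host.com, password "Circle Of Life"), which is a useful sanity check for anyone adapting the functions. Note that HA1 alone is enough to answer any challenge for that user and realm, which is why the deck stresses that only the LSA can read the stored hash and that it never leaves the DC.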
Digging Into Advanced Digest (3)
Limitations of Advanced Digest to date:
- Microsoft® Internet Explorer 6.0 SP1 does not handle Advanced Digest requests properly.
  - For each request per connection, Internet Explorer prompts the user for credentials.
  - This is being fixed in Windows Server 2003 Service Pack 1.
Same connection, prompt for each GET (IIS log excerpt):
2004-09-16 12:06:21 127.0.0.1 GET /iisstart.htm - 80 WS03EE\Administrator 127.0.0.1 200 0 0
2004-09-16 12:06:22 127.0.0.1 GET /pagerror.gif - 80 WS03EE\Administrator 127.0.0.1 200 0 0
Demonstration Two: Enabling Advanced Digest Authentication in Windows Server 2003
The goal is to demonstrate how administrators and developers can successfully enable Advanced Digest.
Session Summary
- Digest follows the RFC 2617 standard.
- Windows 2000 offers Digest authentication only.
- Windows Server 2003 offers Digest and Advanced Digest authentication.
- Clients receive "Digest" and the Realm in the WWW-Authenticate header for both Digest and Advanced Digest.
- Digest requires the IIS Sub-Authenticator.
- Advanced Digest stores all information in Active Directory for each user and is implemented in LSASS.
References and Resources
IIS 6.0 Help:
- Digest: http://www.microsoft.com/resources/documentation/iis/6/all/proddocs/en-us/sec_auth_digestauth.mspx
- Adv. Digest: http://www.microsoft.com/resources/documentation/iis/6/all/proddocs/en-us/sec_auth_advdigestauth.mspx
KB Articles:
- IIS 6.0 Resource Kit
- IIS Forum: http://www.asp.net/forums
- IIS Answers: http://www.iisanswers.com
- IIS Frequently Asked Questions (FAQ): http://www.iisfaq.com
- IIS Resources: http://www.iis-resources.com
Get Up to Speed on .NET
Get Trained on Microsoft Developer Technologies
Register for upcoming webcasts at http://msdn.microsoft.com/webcasts
All times are Pacific Standard Time.
- Friday, October 08, 2004, 11:00 AM-12:30 PM: MSDN Webcast: Session 6: User Interface Beauty Tips for Windows Forms Applications
- Friday, October 08, 2004, 1:00 PM-2:30 PM: MSDN Webcast: Mathematics Based Software Construction Models (Part 5 of 6): Solid Prototyping—Level 200
- Monday, October 11, 2004, 9:00 AM-10:30 AM: MSDN Webcast: Visual Studio® Tools for Office - Nuts and Bolts (Part Two)
- Tuesday, October 12, 2004, 9:00 AM-10:30 AM: MSDN Webcast: User Roles in InfoPath® 2003
- Wednesday, October 13, 2004, 9:00 AM-10:30 AM: MSDN Webcast: Geek Speak: WSE 2.0 Introduction
- Wednesday, October 13, 2004, 11:00 AM-12:30 PM: MSDN Webcast: Digital Media and DirectX on Windows CE
Attend MSDN Events
- Who: Your Local Microsoft Developer Community Champion
- What:
  - Object Oriented Programming Fundamentals in VB.NET
  - Programming with MapPoint Web Services
  - Optimizing ASP.NET 1.1 Web Applications
  - ASP.NET 2.0 Membership and Personalization
- Why: Gain valuable developer knowledge, network with peers, and get VS 2005 Beta 1 Refresh and VS 2005 Express Betas on our content-rich special event DVD
- When: October through December, on Tuesdays and Thursdays from 1-5PM local time
- Where: Cities across the United States
- How: Visit MSDN Events at http://www.msdnevents.com to find out more!
MSDN Webcast Resources
- Visit our blog http://blogs.msdn.com/msdnwebcasts for an RSS feed of upcoming MSDN Webcasts.
- Submit text questions during the live webcast using the "Ask a Question" button.
- For recordings of past MSDN Webcasts: www.microsoft.com/usa/webcasts/ondemand
- Got webcast content ideas? Send us e-mail at: [email protected]
- More webcasts at http://msdn.microsoft.com/webcasts
Don't forget to fill out the survey.
https://msevents.microsoft.com/cui/WelcomePage.aspx?EventID=...