
Understanding Integrated Authentication

Date post: 03-Apr-2018
Upload: crcool123

Transcript
  • 7/28/2019 Understanding Integrated Authentication

    1/20

    Understanding Integrated Authentication in IIS

    Chris Adams
    IIS Supportability Lead, Microsoft Corp.

    2/20

    Agenda

    Introduction to Integrated Authentication
    Dynamics of NTLM Authentication
    Dynamics of Negotiate Authentication
    Demonstration One
    Best Practices for Integrated Authentication
    References

    3/20

    Introduction to Integrated Authentication

    Introduced in Windows 2000.
    Commonly referred to as Windows Integrated Authentication.
    Secure: it is considered secure because it does not transmit the password on the wire.
    Preferred by Internet Explorer: if Basic and Integrated are both enabled, IE will use Integrated for security reasons.

    4/20

    Introduction: Let's review

    How authentication works in IIS

    Providers behind the server core (diagram): Anonymous, Basic, Digest, Kerberos, NTLM, Passport.

    1. Request enters the server core.
    2. Server core forwards it to the anonymous provider. IIS builds the path (w3svc/1/root) and verifies if anonymous is enabled.
       Yes: provide the path and the anonymous user's token to the authorization manager.
       No: IIS passes the path to each provider to determine if the path has that provider enabled. Each provider that is enabled returns the appropriate header to the server core.

    5/20

    Introduction

    (Diagram) Negotiate wraps two providers: Kerberos and NTLM.

    6/20

    Introduction to Integrated Authentication

    Platform information for Windows Integrated

    Windows NT 4: supports only NTLM (not known as Windows Integrated).
    Windows 2000: supports Negotiate and NTLM.
    Windows 2003: supports Negotiate and NTLM.

    7/20

    Introduction to Integrated Authentication

    8/20

    Introduction to Integrated Authentication

    How is the appropriate integrated authentication determined? (Flowchart)

    AuthNTLM enabled?
      No: 401.3 Access Denied.
      Yes: NTAuthenticationProviders decides between Negotiate and NTLM.
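    The provider pass and the AuthNTLM / NTAuthenticationProviders decision above, modelled in Python as an added example (not code from the slides or from IIS); the flag bit values are assumed to follow the metabase AuthFlags property, and the realm string is constructed:

```python
# Added example (not from the slides or from IIS): how a request to a metabase
# path such as w3svc/1/root is challenged, and which scheme IE then picks.
# Bit values assumed to follow the IIS metabase AuthFlags property.
AUTH_ANONYMOUS = 0x1
AUTH_BASIC = 0x2
AUTH_NTLM = 0x4   # "Integrated Windows Authentication" in IIS Manager

REALM = "ca-webcast.local"   # constructed realm for the Basic challenge


def iis_challenge(auth_flags, nt_auth_providers="Negotiate,NTLM"):
    """Return (status, substatus, WWW-Authenticate values) for an anonymous request."""
    if auth_flags & AUTH_ANONYMOUS:
        # Anonymous enabled: the anonymous user's token goes to the
        # authorization manager and no challenge is issued.
        return 200, 0, []
    headers = []
    if auth_flags & AUTH_NTLM:
        # NTAuthenticationProviders decides whether Negotiate, NTLM or both are offered.
        headers += [p.strip() for p in nt_auth_providers.split(",")
                    if p.strip() in ("Negotiate", "NTLM")]
    if auth_flags & AUTH_BASIC:
        headers.append('Basic realm="%s"' % REALM)
    if not headers:
        # Nothing enabled on this path: the 401.3 Access Denied branch of the flowchart.
        return 401, 3, []
    return 401, 0, headers


def ie_chooses(www_authenticate):
    """IE prefers Integrated over Basic: Negotiate first, then NTLM, and Basic only
    when no integrated scheme is offered."""
    offered = [value.split(" ")[0] for value in www_authenticate]
    for scheme in ("Negotiate", "NTLM", "Basic"):
        if scheme in offered:
            return scheme
    return None
```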

    9/20

    Dynamics of NTLM

    Connection oriented: the same connection is always used per request.
    HTTP Keep-Alives are required.

    Understanding auth dialog boxes: NTLM, by default, doesn't prompt.
    NTLM may prompt if the original request fails with 401.1.

    NTLM's use of Domain\Username\Password: Domain and Username are always shared over the wire between client and server.
    The password is never sent; a hash of the password is always used.
    Authentication header includes: Domain\Username\HashedPassword.

    10/20

    Dynamics of NTLM: Security

    Why is NTLM authentication secure? The hash algorithm applied to the password is unknown to anyone monitoring the HTTP requests on the wire.
    If connections are broken or manipulated (by proxies), then NTLM fails.

    11/20

    NTLM @ Work (sequence diagram between the IE client and IIS)

    Client: Get /Default.HTM
    IIS: 401 WWW-Auth: NTLM
    Client: Get /Default.HTM w/ AuthNTLM
    IIS: 401 (challenge)
    Client: Get /Default.HTM w/ AuthNTLM (hashed)
    IIS: 200 - OK, or 401 Access Denied

    12/20

    Dynamics of NTLM: NTLM at work (previous slide)

    1. IE client requests an IIS resource (anonymously).
    2. IIS returns 401 with a WWW-Authenticate header saying NTLM.
    3. IE submits a new request for the IIS resource with an NTLM Authentication header (username).
    4. IIS uses the NT Authentication header to build a secret key and sends 401 with the key back to the client.
    5. IE submits a new request for the IIS resource with an NTLM Authentication header (username\password\hash of password).
    6. IIS checks username\password\hash; if it matches, return 200 OK, or 401.1 Login failed (IE prompts).
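    Steps 1-6 as a toy exchange in Python, added here and not part of the deck: SHA-256 and HMAC-SHA256 are placeholders for NTLM's real hash and response computation, the account store is constructed, and tracking the connection id of each request is what lets the example show why a proxy that breaks the connection makes the handshake fail.

```python
import hashlib, hmac, os

# Added example (not from the slides). Toy model of the six-step NTLM exchange:
# SHA-256 / HMAC-SHA256 stand in for NTLM's real hash and response computation.
def pw_hash(password):
    return hashlib.sha256(password.encode("utf-16-le")).digest()

# Constructed account store: IIS holds a hash, never the clear-text password.
ACCOUNTS = {("CORP", "alice"): pw_hash("constructed-password")}

class NtlmServer:
    """IIS side. State is keyed by the TCP connection, which is why NTLM is
    connection oriented and needs HTTP keep-alives."""
    def __init__(self):
        self.pending = {}          # conn_id -> (domain, user, challenge)
        self.authenticated = set()

    def request(self, conn_id, auth=None):
        if conn_id in self.authenticated:           # later requests on this connection
            return 200, None
        if auth is None:                            # step 2: 401 with WWW-Authenticate: NTLM
            return 401, "NTLM"
        if auth[0] == "TYPE1":                      # steps 3-4: username in, challenge out
            challenge = os.urandom(8)
            self.pending[conn_id] = (auth[1], auth[2], challenge)
            return 401, ("NTLM", challenge)
        if auth[0] == "TYPE3":                      # steps 5-6: verify the hashed response
            state = self.pending.pop(conn_id, None)
            if state is None:                       # challenge went out on another connection
                return 401, "NTLM"                  # (proxy broke it): handshake restarts
            domain, user, challenge = state
            expected = hmac.new(ACCOUNTS.get((domain, user), b"\0"), challenge, "sha256").digest()
            if hmac.compare_digest(expected, auth[3]):
                self.authenticated.add(conn_id)
                return 200, None
            return 401, "NTLM"                      # 401.1 login failed: IE would prompt
        return 400, None

def ie_handshake(server, domain, user, password, conn_ids):
    """IE side of steps 1-6. conn_ids[i] is the connection used for request i;
    a proxy that re-opens connections shows up as differing ids."""
    status, www = server.request(conn_ids[0])                              # step 1: anonymous
    if (status, www) != (401, "NTLM"):
        return status
    status, www = server.request(conn_ids[1], ("TYPE1", domain, user))     # step 3
    if status != 401 or not isinstance(www, tuple):
        return status
    response = hmac.new(pw_hash(password), www[1], "sha256").digest()     # step 5: hash, not password
    return server.request(conn_ids[2], ("TYPE3", domain, user, response))[0]
```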

    13/20

    Dynamics of Negotiate

    Why create another authentication protocol?

    NTLM limitations:
    NTLM tokens cannot be delegated.
    NTLM is proprietary and only supported by the Windows platform.

    Is Negotiate a new protocol?
    No, it is just a wrapper that allows either Kerberos or NTLM authentication based on the client request.

    14/20

    Dynamics of Negotiate

    Key terms of Negotiate
    Client: Internet Explorer.
    Server: IIS server that is a member of an Active Directory domain.
    Active Directory: Key Distribution Center (KDC) for all clients.
    Ticket Granting Service: issues all tickets (aka tokens).

    15/20

    Dynamics of Negotiate

    (Diagram: IIS Server, Active Directory (KDC), Ticket Granting Services)

    The IIS server is started, and when the server authenticates to the domain (aka KDC) it receives its ticket.

    16/20

    Dynamics of Negotiate

    (Diagram: Active Directory (KDC)) Output of Setspn %computername% on the demo server:

    Registered ServicePrincipalNames for CN=CA-WEBCAST-IIS,OU=Domain Controllers,DC=ca-webcast,DC=local:
        GC/ca-webcast-iis.ca-webcast.local/ca-webcast.local
        HOST/ca-webcast-iis.ca-webcast.local/CA-WEBCAST
        HOST/CA-WEBCAST-IIS
        HOST/ca-webcast-iis.ca-webcast.local
        HOST/ca-webcast-iis.ca-webcast.local/ca-webcast.local
        E3514235-4B06-11D1-AB04-00C04FC2DCD2/84bbfa08-5854-4729-80aa-56117bc4ecb6/ca-webcast.local
        ldap/84bbfa08-5854-4729-80aa-56117bc4ecb6._msdcs.ca-webcast.local
        ldap/ca-webcast-iis.ca-webcast.local/CA-WEBCAST
        ldap/CA-WEBCAST-IIS
        ldap/ca-webcast-iis.ca-webcast.local
        ldap/ca-webcast-iis.ca-webcast.local/ca-webcast.local
        NtFrs-88f5d2bd-b646-11d2-a6d3-00c04fc9b232/ca-webcast-iis.ca-webcast.local

    17/20

    Negotiate @ Work (diagram: IE client, IIS Server, KDC (Active Directory))

    Client to KDC: "I need a ticket for the following service (aka HTTP\HOST)."
    KDC: if the service is located in the KDC, a secret key is shared with the client.
    The initial client request for the IIS resource is anonymous.
    The server response is 401 with a WWW-Auth header for Negotiate.
    Using the key provided, the client creates a hash (key) and sends it to IIS.
    IIS uses the shared secret key and verifies that the password matches.

    18/20

    Demonstration One

    Configuring a process to use a Domain Account and Kerberos

    The purpose of this demonstration is to show how a worker process identity set on an application pool affects authentication when the authenticated user uses the Negotiate protocol and Kerberos.
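    An added Python model (not from the deck or from Windows) of the ticket request in Negotiate @ Work and the application pool identity point of Demonstration One: HMAC-SHA256 stands in for the ticket encryption, the SPN names follow the setspn listing above, and the account name svc-webpool and all keys are constructed.

```python
import hashlib, hmac, os

# Added example (not from the slides). Toy model of the Negotiate/Kerberos path:
# a ticket is sealed with the key of the account that holds the SPN, and IIS can
# only open it with the key of the identity its worker process runs as.
ACCOUNT_KEYS = {                       # long-term keys known to the KDC and the account
    "CA-WEBCAST-IIS$": hashlib.sha256(b"constructed machine account key").digest(),
    "svc-webpool": hashlib.sha256(b"constructed domain account key").digest(),   # constructed
}

def kdc_issue_ticket(spn_owner, spn, client):
    """Ticket Granting Service: if the service (SPN) is located in the KDC, issue a
    ticket sealed with the key of the account the SPN is registered on."""
    owner = spn_owner.get(spn)
    if owner is None:
        return None
    nonce = os.urandom(8)
    tag = hmac.new(ACCOUNT_KEYS[owner], nonce + client.encode(), "sha256").digest()
    return nonce, client, tag

def iis_accept(ticket, worker_identity):
    """IIS validates the ticket with the key of its worker process identity
    (the application pool identity); any other account's ticket fails."""
    nonce, client, tag = ticket
    expected = hmac.new(ACCOUNT_KEYS[worker_identity], nonce + client.encode(), "sha256").digest()
    return hmac.compare_digest(expected, tag)

def negotiate(spn_owner, spn, client, worker_identity):
    """Outcome of IE asking the KDC for a ticket to the IIS service and presenting it."""
    ticket = kdc_issue_ticket(spn_owner, spn, client)
    if ticket is None:
        return "no ticket: SPN not registered, Negotiate falls back to NTLM"
    if iis_accept(ticket, worker_identity):
        return "200 OK"
    return "401: ticket sealed for another account than the worker process identity"

def setspn_add(spn_owner, spn, account):
    """What 'setspn -A <spn> <account>' records in Active Directory."""
    spn_owner[spn] = account
```

The three outcomes to compare are: no HTTP SPN registered, the SPN on the machine account while the pool runs as the domain account, and the SPN moved to the pool's own account.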

    19/20

    References

    IIS 6 Help Documentation
    http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003/proddocs/standard/sec_auth_intwinauth.asp

    IIS 6 Deployment Guide

    Load Balancing and Kerberos
    http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003/maintain/security/nlbsecbp.asp
    20/20

    Q & A