
The Ins and Outs of Authentication in IIS


Presentation Transcript


  1. The Ins and Outs of Authentication in IIS Chris Adams Web Platform Supportability Lead Microsoft Corp.

  2. Agenda
  • Introduction to Authentication
  • Diving into Authentication Types
    • Anonymous Access
    • Basic Authentication
    • Windows Authentication
    • Digest & Advanced Digest Authentication
    • Microsoft Passport Authentication
  • References
  • Q & A

  3. Introduction to Authentication
  • What is authentication?
  • What is authorization?
  • Authentication vs. Authorization
  • 401.1 versus 401.3

  4. Introduction to Authentication
  • How authentication works in IIS (providers shown: Anonymous, Basic, Kerberos, NTLM, Digest, Passport)
    • Request enters server core
    • Server core forwards to anonymous provider. IIS builds path (w3svc/1/root) and verifies if anonymous is enabled.
      • Yes: Provide path and Anon. user's token to authorization manager
      • No: IIS passes the path to each provider to determine if path has that provider enabled.
    • Each provider that is enabled returns to server core the appropriate header.
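The provider walk on slide 4 and the 401.1 versus 401.3 distinction from slide 3, as a small Python model added here (it is not code from the deck or from IIS). The AuthFlags bit values are the real IIS metabase constants; the challenge ordering, the realm and the nonce are assumptions of the model.

```python
import secrets

# Constructed model (added here, not from the deck) of the provider walk on
# slide 4. The AuthFlags bit values are the real IIS metabase constants; the
# rest (ordering, realm, nonce) is an assumption of the model.
ANON, BASIC, NTLM_BIT, MD5, PASSPORT = 0x1, 0x2, 0x4, 0x10, 0x40


def respond(auth_flags, nt_providers="Negotiate,NTLM", realm="CA-MAIN",
            anon_logon_ok=True, acl_allows=True):
    """Model the first round trip for a request with no Authorization header.

    Returns (status, list of WWW-Authenticate values).
    anon_logon_ok: could w3svc log on the IUSR account? (wrong metabase
      password with sub-auth disabled -> False -> 401.1)
    acl_allows: does the NTFS ACL admit the anonymous token? (no -> 401.3)
    """
    # 1. The server core always asks the anonymous provider first.
    if auth_flags & ANON:
        if anon_logon_ok:
            # The token goes to the authorization manager, which applies the
            # NTFS ACL: a denial there is the 401.3, not a 401.1.
            return ("200", []) if acl_allows else ("401.3", [])
        if not auth_flags & ~ANON:
            return ("401.1", [])  # logon failed and nothing else is enabled

    # 2. Otherwise each provider enabled on the path adds its challenge.
    headers = []
    if auth_flags & PASSPORT:
        headers.append("Passport1.4")
    if auth_flags & NTLM_BIT:
        # NTAuthenticationProviders decides Negotiate and/or NTLM (slide 26).
        headers += [p.strip() for p in nt_providers.split(",") if p.strip()]
    if auth_flags & MD5:
        headers.append(f'Digest realm="{realm}", '
                       f'nonce="{secrets.token_hex(16)}", qop="auth"')
    if auth_flags & BASIC:
        headers.append(f'Basic realm="{realm}"')
    if not headers:
        return ("401.2", [])  # IIS substatus: no usable authentication configured
    return ("401.1", headers)
```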

  5. Diving into Authentication Types
  • Topics
    • Anonymous Access
    • Basic
    • Integrated
    • Digest \ Adv. Digest
    • Microsoft Passport (IIS 6 Only)

  6. Anonymous Authentication
  • Anonymous Account: Role of IUSR
    • Provides uninhibited access to resources on Windows systems
    • Is automatically added during setup to the system's Guests group
    • Also used by MS FTP server for anonymous authentication
  • Understanding IIS Sub-authentication
    • Using IIS Sub Authenticator
    • Default on IIS 4.0 and 5.0

  7. Anonymous Authentication (2)
  • Understanding IIS Sub-Authenticator
    • "Allow IIS to Control Password" = SubAuth is being used
    • What component is IIS SubAuth?
    • Why does it exist?
  • Security Concerns:
    • Must run in-process (Inetinfo)
    • Must run as LocalSystem
    • Avoids password synchronization problems

  8. Anonymous Authentication (3)
  • Is IIS Sub-Authentication enabled? This checkbox ("Allow IIS to Control Password") enables IIS Sub-Authentication in IIS 4, 5, and 5.1. It does not exist in the IIS 6.0 IIS Manager.

  9. Anonymous Authentication (4)
  • Metabase Properties
    • Two secure properties (see previous slide):
      AnonymousUserName : (STRING) "IUSR_CA-MAIN"
      AnonymousUserPass : (STRING) "**********"
    • Token obtained at startup of the w3svc service for IUSR_MachineName
    • Both properties must contain correct information on user account and password when sub-auth is disabled
    • If not correct, a 401.1 results
    • Use the Event Viewer Security log to track failures
    • Can be customized at the site or virtual directory level

  10. Anonymous Authentication (5)
  • How to enable IIS Sub-Authentication?
    • Register IISSuba.dll (case-sensitive): rundll32 %windir%\system32\iissuba.dll,RegisterIISSUBA
    • Run ALL worker processes using Anonymous as LocalSystem (IIS 6 only)
    • Set the AnonymousPasswordSync metabase property to True at the desired location (e.g. w3svc/1/root)
  • How to disable IIS Sub-Authentication?
    • Unregister IISSuba.dll
    • Set the AnonymousPasswordSync metabase property to False at the desired location (e.g. w3svc/1/root)

  11. Demonstration One: Watching IIS Sub-Authentication in action. Designed to show how sub-authentication enabled vs. disabled works.


  13. Basic Authentication
  • Limitations and Risks of Basic
    • "Clear Text Passwords" – Base64 encoded
  • Advantages
    • RFC backed (RFC 2617)
    • Supports proxies
    • Wide browser support
    • Good authentication when combined with SSL
  • Disadvantages
    • Very insecure if not protected with Secure Sockets Layer (SSL)
    • Internet Explorer prefers Integrated over Basic when each is enabled on the path
    • Password sent directly on the wire (only encoded) allows administrators, or anyone on the path, to decode it if desired (less secure)

  14. Demonstration Two: Decoding Basic Authentication. Designed to show how simple it is to decode Basic Authentication and influence administrators to use SSL.
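The point of Demonstration Two, as an added Python example (not part of the deck): the Base64 step in a Basic Authorization header is reversible with no key, so the only protection is SSL. The two requests are constructed samples with made-up credentials; the audit reports the user name and whether the credentials travelled without SSL, never the password.

```python
import base64
import binascii

# Constructed samples (added here, not from the deck): one request over
# HTTPS and one over plain HTTP, both carrying made-up Basic credentials.
SAMPLE_REQUESTS = [
    ("https", "GET /secure/ HTTP/1.1\r\nHost: ca-main\r\n"
              "Authorization: Basic YWxpY2U6UEBzc3cwcmQ=\r\n\r\n"),
    ("http",  "GET /intranet/ HTTP/1.1\r\nHost: ca-main\r\n"
              "Authorization: Basic Ym9iOmh1bnRlcjI=\r\n\r\n"),
]


def decode_basic(header_value):
    """Return (user, password) from 'Basic <base64>', or None if malformed.

    No key is involved: Base64 is an encoding, not encryption, which is the
    whole point of the demonstration.
    """
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True)
    except (binascii.Error, ValueError):
        return None
    # RFC 2617: userid ":" password, the user-id may not contain a colon.
    user, sep, password = raw.decode("latin-1").partition(":")
    return (user, password) if sep else None


def audit(requests):
    """Flag each request whose Basic credentials were sent without SSL."""
    findings = []
    for scheme, raw in requests:
        for line in raw.split("\r\n"):
            name, _, value = line.partition(":")
            if name.strip().lower() != "authorization":
                continue
            creds = decode_basic(value.strip())
            if creds is None:
                continue
            findings.append({"user": creds[0], "scheme": scheme,
                             "exposed": scheme != "https"})
    return findings
```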


  16. Windows Integrated
  • What is Windows Integrated Authentication?
    • Negotiate
      • First Attempt: Kerberos (W2K, XP, W2K3)
      • Second Attempt: NTLM
  • Configuring Windows Integrated
    • Limited configuration in IIS Manager
    • Using command line to hard code Negotiate or NTLM

  17. Windows Integrated (2)
  • Limitations of Windows Integrated
    • Inability to force Kerberos Authentication
  • Troubleshooting
    • Kerberos
      • Is the Key Distribution Center (KDC) reachable?
      • Is the service principal name (SPN) registered properly?
    • NTLM
      • HTTP Keep-Alives enabled

  18. Windows Integrated (3)
  • Failures in Internet Scenario
    • Kerberos requires the client and server to have a trusted connection to the KDC
    • NTLM isn't supported by most proxies
  • Webcast on Integrated Authentication: Understanding Windows Integrated Authentication in IIS http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032242063&Culture=en-US

  19. Demonstration Three: Deciphering Kerberos vs. Integrated Authentication. Designed to show key aspects of this authentication around Kerberos and NTLM.

  20. Digest Authentication
  • What is digest authentication?
  • Limitation and Risks of Digest
  • Requirements of Digest
    • IIS Sub-Auth (iissuba - LocalSystem)
    • Active Directory
    • Password stored in AD with Reversible Encryption
  • Platforms available
    • Windows 2000
    • Windows 2003

  21. Advanced Digest
  • What is advanced digest authentication?
  • Requirements of Adv. Digest
    • 2003 Active Directory Forest required
    • Hash Pre-Compiled at User Creation
    • Strictly RFC Compliant
  • Platforms available
  • Determining which digest is being used?
  • More details on Digest and Adv. Digest Authentication: http://www.microsoft.com/windowsserver2003/iis/support/webcasts.mspx
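The RFC 2617 arithmetic behind slides 20 and 21, as an added Python example (not from the deck or from Windows): HA1 = MD5(user:realm:password) is what the server needs to check a Digest response, so classic Digest must recover the clear-text password (reversible encryption in AD) while Advanced Digest can store HA1 itself, pre-computed at user creation. The realm, user and password are made up, and AdvancedDigestStore is a hypothetical stand-in for the AD attribute.

```python
import hashlib
import secrets

# Constructed example (added here, not the deck's or Windows' code); the
# realm, user and password below are made up.
REALM = "ca-main.example"


def md5hex(s):
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def ha1(user, realm, password):
    """HA1 = MD5(user:realm:password). Advanced Digest stores this at user
    creation; classic Digest recomputes it from the reversibly encrypted
    password on every request. Note that HA1 is bound to the realm."""
    return md5hex(f"{user}:{realm}:{password}")


def digest_response(ha1_value, method, uri, nonce, nc, cnonce, qop="auth"):
    """response = MD5(HA1:nonce:nc:cnonce:qop:HA2), HA2 = MD5(method:uri)."""
    ha2 = md5hex(f"{method}:{uri}")
    return md5hex(f"{ha1_value}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


class AdvancedDigestStore:
    """Hypothetical store holding only HA1 per (user, realm): enough to
    verify a response without ever holding the clear-text password."""

    def __init__(self):
        self._ha1 = {}

    def create_user(self, user, password):
        self._ha1[(user, REALM)] = ha1(user, REALM, password)  # pre-computed

    def verify(self, user, method, uri, nonce, nc, cnonce, response):
        stored = self._ha1.get((user, REALM))
        if stored is None:
            return False
        expected = digest_response(stored, method, uri, nonce, nc, cnonce)
        return secrets.compare_digest(expected, response)  # constant time


def demo():
    """Client computes HA1 from its password; server checks using stored HA1."""
    store = AdvancedDigestStore()
    store.create_user("alice", "P@ssw0rd")
    nonce, cnonce = secrets.token_hex(16), secrets.token_hex(8)
    resp = digest_response(ha1("alice", REALM, "P@ssw0rd"), "GET", "/secure/",
                           nonce, "00000001", cnonce)
    good = store.verify("alice", "GET", "/secure/", nonce, "00000001", cnonce, resp)
    bad = store.verify("alice", "GET", "/secure/", nonce, "00000001", cnonce, "0" * 32)
    return good, bad
```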

  22. Demonstration Four: Using Digest Authentication. In this demonstration, we will perform the steps to successfully get Digest authentication working on Windows Server 2003.

  23. Microsoft Passport
  • Only available in IIS 6.0
  • Uses a secure central database
  • Allows delegation to other sites
  • Requirements:
    • SSL
    • HTTP Redirects
    • Cookies
    • Microsoft JScript

  24. Microsoft Passport – Key: How it works… (diagram labels)
  • IIS: 401.1 Login Failed with a WWW-Authenticate header (WWW-Authenticate: Passport1.4)
  • Client: HTTPS to Passport servers; obtains necessary cookie to send to IIS
  • IIS: 200 OK status
  • Passport servers and IIS: Shared Key – No Connection; key established during setup

  25. Microsoft Passport
  • Passport References
    • KB Articles:
      • The Sample Passport Web Site Pages Are Not Working Correctly http://support.microsoft.com/?id=300057
      • Error Message: Unknown Partner Error at Passport Login Server http://support.microsoft.com/?id=300111
      • Microsoft Passport FAQ http://support.microsoft.com/?id=277759

  26. Session Summary
  • There are a lot of variables that go into authentication in IIS
  • Understanding how IIS Sub-Authentication works is key to two authentication types: Anonymous and Digest
  • Basic authentication is commonly supported by browsers, but is insecure without encryption technology
  • Integrated authentication is complex and difficult to troubleshoot without knowing key metabase properties such as NTAuthenticationProviders
  • Passport is not widely used, but is supported by Windows Server 2003 and IIS 6.0

  27. Authentication References:
  • IIS 6 Help: http://www.microsoft.com/technet/prodtechnol/windowsserver2003/proddocs/standard/sec_auth_websiteauth.asp
  • IIS 6 Resource Guide: http://www.microsoft.com/downloads/details.aspx?FamilyID=80a1b6e6-829e-49b7-8c02-333d9c148e69&DisplayLang=en
  • Authentication and Authorization Diagnostics: http://www.microsoft.com/downloads/details.aspx?FamilyID=e90fe777-4a21-4066-bd22-b931f7572e9a&DisplayLang=en

  28. Authentication References:
  • KB Articles:
    • INFO: How IIS Authenticates Browser Clients http://support.microsoft.com/?id=264921
    • HOW TO: Set Up Anonymous and Basic Authentication on the Same Web http://support.microsoft.com/?id=313251
    • Anonymous and Basic Authentication Fail When You Connect to IIS 5.0 on a http://support.microsoft.com/?id=263140
    • Authentication Issue with NTLM Security on IIS If User Name or Password http://support.microsoft.com/?id=262769

  29. Authentication References:
  • KB Articles:
    • HOW TO: Configure Internet Information Services Web Authentication in http://support.microsoft.com/?id=324276
    • HOW TO: Troubleshoot Kerberos-Related Issues in IIS http://support.microsoft.com/?id=326985
    • Kerberos Authentication Fails after Upgrading from IIS 4.0 to IIS 5.0 http://support.microsoft.com/?id=248350
    • Authentication May Fail with "401.3" Error If Web Site's "Host Header" http://support.microsoft.com/?id=294382

  30. MSDN Webcast Resources
  • Visit our blog http://blogs.msdn.com/msdnwebcasts for an RSS feed of upcoming MSDN Webcasts
  • Submit text questions during the live webcast using the "Ask a Question" button
  • For recordings of past MSDN Webcasts: www.microsoft.com/usa/webcasts/ondemand
  • Got webcast content ideas? Contact us at: http://register.microsoft.com/contactus30/contactus.asp?domain=multimedia/webcast
  • More webcasts at http://msdn.microsoft.com/webcasts
  • Don't forget to fill out the survey.

  31. Additional Resources
  • New mobile development resource kits
    • Mobile Application Development Toolkit
    • WeRock 247 .NET Smart Client Training DVD
    • Football 247 .NET Training DVD
    • All may be ordered or downloaded at http://msdn.microsoft.com/mobility/windowsmobile/howto/kits/default.aspx
  • The DevTools MAD Lounge
    • Updates and additional resources for the Mobile Application Development Toolkit
    • www.msdevtools.net
  • MSDN Mobile and Embedded Developer Center
    • http://msdn.microsoft.com/mobility
