Understanding Digest and Advanced Digest Authentication in IIS 6.0

Chris Adams

Web Platform Supportability Lead

Microsoft Corporation

Agenda
  • Introduction to Authentication
  • Defining Digest Authentication
  • Digest vs. Advanced Digest
  • Digging deeply into Digest Auth
  • Digging deeply into Advanced Digest
  • Summary
Introduction to Authentication
  • What is authentication?
  • What is authorization?
  • Authentication vs. Authorization
    • 401.1 versus 401.3
Introduction to Authentication
How authentication works in Microsoft® Internet Information Services (IIS)
  • Request enters server core
  • Server core forwards to anonymous provider. IIS builds path (w3svc/1/root) and verifies if anonymous is enabled.
  • Yes: Provide path and Anonymous user's token to authorization manager
  • No: IIS passes the path to each provider to determine if path has that provider enabled.
  • Each provider that is enabled returns to Server core the appropriate header.

[Diagram: Server Core dispatching to the authentication providers Anonymous, Basic, Kerberos, NTLM, Digest and Passport]

Introduction to Authentication
  • How authentication works in IIS

[Diagram: Server Core returns the WWW-Authenticate header; the Digest provider serves both Digest and Adv. Digest]
Defining Digest Authentication
  • Digest Authentication is an industry standard per Requests for Comments (RFC) 2617
  • For IIS administrators and developers, Digest is available on these platforms:
    • Microsoft® Windows® 2000 and IIS 5.0
    • Microsoft® Windows Server™ 2003 and IIS 6.0
  • Why interest in Digest?
    • Password is protected, not sent on wire in “clear text”
    • Digest is optimized for Windows® domains
Digest vs. Advanced Digest
  • Digest, available on Windows 2000 Server and Windows Server 2003, requires the following:
    • Relies on worker process to run as Local System
    • Uses the IIS Sub-Authenticator (iissuba.dll)
    • In Windows Server 2003, UseDigestSSP must be set to “false”
    • Requires Microsoft® Windows® Active Directory®
      • User’s password must be stored with Reversible Encryption enabled
    • Calculates the hash on the fly and transmits it over the wire
Digest vs. Advanced Digest (2)
  • Advanced Digest
    • Not available on Windows 2000
    • Implemented in core authentication provider in LSASS (not relying on IIS Sub-Authenticator)
    • Hash is stored as property of user in Windows Server 2003 Active Directory
    • Is default Digest Authentication on clean installs of Windows Server 2003
    • Metabase property UseDigestSSP must be set to “true”
Digest vs. Advanced Digest (3)

[Diagram: How clients are authenticated using Digest]
  • 401.2 with WWW-Authenticate: Digest:Realm
  • User Hash computed from (Username, Password, Realm)
  • IIS sends hash to Domain Controllers (Active Directory)
  • 200 OK status, or 401.1 Login Failed with a WWW-Authenticate header

Digest vs. Advanced Digest (4)

[Diagram: How clients are authenticated using Digest, with the hash pre-computed and stored in Active Directory]
  • 401.2 with WWW-Authenticate: Digest:Realm
  • User Hash computed from (Username, Password, Realm)
  • IIS sends hash to Domain Controllers (Active Directory), where the hash is pre-computed and stored
  • 200 OK status, or 401.1 Login Failed with a WWW-Authenticate header

Digging Deeply Into Digest
  • Digest Authentication has unique characteristics that provide customers with challenges
    • Local System: Non-issue on Windows 2000 because it uses iissuba.dll and it runs in Inetinfo
    • Reversible Encryption: User's password must be stored with less security in Active Directory
Digging Deeply Into Digest
  • How is IIS Sub-Authenticator enabled?
    • Open a Command-Prompt, type (case sensitive):
      • rundll32 %systemroot%\system32\iissuba.dll,RegisterIISSUBA
  • Ensure Local System
    • Default for Windows 2000
    • Windows Server 2003

(Callout: Running as Local System is a Bad Security Practice)

Demonstration One
Enabling Digest Authentication in Windows Server 2003
The goal is to demonstrate how administrators and developers can successfully enable Digest

Digging Into Advanced Digest
  • Advanced Digest is ONLY available in Windows Server 2003 and IIS 6.0
  • Advanced Digest is implemented in LSASS where all other authentication types are performed
  • Advanced Digest is compliant with the Digest RFC
  • There is no UI for Advanced Digest; it is enabled using the command line
    • Property = UseDigestSSP
Digging Into Advanced Digest (2)
  • Advanced Digest relies on a pre-computed MD5 hash stored in Active Directory
    • Stored in the same place as Kerberos hashes
  • MD5 hash is stored as multiple entries:
    • User@Domain - Ex: user@contoso
    • Domain\User – Ex: contoso\user
    • User@domain (UPN) – Ex: user@contoso.local
  • Is this property secure in Active Directory?
    • Yes, no user, including Domain Admins, has access to where the hash is stored
    • Only the Local Security Authority (LSA) has access to this hash information
    • It is stored on the DC and is never sent off the DC
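The hash computation behind the last two slides and the Digest flow diagrams, as an added example that is not part of the presentation: it computes the RFC 2617 HA1 (the "User Hash" of username, realm and password) for each of the three username forms the slide lists, then shows that a server holding only the stored HA1 can verify a client's response without ever seeing the password, which is the property Advanced Digest relies on. The realm `contoso` and the username forms mirror the slide; the password, nonces and function names are constructed for this example.

```python
import hashlib
import secrets

# Constructed sample values: the realm and the three username forms mirror the
# slide; the password, nonces and URI used below are made up for this example.
REALM = "contoso"
PASSWORD = "S3cret!"  # under Advanced Digest the server never needs to store this
USERNAME_FORMS = ["user@contoso", "contoso\\user", "user@contoso.local"]

def md5_hex(data: str) -> str:
    return hashlib.md5(data.encode("utf-8")).hexdigest()

def ha1(username: str, realm: str, password: str) -> str:
    """RFC 2617 HA1 = MD5(username:realm:password), the 'User Hash' of the slides.
    Advanced Digest pre-computes and stores this per user in Active Directory."""
    return md5_hex(f"{username}:{realm}:{password}")

def precompute_entries(realm: str, password: str) -> dict:
    """One HA1 per username form, as stored (user@domain, domain\\user, UPN)."""
    return {u: ha1(u, realm, password) for u in USERNAME_FORMS}

def digest_response(h1, method, uri, nonce, nc=None, cnonce=None, qop=None):
    """RFC 2617 response. With qop="auth" the nonce count and client nonce are
    mixed in; without qop the older RFC 2069 form MD5(HA1:nonce:HA2) is used."""
    ha2 = md5_hex(f"{method}:{uri}")
    if qop:
        return md5_hex(f"{h1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return md5_hex(f"{h1}:{nonce}:{ha2}")

def client_response(username, password, method, uri, nonce, **qop_params):
    """Client side: the password is hashed locally; only the response crosses the wire."""
    return digest_response(ha1(username, REALM, password), method, uri, nonce, **qop_params)

def server_verify(stored_h1, method, uri, nonce, response, **qop_params):
    """Server side: recompute from the stored HA1 alone; no clear-text password and
    hence no Reversible Encryption in AD (which classic Digest needs) is required."""
    expected = digest_response(stored_h1, method, uri, nonce, **qop_params)
    return secrets.compare_digest(expected, response)

def demo(nonce="constructed-nonce-0001", qp=None):
    """Authenticate GET /iisstart.htm (the path from the log slide) under each username form."""
    qp = qp or {"nc": "00000001", "cnonce": "0a4f113b", "qop": "auth"}
    entries = precompute_entries(REALM, PASSWORD)
    return {u: server_verify(entries[u], "GET", "/iisstart.htm", nonce,
                             client_response(u, PASSWORD, "GET", "/iisstart.htm", nonce, **qp), **qp)
            for u in USERNAME_FORMS}
```

Because HA1 includes the username string, each of the three name forms yields a different stored value, which is why Advanced Digest keeps one entry per form.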
Digging Into Advanced Digest (3)
  • Limitations of Advanced Digest to date
  • Microsoft® Internet Explorer 6.0 SP1 does not handle advanced digest requests properly
    • For each request per connection, Internet Explorer prompts the user for credentials
  • This is being fixed in Windows Server 2003 Service Pack 1

IIS log excerpt (same connection, prompt for each GET):
2004-09-16 12:06:21 127.0.0.1 GET /iisstart.htm - 80 WS03EE\Administrator 127.0.0.1 200 0 0
2004-09-16 12:06:22 127.0.0.1 GET /pagerror.gif - 80 WS03EE\Administrator 127.0.0.1 200 0 0

Demonstration Two
Enabling Advanced Digest Authentication in Windows Server 2003
The goal is to demonstrate how administrators and developers can successfully enable Advanced Digest

Session Summary
  • Digest follows the RFC standard 2617
  • Windows 2000 offers Digest authentication only
  • Windows Server 2003 offers Digest and Advanced Digest authentication
  • Clients receive “Digest” and the Realm in the WWW-Authenticate header for both Digest and Advanced Digest
  • Digest requires the IIS Sub-Authenticator
  • Advanced Digest stores all information in Active Directory for each user and is implemented in LSASS
References and Resources
  • IIS 6.0 Help:
    • Digest: http://www.microsoft.com/resources/documentation/iis/6/all/proddocs/en-us/sec_auth_digestauth.mspx
    • Adv. Digest: http://www.microsoft.com/resources/documentation/iis/6/all/proddocs/en-us/sec_auth_advdigestauth.mspx

  • KB Articles:
  • IIS 6.0 Resource Kit
  • IIS Forum: http://www.asp.net/forums
  • IIS Answers: http://www.iisanswers.com
  • IIS Frequently Asked Questions (FAQ): http://www.iisfaq.com
  • IIS Resources: http://www.iis-resources.com
Get Up to Speed on .NET
Get Trained on Microsoft Developer Technologies
  • Register for upcoming webcasts at http://msdn.microsoft.com/webcasts

All times are Pacific Standard Time

Attend MSDN Events
  • Who
    • Your Local Microsoft Developer Community Champion
  • What
    • Object Oriented Programming Fundamentals in VB.NET
    • Programming with MapPoint Web Services
    • Optimizing ASP.NET 1.1 Web Applications
    • ASP.NET 2.0 Membership and Personalization
  • Why
    • Gain valuable developer knowledge, network with peers, and get VS 2005 Beta 1 Refresh and VS 2005 Express Betas on our content-rich special event DVD
  • When
    • October through December, on Tuesdays and Thursdays from 1-5PM local time
  • Where
    • Cities across the United States
  • How
    • Visit MSDN Events at http://www.msdnevents.com to find out more!
MSDN Webcast Resources
  • Visit our blog http://blogs.msdn.com/msdnwebcasts for an rss feed of upcoming MSDN Webcasts
  • Submit text questions during the live webcast using the “Ask a Question” button
  • For recordings of past MSDN Webcasts: www.microsoft.com/usa/webcasts/ondemand
  • Got webcast content ideas? Send us e-mail at: webcasts@microsoft.com
  • More webcasts at http://msdn.microsoft.com/webcasts
  • Don’t forget to fill out the survey.