
Authentication in ASP.NET
Ronen Ashkenazi, Solutions Development Architect, Microsoft Israel, RonenA@Microsoft.com
23 January 2003

Agenda
Security Considerations
Relationship Between IIS and ASP.NET
Authentication Methods
Security for Web Services
Code Access Security

Security Considerations
Consider the following when designing an application:
Security goals
Security risks
Authentication
Authorization
Securing data transmission
Impersonation
Delegation
Operating system security
Securing physical access
Code access security

Security Relationship Between IIS and ASP.NET
(Flowchart, rendered as text: a request from a Web client passes through the following checks, first in IIS and then in ASP.NET)
1. IIS: IP address and domain permitted? No: access denied. Yes: continue.
2. IIS: User authenticated? No: access denied. Yes: launch the ASP.NET application.
3. ASP.NET: Impersonation enabled? No: the ASP.NET application runs with the local machine identity. Yes: the ASP.NET application assumes the client identity.
4. ASP.NET: Access check OK (e.g. NTFS permissions)? No: access denied. Yes: access granted.

ASP.NET Authentication Providers and IIS Security
ASP.NET supports three authentication providers:
Forms Authentication: relies on a logon form and cookies
Passport Authentication: centralized authentication service provided by Microsoft
Windows Authentication: IIS handles authentication
The provider is specified in the Web.config file:
    <!-- web.config file -->
    <authentication mode="[Windows|Forms|Passport|None]">
    </authentication>

ASP.NET and IIS Security Settings Matrix
(Table, rendered as text: which IIS authentication method each ASP.NET authentication provider is combined with)
ASP.NET authentication provider    IIS authentication method
Forms                              Anonymous
Windows                            Basic, Integrated, Digest, Certificate Mapping
Passport                           Anonymous
None (Custom)                      Anonymous

Authentication Using Windows Accounts
Authenticate users with Windows user accounts by combining IIS authentication with the Windows authentication provider for ASP.NET
No authentication-specific code needs to be written with this approach
ASP.NET constructs a WindowsPrincipal object and attaches it to the application context

Authentication Using Non-Windows Accounts
Configure IIS for Anonymous authentication and use one of the following .NET authentication modules:
None: custom authentication, or no authentication
Forms: provide a logon page
Passport: use the Passport service

Impersonation and Delegation
Impersonation allows ASP.NET applications to execute with a client's identity
Delegation enhances impersonation by allowing remote resources to be accessed while acting as the client
Impersonation is configured in the Web.config file:
    <!-- web.config file -->
    <identity impersonate="[true|false]" name="domain\user" password="pwd">
    </identity>

ASP.NET Thread Token for ASP.NET and IIS Configurations
(Table, rendered as text: the Windows token the ASP.NET request thread runs with, by IIS authentication setting and ASP.NET impersonation setting)
IIS setting                        Impersonation disabled   Impersonation enabled   Enabled with a specified user "Jeff"
IIS is using Anonymous             Process account          IUSR_SERVER             "Jeff"
IIS is not using Anonymous         Process account          Authenticated user      "Jeff"
Application resides on UNC share   IIS UNC token            IIS UNC token           "Jeff"

Application Identities
The ASP.NET application worker process (aspnet_wp.exe) executes under the ASPNET account
The ASPNET account has minimal privileges
Configure the account name in the <processModel> element of the machine.config file:
"SYSTEM" (System account)
"MACHINE" (ASPNET)
Custom user account
    <system.web>
    <processModel enable="true" username="domain\user" password="pwd">
    </processModel>
    </system.web>
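The three slides above (impersonation, the thread-token table and the worker-process identity) are easiest to see side by side in code. The page that follows is an added example, not code from the deck: an ASP.NET 1.x page that reports the process or thread token, the principal ASP.NET attached to the request, and shows programmatic impersonation for one file read when `<identity impersonate="false"/>` is configured. The class name `IdentityReport` and the file path argument are assumptions; the rest uses the System.Security.Principal and System.Web APIs that existed in .NET Framework 1.x.

```csharp
// Added example (not from the slides). Assumes <authentication mode="Windows"/> in
// Web.config and a non-anonymous IIS method, so User is a WindowsPrincipal.
using System;
using System.IO;
using System.Security.Principal;
using System.Web;
using System.Web.UI;

public class IdentityReport : Page   // hypothetical page class
{
    // Token the current thread runs with: the worker-process account (ASPNET, SYSTEM or
    // the <processModel> user) unless impersonation put the caller's token on the thread.
    public static string ThreadIdentityName()
    {
        return WindowsIdentity.GetCurrent().Name;
    }

    // The principal ASP.NET constructed from the IIS authentication result.
    public static string CallerName(IPrincipal user)
    {
        if (user == null || user.Identity == null || !user.Identity.IsAuthenticated)
            return "(anonymous)";
        return user.Identity.Name + " via " + user.Identity.AuthenticationType;
    }

    // A role check that needs a WindowsPrincipal: Windows group membership of the caller.
    public static bool IsWindowsAdministrator(IPrincipal user)
    {
        WindowsPrincipal wp = user as WindowsPrincipal;
        return wp != null && wp.IsInRole(WindowsBuiltInRole.Administrator);
    }

    // Programmatic impersonation: read one file as the caller even though the
    // application itself is configured with impersonate="false". The NTFS ACL on
    // 'path' is then evaluated against the caller's token, not the process token.
    // The impersonation context must always be undone, hence the finally block.
    public static string ReadFileAsCaller(IPrincipal user, string path)
    {
        WindowsIdentity wi = user.Identity as WindowsIdentity;
        if (wi == null)
            throw new InvalidOperationException("Caller has no Windows token; cannot impersonate.");

        WindowsImpersonationContext ctx = wi.Impersonate();
        try
        {
            using (StreamReader reader = new StreamReader(path))
            {
                return reader.ReadToEnd();
            }
        }
        finally
        {
            ctx.Undo();   // back to the process (or configured) identity
        }
    }

    protected override void OnLoad(EventArgs e)
    {
        base.OnLoad(e);
        Response.ContentType = "text/plain";
        Response.Write("Thread token        : " + ThreadIdentityName() + "\r\n");
        Response.Write("Authenticated caller: " + CallerName(User) + "\r\n");
        Response.Write("Caller is admin     : " + IsWindowsAdministrator(User) + "\r\n");
    }
}
```

Requesting the page with impersonation disabled prints the process account (ASPNET by default) as the thread token and the IIS-authenticated user as the caller, matching the "Process account / Authenticated user" cells of the table; with `<identity impersonate="true"/>` both lines show the caller. Keeping impersonation scoped to the one operation that needs it, as `ReadFileAsCaller` does, is the least-privilege option: the rest of the request keeps running as the low-privilege ASPNET account.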

Authentication Methods
Factors in Choosing an Authentication Method
Determining an Authentication Method

Factors in Choosing an Authentication Method
Server and client operating systems
Client browser type
Number of users, and location and type of the user name and password database
Deployment considerations (Internet vs. intranet, and firewalls)
Application type (interactive Web site or non-interactive Web service)
Sensitivity of the data being protected
Performance and scalability factors
Application authorization requirements (all users, or restricted areas)

Determining an Authentication Method
(Decision flowchart spread over two slides, rendered as text and reconstructed from the slide labels; the first part covers users without Windows accounts, the second part users with Windows accounts)
Users log on? No: Personalization required? No: Anonymous. Yes: Anonymous and cookies.
Users log on? Yes: Users in Windows accounts? No: Users in Passport? Yes: Passport (Anonymous IIS authentication and Passport). No: Interactive user logon? No: Certificates. Yes: Secure logon? No: Forms. Yes: Forms over SSL, or Certificates.
Users log on? Yes: Users in Windows accounts? Yes: continued below.
Determining an Authentication Method (continued)
Users are in Windows accounts. App runs on the Internet? Yes: Delegation required? Yes: Custom credential mapping, Basic, or Kerberos. No: Secure logon? No: Basic, Forms, or Digest. Yes: Basic/SSL, Digest/SSL, Forms/SSL, or Certificates.
App runs on the Internet? No: Servers and clients all Windows 2000? Yes: Basic, Digest, NTLM, Kerberos, or Certificates. No: Basic, NTLM, or Certificates.

Authentication Methods
Anonymous Authentication
Basic Authentication
Digest Authentication
Integrated Windows Authentication
Certificate Authentication
Passport Authentication
Forms Authentication Using Cookies

Overview of Anonymous Authentication
No authentication occurs in either IIS or ASP.NET
Good choice for a publicly available Web site that does not require the identity of the caller
No browser restrictions

Anonymous Authentication
Typical usage scenarios
Consider Anonymous authentication when:
Caller name and/or password is not required for logon or for business logic components
The information you are protecting is considered "public"
Do not use Anonymous authentication when:
You require a logon name and password

Anonymous Authentication
Other considerations
Good choice for sites containing personalized content only; for example, a news site only interested in the user's zip code
Impersonation cannot be used
Appropriate permissions need to be configured for the anonymous user account
Gives the highest performance, but the lowest security

Anonymous Authentication
Implementation
Configure IIS for Anonymous authentication
Configure the appropriate anonymous user account in IIS
Configure the ASP.NET Web.config file:
    <!-- web.config file -->
    <system.web>
    <authentication mode="None" />
    </system.web>

Overview of Basic Authentication
IIS instructs the browser to send the user's credentials over HTTP
The browser prompts the user with a dialog box
User names and passwords are sent using Base64 encoding, which is NOT secure
Most browsers support Basic authentication

Basic Authentication
Typical usage scenarios
Consider Basic authentication when you require:
Users to have Windows NT Domain or Active Directory accounts
Support for multiple browsers
Support for authentication over the Internet
Access to the clear text password in your application code
Delegation
Do not use Basic authentication when you require:
Secure logon while not using a secure channel, such as Secure Sockets Layer (SSL)
Storage of information in a custom database
A customized form presented to the user as a logon page

Basic Authentication
Other considerations
Delegation is possible using Basic authentication
Combine Basic authentication with SSL to prevent passwords from being deciphered

Basic Authentication
Implementation
Configure IIS for Basic authentication
Configure user accounts to have "log on locally" enabled on the Web server
Configure the ASP.NET Web.config file:
    <!-- web.config file -->
    <system.web>
    <authentication mode="Windows" />
    </system.web>

Overview of Digest Authentication
New to Windows 2000 and IIS 5.0
Protects the user's password with an MD5 hash (a digest) instead of sending the password itself
Dependent on browser and server capabilities
Cannot perform delegation

Digest Authentication
Typical usage scenarios
Consider Digest authentication when:
The Web server is running Windows 2000 and users have Windows accounts stored in Active Directory
All clients use either the .NET platform or Internet Explorer 5.0 or later
Password protection above that of Basic authentication is required
Support for authentication over the Internet is required
Do not use Digest authentication when:
Some clients use platforms other than .NET or Internet Explorer 5.0 or later
Users do not have Windows accounts stored in Active Directory
Delegation is required

Digest Authentication
Other considerations
Security:
Digest authentication is more secure than Basic authentication alone
Less secure than Basic authentication with SSL
Can also be combined with SSL
Platform requirements for Digest authentication:
Clients: .NET or Internet Explorer 5.0 (or later)
Server: running Active Directory with user accounts configured for Digest authentication

Digest Authentication
Implementation
Configure IIS for Digest authentication
Configure the ASP.NET Web.config file:
    <!-- web.config file -->
    <system.web>
    <authentication mode="Windows" />
    </system.web>

Overview of Integrated Windows Authentication
Uses either NTLM challenge/response or Kerberos to authenticate users with a Windows NT Domain or Active Directory account
No password is sent across the network
Best suited to an intranet environment
Works with Internet Explorer 3.01 or later

Integrated Windows Authentication
Typical usage scenarios
Consider Integrated Windows authentication when:
Users have Windows NT Domain or Active Directory accounts
Your application runs on an intranet (behind a firewall)
All clients are running Internet Explorer 3.01 or later
Delegation is required (requires Kerberos)
A seamless logon procedure for domain users is required (e.g. without pop-up logon dialog boxes)
Do not use Integrated Windows authentication when:
User accounts are stored in an external database
Authentication over the Internet is required
Clients are using non-Microsoft browsers
You need the client's clear text password

Integrated Windows Authentication
Other considerations
NTLM and Kerberos are considered highly secure
NTLM does not support delegation; Kerberos does
Neither NTLM nor Kerberos is commonly used over the Internet
Kerberos is faster than NTLM, but neither is as fast as Basic authentication

Integrated Windows Authentication
Implementation
Clients and servers must be running Windows 2000 in a Windows 2000 domain
User and service accounts must be enabled for delegation
Configure IIS for Integrated Windows authentication
Configure the ASP.NET Web.config file:
    <!-- web.config file -->
    <system.web>
    <authentication mode="Windows" />
    </system.web>

Overview of Certificate Authentication
A certificate is a digital "key" installed on a computer
Certificates can be mapped to user accounts
(Sequence diagram, rendered as text: client, Web server and domain controller)
1. Client request: Welcome.aspx
2. Web server response: certificate request
3. Client request: Login.aspx + certificate
4. Web server validates the certificate against the domain controller
5. Web server response: Welcome.aspx

Certificate Authentication
Typical usage scenarios
Consider Certificate authentication when:
Data is considered very sensitive and you require a very secure solution
Mutual authentication is required
Third parties will manage the relationship between the server and the certificate holder
Client interaction must be seamless; for example, automated B2B exchanges
Do not use Certificate authentication when:
The cost of issuing and managing client certificates outweighs the value of the added security

Certificate Authentication
Other considerations
Client certificates must be deployed to the client workstations
Map certificates to:
Individual user accounts (one-to-one mapping)
Any user from a single company (many-to-one mapping)

Certificate Authentication
Implementation
Configure IIS for Certificate authentication
Configure the ASP.NET Web.config file:
    <!-- web.config file -->
    <system.web>
    <authentication mode="Windows" />
    </system.web>
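IIS performs the certificate handshake and, with mapping enabled, turns the certificate into a Windows account; the application still sees the certificate on `Request.ClientCertificate` and can apply its own checks before trusting the mapping. The page below is an added example, not code from the deck: it refuses requests that arrive without SSL, without a certificate, with a certificate IIS could not validate, outside the validity period, or from an issuer other than the one the application expects. The class name `CertificateGate` and the issuer string are assumptions; `HttpClientCertificate` and its properties are the real System.Web type.

```csharp
// Added example (not from the slides). Assumes IIS is configured for certificate
// authentication with mapping, and Web.config has <authentication mode="Windows"/>.
using System;
using System.Web;
using System.Web.UI;

public class CertificateGate : Page   // hypothetical page class
{
    // Assumed issuer DN for the CA that issues this application's client certificates.
    private const string ExpectedIssuer = "C=US, O=Example Corp, CN=Example Client CA";

    // Returns null when the certificate is acceptable, otherwise the reason to refuse.
    // Kept separate from the page so the policy can be reviewed and reused.
    public static string Reject(HttpClientCertificate cert, string expectedIssuer, DateTime now)
    {
        if (cert == null || !cert.IsPresent)
            return "no client certificate presented";
        if (!cert.IsValid)
            return "certificate failed IIS validation";     // chain or trust problem
        if (now < cert.ValidFrom || now > cert.ValidUntil)
            return "certificate outside its validity period";
        if (cert.Issuer != expectedIssuer)
            return "certificate issued by an unexpected CA";  // blocks many-to-one mapping surprises
        return null;
    }

    protected override void OnLoad(EventArgs e)
    {
        base.OnLoad(e);

        // A client certificate only exists on an SSL connection; anything else is refused.
        if (!Request.IsSecureConnection)
        {
            Response.StatusCode = 403;
            Response.End();
        }

        string reason = Reject(Request.ClientCertificate, ExpectedIssuer, DateTime.Now);
        if (reason != null)
        {
            Response.StatusCode = 403;
            Response.Write("Access denied: " + reason);
            Response.End();
        }

        // Record both the certificate subject and the Windows account IIS mapped it to,
        // so an audit trail can tie the Windows identity back to the certificate holder.
        Response.ContentType = "text/plain";
        Response.Write("Certificate subject: " + Request.ClientCertificate.Subject + "\r\n");
        Response.Write("Mapped account     : " + User.Identity.Name + "\r\n");
    }
}
```

The issuer check matters most with many-to-one mapping: every certificate from the mapped CA lands on the same Windows account, so the application should confirm the issuer is the CA it intended rather than accept whatever IIS mapped. `Response.End()` stops processing of the page, which is why no `return` follows it.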

Overview of Passport Authentication
A centralized authentication service provided by Microsoft
(Sequence diagram, rendered as text: client, Web server and Microsoft Passport)
1. Client request: Welcome.aspx
2. Web server response: Passport Sign In
3. Passport authenticates the user and creates authentication cookies
4. Client request: Login.aspx + cookie
5. Web server response: Welcome.aspx

Passport Authentication
Typical usage scenarios
Consider Passport authentication when:
Your site will interact with other Passport-enabled sites
Single sign-on capability is required
External maintenance of user names and passwords is useful
Do not use Passport authentication when:
You want to use user names and passwords already stored in your own database or Active Directory
Clients are other applications that access the site programmatically

Passport Authentication
Other considerations
Requires registration with the Passport service and installation of the Passport SDK on the server
Delegation is not possible on Windows 2000
The Passport User ID (PUID) is an identity only: implement code to map the PUID to users in Active Directory or a custom database
Passport uses encrypted cookies, which secures the system
Combine Passport with SSL to prevent replay attacks, for the highest level of security

Passport Authentication
Implementation
Install the Passport SDK on the server
Register with the Passport service
Configure IIS for Anonymous authentication
Configure the ASP.NET Web.config file:
    <!-- web.config file -->
    <system.web>
    <authentication mode="Passport" />
    </system.web>

Overview of Forms Authentication
A custom user interface accepts user credentials
Authentication is performed against a database using custom code
(Sequence diagram, rendered as text: client and Web server, which checks Web.config or a user database)
1. Client request: Welcome.aspx
2. Web server response: Login.aspx
3. Client request: Login.aspx + data
4. Web server authenticates the user against Web.config or the user database
5. Web server response: Welcome.aspx + cookie

Forms Authentication
Typical usage scenarios
Consider Forms authentication when:
User names and passwords are stored somewhere other than Windows accounts
Your application runs over the Internet
Support for all browsers and client operating systems is required
A custom logon page is needed
Do not use Forms authentication when:
Applications are deployed on a corporate intranet and can take advantage of Integrated Windows authentication
You cannot programmatically verify the user name and password

Forms Authentication
Other considerations
Use SSL to secure passwords submitted via the logon page
Set cookie expiration to limit cookie theft and misuse
SSL degrades performance, so consider separating logon and content servers
Checking for the cookie is automatic in ASP.NET applications
Use Forms authentication with Windows accounts as an alternative to Basic or Digest authentication

Forms Authentication
Implementation
Create a logon page
Create your custom account information lookup code
Configure IIS for Anonymous authentication
Configure the ASP.NET Web.config file, including the redirect URL for unauthenticated clients:
    <!-- web.config file -->
    <system.web>
    <authentication mode="Forms">
    <forms loginUrl="login.aspx" />
    </authentication>
    </system.web>
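The four implementation steps above come together in the logon page's code-behind. The example below is added here and is not code from the deck: an ASP.NET 1.x `login.aspx` code-behind with a custom lookup against a constructed in-memory account table (standing in for the user database), the SSL and cookie-expiry points from the considerations slide applied, and the matching Web.config in a comment. The class name `LoginPage`, the control names, the sample account and the cookie name are assumptions; `FormsAuthentication.RedirectFromLoginPage` and `HashPasswordForStoringInConfigFile` are the real .NET Framework 1.x APIs.

```csharp
/* Assumed Web.config for this page (added example, not from the slides):
<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms name=".EXAMPLEAUTH" loginUrl="login.aspx" protection="All" timeout="20" path="/" />
    </authentication>
    <authorization>
      <deny users="?" />   <!-- "?" = anonymous: every unauthenticated request goes to login.aspx -->
    </authorization>
  </system.web>
</configuration>
*/
using System;
using System.Collections;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.WebControls;

public class LoginPage : Page   // hypothetical code-behind for login.aspx
{
    // Controls declared on the .aspx page (names assumed).
    protected TextBox UserName;
    protected TextBox Password;
    protected Label Message;
    protected Button LoginButton;

    // Constructed sample account store: user name -> SHA1 hex digest of the password.
    // A real application queries its own database here; only digests are stored.
    private static readonly Hashtable Accounts = new Hashtable();

    static LoginPage()
    {
        Accounts["alice"] = FormsAuthentication.HashPasswordForStoringInConfigFile("correct horse", "SHA1");
    }

    // Custom lookup code: true only when the name exists and the digest of the submitted
    // password equals the stored digest. The clear-text password is never stored or logged.
    public static bool ValidateUser(string name, string password)
    {
        if (name == null || password == null) return false;
        string stored = Accounts[name] as string;
        if (stored == null) return false;
        string submitted = FormsAuthentication.HashPasswordForStoringInConfigFile(password, "SHA1");
        return stored == submitted;
    }

    protected override void OnInit(EventArgs e)
    {
        base.OnInit(e);
        LoginButton.Click += new EventHandler(LoginButton_Click);
    }

    private void LoginButton_Click(object sender, EventArgs e)
    {
        // The logon page itself must be served over SSL so the submitted password is protected.
        if (!Request.IsSecureConnection)
        {
            Message.Text = "Logon requires a secure (https) connection.";
            return;
        }

        if (ValidateUser(UserName.Text, Password.Text))
        {
            // Issues the encrypted, signed authentication cookie (protection="All") and sends the
            // browser back to the page it originally asked for. The second argument 'false' makes
            // the cookie non-persistent: it dies with the browser session and, per timeout="20",
            // after 20 minutes, which limits the window for a stolen cookie.
            FormsAuthentication.RedirectFromLoginPage(UserName.Text, false);
        }
        else
        {
            // One generic message for both unknown user and wrong password.
            Message.Text = "Invalid user name or password.";
        }
    }
}
```

`ValidateUser` is the piece the slides call "custom account information lookup code"; if the accounts are instead kept in Web.config under `<credentials passwordFormat="SHA1">`, `FormsAuthentication.Authenticate(name, password)` performs the same comparison. The unsalted SHA1 digest is what the 1.x API offers; a store you control should add a per-user salt to the hashing step.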

Additional Resources
Patterns & practices are Microsoft's recommendations for architects, software developers, and IT professionals responsible for delivering and managing enterprise systems on the Microsoft platform
To explore the available patterns & practices, visit: http://msdn.microsoft.com/practices
