Authentication in ASP.NET

acceptableseashore | Security

5 Nov 2013 (3 years and 9 months ago)

84 views

Authentication in ASP.NET

23 January 2003

Ronen Ashkenazi

Solutions Development Architect

Microsoft Israel

RonenA@Microsoft.com

2

Agenda

- Security Considerations
- Relationship Between IIS and ASP.NET
- Authentication Methods
- Security for Web Services
- Code Access Security

3

Security Considerations

Consider the following when designing an application:

- Impersonation
- Delegation
- Operating system security
- Securing physical access
- Code access security
- Security goals
- Security risks
- Authentication
- Authorization
- Securing data transmission

4

Security Relationship Between IIS and ASP.NET

[Flowchart in the original deck; the decision sequence it shows, from web client to ASP.NET application:]

1. Web clients send the request to IIS.
2. IIS: IP address and domain permitted? No: access denied. Yes: continue.
3. IIS: User authenticated? No: access denied. Yes: launch ASP.NET application.
4. ASP.NET impersonation enabled? Yes: ASP.NET application assumes client identity. No: ASP.NET application runs with local machine identity.
5. Access check OK (e.g. NTFS)? No: access denied. Yes: access granted.

5

ASP.NET Authentication Providers and IIS Security

- ASP.NET supports three authentication providers:
  - Forms Authentication: relies on a logon form and cookies
  - Passport Authentication: centralized authentication service provided by Microsoft
  - Windows Authentication: IIS handles authentication
- Provider is specified in the Web.config file

    <!-- web.config file -->
    <authentication mode="[Windows|Forms|Passport|None]">
    </authentication>

6

ASP.NET and IIS Security Settings Matrix

[Matrix in the original deck: rows are the IIS authentication methods (Basic, Integrated, Digest, Certificate Mapping, Anonymous); columns are the ASP.NET authentication providers (Forms, Windows, Passport, None (Custom)). The cell markings showing which combinations apply did not survive the transcript.]

7

Authentication Using Windows Accounts

- Authenticate users with Windows user accounts by combining IIS authentication and the Windows authentication provider for ASP.NET
- No authentication-specific code needs to be written with this approach
- ASP.NET constructs and attaches a WindowsPrincipal object to the application context

8

Authentication Using Non-Windows Accounts

Configure IIS for Anonymous authentication and use one of the following .NET authentication modules:

- None: custom or no authentication
- Forms: provide a logon page
- Passport: use the Passport service

9

Impersonation and Delegation

- Impersonation allows ASP.NET applications to execute with a client's identity
- Delegation enhances impersonation by allowing remote resources to be accessed while acting as the client
- Impersonation is configured in the Web.config file (the attribute that names the account is userName)

    <!-- web.config file -->
    <identity impersonate="[true|false]"
              userName="domain\user"
              password="pwd">
    </identity>

10

ASP Thread Token for ASP and IIS Configurations

ASP.NET impersonation                | IIS is using Anonymous | IIS is not using Anonymous | Application resides on UNC share
-------------------------------------|------------------------|----------------------------|---------------------------------
Disabled                             | Process account        | Process account            | IIS UNC token
Enabled                              | IUSR_SERVER            | Authenticated user         | IIS UNC token
Enabled with a specified user "Jeff" | "Jeff"                 | "Jeff"                     | "Jeff"
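The table above describes which token the request thread carries. The following is an added example, not code from the deck: instead of a global <identity impersonate="true"/>, the page keeps running as the process account and impersonates the authenticated caller only for the one file read that should be checked against the caller's NTFS permissions. It assumes <authentication mode="Windows"/> with impersonation disabled, and the group name DOMAIN\ReportReaders and the file path are constructed placeholders.

```csharp
// Added example (not from the deck): scoped programmatic impersonation.
// Assumes IIS uses a Windows authentication method, web.config has
// <authentication mode="Windows"/> and <identity impersonate="false"/>.
// ReportPath and ReaderGroup are constructed placeholders.
using System;
using System.IO;
using System.Security.Principal;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;

public class ReportPage : Page
{
    private const string ReportPath = @"C:\inetpub\data\report.txt";   // constructed
    private const string ReaderGroup = @"DOMAIN\ReportReaders";         // constructed

    protected Label Output;   // <asp:Label id="Output" runat="server"/> in the .aspx

    protected void Page_Load(object sender, EventArgs e)
    {
        // IIS authenticated the caller; ASP.NET attached a WindowsPrincipal.
        WindowsPrincipal caller = User as WindowsPrincipal;
        if (caller == null || !caller.Identity.IsAuthenticated)
        {
            Deny(401);
            return;
        }

        // Authorize before touching any resource: check the caller's group membership.
        if (!caller.IsInRole(ReaderGroup))
        {
            Deny(403);
            return;
        }

        // With impersonation disabled the thread token is still the process
        // account (first row of the table), not the caller.
        string threadToken = WindowsIdentity.GetCurrent().Name;

        string report = ReadAsCaller((WindowsIdentity)caller.Identity, ReportPath);

        Output.Text = "Caller: " + caller.Identity.Name
                    + " (" + caller.Identity.AuthenticationType + ")"
                    + "; thread token outside the impersonated read: " + threadToken
                    + "; report length: " + report.Length;
    }

    // Impersonates the caller for the duration of one file read and always
    // reverts, so the rest of the request keeps running as the process account.
    private static string ReadAsCaller(WindowsIdentity caller, string path)
    {
        WindowsImpersonationContext context = caller.Impersonate();
        try
        {
            // The NTFS access check on this open is made against the caller's token.
            using (StreamReader reader = new StreamReader(path))
            {
                return reader.ReadToEnd();
            }
        }
        finally
        {
            context.Undo();   // revert even if the read throws
        }
    }

    private void Deny(int statusCode)
    {
        Response.StatusCode = statusCode;
        Response.SuppressContent = true;
        Context.ApplicationInstance.CompleteRequest();
    }
}
```

Reverting in a finally block matters: an exception between Impersonate() and Undo() would otherwise leave later code on the same thread running with the caller's token.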

11

Application Identities

- ASP.NET application worker process (aspnet_wp.exe) executes under ASPNET account
- ASPNET account has minimal privileges
- Configure account name in <processModel> element of machine.config file (the attribute is userName):
  - "SYSTEM" (System account)
  - "MACHINE" (ASPNET)
  - Custom user account

    <system.web>
        <processModel enable="true"
                      userName="domain\user"
                      password="pwd">
        </processModel>
    </system.web>

12

Authentication Methods

- Factors in Choosing an Authentication Method
- Determining an Authentication Method

13

Factors in Choosing an Authentication Method

- Server and client operating systems
- Client browser type
- Number of users, location and type of user name and password database
- Deployment considerations (Internet vs. intranet and firewalls)
- Application type (interactive Web site or non-interactive Web service)
- Sensitivity of data being protected
- Performance and scalability factors
- Application authorization requirements (all users, or restricted areas)

14

Determining an Authentication Method

[Decision flowchart in the original deck; only its questions and outcomes survive. Questions: Users log on? Personalization required? Users in Passport? Users in Windows accounts? Interactive user logon? Secure logon? Outcomes: Anonymous; Anonymous and cookies; Anonymous and Passport; Passport; Forms; Forms over SSL; Certificates. The branch for users in Windows accounts is continued on the next slide.]

15

Determining an Authentication Method

[Decision flowchart, continued from the previous slide; entry point: yes, users are in Windows accounts. Questions: App runs on Internet? Secure logon? Delegation required? Servers and clients Win2K? Outcomes: Basic; Digest; Forms; Basic/SSL; Digest/SSL; Forms/SSL; Certificates; NTLM; Kerberos; Custom Credential Mapping.]

16

Authentication Methods

- Anonymous Authentication
- Basic Authentication
- Digest Authentication
- Integrated Windows Authentication
- Certificate Authentication
- Passport Authentication
- Forms Authentication
- Using Cookies

17

Overview of Anonymous Authentication

- No authentication occurs in either IIS or ASP.NET
- Good choice for publicly available Web site not requiring the identity of the caller
- No browser restrictions

18

Anonymous Authentication: Typical usage scenarios

- Consider Anonymous authentication when:
  - Caller name and/or password is not required for logon or business logic components
  - The information you are protecting is considered "public"
- Do not use Anonymous authentication when:
  - You require a logon name and password

19

Anonymous Authentication: Other considerations

- Good choice for sites containing personalized content only
  - For example, a news site only interested in user's zip code
- Impersonation cannot be used
- Appropriate permissions need configuring for anonymous user account
- Gives highest performance, but lowest security

20

Anonymous Authentication: Implementation

- Configure IIS for Anonymous authentication
- Configure the appropriate anonymous user account in IIS
- Configure the ASP.NET Web.config file

    <!-- web.config file -->
    <system.web>
        <authentication mode="None" />
    </system.web>

21

Overview of Basic Authentication

- IIS instructs the browser to send the user's credentials over HTTP
- Browser prompts the user with a dialog box
- User names and passwords are sent using Base64 encoding (an encoding, not encryption), which is NOT secure
- Most browsers support Basic authentication

22

Basic Authentication: Typical usage scenarios

- Consider Basic authentication when you require:
  - Users to have Windows NT Domain or Active Directory accounts
  - Support for multiple browsers
  - Support for authentication over the Internet
  - Access to the clear text password in your application code
  - Delegation
- Do not use Basic authentication when you require:
  - Secure logon while not using a secure channel, such as Secure Sockets Layer (SSL)
  - Storage of information in a custom database
  - A customized form presented to the user as a logon page

23

Basic Authentication: Other considerations

- Delegation is possible using Basic authentication
- Combine Basic authentication with SSL to prevent passwords from being deciphered

24

Basic Authentication: Implementation

- Configure IIS for Basic authentication
- Configure user accounts to have "log on locally" enabled on Web server
- Configure the ASP.NET Web.config file

    <!-- web.config file -->
    <system.web>
        <authentication mode="Windows" />
    </system.web>

25

Overview of Digest Authentication

- New to Windows 2000 and IIS 5.0
- Sends an MD5 hash (digest) of the user's password rather than the password itself
- Dependent on browser and server capabilities
- Cannot perform delegation

26

Digest Authentication: Typical usage scenarios

- Consider Digest authentication when:
  - The Web server is running Windows 2000 and users have Windows accounts stored in Active Directory
  - All clients use either the .NET platform or Internet Explorer 5.0 or later
  - Password encryption above that of Basic authentication is required
  - Support of authentication over the Internet is required
- Do not use Digest authentication when:
  - Some clients use platforms other than .NET or Internet Explorer 5.0 or later
  - Users do not have Windows accounts stored in Active Directory
  - Delegation is required

27

Digest Authentication: Other considerations

- Security
  - Digest authentication is more secure than Basic authentication alone
  - Less secure than Basic authentication with SSL
  - Can also be combined with SSL
- Platform requirements for Digest authentication
  - Clients: .NET or Internet Explorer 5.0 (or later)
  - Server: running Active Directory with user accounts configured for Digest authentication

28

Digest Authentication: Implementation

- Configure IIS for Digest authentication
- Configure the ASP.NET Web.config file

    <!-- web.config file -->
    <system.web>
        <authentication mode="Windows" />
    </system.web>

29

Overview of Integrated Windows Authentication

- Uses either NTLM challenge/response or Kerberos to authenticate users with a Windows NT Domain or Active Directory account
- No password is sent across the network
- Best suited to an intranet environment
- Works with Internet Explorer 3.01 or later

30

Integrated Windows Authentication: Typical usage scenarios

- Consider Integrated Windows authentication when:
  - Users have Windows NT Domain or Active Directory accounts
  - Your application runs on an intranet (behind a firewall)
  - All clients are running Internet Explorer 3.01 or later
  - Delegation is required (requires Kerberos)
  - Seamless logon procedure for domain users is required (e.g. without pop-up logon dialog boxes)
- Do not use Integrated Windows authentication when:
  - User accounts are stored in an external database
  - Authentication over the Internet is required
  - Clients are using non-Microsoft browsers
  - You need the client's clear text password

31

Integrated Windows Authentication: Other considerations

- NTLM and Kerberos are considered highly secure
- NTLM does not support delegation; Kerberos does
- Neither NTLM nor Kerberos is commonly used over the Internet
- Kerberos is faster than NTLM, but neither is as fast as Basic authentication

32

Integrated Windows Authentication: Implementation

- Clients and servers must be running Windows 2000 in a Windows 2000 domain
- User and service accounts must be enabled for delegation
- Configure IIS for Integrated Windows authentication
- Configure the ASP.NET Web.config file

    <!-- web.config file -->
    <system.web>
        <authentication mode="Windows" />
    </system.web>

33

Overview of Certificate Authentication

- A certificate is a digital "key" installed on a computer
- Certificates can be mapped to user accounts

[Diagram in the original deck: exchange between Client, Web Server and Domain Controller]
  Client -> Web Server: Request: Welcome.aspx
  Web Server -> Client: Response: Certificate request
  Client -> Web Server: Request: Login.aspx + Certificate
  Web Server -> Domain Controller: Certificate validation
  Web Server -> Client: Response: Welcome.aspx

34

Certificate Authentication: Typical usage scenarios

- Consider Certificate authentication when:
  - Data is considered very sensitive and you require a very secure solution
  - Mutual authentication is required
  - Third parties will manage the relationship between the server and the certificate holder
  - Client interaction must be seamless; for example, automated B2B exchanges
- Do not use Certificate authentication when:
  - The cost of issuing and managing client certificates outweighs the value of the added security

35

Certificate Authentication: Other considerations

- Client certificates must be deployed to the client workstations
- Map certificates to:
  - Individual user accounts (one-to-one mapping)
  - Any user from a single company (many-to-one mapping)

36

Certificate Authentication: Implementation

- Configure IIS for Certificate authentication
- Configure the ASP.NET Web.config file

    <!-- web.config file -->
    <system.web>
        <authentication mode="Windows" />
    </system.web>
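As an added example (not code from the deck) of the many-to-one mapping described above done in application code rather than in the IIS mapping UI: the page reads the client certificate IIS forwarded, checks that it is present, valid and within its validity period, pins the issuing CA, and maps the organization in the subject to an application role. It assumes IIS is configured to require SSL and client certificates for this application and that IIS presents Issuer and Subject as comma-separated key=value pairs; the CA name and the company-to-role table are constructed placeholders.

```csharp
// Added example (not from the deck): validating and mapping a client certificate.
// Assumes IIS requires SSL + client certificates on this application, so
// Request.ClientCertificate carries a certificate IIS already chain-checked.
// TrustedIssuerCn and the company-to-role table are constructed placeholders.
using System;
using System.Collections.Generic;
using System.Web;

public static class ClientCertMapper
{
    private const string TrustedIssuerCn = "Example Partner CA";   // constructed

    // Constructed: organization (O=) in the subject -> application role.
    private static readonly Dictionary<string, string> CompanyRoles = BuildCompanyRoles();

    private static Dictionary<string, string> BuildCompanyRoles()
    {
        Dictionary<string, string> roles = new Dictionary<string, string>(StringComparer.Ordinal);
        roles.Add("Contoso Ltd", "PartnerOrders");
        roles.Add("Fabrikam Inc", "PartnerReports");
        return roles;
    }

    // Returns the role the certificate grants, or null if the request must be refused.
    public static string RoleFor(HttpClientCertificate cert, DateTime now)
    {
        if (cert == null || !cert.IsPresent) return null;   // no certificate was sent
        if (!cert.IsValid) return null;                      // IIS chain check failed
        if (now < cert.ValidFrom || now > cert.ValidUntil) return null;

        // Pin the issuer: a valid chain to some trusted CA is not the same as our CA.
        Dictionary<string, string> issuer = ParseDn(cert.Issuer);
        string issuerCn;
        if (!issuer.TryGetValue("CN", out issuerCn) || issuerCn != TrustedIssuerCn) return null;

        // Many-to-one: every certificate from one company maps to one role.
        Dictionary<string, string> subject = ParseDn(cert.Subject);
        string company, role;
        if (!subject.TryGetValue("O", out company)) return null;
        return CompanyRoles.TryGetValue(company, out role) ? role : null;
    }

    // Assumes the "C=US, O=Contoso Ltd, CN=..." form IIS uses for Issuer/Subject;
    // keeps the first value per key. Values containing an escaped comma are not handled.
    public static Dictionary<string, string> ParseDn(string dn)
    {
        Dictionary<string, string> fields = new Dictionary<string, string>(StringComparer.Ordinal);
        foreach (string part in dn.Split(','))
        {
            int eq = part.IndexOf('=');
            if (eq <= 0) continue;
            string key = part.Substring(0, eq).Trim();
            string value = part.Substring(eq + 1).Trim();
            if (!fields.ContainsKey(key)) fields.Add(key, value);
        }
        return fields;
    }
}

// Usage from a page: refuse the request unless the certificate maps to a role.
public class PartnerPage : System.Web.UI.Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        string role = ClientCertMapper.RoleFor(Request.ClientCertificate, DateTime.Now);
        if (role == null)
        {
            Response.StatusCode = 403;
            Response.SuppressContent = true;
            Context.ApplicationInstance.CompleteRequest();
            return;
        }
        // Serve only the content permitted to 'role' from here on.
    }
}
```

The issuer pin is the check most often missed: IsValid only says the chain ends at a CA the server trusts, and a server that trusts several CAs would otherwise accept a certificate from any of them.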

37

Overview of Passport Authentication

- A centralized authentication service provided by Microsoft

[Diagram in the original deck: exchange between Client, Web Server and Microsoft Passport]
  Client -> Web Server: Request: Welcome.aspx
  Web Server -> Client: Response: Passport Sign In
  Microsoft Passport: Passport authentication; creates authentication cookies
  Client -> Web Server: Request: Login.aspx + Cookie
  Web Server -> Client: Response: Welcome.aspx

38

Passport Authentication: Typical usage scenarios

- Consider Passport authentication when:
  - Your site will interact with other Passport-enabled sites
  - Single sign-on capability is required
  - External maintenance of user names and passwords is useful
- Do not use Passport authentication when:
  - You want to use user names and passwords already stored in your own database or Active Directory
  - Clients are other applications that access the site programmatically

39

Passport Authentication: Other considerations

- Requires registration with the Passport service and installation of the Passport SDK on the server
- Delegation is not possible on Windows 2000
- Passport User ID (PUID) is an identity only
  - Implement code to map PUID to users in Active Directory or custom database
- Passport uses encrypted cookies, making the system secure
- Combine Passport with SSL to prevent replay attacks for highest level of security

40

Passport Authentication: Implementation

- Install Passport SDK on server
- Register with Passport service
- Configure IIS for Anonymous authentication
- Configure the ASP.NET Web.config file

    <!-- web.config file -->
    <system.web>
        <authentication mode="Passport" />
    </system.web>

41

Overview of Forms Authentication

- A custom user interface accepts user credentials
- Authentication is performed against a database using custom code

[Diagram in the original deck: exchange between Client and Web Server]
  Client -> Web Server: Request: Welcome.aspx
  Web Server -> Client: Response: Login.aspx
  Client -> Web Server: Request: Login.aspx + data
  Web Server: Authenticate user against Web.config or User database
  Web Server -> Client: Response: Welcome.aspx + Cookie

42

Forms Authentication: Typical usage scenarios

- Consider Forms authentication when:
  - User names and passwords are stored somewhere other than Windows accounts
  - Your application runs over the Internet
  - Support for all browsers and client operating systems is required
  - A custom logon page is needed
- Do not use Forms authentication when:
  - Applications are deployed on a corporate intranet and can take advantage of Integrated Windows authentication
  - You cannot programmatically verify the user name and password

43

Forms Authentication: Other considerations

- Use SSL to secure passwords submitted via the logon page
- Set a cookie expiration to limit how long a stolen cookie can be misused
- SSL degrades performance, so consider separating logon and content servers
- Checking for the cookie is automatic in ASP.NET applications
- Use Forms authentication with Windows accounts as an alternative to Basic or Digest authentication

44

Forms Authentication: Implementation

- Create a logon page
- Create your custom account information lookup code
- Configure IIS for Anonymous authentication
- Configure the ASP.NET Web.config file, including the redirect URL for unauthenticated clients

    <!-- web.config file -->
    <system.web>
        <authentication mode="Forms">
            <forms loginUrl="login.aspx" />
        </authentication>
    </system.web>
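The four implementation steps above, carried through as one added example that is not code from the deck: a login.aspx code-behind with its custom account lookup, issuing the forms ticket cookie through FormsAuthentication.RedirectFromLoginPage. It assumes ASP.NET 2.0 or later (partial classes, Rfc2898DeriveBytes) and a web.config that sets a short fixed cookie lifetime, requires SSL for the cookie, and denies anonymous users so they are redirected to loginUrl; the in-memory credential store and its single account are constructed stand-ins for the "user database".

```csharp
// Added example (not from the deck): login.aspx code-behind for Forms authentication.
// Assumes ASP.NET 2.0+ and this web.config fragment (assumed, not from the deck):
//   <authentication mode="Forms">
//     <forms loginUrl="login.aspx" timeout="20" slidingExpiration="false"
//            requireSSL="true" />   <!-- fixed 20-minute ticket, cookie only over SSL -->
//   </authentication>
//   <authorization>
//     <deny users="?" />            <!-- anonymous users are sent to loginUrl -->
//   </authorization>
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.WebControls;

// Constructed in-memory store standing in for the user database:
// user name -> { salt, PBKDF2(password, salt) }.
public static class CredentialStore
{
    private const int Iterations = 10000;
    private static readonly Dictionary<string, byte[][]> Users =
        new Dictionary<string, byte[][]>(StringComparer.OrdinalIgnoreCase);

    static CredentialStore()
    {
        Add("alice", "correct horse battery staple");   // constructed sample account
    }

    public static void Add(string userName, string password)
    {
        byte[] salt = new byte[16];
        new RNGCryptoServiceProvider().GetBytes(salt);   // per-user random salt
        Users[userName] = new byte[][] { salt, Derive(password, salt) };
    }

    // True only if the user exists and the password matches the stored salted hash.
    public static bool Verify(string userName, string password)
    {
        byte[][] stored;
        if (userName == null || password == null || !Users.TryGetValue(userName, out stored))
        {
            return false;
        }
        return FixedTimeEquals(Derive(password, stored[0]), stored[1]);
    }

    private static byte[] Derive(string password, byte[] salt)
    {
        Rfc2898DeriveBytes kdf = new Rfc2898DeriveBytes(password, salt, Iterations);
        return kdf.GetBytes(32);
    }

    // Compare every byte so timing does not reveal how much of the hash matched.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        int diff = a.Length ^ b.Length;
        for (int i = 0; i < a.Length && i < b.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}

public partial class Login : Page
{
    protected TextBox UserName;   // server controls declared in login.aspx
    protected TextBox Password;
    protected Label Message;

    protected void LoginButton_Click(object sender, EventArgs e)
    {
        if (CredentialStore.Verify(UserName.Text, Password.Text))
        {
            // Issues the forms-authentication ticket cookie and redirects to the
            // ReturnUrl the <deny users="?"/> redirect added (or default.aspx).
            // 'false': session cookie, not a persistent one, so the configured
            // timeout bounds how long a stolen cookie stays usable.
            FormsAuthentication.RedirectFromLoginPage(UserName.Text, false);
        }
        else
        {
            Message.Text = "Logon failed.";   // same text for unknown user and bad password
        }
    }
}
```

The requireSSL and slidingExpiration attributes on <forms> exist from ASP.NET 1.1 onward; on 1.0 the cookie lifetime is controlled by timeout alone.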

45

Additional Resources

Patterns & practices are Microsoft’s recommendations for architects, software developers, and IT professionals responsible for delivering and managing enterprise systems on the Microsoft Platform.

To explore the available patterns & practices, visit: http://msdn.microsoft.com/practices