Understanding Integrated Authentication in IIS

Slide 1

Understanding Integrated Authentication in IIS
Chris Adams, IIS Supportability Lead, Microsoft Corp.

Slide 2

Agenda
Introduction to Integrated Authentication
Dynamics of NTLM Authentication
Dynamics of Negotiate Authentication
Demonstration One
Best Practices for Integrated Authentication
References

Slide 3

Introduction to Integrated Authentication
Introduced in Windows 2000
Commonly referred to as "Windows Integrated Authentication"
Secure: it is considered secure because it does not transmit the password "on the wire"
Preferred by Internet Explorer: if both Basic and Integrated are enabled, IE will use Integrated for security reasons

Slide 4

Introduction: let's review how authentication works in IIS
Request enters the server core
Server core forwards the request to the anonymous provider
IIS builds the path (w3svc/1/root) and checks whether anonymous access is enabled
  Yes: pass the path and the anonymous user's token to the authorization manager
  No: IIS passes the path to each provider to determine whether that provider is enabled for the path
Each provider that is enabled returns the appropriate header to the server core
(Diagram: Server Core with the providers Anonymous, Basic, Kerberos, NTLM, Digest, Passport)

Slide 5

Introduction (diagram): Negotiate, NTLM, Kerberos

Slide 6

Introduction to Integrated Authentication: platform support for Windows Integrated
Windows NT 4: supports only NTLM (not known as Windows Integrated)
Windows 2000: supports Negotiate and NTLM
Windows 2003: supports Negotiate and NTLM

Slide 7

Introduction to Integrated Authentication
Metabase property: AuthNTLM

Slide 8

Introduction to Integrated Authentication
How is the appropriate integrated authentication determined? (Flowchart)
AuthNTLM enabled? No: 401.3 Access Denied. Yes: NTAuthenticationProviders selects Negotiate or NTLM

Slide 9

Dynamics of NTLM
Connection oriented: the same connection is always used for each request; HTTP keep-alives are required
Understanding auth dialog boxes: NTLM, by default, does not prompt; NTLM may prompt if the original request fails with 401.1
NTLM's use of Domain\Username\Password: Domain and Username are always shared over the wire between client and server; the Password never is, a hash of the password is always used instead
Authentication header includes: Domain\Username\HashedPassword

Slide 10

Dynamics of NTLM: Security
Why is NTLM authentication secure? The hash algorithm of the password is unknown to attackers who monitor the HTTP requests on the wire
If connections are broken or manipulated (by proxies), then NTLM fails

Slide 11

NTLM @ Work (diagram): client requests and server responses on one connection
1. Client: GET /Default.htm
2. Server: 401 - Access Denied
3. Client: GET /Default.htm w/ AuthNTLM
4. Server: 401 - WWW-Auth: NTLM
5. Client: GET /Default.htm w/ AuthNTLM hashed
6. Server: 200 - OK

Slide 12

Dynamics of NTLM at work (previous slide)
1. IE client requests an IIS resource (anonymous)
2. IIS returns 401 with a WWW-Authenticate header saying NTLM
3. IE submits a new request for the IIS resource with an NTLM Authentication header (username)
4. IIS uses the NT Authentication header to build a secret key and sends 401 with the key back to the client
5. IE submits a new request for the IIS resource with an NTLM Authentication header (username\password\hash of password)
6. IIS checks username\password\hash; if it matches, returns 200 OK, otherwise 401.1 Login failed (IE prompts)

Slide 13

Dynamics of Negotiate
Why create another authentication protocol? NTLM limitations:
  NTLM tokens can't be delegated
  NTLM is proprietary and only supported on the Windows platform
Is Negotiate another protocol? No, it is only a wrapper that allows either Kerberos or NTLM authentication based on the client's request

Slide 14

Dynamics of Negotiate: key terms
Client: Internet Explorer
Server: IIS server that is a member of an Active Directory domain
Active Directory: Key Distribution Center (KDC) for all clients
Ticket Granting Service: issues all tickets (also known as tokens)

Slide 15

Dynamics of Negotiate (diagram: IIS Server, Active Directory (KDC), Ticket Granting Services)
The IIS server is started and, when the server authenticates to the domain (i.e. the KDC), it gets its ticket.

Slide 16

Dynamics of Negotiate: Active Directory (KDC)
Registered ServicePrincipalNames for CN=CA-WEBCAST-IIS,OU=Domain Controllers,DC=ca-webcast,DC=local:
GC/
HOST/
HOST/CA-WEBCAST-IIS
HOST/
HOST/
E3514235-4B06-11D1-AB04-00C04FC2DCD2/84bbfa08-5854-4729-80aa-56117bc4ecb6/ca-webcast.local
ldap/
ldap/
ldap/CA-WEBCAST-IIS
ldap/
ldap/
NtFrs-88f5d2bd-b646-11d2-a6d3-00c04fc9b232/
Setspn %computername%

Slide 17

Negotiate @ Work (diagram: Client, IIS Server, KDC (Active Directory); one connection)
1. Initial client request for an IIS resource, anonymously
2. The server response is 401 with a WWW-Authenticate header for Negotiate
3. Client to KDC: "I need a ticket for the following service (i.e. HTTP\HOST)"
4. If the service is located in the KDC, the secret key shared with that service is shared with the client
5. Using the key provided, the client creates a hash (key) and sends it to IIS
6. IIS uses the secret key and checks that the password matches
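Added example, not part of the deck: a small Python checker for the two handshakes above (NTLM on slides 11/12, Negotiate on slides 13/17). Given the auth headers captured from one connection (assumed to be supplied as (direction, request line or status, headers) tuples, a format chosen here), it decodes each token to tell whether it is an NTLM NEGOTIATE/CHALLENGE/AUTHENTICATE message or a SPNEGO (Kerberos) token inside Negotiate, and confirms the three NTLM legs all arrived on that connection; the sample exchange and tokens are constructed, not captured.

```python
import base64
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
NTLM_MESSAGE_NAMES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}

def classify_token(scheme, token_b64):
    # NTLM tokens are raw NTLMSSP messages (message type at byte offset 8); a Negotiate
    # token is either that (NTLM fallback) or a DER GSS-API/SPNEGO token (tag 0x60, Kerberos).
    raw = base64.b64decode(token_b64)
    if raw.startswith(NTLMSSP_SIGNATURE) and len(raw) >= 12:
        msg_type = struct.unpack_from("<I", raw, 8)[0]
        return f"{scheme}:NTLM-{NTLM_MESSAGE_NAMES.get(msg_type, 'UNKNOWN')}"
    if scheme == "Negotiate" and raw[:1] == b"\x60":
        return "Negotiate:SPNEGO/Kerberos"
    return f"{scheme}:unrecognised"

def auth_events(exchange):
    # exchange: (direction, request line or status, headers) tuples from ONE connection.
    events = []
    for direction, line, headers in exchange:
        for name in ("Authorization", "WWW-Authenticate"):
            value = headers.get(name)
            if value:
                parts = value.split(None, 1)
                label = (f"{parts[0]}:offer" if len(parts) == 1
                         else classify_token(parts[0], parts[1]))
                events.append((direction, line, label))
    return events

def ntlm_handshake_complete(events):
    # True only when NEGOTIATE, CHALLENGE and AUTHENTICATE arrived in order on the
    # connection; a proxy that resets it mid-handshake loses the CHALLENGE and fails here.
    seen = [lbl.split(":NTLM-", 1)[1] for _, _, lbl in events if ":NTLM-" in lbl]
    return seen == ["NEGOTIATE", "CHALLENGE", "AUTHENTICATE"]

def ntlm_message(msg_type):
    # Constructed minimal NTLMSSP message: signature, little-endian type, empty body.
    body = NTLMSSP_SIGNATURE + struct.pack("<I", msg_type) + b"\x00" * 8
    return base64.b64encode(body).decode()

# Constructed sample following the six steps of slide 11, all on one connection.
SAMPLE_EXCHANGE = [
    ("C", "GET /Default.htm", {}),
    ("S", "401", {"WWW-Authenticate": "NTLM"}),
    ("C", "GET /Default.htm", {"Authorization": "NTLM " + ntlm_message(1)}),
    ("S", "401", {"WWW-Authenticate": "NTLM " + ntlm_message(2)}),
    ("C", "GET /Default.htm", {"Authorization": "NTLM " + ntlm_message(3)}),
    ("S", "200", {}),
]
SPNEGO_SAMPLE = "YAgGBisGAQUFAg=="  # constructed: APPLICATION 0 tag + SPNEGO OID 1.3.6.1.5.5.2
```

Run over real captures, the labels show at a glance whether Negotiate actually produced a Kerberos ticket or silently fell back to NTLM, and whether a load balancer or proxy broke the connection affinity that NTLM depends on.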

Slide 18

Demonstration One: configuring a process to use a domain account and Kerberos
The purpose of this demonstration is to show how a worker process identity set on an application pool affects authentication when the authenticated client uses the Negotiate protocol and Kerberos

Slide 19

References
IIS 6 Help Documentation
6 Deployment Guide
Load Balancing and Kerberos after/security/nlbsecbp.asp

Slide 20

Q & A
