WEB343
ASP.NET and IIS: New Developments in Web Security With IIS 6.0 and ASP.NET
Stefan Schackow
Program Manager
Web Platform and Tools Team
Microsoft Corporation
Agenda
Internet Information Services (IIS) 6.0
  Authentication Modes
  Credential Handoff to Microsoft ASP.NET 2.0
  Impersonation demo
Securing ASP with ASP.NET 2.0
  Wildcard mapping demo
  Custom HttpHandler demo
ASP.NET Trust Levels
  Medium trust and Access demo
Authentication in IIS 6.0
Authentication mechanisms
  Basic
  Digest
    Windows Server 2003 has built-in support for this
    No longer need a sub-authenticator
  Certificate mapping
  Integrated
    NTLM
    Kerberos
Authentication in IIS 6.0
Choosing the right authentication
  Do you need to flow the client identity?
    Integrated security to SQL Server
    Passing credentials to web service and System.Net classes
  If you need to delegate credentials, use:
    Integrated using Kerberos
  Otherwise:
    Basic + SSL
    Digest
    NTLM
    Certificate mapping
IIS 6.0 Credential Handoff to ASP.NET 2.0
IIS 6.0 to ASP.NET 2.0
Handing off credentials
  IIS Impersonation Token
    Handed off to ASP.NET 2.0 via the ISAPI APIs
  OS thread identity
    Comes from the application pool identity
    Available using Win32 APIs
[Diagram: IIS 6.0 Worker Process. The O/S thread identity comes from the application pool configuration; the impersonation token comes from the "Authentication Methods" tab and is passed to ASP.NET in the ISAPI Extension Control Block.]
IIS 6.0 to ASP.NET 2.0
ASP.NET 2.0 identities
  OS thread identity
    Can modify with: <identity impersonate="true" … />
  ASP.NET user principal
    Frequently not the same as the OS thread identity
    Available from:
      HttpContext.User
      Thread.CurrentPrincipal
    ASP.NET syncs both values for you
[Diagram: IIS 6.0 Worker Process. The impersonation token and the O/S thread pass from the ASP.NET ISAPI Extension into the ASP.NET managed-code app-domain, where an HTTP module in the pipeline sets the IPrincipal on the HttpContext.User property.]
Using IIS Security Information in ASP.NET
ASP.NET 2.0 Security Info
Modifying the OS thread identity
  OS thread identity and impersonation
    Client impersonation:
      <identity impersonate="true" />
    Application impersonation:
      <identity impersonate="true" user="some user" password="some password" />
    Both modes change the OS thread identity
[Diagram: IIS 6.0 Worker Process, Client Impersonation. The IIS impersonation token is set as the O/S thread token ("Set Thread Token") before the request enters the ASP.NET app-domain pipeline, so the HTTP modules run under the new client impersonation.]
[Diagram: IIS 6.0 Worker Process, Application Impersonation. The user and password from the <identity> element in Web.Config are passed to Logon User, and the resulting token is set on the O/S thread before the request enters the ASP.NET app-domain pipeline.]
ASP.NET 2.0 Security Info
Setting HttpContext.User
  The user depends on:
    Authentication mode set in ASP.NET
    IIS impersonation token
  Can get the impersonation token regardless of authentication mode:
    Request.LogonUserIdentity
    Available at Medium trust and higher
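The three identities the deck keeps apart (OS thread identity, HttpContext.User, and the IIS impersonation token from Request.LogonUserIdentity) are easy to confuse when debugging an impersonation setup; the following HttpModule, an added illustration that is not code from the deck, records all three per request so the effect of an <identity> change can be checked directly. The module name IdentityAuditModule and the trace category are assumptions.

```csharp
using System;
using System.Security.Principal;
using System.Threading;
using System.Web;

// Added example, not from the original deck. Register it in web.config:
//   <system.web><httpModules>
//     <add name="IdentityAudit" type="IdentityAuditModule" />
//   </httpModules></system.web>
public class IdentityAuditModule : IHttpModule
{
    public void Init(HttpApplication app)
    {
        // By PostAuthenticateRequest the authentication module has set HttpContext.User.
        app.PostAuthenticateRequest += delegate(object sender, EventArgs e)
        {
            HttpContext ctx = ((HttpApplication)sender).Context;
            ctx.Trace.Write("IdentityAudit", Describe(ctx));
        };
    }

    public static string Describe(HttpContext ctx)
    {
        // 1. OS thread identity: the application pool account, or the impersonated
        //    account once <identity impersonate="true" ... /> has changed the thread token.
        WindowsIdentity osThread = WindowsIdentity.GetCurrent();

        // 2. ASP.NET user principal: depends on the ASP.NET authentication mode and is
        //    kept in sync with Thread.CurrentPrincipal by the runtime.
        IPrincipal principal = ctx.User;
        bool hasIdentity = principal != null && principal.Identity != null;
        string principalName = hasIdentity ? principal.Identity.Name : "(none)";
        bool authenticated = hasIdentity && principal.Identity.IsAuthenticated;
        bool inSync = ReferenceEquals(principal, Thread.CurrentPrincipal);

        // 3. IIS impersonation token: the account IIS authenticated, exposed regardless
        //    of the ASP.NET authentication mode (Medium trust or higher required).
        WindowsIdentity iisToken = ctx.Request.LogonUserIdentity;
        string iisName = iisToken != null ? iisToken.Name : "(none)";

        return string.Format(
            "osThread={0}; principal={1} (authenticated={2}, syncedWithThread={3}); iisToken={4}",
            osThread.Name, principalName, authenticated, inSync, iisName);
    }

    public void Dispose() { }
}
```

With page tracing enabled, the trace output shows osThread changing when client or application impersonation is switched on, while iisToken stays whatever IIS authenticated. Because application impersonation puts a user name and password in Web.Config, encrypt that section with aspnet_regiis -pe "system.web/identity" -app "/YourApp" so the credentials are not stored in plaintext.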