7/28/2019 Understanding Integrated Authentication
Understanding Integrated Authentication in IIS
Chris Adams
IIS Supportability Lead, Microsoft Corp.
-
Agenda
Introduction to Integrated Authentication
Dynamics of NTLM Authentication
Dynamics of Negotiate Authentication
Demonstration One
Best Practices for Integrated Authentication
References
-
Introduction to Integrated Authentication
Introduced in Windows 2000
Commonly referred to as Windows Integrated Authentication
Secure: it is considered secure because it does not transmit the password on the wire
Internet Explorer prefers it: if Basic and Integrated are both enabled, IE will use Integrated for security reasons
-
Introduction: let's review how authentication works in IIS
Authentication providers: Anonymous, Basic, Digest, Kerberos, NTLM, Passport
Server core:
1. Request enters server core.
2. Server core forwards the request to the anonymous provider. IIS builds the metabase path (w3svc/1/root) and verifies whether anonymous access is enabled on it.
Yes: provide the path and the anonymous user's token to the authorization manager.
No: IIS passes the path to each provider to determine whether that provider is enabled for the path. Each provider that is enabled returns the appropriate WWW-Authenticate header to server core.
-
Introduction
[Diagram: Negotiate, wrapping the two underlying providers Kerberos and NTLM]
-
Introduction to Integrated Authentication
Platform information for Windows Integrated
Windows NT 4: supports only NTLM (not known as Windows Integrated)
Windows 2000: supports Negotiate and NTLM
Windows 2003: supports Negotiate and NTLM
-
Introduction to Integrated Authentication
-
Introduction to Integrated Authentication
How is the appropriate integrated authentication determined?
Is AuthNTLM set on the path?
No: 401.3 Access Denied
Yes: consult NTAuthenticationProviders, which lists the providers IIS offers in the WWW-Authenticate headers (Negotiate, NTLM)
-
Dynamics of NTLM
Connection oriented: the same connection is always used for every request in the exchange
HTTP keep-alives required
Understanding auth dialog boxes: NTLM, by default, doesn't prompt
NTLM may prompt if the original request fails with 401.1
NTLM's use of Domain\Username\Password: domain and username are always shared over the wire between client and server
The password is never sent; the client proves that it holds the hash of the password
Authentication header includes: Domain\Username and a response computed from the password hash and the server's challenge (neither the password nor the hash itself is sent)
-
Dynamics of NTLM: Security
Why is NTLM authentication considered secure? Anyone monitoring the HTTP requests on the wire sees neither the password nor its hash, only a response tied to a one-time server challenge, so a captured exchange cannot be replayed
If connections are broken or manipulated (by proxies), then NTLM fails
-
NTLM @ Work
Client -> IIS: GET /Default.HTM
IIS -> Client: 401, WWW-Authenticate: NTLM
Client -> IIS: GET /Default.HTM w/ Authorization: NTLM (negotiate message)
IIS -> Client: 401, WWW-Authenticate: NTLM (challenge)
Client -> IIS: GET /Default.HTM w/ Authorization: NTLM (hashed response)
IIS -> Client: 200 OK, or 401 Access Denied
-
Dynamics of NTLM: NTLM at work (previous slide)
1. IE client requests an IIS resource (anonymously)
2. IIS returns 401 with a WWW-Authenticate header saying NTLM
3. IE submits a new request for the IIS resource with an NTLM Authorization header (the negotiate message; no credentials yet)
4. IIS uses the NTLM header to build a challenge (a server nonce) and sends a 401 with the challenge back to the client
5. IE submits a new request for the IIS resource with an NTLM Authorization header (domain\username and the response computed from the password hash and the challenge)
6. IIS checks that the response matches the one it computes for that user and that challenge: returns 200 OK, or 401.1 Logon failed (IE prompts)
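The six-step exchange above, carried through in code as an added example (it is not from the deck or from IIS): both sides build and parse the three NTLMSSP messages, the client computes an NTLMv2 response from its NT hash and the server's challenge, and the server verifies that response against the hash it holds. The user name, domain, host names and flag set are made up; the NT hash is the precomputed MD4 of the UTF-16LE string "password" so the block does not depend on an MD4 implementation; the NTLMv2 client blob is a minimal constructed one without AV pairs. The same function also shows why the exchange is bound to one connection: the Type 3 message presented against a fresh challenge, which is what a proxy that opens a new back-end connection produces, does not verify.

```python
"""Three-leg NTLM exchange as seen on the wire between a browser and IIS (added example)."""
import base64
import hmac
import os
import struct

NTLMSSP = b"NTLMSSP\x00"
# NEGOTIATE_UNICODE | NEGOTIATE_NTLM | NEGOTIATE_ALWAYS_SIGN | NEGOTIATE_EXTENDED_SESSIONSECURITY (assumed flag set)
FLAGS = 0x00000001 | 0x00000200 | 0x00008000 | 0x00080000
# Constructed: NT hash (MD4 of the UTF-16LE password) of the sample password "password".
NT_HASH = bytes.fromhex("8846f7eaee8fb117ad06bdd830b7586c")


def _u16(s: str) -> bytes:
    return s.encode("utf-16-le")


def _field(buf: bytes, off: int) -> bytes:
    """Read a (Len, MaxLen, Offset) security-buffer descriptor and return the bytes it points at."""
    ln, _mx, offset = struct.unpack_from("<HHI", buf, off)
    return buf[offset:offset + ln]


def build_negotiate() -> bytes:
    """Type 1, client -> server. No domain/workstation payload: both descriptors point past the 32-byte header."""
    return NTLMSSP + struct.pack("<II", 1, FLAGS) + struct.pack("<HHIHHI", 0, 0, 32, 0, 0, 32)


def build_challenge(target: str, challenge: bytes) -> bytes:
    """Type 2, server -> client: carries the 8-byte server challenge."""
    tname = _u16(target)
    hdr = 48  # sig(8) type(4) target(8) flags(4) challenge(8) reserved(8) targetinfo(8)
    return (NTLMSSP + struct.pack("<I", 2)
            + struct.pack("<HHI", len(tname), len(tname), hdr)
            + struct.pack("<I", FLAGS) + challenge + bytes(8)
            + struct.pack("<HHI", 0, 0, hdr + len(tname)) + tname)


def build_authenticate(domain: str, user: str, workstation: str, lm_resp: bytes, nt_resp: bytes) -> bytes:
    """Type 3, client -> server: domain, user, workstation and the challenge responses."""
    hdr = 64  # sig(8) type(4) six descriptors(48) flags(4)
    descriptors, payload = b"", b""
    for blob in (lm_resp, nt_resp, _u16(domain), _u16(user), _u16(workstation), b""):
        descriptors += struct.pack("<HHI", len(blob), len(blob), hdr + len(payload))
        payload += blob
    return NTLMSSP + struct.pack("<I", 3) + descriptors + struct.pack("<I", FLAGS) + payload


def parse_ntlm(token: bytes) -> dict:
    """Decode any of the three NTLMSSP message types into a dict."""
    if token[:8] != NTLMSSP:
        raise ValueError("not an NTLMSSP token")
    mtype = struct.unpack_from("<I", token, 8)[0]
    if mtype == 1:
        return {"type": 1, "flags": struct.unpack_from("<I", token, 12)[0]}
    if mtype == 2:
        return {"type": 2, "target": _field(token, 12).decode("utf-16-le"),
                "flags": struct.unpack_from("<I", token, 20)[0], "challenge": token[24:32]}
    if mtype == 3:
        return {"type": 3, "lm_response": _field(token, 12), "nt_response": _field(token, 20),
                "domain": _field(token, 28).decode("utf-16-le"),
                "user": _field(token, 36).decode("utf-16-le"),
                "workstation": _field(token, 44).decode("utf-16-le")}
    raise ValueError(f"unknown NTLM message type {mtype}")


def ntlmv2_response(nt_hash: bytes, user: str, domain: str, server_challenge: bytes, client_blob: bytes) -> bytes:
    """NTLMv2: HMAC-MD5 keyed from the NT hash, bound to this challenge. The hash itself never leaves the client."""
    ntlmv2_key = hmac.new(nt_hash, _u16(user.upper() + domain), "md5").digest()
    proof = hmac.new(ntlmv2_key, server_challenge + client_blob, "md5").digest()
    return proof + client_blob


def server_verify(stored_nt_hash: bytes, auth: dict, issued_challenge: bytes) -> bool:
    """Leg 3 on the server: recompute the proof from the stored hash and the challenge *this* connection issued."""
    proof, blob = auth["nt_response"][:16], auth["nt_response"][16:]
    expected = ntlmv2_response(stored_nt_hash, auth["user"], auth["domain"], issued_challenge, blob)
    return hmac.compare_digest(expected[:16], proof)


def run_exchange(user: str = "chris", domain: str = "CA-WEBCAST", target: str = "CA-WEBCAST-IIS") -> dict:
    """Run the three legs and report what crossed the wire and what the server concluded."""
    def b64(t: bytes) -> str:
        return base64.b64encode(t).decode()
    wire = []
    type1 = build_negotiate()
    wire.append("Authorization: NTLM " + b64(type1))          # leg 1: client asks for NTLM
    challenge = os.urandom(8)                                # leg 2: server issues a fresh challenge
    type2 = build_challenge(target, challenge)
    wire.append("WWW-Authenticate: NTLM " + b64(type2))
    # Constructed client blob: NTLMv2 header, zero timestamp, client nonce, no AV pairs.
    blob = b"\x01\x01" + bytes(6) + struct.pack("<Q", 0) + os.urandom(8) + bytes(8)
    nt_resp = ntlmv2_response(NT_HASH, user, domain, parse_ntlm(type2)["challenge"], blob)
    type3 = build_authenticate(domain, user, "WS01", bytes(24), nt_resp)   # LMv2 left zeroed (constructed)
    wire.append("Authorization: NTLM " + b64(type3))         # leg 3: the response, not the hash
    auth = parse_ntlm(type3)
    return {
        "headers": wire,
        "user": auth["user"], "domain": auth["domain"],
        "verified": server_verify(NT_HASH, auth, challenge),
        # A new back-end connection means a new challenge: the same Type 3 no longer verifies,
        # which is why NTLM needs keep-alives and one connection for the whole exchange.
        "replayed_on_new_connection": server_verify(NT_HASH, auth, os.urandom(8)),
        "hash_on_wire": any(NT_HASH in base64.b64decode(h.split(" ", 2)[2]) for h in wire),
    }
```

Run `run_exchange()` and inspect `headers`: the base64 tokens contain the domain and user name in clear, the server challenge, and a 48-byte NTLMv2 response; searching the decoded tokens for the NT hash finds nothing, and the replay against a second challenge fails.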
-
Dynamics of Negotiate
Why create another authentication protocol?
NTLM limitations:
NTLM tokens cannot be delegated
NTLM is proprietary and only supported on the Windows platform
Is Negotiate a new protocol?
No, it is just a wrapper that allows either Kerberos or NTLM authentication based on the client request
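Because Negotiate is only a wrapper, the scheme name in the Authorization header does not tell you whether Kerberos or NTLM was actually used; you have to decode the token. The following added example (mine, not the deck's or IIS's code) does that: it decodes the base64 token, walks the SPNEGO DER structure to list the offered mechTypes, and reports whether the optimistic mechToken is a Kerberos AP-REQ or an NTLMSSP message, and it also recognises a raw NTLMSSP token sent under the Negotiate scheme. The sample headers are constructed with the block's own encoder; the Kerberos token carries a stub AP-REQ, not a real ticket, and the Type 1 NTLM bytes are a minimal constructed message.

```python
"""Tell Kerberos from NTLM inside an HTTP 'Negotiate' header (added example)."""
import base64

SPNEGO_OID = bytes.fromhex("2b0601050502")            # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("2a864886f712010202")        # 1.2.840.113554.1.2.2
MS_KRB5_OID = bytes.fromhex("2a864882f712010202")     # 1.2.840.48018.1.2.2 (Windows "MS KRB5")
NTLMSSP_OID = bytes.fromhex("2b06010401823702020a")   # 1.3.6.1.4.1.311.2.2.10
OID_NAMES = {KRB5_OID: "Kerberos", MS_KRB5_OID: "MS Kerberos", NTLMSSP_OID: "NTLM"}
NTLMSSP_SIG = b"NTLMSSP\x00"


def der(tag: int, body: bytes) -> bytes:
    """Minimal DER TLV encoder (definite lengths only)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def der_children(buf: bytes) -> list:
    """Split a DER buffer into its consecutive (tag, value) elements."""
    out, i = [], 0
    while i < len(buf):
        tag, ln, i = buf[i], buf[i + 1], i + 2
        if ln & 0x80:
            k = ln & 0x7F
            ln, i = int.from_bytes(buf[i:i + k], "big"), i + k
        out.append((tag, buf[i:i + ln]))
        i += ln
    return out


def spnego_init(mech_oids: list, mech_token: bytes) -> bytes:
    """NegTokenInit: the offered mechTypes plus the optimistic mechToken for the first one."""
    mech_list = der(0x30, b"".join(der(0x06, o) for o in mech_oids))
    neg_init = der(0x30, der(0xA0, mech_list) + der(0xA2, der(0x04, mech_token)))
    return der(0x60, der(0x06, SPNEGO_OID) + der(0xA0, neg_init))


def classify_negotiate(header_value: str) -> dict:
    """Decode 'Negotiate <base64>' and report which mechanism is really in use."""
    scheme, _, b64 = header_value.partition(" ")
    token = base64.b64decode(b64)
    if token.startswith(NTLMSSP_SIG):           # raw NTLM sent under the Negotiate scheme
        return {"scheme": scheme, "wrapper": None, "mechanism": "NTLM", "offered": ["NTLM"]}
    tag, outer = der_children(token)[0]
    if tag != 0x60 or der_children(outer)[0][1] != SPNEGO_OID:
        raise ValueError("not a SPNEGO InitialContextToken")
    # [0] NegTokenInit -> SEQUENCE { [0] mechTypes, [2] mechToken, ... }
    neg_init = dict(der_children(der_children(der_children(outer)[1][1])[0][1]))
    mech_list = der_children(der_children(neg_init[0xA0])[0][1])
    offered = [OID_NAMES.get(v, v.hex()) for t, v in mech_list if t == 0x06]
    mech_token = der_children(neg_init[0xA2])[0][1] if 0xA2 in neg_init else b""
    if mech_token.startswith(NTLMSSP_SIG):
        mechanism = "NTLM"
    elif mech_token[:1] == b"\x60" and der_children(der_children(mech_token)[0][1])[0][1] in (KRB5_OID, MS_KRB5_OID):
        mechanism = "Kerberos"            # GSS-API InitialContextToken with a krb5 OID: an AP-REQ
    else:
        mechanism = "unknown"
    return {"scheme": scheme, "wrapper": "SPNEGO", "mechanism": mechanism, "offered": offered}


def sample_headers() -> dict:
    """Constructed tokens, not captures: a stub AP-REQ stands in for a real Kerberos ticket."""
    ap_req_stub = der(0x6E, der(0x30, der(0xA0, der(0x02, b"\x05"))))       # APPLICATION 14, pvno 5 only
    krb_token = der(0x60, der(0x06, KRB5_OID) + b"\x01\x00" + ap_req_stub)  # TOK_ID 01 00 = KRB_AP_REQ
    ntlm_type1 = NTLMSSP_SIG + b"\x01\x00\x00\x00" + b"\x07\x82\x08\x00" + bytes(16)

    def b64(t: bytes) -> str:
        return base64.b64encode(t).decode()
    return {
        "kerberos": "Negotiate " + b64(spnego_init([MS_KRB5_OID, KRB5_OID, NTLMSSP_OID], krb_token)),
        "ntlm_in_spnego": "Negotiate " + b64(spnego_init([NTLMSSP_OID], ntlm_type1)),
        "raw_ntlm": "Negotiate " + b64(ntlm_type1),
    }
```

The same classification applied to the WWW-Authenticate / Authorization headers in an IIS or proxy log is the quickest way to confirm that a site which is supposed to be doing Kerberos has not silently fallen back to NTLM.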
-
Dynamics of Negotiate
Key terms of Negotiate
Client: Internet Explorer
Server: IIS server that is a member of an Active Directory domain
Active Directory: Key Distribution Center (KDC) for all clients
Ticket Granting Service: issues all tickets (aka tokens)
-
Dynamics of Negotiate
[Diagram: IIS Server <-> Active Directory (KDC), Ticket Granting Services]
The IIS server is started and, when the server authenticates to the domain (aka KDC), it receives its ticket.
-
Dynamics of Negotiate
Active Directory (KDC): the SPNs registered for the IIS server, as listed by setspn %computername%
Registered ServicePrincipalNames for CN=CA-WEBCAST-IIS,OU=Domain Controllers,DC=ca-webcast,DC=local:
GC/ca-webcast-iis.ca-webcast.local/ca-webcast.local
HOST/ca-webcast-iis.ca-webcast.local/CA-WEBCAST
HOST/CA-WEBCAST-IIS
HOST/ca-webcast-iis.ca-webcast.local
HOST/ca-webcast-iis.ca-webcast.local/ca-webcast.local
E3514235-4B06-11D1-AB04-00C04FC2DCD2/84bbfa08-5854-4729-80aa-56117bc4ecb6/ca-webcast.local
ldap/84bbfa08-5854-4729-80aa-56117bc4ecb6._msdcs.ca-webcast.local
ldap/ca-webcast-iis.ca-webcast.local/CA-WEBCAST
ldap/CA-WEBCAST-IIS
ldap/ca-webcast-iis.ca-webcast.local
ldap/ca-webcast-iis.ca-webcast.local/ca-webcast.local
NtFrs-88f5d2bd-b646-11d2-a6d3-00c04fc9b232/ca-webcast-iis.ca-webcast.local
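A check worth running against a listing like the one above, as an added example that is not from the deck: parse the setspn output for the account the application pool runs as and decide, for each host name clients put in the URL, whether the KDC can issue a ticket. The rule applied is that for an application pool running as Network Service or Local System the computer account's HOST/<name> SPN covers HTTP/<name>, whereas for a domain user identity (the Demonstration One scenario) an explicit HTTP/<name> SPN must be registered on that user. The computer listing is a subset of the slide's output; the svc-iis listing and the www alias are constructed; the account name used in the suggested setspn -A lines is taken from the CN of the listed DN, which is an assumption that happens to hold for the accounts shown.

```python
"""Decide whether registered SPNs let clients obtain a Kerberos ticket for an IIS site (added example)."""

MACHINE_IDENTITIES = {"NT AUTHORITY\\NETWORK SERVICE", "NT AUTHORITY\\SYSTEM"}

# Constructed input: the setspn listing from the slide for the computer account (HTTP/ entries absent).
SETSPN_COMPUTER = """\
Registered ServicePrincipalNames for CN=CA-WEBCAST-IIS,OU=Domain Controllers,DC=ca-webcast,DC=local:
    GC/ca-webcast-iis.ca-webcast.local/ca-webcast.local
    HOST/ca-webcast-iis.ca-webcast.local/CA-WEBCAST
    HOST/CA-WEBCAST-IIS
    HOST/ca-webcast-iis.ca-webcast.local
    HOST/ca-webcast-iis.ca-webcast.local/ca-webcast.local
    ldap/CA-WEBCAST-IIS
    ldap/ca-webcast-iis.ca-webcast.local
"""
# Constructed input: a hypothetical domain service account (svc-iis) with no SPNs registered yet.
SETSPN_SVC_USER = """\
Registered ServicePrincipalNames for CN=svc-iis,CN=Users,DC=ca-webcast,DC=local:
"""


def parse_setspn(text: str) -> dict:
    """Return the account DN and its SPN list from setspn-style output."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    dn = lines[0].split(" for ", 1)[1].rstrip(":")
    return {"dn": dn, "spns": lines[1:]}


def kerberos_spn_check(setspn_text: str, pool_identity: str, site_hosts: list) -> dict:
    """For each host name in the URL, is there an SPN on the pool identity's account that yields a ticket?"""
    info = parse_setspn(setspn_text)
    have = {s.lower() for s in info["spns"]}
    machine = pool_identity.upper() in MACHINE_IDENTITIES
    # setspn -A wants the account name; assume it equals the CN of the listed DN.
    account = info["dn"].split(",", 1)[0].split("=", 1)[1]
    covered, missing = [], []
    for host in site_hosts:
        h = host.lower()
        # HOST/<name> stands in for HTTP/<name> only when the pool runs as the computer itself.
        if f"http/{h}" in have or (machine and f"host/{h}" in have):
            covered.append(host)
        else:
            missing.append(host)
    return {"identity": pool_identity, "account": account, "covered": covered, "missing": missing,
            "fix": [f"setspn -A HTTP/{h} {account}" for h in missing]}
```

With the machine identity, the server's own name and FQDN are covered by the HOST/ entries, but a host-header alias such as www.ca-webcast.local is not and needs an HTTP/ SPN; once the pool is moved to a domain account, every host name needs an HTTP/ SPN on that account or clients fall back to NTLM (or fail outright).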
-
Negotiate @ Work
[Diagram: Client, IIS Server, KDC (Active Directory)]
1. Initial client request for an IIS resource, anonymously
2. The server response is 401 with a WWW-Authenticate header for Negotiate
3. Client to KDC: "I need a ticket for the following service" (the HTTP/HOST SPN of the IIS server)
4. If the service is located in the KDC, a ticket is issued: its session key is shared with the client, and the ticket itself is sealed with the secret key the KDC shares with the IIS server
5. Using the key provided, the client creates the authenticator and sends it, with the ticket, to IIS
6. IIS uses its shared secret key to open the ticket and verifies that the authenticator matches
-
Demonstration One
Configuring a process to use a domain account and Kerberos
The purpose of this demonstration is to show how a worker process identity set on an application pool affects authentication when the authenticated user uses the Negotiate protocol and Kerberos
-
References
IIS 6 Help Documentation
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003/proddocs/standard/sec_auth_intwinauth.asp
IIS 6 Deployment Guide
Load Balancing and Kerberos
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003/maintain/security/nlbsecbp.asp
-
Q & A