Microsoft ASP.NET Security
Venkat Chilakala, Support Professional, Microsoft Corporation
Agenda
- Introduction
- Security flow for a request
- Authentication
- Authorization
- Role-based security
- Impersonation
- FAQ
- Questions and answers
Security Flow for a Request (ASP)
Security Flow for a Request (ASP.NET)
Authentication
- Defined
- Authentication in ASP
- Authentication in ASP.NET
  - IIS authentication
  - ASP.NET authentication
- ASP.NET authentication providers: Forms, Windows, Passport, Default, and Custom
Forms Authentication
- Uses a cookie to authenticate
- Enables SSL for the logon page
- Often used for personalization
Forms Authentication Flow (Cookie-Based Authentication Architecture)
[Diagram: the client requests a page and ASP.NET authentication checks for the authentication cookie. A request that is not authenticated is sent to the login page, where users enter their credentials; if they are authenticated they receive the cookie, otherwise the result is Access Denied. An authenticated request that is authorized reaches the requested page.]
Forms Authentication Configuration
1. Enable anonymous access in IIS
2. Configure the <authentication> section
   - Set mode to "Forms"
   - Add the <forms> section
3. Configure the <authorization> section
   - Deny access to the anonymous user
4. Create the logon page
   - Validate the user
   - Provide the authentication cookie
   - Redirect the user to the requested page
<forms> Section Attributes
- loginUrl: unauthenticated requests are redirected to this page
- name: name of the authentication cookie
- path: path of the authentication cookie
- protection: All | None | Encryption | Validation
- timeout: authentication cookie expiration time in minutes

  <authentication mode="Forms">
    <forms name=".ASPXAUTH" loginUrl="login.aspx"
           protection="All" timeout="30"
           path="/" />
  </authentication>
Forms Authentication Code
  ' Validate the submitted credentials; on success issue the authentication
  ' cookie and return the user to the originally requested page, otherwise
  ' send the user back to the logon page.
  If FormsAuthentication.Authenticate(txtUserName.Value, txtUserPass.Value) Then
      FormsAuthentication.RedirectFromLoginPage(txtUserName.Value, _
                                                chkPersistCookie.Checked)
  Else
      Response.Redirect("logon.aspx", False)
  End If
Windows Authentication
- Can be used in combination with Basic, NTLM, Digest, Kerberos, and so forth
- User is authenticated by IIS
- Easiest of all
- Request flow
  - Client makes request
  - IIS authenticates request, forwards to ASP.NET
  - Impersonation turned on?
  - ASP.NET returns response to client
Windows Authentication Configuration
- Set mode to "Windows"
- Configure the <authorization> section
- Example:

  <authentication mode="Windows" />
  <authorization>
    <deny users="?" />
    <allow users="*" />
  </authorization>
Passport Authentication
- Single sign-in across member sites
- Includes user profile services
- Integrated into ASP.NET authentication
- Scenarios
  - Don't want to maintain a database of users
  - Provide personalized content
  - Need to provide single sign-in capabilities
- More details at http://www.passport.com/
Passport Authentication Configuration
- What you need:
  - Install the Passport SDK
  - Register with Microsoft Passport
- Set mode to "Passport"
- Configure the <passport> section
- Example:

  <authentication mode="Passport">
    <passport redirectUrl="internal|url" />
  </authentication>
Default and Custom Authentication
- Why use default authentication?
  - Increases performance
  - Allows you to perform custom authentication
- Configuration: set mode to "None"
- Example:

  <authentication mode="None" />
Custom Authentication
- Handle the AuthenticateRequest event
  - Application level (global.asax)
  - HTTP module (implement IHttpModule)
- Scenarios
  - Custom authentication using munged URLs for Web applications
  - Customize forms authentication
Authorization
- Process of determining whether a user is allowed to perform a requested action
- File-based authorization
  - Performed by FileAuthorizationModule
  - Performs checks against Windows ACLs
- Custom: handle the AuthorizeRequest event
  - Application level (global.asax)
  - HTTP module (implement IHttpModule)
- URL-based authorization
  - Performed by UrlAuthorizationModule
  - Positive and negative assertions
  - Can selectively allow or deny access to URI namespaces
URL Authorization Configuration
- Add the <authorization> section
- Add <allow> and <deny> sections
- Example: allow "Admins" or "WebUsers" and deny all others:

  <authorization>
    <allow roles="Admins" />
    <allow roles="WebUsers" />
    <deny users="*" />
  </authorization>
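The Forms Authentication Configuration steps and the URL authorization rules above, as one added web.config example that is not from the webcast. It assumes the cookie name, login page and role names shown on the slides, and shows beside it the ordering mistake a practitioner should check for: UrlAuthorizationModule evaluates rules top-down and stops at the first match, and an <authorization> section that matches nothing falls through to the machine-level default, which allows everyone.

```xml
<configuration>
  <system.web>
    <!-- Step 2: forms authentication. protection="All" both encrypts the
         ticket and appends a MAC, so a tampered cookie is rejected. -->
    <authentication mode="Forms">
      <forms name=".ASPXAUTH" loginUrl="login.aspx"
             protection="All" timeout="30" path="/" />
    </authentication>

    <!-- Step 3: first match wins. Admins and WebUsers are matched by the
         allow rules; everyone else, including the anonymous user "?",
         reaches the closing deny instead of the machine.config default. -->
    <authorization>
      <allow roles="Admins" />
      <allow roles="WebUsers" />
      <deny users="*" />
    </authorization>
  </system.web>
</configuration>

<!-- Weak variant to avoid: the wildcard allow is evaluated first and matches
     every request, so the deny below it is never reached and anonymous
     users get in. Put the deny first, as in the section above. -->
<authorization>
  <allow users="*" />
  <deny users="?" />
</authorization>
```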
Role-Based Security
- What is this?
  - Do not confuse with MTS and COM+ role-based security
- How does this work?
  - With Microsoft Windows users
  - With non-Windows users
Windows Users (Check Roles)
  If User.IsInRole("BUILTIN\Administrators") Then
      Response.Write("You are an Admin")
  ElseIf User.IsInRole("BUILTIN\Users") Then
      Response.Write("You are a User")
  Else
      Response.Write("Invalid user")
  End If
Non-Windows Users (Attach Roles)
- Handle the AuthenticateRequest event
- Create a GenericPrincipal
- Attach roles to the Identity
- Assign the new Principal to User
- Sample:

  Sub Application_AuthenticateRequest(s As Object, e As EventArgs)
      If Not (User Is Nothing) Then
          If User.Identity.AuthenticationType = "Forms" Then
              ' One role for every forms-authenticated user
              Dim Roles() As String = {"Admin"}
              ' HttpApplication.User is read-only; assign through the context
              Context.User = New GenericPrincipal(User.Identity, Roles)
          End If
      End If
  End Sub
Non-Windows Users (Check Roles)
  If User.IsInRole("Admin") Then
      Response.Write("You are an Administrator")
  Else
      Response.Write("You do not have any role assigned")
  End If
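The Custom Authentication (HTTP module), Attach Roles and Check Roles slides, as one added C# example that is not code from the webcast: an IHttpModule that rebuilds the principal from roles stored in the forms ticket's UserData, so User.IsInRole("Admin") works for non-Windows users without a fixed role list in global.asax. The module name, the "Admin" role and the comma-separated UserData layout are this example's own conventions; it relies on the built-in FormsAuthenticationModule having already validated the cookie, which is the case for a module added in web.config after the machine-level ones.

```csharp
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

public class RoleAttachModule : IHttpModule
{
    // Called by the login page after the credential check succeeds. Roles ride
    // inside the ticket's UserData; with <forms protection="All"> the ticket is
    // encrypted and MAC'd, so a client cannot grant itself "Admin" by editing the cookie.
    public static void IssueTicket(HttpResponse response, string userName,
                                   string[] roles, bool persistent)
    {
        FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
            1, userName, DateTime.Now, DateTime.Now.AddMinutes(30), persistent,
            String.Join(",", roles), FormsAuthentication.FormsCookiePath);
        HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                           FormsAuthentication.Encrypt(ticket));
        if (persistent) cookie.Expires = ticket.Expiration;
        response.Cookies.Add(cookie);
    }

    public void Init(HttpApplication app)
    {
        app.AuthenticateRequest += new EventHandler(OnAuthenticateRequest);
    }

    // Runs after FormsAuthenticationModule has checked the cookie and set a
    // principal whose identity is a FormsIdentity carrying the decrypted ticket.
    private void OnAuthenticateRequest(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        if (ctx.User == null || !ctx.User.Identity.IsAuthenticated) return;
        FormsIdentity id = ctx.User.Identity as FormsIdentity;
        if (id == null) return;            // Windows or custom identity: leave it alone
        string userData = id.Ticket.UserData;
        string[] roles = userData.Length == 0 ? new string[0] : userData.Split(',');
        ctx.User = new GenericPrincipal(id, roles);   // User.IsInRole("Admin") now works
    }

    public void Dispose() { }
}
```

Register it in web.config with `<httpModules><add name="RoleAttach" type="RoleAttachModule, MyAssembly" /></httpModules>` (assembly name is a placeholder), and have the login page call IssueTicket followed by a redirect instead of RedirectFromLoginPage when roles are needed.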
Impersonation
- Defined
- Request gets impersonated automatically in ASP
- In ASP.NET, the developer has more control over this
  - You can set it to automatically impersonate
  - You can set it to not impersonate (that is, use the process identity)
- Different ways to impersonate in ASP.NET
  - <identity> tag
  - Code-based impersonation
Impersonation Configuration
  <identity impersonate="false" />
  <identity impersonate="true" />
  <identity impersonate="true" userName="username" password="password" />
Code Impersonation
1. Call the LogonUser API
2. Call the ImpersonateLoggedOnUser API
3. Run the code in the security context of the impersonated user
4. Call RevertToSelf
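The four steps above as an added C# example that is not from the webcast: P/Invoke declarations for the Win32 APIs the slide names, with RevertToSelf in a finally block so the thread is reverted even when the impersonated code throws, and the token handle closed afterwards. The class, delegate and account names are this example's own; the interactive logon type is used because, as the delegation FAQ later in the deck points out, reaching remote resources needs a primary token.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;

public delegate void ImpersonatedWork();

public class CodeImpersonation
{
    // LOGON32_LOGON_INTERACTIVE returns a primary token, which the delegation FAQ
    // says is required when the impersonated code reaches remote resources.
    const int LOGON32_LOGON_INTERACTIVE = 2;
    const int LOGON32_PROVIDER_DEFAULT = 0;

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Auto)]
    static extern bool LogonUser(string user, string domain, string password,
                                 int logonType, int logonProvider, out IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool ImpersonateLoggedOnUser(IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool RevertToSelf();
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr handle);

    // Runs 'work' in the security context of domain\user (steps 1-3) and always
    // reverts (step 4), so the worker thread never carries the impersonated
    // context into the next request it serves. On Windows 2000 the calling
    // process needs the "Act as part of the operating system" privilege for LogonUser.
    public static void RunAs(string domain, string user, string password,
                             ImpersonatedWork work)
    {
        IntPtr token = IntPtr.Zero;
        if (!LogonUser(user, domain, password, LOGON32_LOGON_INTERACTIVE,
                       LOGON32_PROVIDER_DEFAULT, out token))
            throw new Win32Exception(Marshal.GetLastWin32Error());
        try
        {
            if (!ImpersonateLoggedOnUser(token))
                throw new Win32Exception(Marshal.GetLastWin32Error());
            try { work(); }
            finally { RevertToSelf(); }   // guaranteed even if work() throws
        }
        finally
        {
            CloseHandle(token);           // kernel handle: do not leak it per request
        }
    }
}
// Usage (placeholder account): CodeImpersonation.RunAs("DOMAIN", "svc_reader",
//     password, new ImpersonatedWork(ReadRemoteFile));
```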
Frequently Asked Questions
Q: Request.ServerVariables("Logon_User") returns an empty string
A: Deny the anonymous user in the <authorization> section:
  <authorization>
    <deny users="?" />   <!-- deny access to anonymous user -->
    <allow users="*" />  <!-- allow all users -->
  </authorization>
Frequently Asked Questions (2)
Q: Access denied to "NT Authority\System" or access denied to "NT Authority\Anonymous Logon" when you try to access resources on a remote machine (for example, remote SQL Server, remote file system, and so forth).
A: This may occur because your application is running into a delegation scenario. The solution is to ensure that you have a primary security token when requesting these resources. There are many ways to resolve this issue based on your requirement. One of them is to use Basic Authentication for your application.
Frequently Asked Questions (3)
Q: Using Forms Authentication for a Web application, how do I allow anonymous access to the default.aspx page but not other pages in the same directory?
A: Use the <location> section of the web.config file to allow anonymous access to the default.aspx page only and deny anonymous access to all the other pages.
Example:
  <configuration>
    ...
    <location path="default.aspx">
      <system.web>
        <authorization>
          <allow users="*" />
        </authorization>
      </system.web>
    </location>
  </configuration>
Resources
- Knowledge Base article "BETA-INFO: ASP.NET Security Overview"
  http://support.microsoft.com/support/misc/kblookup.asp?id=Q306590
- MSDN article "Authentication in ASP.NET: .NET Security Guidance"
  http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnbda/html/authaspdotnet.asp
Thank you for joining us for today's Microsoft Support WebCast.
For information about all upcoming Support WebCasts and access to the archived content (streaming media files, PowerPoint slides, and transcripts), please visit: http://support.microsoft.com/webcasts/
We sincerely appreciate your feedback. Please send any comments or suggestions regarding the Support WebCasts to [email protected] and include "Support WebCasts" in the subject line.