
Page 1: The .NET Runtime and IIS
Presented by Chris Dickey – cdickey.net consulting
www.cdickey.net

Page 2: Topics

- Installing the .NET runtime
- The role of IIS as the application server
- .NET Remoting and Web Services
- How the .NET runtime works with IIS 5.0
- Significance of the HTTP Pipeline
- Security
- What's coming with IIS 6.0

Page 3: Installing the .NET Runtime

http://msdn.microsoft.com/netframework/downloads/default.asp

- Windows Update Service
- .NET Runtime
- .NET SDK + Runtime
- Visual Studio.NET

Page 4: IIS is the Application Server

- Static Pages
- ISAPI
- ASP
- ASP.NET
- Web Services
- Remoting
- Connection Point to SQL Server

Page 5: ASP.NET Web Pages

- What most people think of as ASP.NET
- Compiled web pages
- Huge advance over previous ASP version
- Lots of well-known features

Page 6: Web Services

- Communication between diverse systems
- SOAP packets transported using HTTP and SMTP protocols
- Application connectivity protocol
- IIS is the client connection point
- Takes advantage of the HTTP Runtime

Page 7: .NET Remoting

- Replacement for DCOM, tailored for .NET-to-.NET communications
- Can be hosted by ASP.NET runtime
- Takes advantage of the HTTP Runtime

Page 8: .NET compatibility and interoperability

- ASP.NET coexists with IIS 5.0 and ASP
- Runs in a separate process
- Doesn't use the registry
- Routed through IIS ISAPI
- Can't share sessions – 2 separate systems

Page 9: IIS 5.0 and ASP.NET Runtime (diagram slide)

Page 10: HTTP Pipeline

- General-purpose framework for server-side HTTP programming
- Foundation for ASP.NET pages, Web Services, Remoting
- HTTPModules
- HTTPHandlers
- HTTPContext, HTTPContext.User
- ISAPI: HTTP_FILTER_CONTEXT

Page 11: ASP.NET Request Processing

[Diagram: request flow. Native code: Application Host (IIS). .NET code: ASP.NET Runtime containing HTTP Module(s), Global.asax, Http Context, HTTP Handler, ASP.NET Page, ASP.NET Service.]

Page 12: Configuration Files / Accounts

- XML configuration files – case sensitive
- Can be read by all authenticated users
- machine.config
- web.config
- machine, site, application, folder levels
- Accounts: SYSTEM, ASPNET, IUSR_<machine>, IWAM_<machine>

Page 13: Demo

- Run .NET app – HTTPHandler
- Show IIS 5.0 config
- Show aspnet_wp.exe process – only 1
- *.config files

Page 14: Security Services

- ASP.NET support for authentication and authorization
- Extensible and customizable
- Authentication scheme transparency
- Simple deployment model
- Support for granular declarative and imperative authorizations
- Uses CLR Evidence-Based Security
- Supports application layer security

Page 15: Flow of Security (diagram slide)

Page 16: Process Identity

- Windows® 2000: Default is ASPNET
  - Can also run with SYSTEM account or a configured account using <processModel>
- Windows .NET Server
  - Uses IIS 6 process model
  - Default is NetworkService
  - App Pools are configurable, identity is configurable

Page 17: HTTP Pipeline (diagram slide)

Page 18: Authentication

- ASP.NET is an ISAPI extension
  - Only receives requests for mapped content
- Windows Authentication (via IIS)
  - Basic, Digest, NTLM, Kerberos, IIS Certificate Support
- Forms-based (Cookie) Authentication
  - Application credential verification
- Supports Microsoft® Passport Authentication
- Custom Authentication

Page 19: Forms-Based Auth

- Easy to implement
- ASP.NET provides redirection
- Steps
  - Configure IIS to allow anonymous users (typically)
  - Use SSL!
  - Configure ASP.NET cookie authentication
  - Write your login page

Page 20: How It Works: Forms Authentication

[Sequence diagram between Web Browser, IIS/ASP.NET and SQL/AD]

1. GET default.aspx HTTP/1.1
2. 302 Redirect, Location: login.aspx
3. POST default.aspx HTTP/1.1, <form data containing credentials>
4. App authentication (IIS/ASP.NET checks the credentials against SQL/AD)
5. 200 OK, Set-Cookie: .ASPXAUTH Auth Ticket
6. GET default.aspx HTTP/1.1, Cookie: .ASPXAUTH Auth Ticket
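The six-step exchange on the Forms Authentication slides, carried through as an added example that is not part of the deck: the code-behind for login.aspx handles steps 3 to 5, with the web.config it relies on stated in the top comment. LoginPage, its control names, CredentialStore and the user "alice" are this example's constructions, not anything from the presentation.

```csharp
using System;
using System.Web;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.WebControls;

// Assumed web.config (this example's values, not the deck's):
//   <authentication mode="Forms">
//     <forms name=".ASPXAUTH" loginUrl="login.aspx" requireSSL="true" protection="All" />
//   </authentication>
//   <authorization><deny users="?" /></authorization>
// With that in place ASP.NET itself performs steps 1-2 (the 302 to login.aspx);
// this code-behind for login.aspx handles steps 3-5.
public class LoginPage : Page
{
    // Controls declared on login.aspx (assumed names).
    protected TextBox UserName;
    protected TextBox Password;
    protected Label Message;

    protected void LoginButton_Click(object sender, EventArgs e)
    {
        // "Use SSL!": never accept credentials over plain HTTP.
        if (!Request.IsSecureConnection) { Message.Text = "HTTPS required."; return; }
        // Step 4: the application, not IIS, verifies the posted credentials.
        if (CredentialStore.Verify(UserName.Text, Password.Text))
        {
            // Step 5: issue the .ASPXAUTH ticket as a session cookie (persistent=false)
            // and redirect to the ReturnUrl that the step-2 redirect recorded.
            FormsAuthentication.RedirectFromLoginPage(UserName.Text, false);
        }
        else Message.Text = "Invalid user name or password.";
    }
}

// Constructed stand-in for the SQL/AD lookup on the slide: holds only hashes
// made with the .NET 1.x helper; current code should prefer a salted, slow hash.
public class CredentialStore
{
    static readonly string[,] Users = {
        { "alice", FormsAuthentication.HashPasswordForStoringInConfigFile("correct horse", "SHA1") }
    };
    public static bool Verify(string user, string password)
    {
        string hash = FormsAuthentication.HashPasswordForStoringInConfigFile(password, "SHA1");
        for (int i = 0; i < Users.GetLength(0); i++)
            if (Users[i, 0] == user && Users[i, 1] == hash) return true;
        return false;
    }
}
```

Because ASP.NET is an ISAPI extension that only receives requests for mapped content, this flow guards .aspx and other mapped extensions; a static file in the same folder is served by IIS without the ticket check.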

Page 21: Custom Web Authentication

- Handle AuthenticateRequest event
  - Application level (global.asax) or
  - Http Module (implement IHttpModule)
- Scenarios:
  - Custom SOAP authentication, e.g., an application-defined scheme based on SOAP headers
  - Forms authentication for mobile devices without cookies
  - Customize forms authentication

Page 22: Authorization Strategies

- Windows Security and ACLs
  - ACLs checked for Windows auth
  - Independent of impersonation
- COM+ Roles
- URL Authorization
- Custom Authorization
- Windows .NET AuthZ Framework
- Explicit imperative/declarative checks

Page 23: Web Apps: Custom Roles

- Handle authentication event
- Replace HttpContext.User with custom IPrincipal or GenericPrincipal

    // Handler wired up in global.asax. The event argument type is
    // System.Web.Security.WindowsAuthenticationEventArgs (the slide abbreviated it);
    // MyPrincipal is the application's own IPrincipal implementation.
    public void WindowsAuthentication_OnAuthenticate(Object src, WindowsAuthenticationEventArgs e)
    {
        // replace HttpContext Principal
        e.Context.User = new MyPrincipal(e.Identity);
    }

Page 24: Use Custom Roles

- Application defines roles
- Strategies:
  - Define Windows/AD groups and use WindowsPrincipal
  - Use GenericPrincipal or IPrincipal

    // System.Security.Principal.IPrincipal
    public interface IPrincipal
    {
        IIdentity Identity { get; }   // the authenticated identity
        bool IsInRole(string role);   // application-defined role check
    }

Page 25: Custom Web Authorization

- Handle AuthorizeRequest event
  - Application level (global.asax) or
  - Http Module (implement IHttpModule)
- Scenarios:
  - Implement per-request billing system
  - Restrict access based on business rules
  - Restrict access based on dynamic behaviors (e.g., implement a per-day access limit, etc.)
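One IHttpModule that does what the Custom Web Authentication, Custom Roles and Custom Web Authorization slides describe, as an added example that is not from the deck: it replaces HttpContext.User with an application-defined IPrincipal on AuthenticateRequest, then enforces a role check and a per-day access limit on AuthorizeRequest. MyPrincipal taking a role list, the "Subscriber" role, the limit of 100 and the Application-state counter are this example's assumptions.

```csharp
using System;
using System.Security.Principal;
using System.Web;

// Application-defined principal: wraps the IIdentity ASP.NET established
// and answers IsInRole from a role list the application owns.
public class MyPrincipal : IPrincipal
{
    private readonly IIdentity identity;
    private readonly string[] roles;
    public MyPrincipal(IIdentity identity, string[] roles)
    { this.identity = identity; this.roles = roles; }
    public IIdentity Identity { get { return identity; } }
    public bool IsInRole(string role) { return Array.IndexOf(roles, role) >= 0; }
}

public class CustomAuthModule : IHttpModule
{
    public void Init(HttpApplication app)
    {
        app.AuthenticateRequest += new EventHandler(OnAuthenticate);
        app.AuthorizeRequest += new EventHandler(OnAuthorize);
    }
    public void Dispose() { }

    // AuthenticateRequest: swap HttpContext.User for the custom principal.
    private void OnAuthenticate(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        IIdentity id = ctx.User != null ? ctx.User.Identity : new GenericIdentity("");
        // Assumed role source; a real application reads its own store (e.g. SQL).
        string[] roles = id.IsAuthenticated ? new string[] { "Subscriber" } : new string[0];
        ctx.User = new MyPrincipal(id, roles);
    }

    // AuthorizeRequest: role check plus a per-day limit (assumed 100) counted in Application state.
    private void OnAuthorize(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        string key = "hits:" + ctx.User.Identity.Name + ":" + DateTime.Today.ToShortDateString();
        ctx.Application.Lock();
        int hits = ctx.Application[key] == null ? 0 : (int)ctx.Application[key];
        ctx.Application[key] = ++hits;
        ctx.Application.UnLock();
        if (!ctx.User.IsInRole("Subscriber") || hits > 100)
        {
            ctx.Response.StatusCode = 403;  // deny before the handler runs
            ctx.ApplicationInstance.CompleteRequest();
        }
    }
}
```

The module is registered in web.config under <httpModules> with an <add name="..." type="CustomAuthModule" /> entry; because the counter lives in Application state it resets whenever the single aspnet_wp.exe worker process recycles.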

Page 26: Internet Information Services 6

- Complete rearchitecture
- Kernel-mode HTTP
- Web server security lockdown wizard
- Worker process application pools

Page 27: IIS 6.0 Architecture (diagram slide)

Page 28: IIS 6.0 Application Pools (diagram slide)

Page 29: IIS 6.0 Process Recycling (diagram slide)

Page 30: References

- MSDN Magazine - September 2002
- www.WindowsWebSolutions.com
- Keith Brown - portals.devx.com/SummitDays/Article/6666
- Tim Ewald - msdn.microsoft.com/msdnmag/issues/02/09/HTTPPipelines/default.aspx
- Technical Overview of IIS 6.0 - www.microsoft.com/windows.netserver/techinfo/overview/iis.mspx
- Windows.NET Server Devcon - www.microsoft.com/misc/external/serverdevcon/