1 / 24

Understanding Digest and Advanced Digest Authentication in IIS 6.0

Understanding Digest and Advanced Digest Authentication in IIS 6.0. Chris Adams Web Platform Supportability Lead Microsoft Corporation. Introduction to Authentication Defining Digest Authentication Digest vs. Advanced Digest Digging deeply into Digest Auth

Mercy
Download Presentation

Understanding Digest and Advanced Digest Authentication in IIS 6.0

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Understanding Digest and Advanced Digest Authentication in IIS 6.0 Chris Adams Web Platform Supportability Lead Microsoft Corporation

  2. Introduction to Authentication Defining Digest Authentication Digest vs. Advanced Digest Digging deeply into Digest Auth Digging deeply into Advanced Digest Summary Agenda

  3. Introduction to Authentication • What is authentication? • What is authorization? • Authentication vs. Authorization • 401.1 versus 401.3

  4. How authentication works in Microsoft® Internet Information Services (IIS) Introduction to Authentication • Request enters server core • Server core forwards to • anonymous provider. IIS builds • path (w3svc/1/root) and verifies • if anonymous is enabled. • Yes: Provide path and Anonymous • users token to authorization • manager • No: IIS passes the path to each • provider to determine if • path has that provider enabled. • Each provider that is enabled returns to • Server core the appropriate header. Anonymous Basic Server Core Kerberos NTLM Digest Passport

  5. Server Core Introduction to Authentication • How authentication works in IIS WWW-Authenticate Digest Digest Adv. Digest

  6. Defining Digest Authentication • Digest Authentication is an industry standard per Requests for Comments (RFC) 2617 • For IIS administrators and developers, Digest is available on these platforms: • Microsoft® Windows® 2000 and IIS 5.0 • Microsoft® Windows Server™ 2003 and IIS 6.0 • Why interest in Digest? • Password is protected, not sent on wire in “clear text” • Digest is optimized for Windows® domains

  7. Digest vs. Advanced Digest • Digest, available on Windows 2000 Server and Windows Server 2003, requires the following: • Relies on worker process to run as Local System • Uses the IIS Sub-Authenticator (iissuba.dll) • In Windows Server 2003, UseDigestSSP must be set to “false” • Requires Microsoft® Windows® Active Directory® • User’s password must be stored with Reversible Encryption enabled • Calculates hash on the fly and transmit over the wire

  8. Digest vs. Advanced Digest (2) • Advanced Digest • Not available on Windows 2000 • Implemented in core authentication provider in LSASS (not relying on IIS Sub-Authenticator) • Hash is stored as property of user in Windows Server 2003 Active Directory • Is default Digest Authentication on clean installs of Windows Server 2003 • Metabase property UseDigestSSP must be set to “true”

  9. Digest vs. Advanced Digest (3) Key How it clients are authenticated using Digest 200 OK Status 401.1 Login Failed with a WWW Authenticate header IIS Sends Hash to Domain Controllers Active Directory 401.2 with WWW-Authenticate: Digest:Realm User Hash (Username, Password, Realm) IIS

  10. Digest vs. Advanced Digest (4) Key How it clients are authenticated using Digest 200 OK Status 401.1 Login Failed with a WWW Authenticate header IIS Sends Hash to Domain Controllers Hash pre-computed and stored in Active Directory Active Directory 401.2 with WWW-Authenticate: Digest:Realm User Hash (Username, Password, Realm) IIS

  11. Digging Deeply Into Digest • Digest Authentication has unique characteristics that provide customers with challenges • Local System: Non-issue on Windows 2000 because it uses iissuba.dll and it runs in Inetinfo • Reversible Encryption: Users password must be stored with less security in Active Directory

  12. Digging Deeply Into Digest • How is IIS Sub-Authenticator enabled? • Open a Command-Prompt, type: • rundll32 systemroot\system32\iissuba.dll,RegisterIISSUBA (Case Sensitive) • Ensure Local System • Default for Windows 2000 Running as Local System is a Bad Security Practice Windows Server 2003

  13. Demonstration One Enabling Digest Authentication in Windows Server 2003 The goal is to demonstrate how administrators and developers can successfully enable Digest

  14. Digging Into Advanced Digest • Advanced Digest is ONLY available in Windows Server 2003 and IIS 6.0 • Advanced Digest is implemented in LSASS where all other authentication types are performed • Advanced Digest is compliant with the Digest RFC • There is no UI for Advanced Digest it’s enabled using a command-line • Property = UseDigestSSP

  15. Digging Into Advanced Digest (2) • Advanced Digest relies on a pre-computed MD5 hash stored in Active Directory • Stored in the same place as Kerberos hashes • MD5 hash is stored as multiple entries: • User@Domain - Ex: user@contoso • Domain\User – Ex: contoso\user • User@domain (UPN) – Ex: user@contoso.local • Is this property secure in Active Directory? • Yes, no user including Domain Admins have access to where the hash is stored • Only Local Security Authority (LSA) has access to this hash information • It is stored on the DC and never is sent off the DC

  16. Digging Into Advanced Digest (3) • Limitations of Advanced Digest to date • Microsoft® Internet Explorer 6.0 SP1 does not handle advanced digest requests properly • For each request per connection, Internet Explorer prompts the user for credentials • This is being fixed in Windows Server 2003 Service Pack 1 2004-09-16 12:06:21 127.0.0.1 GET /iisstart.htm - 80 WS03EE\Administrator 127.0.0.1 200 0 0 2004-09-16 12:06:22 127.0.0.1 GET /pagerror.gif - 80 WS03EE\Administrator 127.0.0.1 200 0 0 Same Connection – Prompt for each Get

  17. Demonstration Two Enabling Advanced Digest Authentication in Windows Server 2003 The goal is to demonstrate how administrators and developers can successfully enable Advanced Digest

  18. Session Summary • Digest follows the RFC standard 2617 • Windows 2000 offers Digest authentication only • Windows Server 2003 offers Digest and Advanced Digest authentication • Clients receive in WWW-Authenticate header “Digest” and Realm for both Digest and Advanced Digest • Digest requires the IIS Sub-Authenticator • Advanced digest stores all information in Active Directory for each user and is implemented in LSASS

  19. References and Resources • IIS 6.0 Help: Digest: http://www.microsoft.com/resources/documentation/iis/6/all/proddocs/en-us/sec_auth_digestauth.mspx Adv. Digest: http://www.microsoft.com/resources/documentation/iis/6/all/proddocs/en-us/sec_auth_advdigestauth.mspx • KB Articles: • IIS 6.0 Resource Kit • IIS Forum: http://www.asp.net/forums • IIS Answers: http://www.iisanswers.com • IIS Frequently Asked Questions (FAQ): http://www.iisfaq.com • IIS Resources: http://www.iis-resources.com

  20. Get Up to Speed on .NET Get Trained on Microsoft Developer Technologies • Register for upcoming webcasts at http://msdn.microsoft.com/webcasts All times are Pacific Standard Time

  21. Attend MSDN Events • Who • Your Local Microsoft Developer Community Champion • What • Object Oriented Programming Fundamentals in VB.NET • Programming with MapPoint Web Services • Optimizing ASP.NET 1.1 Web Applications • ASP.NET 2.0 Membership and Personalization • Why • Gain valuable developer knowledge, network with peers, and get VS 2005 Beta 1 Refresh and VS 2005 Express Betas on our content-rich special event DVD • When • October through December, on Tuesdays and Thursdays from 1-5PM local time • Where • Cities across the United States • How • Visit MSDN Events at http://www.msdnevents.com to find out more!

  22. MSDN Webcast Resources • Visit our blog http://blogs.msdn.com/msdnwebcasts for an rss feed of upcoming MSDN Webcasts • Submit text questions during the live webcast using the “Ask a Question” button • For recordings of past MSDN Webcasts: www.microsoft.com/usa/webcasts/ondemand • Got webcast content ideas? Send use e-mail at: webcasts@microsoft.com • More webcasts at http://msdn.microsoft.com/webcasts • Don’t forget to fill out the survey.

  23. https://msevents.microsoft.com/cui/WelcomePage.aspx?EventID=...https://msevents.microsoft.com/cui/WelcomePage.aspx?EventID=... • [PlaceWare Web Page. Use PlaceWare > Edit Slide Properties... to edit.]

More Related