Page 1: Microsoft ASP.NET Security
Venkat Chilakala
Support Professional
Microsoft Corporation

Page 2: Agenda
Introduction
Security flow for a request
Authentication
Authorization
Role-based security
Impersonation
FAQ
Questions and answers

Page 3: Security Flow for a Request (ASP)

Page 4: Security Flow for a Request (ASP.NET)

Page 5: Authentication
Defined
Authentication in ASP
Authentication in ASP.NET
  IIS authentication
  ASP.NET authentication
ASP.NET authentication providers
  Forms, Windows, Passport, Default, and Custom

Page 6: Forms Authentication
Uses cookie to authenticate
Enables SSL for logon page
Often used for personalization

Page 7: Forms Authentication Flow (Cookie-Based Authentication Architecture)
Flow diagram: Client requests page -> ASP.NET Authentication
  Authenticated -> Authorized -> Requested Page
  Not Authenticated -> Login Page (users enter their credentials) -> Authenticated -> Cookie -> Authorized -> Requested Page
  Not Authenticated -> Access Denied

Page 8: Forms Authentication Configuration
Enable anonymous access in IIS
Configure <authentication> section
  Set mode to "Forms"
  Add the <forms> section
Configure <authorization> section
  Deny access to anonymous user
Create logon page
  Validate the user
  Provide authentication cookie
  Redirect the user to the requested page

Page 9: <forms> Section Attributes
loginUrl: unauthenticated requests are redirected to this page
name: name of the authentication cookie
path: path of the authentication cookie
protection: All | None | Encryption | Validation
timeout: authentication cookie expiration time in minutes

<authentication mode="Forms">
  <forms name=".ASPXAUTH" loginUrl="login.aspx"
         protection="All" timeout="30" path="/" />
</authentication>
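To make the protection and timeout attributes concrete, here is a small Python model of a forms-authentication ticket. It is an added example, not the webcast's code or ASP.NET's real .ASPXAUTH format; the validation key, the JSON ticket layout and the function names are constructed for the illustration.

```python
"""Toy forms-authentication ticket, added here as an illustration (not the
webcast's code and not the real .ASPXAUTH format). It models two <forms>
attributes: timeout (minutes until the ticket expires) and protection, where
"Validation" adds an HMAC over the ticket and "None" omits it. ASP.NET's "All"
also encrypts the ticket; encryption is left out to keep the example short."""
import base64
import hashlib
import hmac
import json

# Constructed secret; ASP.NET takes its validation key from <machineKey>.
VALIDATION_KEY = b"constructed-validation-key-for-the-example"


def issue_ticket(user, issued_at, timeout_minutes=30, persistent=False,
                 protection="Validation"):
    """Return the cookie value for a ticket that expires after timeout_minutes."""
    payload = json.dumps({"name": user, "issued": issued_at,
                          "expires": issued_at + timeout_minutes * 60,
                          "persistent": persistent}, sort_keys=True).encode()
    body = base64.urlsafe_b64encode(payload).decode()
    if protection == "None":
        return body                     # nothing stops the client editing this
    mac = hmac.new(VALIDATION_KEY, payload, hashlib.sha256).hexdigest()
    return body + "." + mac


def validate_ticket(cookie, now, protection="Validation"):
    """Return the authenticated user name, or None if the cookie is rejected."""
    try:
        if protection == "None":
            body, mac = cookie, None
        else:
            body, _, mac = cookie.rpartition(".")
        payload = base64.urlsafe_b64decode(body.encode())
        ticket = json.loads(payload)
        if mac is not None:
            expected = hmac.new(VALIDATION_KEY, payload, hashlib.sha256).hexdigest()
            if not hmac.compare_digest(expected, mac):
                return None             # MAC mismatch: forged or tampered ticket
        if now >= ticket["expires"]:
            return None                 # timeout reached; the user must log on again
        return ticket["name"]
    except (ValueError, TypeError, KeyError):
        return None                     # malformed cookie
```

With protection="None" the server has no way to tell a ticket it issued from one the client wrote itself, which is why the slide's example keeps protection="All".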

Page 10: Forms Authentication Code

If FormsAuthentication.Authenticate(txtUserName.Value, txtUserPass.Value) Then
    FormsAuthentication.RedirectFromLoginPage(txtUserName.Value, _
        chkPersistCookie.Checked)
Else
    Response.Redirect("logon.aspx", False)
End If

Page 11: Windows Authentication
Can be used in combination with Basic, NTLM, Digest, Kerberos, and so forth
User is authenticated by IIS
Easiest of all
Request flow
  Client makes request
  IIS authenticates request, forwards to ASP.NET
  Impersonation turned on?
  ASP.NET returns response to client

Page 12: Windows Authentication Configuration
Set mode to "Windows"
Configure <authorization> section
Example

<authentication mode="Windows" />
<authorization>
  <deny users="?" />
  <allow users="*" />
</authorization>

Page 13: Passport Authentication
Single sign-in across member sites
Includes user profile services
Integrated into ASP.NET authentication
Scenarios
  Don't want to maintain a database of users
  Provide personalized content
  Need to provide single sign-in capabilities
More details at http://www.passport.com/

Page 14: Passport Authentication Configuration
What you need:
  Install Passport SDK
  Register with Microsoft Passport
Set mode to "Passport"
Configure <passport> section
Example

<authentication mode="Passport">
  <passport redirectUrl="internal|url" />
</authentication>

Page 15: Default and Custom Authentication
Why use default authentication?
  Increases performance
  Allows you to perform custom authentication
Configuration: Set mode to "None"
Example

<authentication mode="None" />

Page 16: Custom Authentication
Handle AuthenticateRequest event
  Application level (global.asax)
  HTTP module (implement IHttpModule)
Scenarios
  Custom authentication using munged URLs for Web applications
  Customize forms authentication

Page 17: Authorization
Process of determining whether a user is allowed to perform a requested action
File-based authorization
  Performed by FileAuthorizationModule
  Performs checks against Windows ACLs
Custom – handle AuthorizeRequest event
  Application level (global.asax)
  HTTP module (implement IHttpModule)
URL-based authorization
  Performed by UrlAuthorizationModule
  Positive and negative assertions
  Can selectively allow or deny access to URI namespaces

Page 18: URL Authorization Configuration
Add <authorization> section
Add <allow> and <deny> sections
Example - allow "Admins" or "WebUsers" and deny all others:

<authorization>
  <allow roles="Admins" />
  <allow roles="WebUsers" />
  <deny users="*" />
</authorization>

Page 19: Role-Based Security
What is this?
  Do not get confused with MTS and COM+ role-based security
How does this work?
  With Microsoft® Windows® users
  With non-Windows users

Page 20: Windows Users (Check Roles)

If User.IsInRole("BUILTIN\Administrators") Then
    Response.Write("You are an Admin")
ElseIf User.IsInRole("BUILTIN\Users") Then
    Response.Write("You are a User")
Else
    Response.Write("Invalid user")
End If

Page 21: Non-Windows Users (Attach Roles)
Handle AuthenticateRequest event
  Create GenericPrincipal
  Attach roles to Identity
  Assign new Principal to User
Sample

Sub Application_AuthenticateRequest(s As Object, e As EventArgs)
    ' GenericPrincipal lives in System.Security.Principal
    If Not (User Is Nothing) Then
        If User.Identity.AuthenticationType = "Forms" Then
            Dim Roles(0) As String      ' one-element array (upper bound 0)
            Roles(0) = "Admin"
            ' Replace the request's principal with one that carries the role
            Context.User = New GenericPrincipal(User.Identity, Roles)
        End If
    End If
End Sub

Page 22: Non-Windows Users (Check Roles)

If User.IsInRole("Admin") Then
    Response.Write("You are an Administrator")
Else
    Response.Write("You do not have any role assigned")
End If

Page 23: Impersonation
Defined
Request gets impersonated automatically in ASP
In ASP.NET, developer has more control over this
  You can set to automatically impersonate
  You can set to not impersonate (that is, use Process Identity)
Different ways to impersonate in ASP.NET
  <identity> tag
  Code-based impersonation

Page 24: Impersonation Configuration

<identity impersonate="false" />
<identity impersonate="true" />
<identity impersonate="true" userName="username" password="password" />

Page 25: Code Impersonation
Call LogonUser API
Call ImpersonateLoggedOnUser API
Run the code in the security context of the impersonated user
Call RevertToSelf

Page 26: Frequently Asked Questions
Q: Request.ServerVariables("Logon_User") returns an empty string
A:

<authorization>
  <deny users="?" />   <!-- deny access to anonymous user -->
  <allow users="*" />  <!-- allow all users -->
</authorization>

Page 27: Frequently Asked Questions (2)
Q: Access denied to "NT Authority\System" or access denied to "NT Authority\Anonymous Logon" when you try to access resources on a remote machine (for example, remote SQL Server, remote file system, and so forth).
A: This may occur because your application is running into a delegation scenario. The solution is to ensure that you have a primary security token when requesting these resources. There are many ways to resolve this issue based on your requirement. One of them is to use Basic Authentication for your application.

Page 28: Frequently Asked Questions (3)
Q: Using Forms Authentication for a Web application, how do I allow anonymous access to the default.aspx page but not to other pages in the same directory?
A: The answer is to use the <location> section of the web.config file to allow anonymous access to the default.aspx page only and deny anonymous access to all the other pages.
Example:

<configuration>
  ...
  <location path="default.aspx">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
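The <authorization> rules on slides 12 and 18 and the <location> override in this FAQ all follow the same evaluation order, which the following Python model walks through: rules are checked in document order, the first matching <allow> or <deny> wins, a <location> section for the requested path is consulted before the directory's own config, and the machine-level default <allow users="*" /> is the fallback. This is an added example rather than the webcast's or ASP.NET's own code; the User class, the function names and the exact-match handling of location paths are constructed simplifications.

```python
"""How UrlAuthorizationModule decides a request, as an added example
(not the webcast's code). Rules are evaluated in document order and the
first <allow>/<deny> that matches the user wins; a <location> section for
the requested path is consulted before the directory's own config; if
nothing matches, the machine-level default <allow users="*" /> applies.
Simplifications: exact-match location paths, no verbs attribute."""
import xml.etree.ElementTree as ET


class User:
    def __init__(self, name=None, roles=()):
        self.name = name            # None models an anonymous request
        self.roles = set(roles)


def parse_rules(authorization_xml):
    """Turn an <authorization> fragment into (verb, users, roles) tuples."""
    rules = []
    for el in ET.fromstring(authorization_xml):
        if el.tag in ("allow", "deny"):
            users = [u.strip() for u in el.get("users", "").split(",") if u.strip()]
            roles = [r.strip() for r in el.get("roles", "").split(",") if r.strip()]
            rules.append((el.tag, users, roles))
    return rules


def rule_matches(rule, user):
    """'*' is every user, '?' is the anonymous user, names match case-insensitively."""
    _, users, roles = rule
    for u in users:
        if u == "*" or (u == "?" and user.name is None):
            return True
        if user.name is not None and u.lower() == user.name.lower():
            return True
    return any(r in user.roles for r in roles)


def is_authorized(user, path, root_xml, locations=None):
    """Return True if the request is allowed; locations maps path -> <authorization> XML."""
    rule_sets = []
    if locations and path in locations:
        rule_sets.append(parse_rules(locations[path]))   # <location> rules win first
    rule_sets.append(parse_rules(root_xml))
    for rules in rule_sets:
        for rule in rules:
            if rule_matches(rule, user):
                return rule[0] == "allow"
    return True     # machine.config default: <allow users="*" />


# The deck's own configurations (slide 12, slide 18, FAQ 3), reproduced as constants.
SLIDE12 = '<authorization><deny users="?" /><allow users="*" /></authorization>'
SLIDE18 = ('<authorization><allow roles="Admins" /><allow roles="WebUsers" />'
           '<deny users="*" /></authorization>')
FAQ3_LOCATIONS = {"default.aspx": '<authorization><allow users="*" /></authorization>'}
```

Because the first match wins, swapping the two rules on slide 12 would let `<allow users="*" />` admit anonymous users before the deny is ever reached; order is part of the policy.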

Page 29: Resources
Knowledge Base article "BETA-INFO: ASP.NET Security Overview"
  http://support.microsoft.com/support/misc/kblookup.asp?id=Q306590
MSDN article "Authentication in ASP.NET: .NET Security Guidance"
  http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnbda/html/authaspdotnet.asp

Page 30: Thank you for joining us for today's Microsoft Support WebCast.

For information about all upcoming Support WebCasts and access to the archived content (streaming media files, PowerPoint® slides, and transcripts), please visit: http://support.microsoft.com/webcasts/

We sincerely appreciate your feedback. Please send any comments or suggestions regarding the Support WebCasts to [email protected] and include "Support WebCasts" in the subject line.