Understanding Integrated Authentication in IIS
Chris Adams, IIS Supportability Lead, Microsoft Corp.
Dec 25, 2015
Agenda
Introduction to Integrated Authentication
Dynamics of NTLM Authentication
Dynamics of Negotiate Authentication
Demonstration One
Best Practices for Integrated Authentication
References
Introduction to Integrated Authentication
Introduced in Windows 2000; commonly referred to as "Windows Integrated Authentication".
Secure: it is considered secure because the password itself is never transmitted "on the wire". The client proves it knows the password with a challenge/response (NTLM) or with a Kerberos ticket.
Internet Explorer prefers it: if Basic and Integrated are both enabled on a resource, IE uses Integrated for security reasons (Basic would send the password base64-encoded, which is as good as clear text).
Introduction: let's review how authentication works in IIS
Authentication providers behind the server core: Anonymous, Basic, Digest, Kerberos, NTLM, Passport.
1. The request enters the server core.
2. The server core forwards it to the anonymous provider. IIS builds the metabase path for the resource (for example w3svc/1/root) and checks whether anonymous access is enabled on that path.
   Yes: the path and the anonymous user's token are handed to the authorization manager.
   No: IIS passes the path to each remaining provider so that each can determine whether it is enabled for that path.
3. Each provider that is enabled returns its WWW-Authenticate header to the server core, and the client receives a 401 carrying every enabled scheme.
Introduction to Integrated Authentication: platform information
Windows NT 4: supports only NTLM (not yet known as Windows Integrated; IIS 4 called it Windows NT Challenge/Response).
Windows 2000: supports Negotiate and NTLM.
Windows 2003: supports Negotiate and NTLM.
Introduction to Integrated Authentication: how is the appropriate integrated scheme determined?
Is AuthNTLM (the Integrated Windows authentication flag) enabled on the path?
   No: the request is refused with 401.3 Access Denied and no integrated header is offered.
   Yes: IIS reads the NTAuthenticationProviders metabase property for the path and offers the schemes listed there, by default "Negotiate,NTLM". A client that understands Negotiate picks it (and so gets Kerberos where possible); an older client falls back to NTLM. Removing Negotiate from the property forces NTLM for everyone.
Dynamics of NTLM
Connection oriented: the whole NTLM handshake must complete on the same TCP connection, so HTTP keep-alives are required. A request that arrives on a new connection starts over at the 401.
Understanding the authentication dialog boxes: by default NTLM does not prompt. IE prompts only if the original, silent attempt fails with 401.1.
NTLM's use of Domain\Username\Password: the domain and username are always sent over the wire between client and server. The password never is; the client sends a response computed from the hash of the password and the challenge the server issued. The final Authorization header therefore carries Domain\Username\<challenge response>, not the password and not the raw hash.
Dynamics of NTLM: security
Why is NTLM authentication considered secure? Someone monitoring the HTTP requests on the wire sees only the server's challenge and the client's response, never the password; because the response is bound to that one challenge, replaying it against a fresh challenge fails. Note that the algorithm itself is public: what protects the password is the one-way hash and the random challenge, so a captured challenge/response pair can still be tested offline against password guesses, and an active attacker can relay the exchange. Strong passwords, and Kerberos wherever the client can obtain a ticket, are the mitigations.
If connections are broken or manipulated (for example by proxies that do not keep the client on one back-end connection), NTLM fails, because the handshake is bound to a single connection.
NTLM @ Work...
Client: GET /Default.HTM
Server: 401, WWW-Authenticate: NTLM
Client: GET /Default.HTM with Authorization: NTLM (negotiate message)
Server: 401, WWW-Authenticate: NTLM <challenge>
Client: GET /Default.HTM with Authorization: NTLM (domain, username, hashed challenge response)
Server: 200 OK, or 401 Access Denied if the response does not match
Dynamics of NTLM: NTLM at work (previous slide)
1. The IE client requests an IIS resource (anonymously).
2. IIS returns 401 with a WWW-Authenticate header saying NTLM.
3. IE submits a new request for the resource with an NTLM Authorization header (the negotiate message, carrying the client's capability flags and optionally its domain and workstation name).
4. IIS generates a random 8-byte challenge (the "secret key" on the slide) and sends it back to the client in another 401, together with the server's target information.
5. IE submits a new request with an NTLM Authorization header carrying the domain, the username and the response: the challenge combined with the hash of the password. The password itself is not sent.
6. IIS, through LSASS and for domain accounts the domain controller, recomputes the expected response from the stored hash and compares it: 200 OK if it matches, otherwise 401.1 Login failed (IE prompts).
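The handshake above worked through in code, as an added example in Python (not code from the slides, IIS or Windows). It implements the NTLMv2 response as specified in MS-NLMP so the reader can see what actually crosses the wire, a random server challenge and an HMAC derived from the password's NT hash, and what the server does with it. MD4 is written out by hand because OpenSSL 3 builds of Python no longer expose it. The user name alice, the domain CA-WEBCAST, the computer name CA-WEBCAST-IIS, the passwords and the two-word wordlist are constructed sample values.

```python
import hashlib
import hmac
import secrets
import struct


def _rol(x, n):
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF


def md4(msg: bytes) -> bytes:
    """RFC 1320 MD4; the NT hash is MD4 over the UTF-16LE encoded password."""
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    data = bytearray(msg) + b"\x80"
    while len(data) % 64 != 56:
        data += b"\x00"
    data += struct.pack("<Q", len(msg) * 8)
    A, B, C, D = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(data), 64):
        X = struct.unpack("<16I", data[off:off + 64])
        a, b, c, d = A, B, C, D
        for i in range(48):
            j = i % 16
            if i < 16:    # round 1
                fn, k, s, add = f, j, (3, 7, 11, 19), 0
            elif i < 32:  # round 2
                fn, k, s, add = g, (j % 4) * 4 + j // 4, (3, 5, 9, 13), 0x5A827999
            else:         # round 3
                fn, k, s, add = h, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[j], (3, 9, 11, 15), 0x6ED9EBA1
            a, b, c, d = d, _rol((a + fn(b, c, d) + X[k] + add) & 0xFFFFFFFF, s[j % 4]), b, c
        A, B, C, D = ((A + a) & 0xFFFFFFFF, (B + b) & 0xFFFFFFFF,
                      (C + c) & 0xFFFFFFFF, (D + d) & 0xFFFFFFFF)
    return struct.pack("<4I", A, B, C, D)


def nt_hash(password: str) -> bytes:
    return md4(password.encode("utf-16-le"))


def ntowf_v2(nt: bytes, user: str, domain: str) -> bytes:
    """NTLMv2 key: HMAC-MD5 of UPPER(user)+domain, keyed with the NT hash."""
    return hmac.new(nt, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()


def av_pairs(pairs) -> bytes:
    """Target-info AV_PAIR list that the server embeds in its challenge message."""
    body = b"".join(struct.pack("<HH", av_id, 2 * len(s)) + s.encode("utf-16-le")
                    for av_id, s in pairs)
    return body + struct.pack("<HH", 0, 0)          # MsvAvEOL terminator


def ntlmv2_response(key: bytes, server_challenge: bytes, client_challenge: bytes,
                    timestamp: int, target_info: bytes) -> bytes:
    """NtChallengeResponse = NTProofStr || temp (MS-NLMP 3.3.2)."""
    temp = (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", timestamp)
            + client_challenge + b"\x00" * 4 + target_info + b"\x00" * 4)
    proof = hmac.new(key, server_challenge + temp, hashlib.md5).digest()
    return proof + temp


def server_verify(stored_nt: bytes, user: str, domain: str,
                  server_challenge: bytes, response: bytes) -> bool:
    """Server side: recompute the proof from the stored NT hash and the same challenge."""
    key = ntowf_v2(stored_nt, user, domain)
    expected = hmac.new(key, server_challenge + response[16:], hashlib.md5).digest()
    return hmac.compare_digest(expected, response[:16])


def exchange(client_password: str, directory_password: str,
             user: str = "alice", domain: str = "CA-WEBCAST") -> dict:
    """Legs 4 to 6 of the slide: what was visible on the wire, and the final status."""
    server_challenge = secrets.token_bytes(8)                  # leg 4: 401 + challenge
    target_info = av_pairs([(2, domain), (1, "CA-WEBCAST-IIS")])
    key = ntowf_v2(nt_hash(client_password), user, domain)     # client secret, never sent
    response = ntlmv2_response(key, server_challenge, secrets.token_bytes(8), 0, target_info)
    ok = server_verify(nt_hash(directory_password), user, domain, server_challenge, response)
    return {"wire": {"user": user, "domain": domain,
                     "challenge": server_challenge, "response": response},
            "status": 200 if ok else 401}                       # leg 6


def offline_guess(wire: dict, wordlist):
    """The algorithm is public, so a captured challenge/response can be tested offline."""
    for guess in wordlist:
        if server_verify(nt_hash(guess), wire["user"], wire["domain"],
                         wire["challenge"], wire["response"]):
            return guess
    return None


if __name__ == "__main__":
    print(exchange("Summer2015!", "Summer2015!")["status"])   # 200
    print(exchange("Summer2015!", "Winter2015!")["status"])   # 401
    print(offline_guess(exchange("password", "password")["wire"], ["letmein", "password"]))
```

Everything in the returned "wire" dictionary is what a sniffer on the segment would see; the NT hash and the NTLMv2 key stay inside `exchange`. The `offline_guess` function is the reason the "unknown hash algorithm" argument on the next slide does not hold: only the strength of the password protects a captured pair.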
Dynamics of Negotiate
Why create another authentication protocol? NTLM limitations:
NTLM tokens cannot be delegated: an IIS server cannot use the user's NTLM credentials to reach a back-end service on the user's behalf (Kerberos supports delegation).
NTLM is proprietary and only supported on the Windows platform.
Is Negotiate a new protocol? No. It is a wrapper (SPNEGO) that allows either Kerberos or NTLM authentication, chosen according to what the client can do: Kerberos if the client can obtain a ticket for the server, NTLM otherwise. Because the fallback is silent, a site that "works" with Negotiate may in fact be using NTLM.
Dynamics of Negotiate: key terms
Client: Internet Explorer.
Server: an IIS server that is a member of an Active Directory domain.
Active Directory: the Key Distribution Center (KDC) for all clients; its Ticket Granting Service issues all tickets (aka tokens).
Dynamics of Negotiate
When the IIS server starts and authenticates to the domain (the KDC, Active Directory) with its machine or service account, it receives its own ticket from the Ticket Granting Service. That account's long-term key is what later decrypts the service tickets that clients present.
Dynamics of Negotiate: service principal names
Output of Setspn %computername% on the demonstration server (a domain controller, hence the GC/ and ldap/ entries):
Registered ServicePrincipalNames for CN=CA-WEBCAST-IIS,OU=Domain Controllers,DC=ca-webcast,DC=local:
   GC/ca-webcast-iis.ca-webcast.local/ca-webcast.local
   HOST/ca-webcast-iis.ca-webcast.local/CA-WEBCAST
   HOST/CA-WEBCAST-IIS
   HOST/ca-webcast-iis.ca-webcast.local
   HOST/ca-webcast-iis.ca-webcast.local/ca-webcast.local
   E3514235-4B06-11D1-AB04-00C04FC2DCD2/84bbfa08-5854-4729-80aa-56117bc4ecb6/ca-webcast.local
   ldap/84bbfa08-5854-4729-80aa-56117bc4ecb6._msdcs.ca-webcast.local
   ldap/ca-webcast-iis.ca-webcast.local/CA-WEBCAST
   ldap/CA-WEBCAST-IIS
   ldap/ca-webcast-iis.ca-webcast.local
   ldap/ca-webcast-iis.ca-webcast.local/ca-webcast.local
   NtFrs-88f5d2bd-b646-11d2-a6d3-00c04fc9b232/ca-webcast-iis.ca-webcast.local
Note that there is no HTTP/ entry. A client asking the KDC for HTTP/ca-webcast-iis.ca-webcast.local is served by the HOST/ SPNs on the machine account, which is why a worker process running as a built-in identity works without any extra configuration, while a domain account used as the application pool identity needs its own HTTP/ SPN.
Negotiate @ Work...
1. Initial client request for the IIS resource, anonymously.
2. The server response is 401 with a WWW-Authenticate header for Negotiate.
3. The client asks the KDC (Active Directory) for a ticket for the service, named by its SPN (HTTP/host, which the KDC maps to HOST/host when no HTTP/ SPN is registered).
4. If the service is located in the KDC, the client receives a service ticket encrypted with the service's secret key, plus a session key that is shared between client and server.
5. Using that shared key the client builds an authenticator and sends it, together with the ticket, to IIS in the Authorization: Negotiate header.
6. IIS decrypts the ticket with its own secret key and verifies the authenticator. No password is checked at IIS; the ticket itself proves that the KDC authenticated the client.
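The exchange above, and the point made earlier that Negotiate is only a wrapper, as an added example in Python (not code from the slides or from IIS). It is a small inspector for WWW-Authenticate and Authorization header values that tells which scheme was used and, for Negotiate, whether the token inside is a Kerberos (SPNEGO) token or a silent NTLM fallback; it also extracts the server challenge and target information from an NTLM type 2 message. The header values are constructed by the block itself: the SPNEGO and Kerberos tokens are structural stubs rather than captured traffic, the negotiate flag values are illustrative, and the target name CA-WEBCAST comes from the slides.

```python
import base64
import struct

# DER-encoded OID contents (without the 0x06 tag and length byte)
SPNEGO_OID = bytes.fromhex("2b0601050502")            # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("2a864886f712010202")        # 1.2.840.113554.1.2.2
MS_KRB5_OID = bytes.fromhex("2a864882f712010202")     # 1.2.840.48018.1.2.2 (Microsoft Kerberos)
NTLMSSP_OID = bytes.fromhex("2b06010401823702020a")   # 1.3.6.1.4.1.311.2.2.10
NTLMSSP_SIG = b"NTLMSSP\x00"
STRING_AV_IDS = {1, 2, 3, 4, 5}                       # NetBIOS/DNS computer, domain and tree names


def _der(tag: int, body: bytes) -> bytes:
    """Minimal DER TLV encoder (lengths up to 65535), enough for the sample tokens."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = b"\x81" + bytes([n])
    else:
        length = b"\x82" + struct.pack(">H", n)
    return bytes([tag]) + length + body


def spnego_init(mech_oids, mech_token: bytes) -> bytes:
    """Constructed SPNEGO NegTokenInit (RFC 4178): a mechTypes list plus one mechToken."""
    mech_types = _der(0x30, b"".join(_der(0x06, oid) for oid in mech_oids))
    neg_token = _der(0x30, _der(0xA0, mech_types) + _der(0xA2, _der(0x04, mech_token)))
    return _der(0x60, _der(0x06, SPNEGO_OID) + _der(0xA0, neg_token))


def ntlm_negotiate() -> bytes:
    """NTLMSSP NEGOTIATE_MESSAGE (type 1): signature, type, flags, empty domain/workstation."""
    flags = 0xE2088297                                # illustrative flag set, as IE typically sends
    return NTLMSSP_SIG + struct.pack("<II", 1, flags) + b"\x00" * 16


def ntlm_challenge(target: str, challenge: bytes, target_info: bytes) -> bytes:
    """NTLMSSP CHALLENGE_MESSAGE (type 2), the token IIS puts in its second 401."""
    name = target.encode("utf-16-le")
    hdr = 48                                          # fixed part, without the optional Version field
    return (NTLMSSP_SIG + struct.pack("<I", 2)
            + struct.pack("<HHI", len(name), len(name), hdr)                          # TargetNameFields
            + struct.pack("<I", 0xE2898215) + challenge + b"\x00" * 8                 # flags, challenge, reserved
            + struct.pack("<HHI", len(target_info), len(target_info), hdr + len(name))  # TargetInfoFields
            + name + target_info)


def _token(header_value: str):
    scheme, _, b64 = header_value.partition(" ")
    return scheme.rstrip(","), (base64.b64decode(b64) if b64.strip() else b"")


def classify(header_value: str) -> dict:
    """Which scheme a WWW-Authenticate/Authorization value uses and, for Negotiate,
    whether the token inside is Kerberos or an NTLM fallback."""
    scheme, token = _token(header_value)
    if scheme not in ("Negotiate", "NTLM"):
        return {"scheme": scheme, "mechanism": None}
    if not token:
        return {"scheme": scheme, "mechanism": "offer"}          # bare 401 offer, no token yet
    if token.startswith(NTLMSSP_SIG):                          # raw NTLMSSP, even under "Negotiate"
        return {"scheme": scheme, "mechanism": "NTLM",
                "message_type": struct.unpack_from("<I", token, 8)[0]}
    if token[:1] in (b"\x60", b"\xa1"):                        # SPNEGO NegTokenInit / NegTokenResp
        if NTLMSSP_SIG in token:                               # the mechToken is an NTLMSSP message
            return {"scheme": scheme, "mechanism": "NTLM (inside SPNEGO)"}
        if KRB5_OID in token or MS_KRB5_OID in token:
            return {"scheme": scheme, "mechanism": "Kerberos"}
    return {"scheme": scheme, "mechanism": "unknown"}


def parse_challenge(header_value: str) -> dict:
    """Server challenge, target name and target-info pairs from a type 2 message."""
    _, token = _token(header_value)
    if not token.startswith(NTLMSSP_SIG) or struct.unpack_from("<I", token, 8)[0] != 2:
        raise ValueError("not an NTLM CHALLENGE_MESSAGE")
    n_len, _, n_off = struct.unpack_from("<HHI", token, 12)
    ti_len, _, ti_off = struct.unpack_from("<HHI", token, 40)
    info, pos = {}, ti_off
    while pos + 4 <= ti_off + ti_len:
        av_id, av_len = struct.unpack_from("<HH", token, pos)
        if av_id == 0:                                         # MsvAvEOL
            break
        raw = token[pos + 4:pos + 4 + av_len]
        info[av_id] = raw.decode("utf-16-le") if av_id in STRING_AV_IDS else raw.hex()
        pos += 4 + av_len
    return {"challenge": token[24:32].hex(),
            "target_name": token[n_off:n_off + n_len].decode("utf-16-le"),
            "target_info": info}


def samples() -> dict:
    """Constructed header values for the situations on the slides (not captured traffic)."""
    b64 = lambda b: base64.b64encode(b).decode()
    domain = "CA-WEBCAST".encode("utf-16-le")
    av = struct.pack("<HH", 2, len(domain)) + domain + struct.pack("<HH", 0, 0)
    type2 = ntlm_challenge("CA-WEBCAST", bytes.fromhex("0102030405060708"), av)
    krb_stub = _der(0x60, _der(0x06, KRB5_OID) + b"\x01\x00" + b"<AP-REQ omitted>")  # GSS Kerberos stub
    return {
        "offer": "Negotiate",                                  # WWW-Authenticate in the first 401
        "ntlm_type1": "NTLM " + b64(ntlm_negotiate()),         # Authorization, leg 3
        "ntlm_type2": "NTLM " + b64(type2),                    # WWW-Authenticate, leg 4
        "negotiate_kerberos": "Negotiate " + b64(spnego_init([KRB5_OID, NTLMSSP_OID], krb_stub)),
        "negotiate_ntlm_fallback": "Negotiate " + b64(spnego_init([NTLMSSP_OID], ntlm_negotiate())),
    }


if __name__ == "__main__":
    for name, value in samples().items():
        print(f"{name:24} -> {classify(value)}")
    print(parse_challenge(samples()["ntlm_type2"]))
```

Run it against the Authorization header of a real request (a network capture or the IIS log with the header enabled) to confirm that Negotiate actually resulted in Kerberos; a base64 value beginning with "TlRMTVNT" is the tell-tale of NTLM, whatever scheme name precedes it.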
Demonstration One: configuring a process to use a domain account and Kerberos
The purpose of this demonstration is to show how the worker process identity set on an application pool affects authentication when the authenticated user uses the Negotiate protocol and Kerberos.
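The check behind the demonstration, as an added example in Python (not code from the slides or a Microsoft tool): given the application pool identity and the SPNs registered in the domain, decide whether a Kerberos ticket for the site can be decrypted by the worker process, and print the setspn command that repairs the common failures (no HTTP/ SPN, SPN on the wrong account, duplicate SPN). The setspn output is constructed from the SPN list on the earlier slide, abbreviated, plus a hypothetical service account svc_webpool; the host name intranet.ca-webcast.local is an assumed example of a site with a host header.

```python
# Output of setspn -L for the demonstration server (SPNs copied from the slide, abbreviated)
# plus a hypothetical domain account, svc_webpool, that the application pool will run as.
SETSPN_L = """\
Registered ServicePrincipalNames for CN=CA-WEBCAST-IIS,OU=Domain Controllers,DC=ca-webcast,DC=local:
    GC/ca-webcast-iis.ca-webcast.local/ca-webcast.local
    HOST/ca-webcast-iis.ca-webcast.local/CA-WEBCAST
    HOST/CA-WEBCAST-IIS
    HOST/ca-webcast-iis.ca-webcast.local
    HOST/ca-webcast-iis.ca-webcast.local/ca-webcast.local
    ldap/CA-WEBCAST-IIS
    ldap/ca-webcast-iis.ca-webcast.local
Registered ServicePrincipalNames for CN=svc_webpool,OU=Service Accounts,DC=ca-webcast,DC=local:
"""

# Built-in identities that present the computer account's credentials on the network.
MACHINE_IDENTITIES = {"NetworkService", "LocalSystem"}


def parse_setspn(text: str) -> dict:
    """Parse 'setspn -L' output into {account CN: [SPN, ...]}."""
    accounts, current = {}, None
    for line in text.splitlines():
        if line.startswith("Registered ServicePrincipalNames for "):
            dn = line.split(" for ", 1)[1].rstrip(":")
            current = dn.split(",")[0].split("=", 1)[1]
            accounts[current] = []
        elif line.strip() and current is not None:
            accounts[current].append(line.strip())
    return accounts


def spn_holders(accounts: dict, spn: str) -> list:
    """Accounts (upper-cased CN) holding an SPN; more than one is a broken state."""
    return sorted(acct.upper() for acct, spns in accounts.items()
                  if any(s.lower() == spn.lower() for s in spns))


def check_kerberos(accounts: dict, hostname: str, machine: str, pool_identity: str) -> dict:
    """hostname: the name in the URL (IE asks the KDC for HTTP/<hostname>).
    machine: the IIS computer name.  pool_identity: NetworkService, LocalSystem or DOMAIN\\user.
    The service ticket is encrypted with the key of whichever account holds the SPN, and only
    a worker process running as that account can decrypt it."""
    http_spn = f"HTTP/{hostname}"
    holders = spn_holders(accounts, http_spn)
    if len(holders) > 1:
        return {"status": "duplicate", "accounts": holders,
                "fix": f"setspn -D {http_spn} <account> for every holder except the pool account"}
    if pool_identity in MACHINE_IDENTITIES:
        expected, fix_target = machine.upper(), machine
        # No HTTP/ SPN needed: the KDC maps HTTP to the machine account's HOST/<hostname> SPN.
        covered = holders == [expected] or spn_holders(accounts, f"HOST/{hostname}") == [expected]
    else:
        expected, fix_target = pool_identity.split("\\")[-1].upper(), pool_identity
        covered = holders == [expected]
    if covered:
        return {"status": "ok", "account": expected,
                "via": http_spn if holders else f"HOST/{hostname}"}
    if holders:   # registered, but on an account whose key the worker process does not have
        return {"status": "wrong_account", "registered_on": holders[0],
                "fix": f"setspn -D {http_spn} {holders[0]} && setspn -S {http_spn} {fix_target}"}
    # setspn -S refuses duplicates (Windows Server 2008 and later); the 2003 support tools use -A
    return {"status": "missing", "account": expected, "fix": f"setspn -S {http_spn} {fix_target}"}


if __name__ == "__main__":
    acc = parse_setspn(SETSPN_L)
    fqdn, host = "ca-webcast-iis.ca-webcast.local", "CA-WEBCAST-IIS"
    print(check_kerberos(acc, fqdn, host, "NetworkService"))            # ok, via HOST/
    print(check_kerberos(acc, fqdn, host, "CA-WEBCAST\\svc_webpool"))   # missing
    print(check_kerberos(acc, "intranet.ca-webcast.local", host, "NetworkService"))  # missing
```

The third call is the case that bites sites with host headers: HOST/ only covers the machine's own name, so a site answering as intranet.ca-webcast.local needs HTTP/intranet.ca-webcast.local registered on whichever account the pool runs as, and on that account only. In a load-balanced farm every node's pool must run as the same domain account for the same reason.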
References
IIS 6 Help Documentation: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003/proddocs/standard/sec_auth_intwinauth.asp
IIS 6 Deployment Guide
Load Balancing and Kerberos: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003/maintain/security/nlbsecbp.asp