
Understanding Integrated Authentication in IIS

Chris Adams
IIS Supportability Lead
Microsoft Corp.

Agenda

- Introduction to Integrated Authentication
  - Dynamics of NTLM Authentication
  - Dynamics of Negotiate Authentication
- Demonstration One
- Best Practices for Integrated Authentication
- References

Introduction to Integrated Authentication

- Introduced in Windows 2000
- Commonly referred to as “Windows Integrated Authentication”
- Secure: it is considered secure because it does not transmit the password “on the wire”
- Internet Explorer preferred: if Basic and Integrated are both enabled, IE will use Integrated for security reasons

Introduction: Let’s review…

How authentication works in IIS

(Diagram: the server core dispatches the request to the authentication providers: Anonymous, Basic, Digest, Kerberos, NTLM, Passport)

1. Request enters server core.
2. Server core forwards to the anonymous provider. IIS builds the path (w3svc/1/root) and verifies if anonymous is enabled.
   - Yes: provide the path and the anonymous user’s token to the authorization manager.
   - No: IIS passes the path to each provider to determine if the path has that provider enabled. Each provider that is enabled returns the appropriate header to the server core.

Introduction…

(Diagram: Negotiate, with Kerberos and NTLM beneath it)

Introduction to Integrated Authentication

Platform information for Windows Integrated

- Windows NT 4: supports only NTLM (not known as Windows Integrated)
- Windows 2000: supports Negotiate and NTLM
- Windows 2003: supports Negotiate and NTLM

Introduction to Integrated Authentication

How is the appropriate integrated authentication determined?

(Flowchart) AuthNTLM enabled?
- No: 401.3 Access Denied
- Yes: NTAuthenticationProviders selects Negotiate or NTLM

Dynamics of NTLM

- Connection oriented
  - Same connection always used per request
  - HTTP Keep-Alives required
- Understanding auth dialog boxes
  - NTLM, by default, doesn’t prompt
  - NTLM may prompt if the original request fails with 401.1
- NTLM’s use of Domain\Username\Password
  - Domain and Username are always shared over the wire between client and server
  - Password is never: always uses the hash of the password
  - Authentication header includes: Domain\Username\HashedPassword

Dynamics of NTLM: Security

Why is NTLM authentication secure?
- The hash algorithm of the password is unknown when hackers monitor the HTTP requests on the wire
- If connections are broken or manipulated (by proxies), then NTLM fails

NTLM @ Work…

(Sequence diagram, IE client to IIS server)
1. Client: Get /Default.HTM
   Server: 401 – WWW Auth: NTLM
2. Client: Get /Default.HTM w/ AuthNTLM
   Server: 401 – Access Denied
3. Client: Get /Default.HTM w/ AuthNTLM Hashed
   Server: 200 - OK

Dynamics of NTLM

NTLM at work… (previous slide)

1. IE client requests an IIS resource (Anon).
2. IIS returns 401 with a WWW-Authenticate header saying NTLM.
3. IE submits a new request for the IIS resource with an NTLM Authentication header (username).
4. IIS uses the NT Authentication header to build a secret key and sends 401 with the key back to the client.
5. IE submits a new request for the IIS resource with an NTLM Authentication header (username\password\hash of password).
6. IIS checks username\password\hash and, if it matches, returns 200 OK, or 401.1 Login failed (IE prompts).
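The six-step exchange above, as an added example (not code from the slides, from Microsoft or from IIS): a Python simulation of the challenge/response pattern on one keep-alive connection. The message shapes, the SHA-256/HMAC stand-in for the stored password hash, the in-memory account table, the connection ids and the account names are all constructed for illustration; real NTLM message formats and hashes are deliberately not reproduced. It also shows the two failure paths the slides mention: 401.1 when the hash does not match, and a failed logon when the third leg arrives on a different connection from the one that received the challenge (no keep-alive, or a proxy that re-opens connections).

```python
import hashlib
import hmac
import os


def password_hash(password: str) -> bytes:
    """Stand-in for the stored password hash (constructed; not the real NTLM hash)."""
    return hashlib.sha256(password.encode("utf-16-le")).digest()


# Constructed account table: (domain, username) -> password hash. As the slides
# state, only the hash is stored and only a hash ever crosses the wire.
USERS = {("CA-WEBCAST", "alice"): password_hash("correct horse battery")}


class IisLikeServer:
    """Server side of the exchange (steps 2, 4 and 6 on the slide)."""

    def __init__(self, users):
        self.users = users
        self.pending = {}  # connection id -> (domain, user, challenge) awaiting the third leg

    def handle(self, conn_id, request):
        auth = request.get("Authorization")
        if auth is None:
            # Step 2: anonymous request, answer 401 and advertise NTLM.
            return {"status": 401, "WWW-Authenticate": "NTLM"}
        if auth["type"] == "negotiate":
            # Step 4: the client named domain\username; issue a fresh challenge
            # (the "secret key" on the slide) and remember it for this connection only.
            challenge = os.urandom(8)
            self.pending[conn_id] = (auth["domain"], auth["user"], challenge)
            return {"status": 401, "WWW-Authenticate": "NTLM", "challenge": challenge}
        if auth["type"] == "authenticate":
            # Step 6: the response only means something on the connection that got the
            # challenge, which is why NTLM needs keep-alives and fails behind proxies
            # that break or rewrite connections.
            state = self.pending.pop(conn_id, None)
            if state is None:
                return {"status": 401, "WWW-Authenticate": "NTLM",
                        "reason": "no outstanding challenge on this connection"}
            domain, user, challenge = state
            stored = self.users.get((domain, user))
            if stored is not None:
                expected = hmac.new(stored, challenge, hashlib.sha256).digest()
                if hmac.compare_digest(expected, auth["response"]):
                    return {"status": 200}
            return {"status": 401, "substatus": 1}  # 401.1 logon failed: IE would prompt
        return {"status": 400}


def status_text(response):
    """Render a response as IIS-style '401.1' or plain '200'."""
    if "substatus" in response:
        return f"{response['status']}.{response['substatus']}"
    return str(response["status"])


def ie_like_client(server, domain, user, password, keep_alive=True):
    """Client side (steps 1, 3 and 5). Returns the status of each leg, e.g. ['401', '401', '200']."""
    conn = "conn-1"
    seen = []
    r = server.handle(conn, {"method": "GET", "path": "/Default.HTM"})
    seen.append(status_text(r))
    if r["status"] != 401 or r.get("WWW-Authenticate") != "NTLM":
        return seen
    r = server.handle(conn, {"method": "GET", "path": "/Default.HTM",
                             "Authorization": {"type": "negotiate", "domain": domain, "user": user}})
    seen.append(status_text(r))
    if "challenge" not in r:
        return seen
    if not keep_alive:
        conn = "conn-2"  # simulate a dropped keep-alive or proxy: the third leg arrives on a new connection
    # The client proves knowledge of the password hash without ever sending the password.
    response = hmac.new(password_hash(password), r["challenge"], hashlib.sha256).digest()
    r = server.handle(conn, {"method": "GET", "path": "/Default.HTM",
                             "Authorization": {"type": "authenticate", "domain": domain,
                                               "user": user, "response": response}})
    seen.append(status_text(r))
    return seen


if __name__ == "__main__":
    srv = IisLikeServer(USERS)
    print(ie_like_client(srv, "CA-WEBCAST", "alice", "correct horse battery"))                    # ['401', '401', '200']
    print(ie_like_client(srv, "CA-WEBCAST", "alice", "wrong password"))                           # ['401', '401', '401.1']
    print(ie_like_client(srv, "CA-WEBCAST", "alice", "correct horse battery", keep_alive=False))  # ['401', '401', '401']
```

The third run is the case the “Security” slide describes: the credentials are right, but because the response reaches the server on a connection that never saw the challenge, the logon fails rather than succeeding, so a proxy that closes keep-alive connections between legs 2 and 3 breaks NTLM even for valid users.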

Dynamics of Negotiate

Why create another authentication protocol? NTLM limitations:
- NTLM tokens cannot be delegated
- NTLM is proprietary and only supported by the Windows platform

Is Negotiate a new protocol?
- No, it is just a wrapper that allows either Kerberos or NTLM authentication based on the client request

Dynamics of Negotiate

Key terms of Negotiate
- Client: Internet Explorer
- Server: IIS server that is a member of an Active Directory domain
- Active Directory:
  - Key Distribution Center (KDC) for all clients
  - Ticket Granting Service: issues all tickets (aka tokens)

Dynamics of Negotiate

(Diagram: IIS Server <-> Active Directory (KDC), Ticket Granting Services)

The IIS server is started, and when the server authenticates to the domain (aka KDC) it receives its ticket.

Dynamics of Negotiate

Active Directory (KDC)

Output of setspn %computername% on the demo server:

Registered ServicePrincipalNames for CN=CA-WEBCAST-IIS,OU=Domain Controllers,DC=ca-webcast,DC=local:
    GC/ca-webcast-iis.ca-webcast.local/ca-webcast.local
    HOST/ca-webcast-iis.ca-webcast.local/CA-WEBCAST
    HOST/CA-WEBCAST-IIS
    HOST/ca-webcast-iis.ca-webcast.local
    HOST/ca-webcast-iis.ca-webcast.local/ca-webcast.local
    E3514235-4B06-11D1-AB04-00C04FC2DCD2/84bbfa08-5854-4729-80aa-56117bc4ecb6/ca-webcast.local
    ldap/84bbfa08-5854-4729-80aa-56117bc4ecb6._msdcs.ca-webcast.local
    ldap/ca-webcast-iis.ca-webcast.local/CA-WEBCAST
    ldap/CA-WEBCAST-IIS
    ldap/ca-webcast-iis.ca-webcast.local
    ldap/ca-webcast-iis.ca-webcast.local/ca-webcast.local
    NtFrs-88f5d2bd-b646-11d2-a6d3-00c04fc9b232/ca-webcast-iis.ca-webcast.local
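The setspn listing above is what the KDC consults when a browser asks for a ticket for HTTP/<host>, so a quick check of that listing is the first thing to do when Kerberos unexpectedly falls back to NTLM or fails. The following is an added example, not code from the slides or from Microsoft: a small Python parser for setspn list output, fed the slide’s own output embedded as an inline string, plus a check of whether a given host name can be served. The check assumes the default SPN mappings, under which the HOST/ SPN of a machine account also covers HTTP/; the allow_host_fallback parameter is an assumption of this example and is there for the situation the later demonstration slide concerns, an application pool running under a custom domain account, where only an explicit HTTP/ SPN on that account counts.

```python
import re

# setspn output as shown on the slide for the demo domain controller, embedded here
# as a constructed inline string so the check runs offline.
SETSPN_OUTPUT = """\
Registered ServicePrincipalNames for CN=CA-WEBCAST-IIS,OU=Domain Controllers,DC=ca-webcast,DC=local:
    GC/ca-webcast-iis.ca-webcast.local/ca-webcast.local
    HOST/ca-webcast-iis.ca-webcast.local/CA-WEBCAST
    HOST/CA-WEBCAST-IIS
    HOST/ca-webcast-iis.ca-webcast.local
    HOST/ca-webcast-iis.ca-webcast.local/ca-webcast.local
    E3514235-4B06-11D1-AB04-00C04FC2DCD2/84bbfa08-5854-4729-80aa-56117bc4ecb6/ca-webcast.local
    ldap/84bbfa08-5854-4729-80aa-56117bc4ecb6._msdcs.ca-webcast.local
    ldap/ca-webcast-iis.ca-webcast.local/CA-WEBCAST
    ldap/CA-WEBCAST-IIS
    ldap/ca-webcast-iis.ca-webcast.local
    ldap/ca-webcast-iis.ca-webcast.local/ca-webcast.local
    NtFrs-88f5d2bd-b646-11d2-a6d3-00c04fc9b232/ca-webcast-iis.ca-webcast.local
"""

HEADER_RE = re.compile(r"^Registered ServicePrincipalNames for (?P<dn>.+):$")


def parse_setspn(text):
    """Parse setspn list output into (account DN, [(service class, host, suffix or None), ...])."""
    dn = None
    spns = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            dn = m.group("dn")
            continue
        parts = line.split("/", 2)  # an SPN is serviceclass/host[/servicename]
        if len(parts) < 2:
            raise ValueError(f"not an SPN: {line!r}")
        service, host = parts[0], parts[1]
        suffix = parts[2] if len(parts) == 3 else None
        spns.append((service, host, suffix))
    return dn, spns


def kerberos_spn_status(spns, hostname, allow_host_fallback=True):
    """Say whether a browser asking the KDC for HTTP/<hostname> can be served from this SPN list.

    allow_host_fallback=True models a machine account, where HOST/ stands in for HTTP/ via
    the domain's default SPN mappings. Use False when the listed SPNs belong to a custom
    domain account running the application pool: there only an explicit HTTP/ SPN counts.
    (Parameter name and return strings are this example's own, not setspn's.)
    """
    target = hostname.lower()
    classes = {s[0].lower() for s in spns if s[1].lower() == target}
    if "http" in classes:
        return "explicit HTTP SPN"
    if allow_host_fallback and "host" in classes:
        return "covered by HOST SPN"
    return "missing"


if __name__ == "__main__":
    account, registered = parse_setspn(SETSPN_OUTPUT)
    print(account)
    for name in ("ca-webcast-iis.ca-webcast.local", "www.ca-webcast.local"):
        print(name, "->", kerberos_spn_status(registered, name))
        print(name, "(custom pool account) ->", kerberos_spn_status(registered, name, allow_host_fallback=False))
```

Run against the slide’s listing, the machine’s own FQDN is covered by its HOST/ SPNs, but a site answering on a different host name (a CNAME or load-balanced name, the case the “Load Balancing and Kerberos” reference addresses) shows up as missing, and so does the FQDN once the fallback is switched off, which is the same outcome an application pool under a custom domain account without an HTTP/ SPN sees: the browser cannot get a ticket and Negotiate falls back to NTLM or fails.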

Negotiate @ Work…

(Diagram: Client, KDC (Active Directory) and IIS Server; the service’s secret key is shared between the KDC and the IIS server)

1. Initial client request for the IIS resource anonymously.
2. The server response is 401 – WWW-Authenticate header for Negotiate.
3. Client to KDC: “I need a ticket for the following service (aka HTTP\HOST).”
4. If the service is located in the KDC, the secret key is shared with the client.
5. Using the key provided, the client creates a hash (key) and sends it to IIS.
6. IIS uses the secret key and verifies that the password matches.

Demonstration One

Configuring a Process to use a Domain Account and Kerberos

The purpose of this demonstration is to show how a worker process identity set on an application pool affects authentication when the authenticated user uses the Negotiate protocol and Kerberos.

References

- IIS 6 Help Documentation: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003/proddocs/standard/sec_auth_intwinauth.asp
- IIS 6 Deployment Guide
- Load Balancing and Kerberos: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003/maintain/security/nlbsecbp.asp

Q & A