
Authentication

Various types of authentication


• Anonymous authentication
• Basic authentication
• Digest and Advanced Digest authentication
• Integrated Windows authentication
• .NET Passport authentication

Anonymous authentication

• This authentication method allows everyone access to the public areas of your Web sites, without asking for a user name or password.

Logon Types

• Four main classifications of authentication are used in IIS:
– INTERACTIVE
– BATCH
– NETWORK
– SERVICE

Basic authentication

• Both the web server and FTP server components in IIS support Basic authentication. Here’s how it works in IIS:
– The user enters a username and password for authentication.
– The web browser Base64-encodes the password and sends it to the server.
– IIS verifies that the username and password are valid, and that they have access to the resources.
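As an added illustration of the three steps above (example code written for this page, not taken from the slides or from IIS itself), the following Python shows what the browser does with the credentials and what a server has to do to check them. The user name, password and salt are constructed sample values, and the server-side store of salted PBKDF2 hashes is an assumption made for the example; IIS checks Windows accounts instead. Decoding the header back to the password is the point of the example: Base64 is an encoding, not encryption, so the credentials are only as private as the connection carrying them.

```python
import base64
import binascii
import hashlib
import hmac


def _pbkdf2(password: str, salt: bytes) -> bytes:
    """Slow salted hash used for the constructed server-side store (assumption)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


# Constructed sample store: username -> (salt, PBKDF2 hash). Fixed salt for reproducibility.
_SALT = bytes.fromhex("00112233445566778899aabbccddeeff")
USERS = {"alice": (_SALT, _pbkdf2("correct horse battery staple", _SALT))}


def build_basic_header(username: str, password: str) -> str:
    """Client step: join user:password and Base64-encode it. Nothing is encrypted here."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def parse_basic_header(header: str):
    """Server step: recover the plaintext credentials from the Authorization header.
    Returns (username, password), or None if the header is malformed."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    if ":" not in raw:
        return None
    username, _, password = raw.partition(":")  # the password itself may contain ':'
    return username, password


def verify_basic(header: str) -> bool:
    """Server step: check the credentials against the store with a constant-time compare."""
    creds = parse_basic_header(header)
    if creds is None:
        return False
    username, password = creds
    record = USERS.get(username)
    if record is None:
        _pbkdf2(password, _SALT)  # same cost for unknown users, so timing does not reveal them
        return False
    salt, expected = record
    return hmac.compare_digest(_pbkdf2(password, salt), expected)


if __name__ == "__main__":
    header = build_basic_header("alice", "correct horse battery staple")
    print(header)
    # Anyone who can read the header on the wire gets the password back by decoding it:
    print(parse_basic_header(header))
    print(verify_basic(header))
```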
• Basic Authentication Tokens
• IIS caches the logon token it creates for a user who authenticates with Basic authentication. You can reduce this risk in two main ways:
– Don’t log on using Basic authentication with any user account that has elevated rights, especially Administrator rights.
– Set the UserTokenTTL setting in the registry to a lower value so that tokens expire more frequently. You can even set it to 0 so that tokens are not cached at all.
• Obviously, not caching tokens causes a performance hit. You need to weigh this against the need to have Administrator accounts that access the server.

Digest Authentication

• How Digest authentication works:
– The server sends the client a note that Digest authentication is required for this resource.
– The server also sends the client a 'nonce,' some randomly generated information to include in the authentication hash. This information helps prevent replay attacks.
– The client adds this information to its username/password combo and performs a one-way hash on it using the MD5 hashing algorithm.
– The client sends the hash to the server. It also sends the nonce in clear text.
– The server takes the nonce data, combines it with the local plaintext copy of the username/password combo, and performs a one-way hash on it using the MD5 hashing algorithm.
– This hash is compared to the one received, and if they match, the authentication is accepted.
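An added worked example of the exchange just described (written for this page; it is not code from the slides or from IIS). It goes a little beyond the simplified description above by using the RFC 2617 formula without the qop extension: HA1 = MD5(username:realm:password), HA2 = MD5(method:URI), response = MD5(HA1:nonce:HA2). The realm, user name and password are constructed, and the server-side table of outstanding nonces with a lifetime is an assumed policy included to show concretely how the nonce defeats a replayed response: the same hash is accepted once and rejected the second time.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional

REALM = "example-iis"  # constructed realm name


def _md5(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def ha1(username: str, realm: str, password: str) -> str:
    """HA1 = MD5(username:realm:password). A server may store HA1 instead of the password."""
    return _md5(f"{username}:{realm}:{password}")


def digest_response(ha1_value: str, nonce: str, method: str, uri: str) -> str:
    """RFC 2617 response without qop: MD5(HA1:nonce:HA2), where HA2 = MD5(method:uri)."""
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1_value}:{nonce}:{ha2}")


class DigestServer:
    """Server side: issues nonces, remembers which are outstanding, verifies responses."""

    def __init__(self, users: Dict[str, str], nonce_lifetime: float = 300.0):
        self.users = users                      # username -> HA1 (constructed sample store)
        self.nonce_lifetime = nonce_lifetime    # assumed policy: nonces expire after this
        self._issued: Dict[str, float] = {}     # nonce -> time it was issued

    def challenge(self, now: Optional[float] = None) -> str:
        """Step 2: send the client a fresh random nonce."""
        nonce = secrets.token_hex(16)
        self._issued[nonce] = time.time() if now is None else now
        return nonce

    def verify(self, username: str, nonce: str, method: str, uri: str,
               response: str, now: Optional[float] = None) -> bool:
        """Steps 5 and 6: recompute the hash from the stored HA1 and compare."""
        now = time.time() if now is None else now
        issued = self._issued.pop(nonce, None)   # each nonce is accepted at most once
        if issued is None or now - issued > self.nonce_lifetime:
            return False                          # unknown, reused or expired nonce
        stored_ha1 = self.users.get(username)
        if stored_ha1 is None:
            return False
        expected = digest_response(stored_ha1, nonce, method, uri)
        return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    server = DigestServer({"alice": ha1("alice", REALM, "s3cret")})
    nonce = server.challenge()
    # Client side: hash user name, realm, password and nonce; the password is never sent.
    resp = digest_response(ha1("alice", REALM, "s3cret"), nonce, "GET", "/private/")
    print("first use:", server.verify("alice", nonce, "GET", "/private/", resp))
    print("replay:   ", server.verify("alice", nonce, "GET", "/private/", resp))
```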

Advanced Digest Authentication

• Advanced Digest authentication has the following requirements:
– You must be running Active Directory.
– Both the IIS server and a domain controller must be running WS03.
– The clients using Advanced Digest authentication must be running at least IE 5.
– The user account must be in an Active Directory domain that is trusted to the IIS server (or the same domain).

Integrated Windows Authentication

• It supports both NTLM and Kerberos v5
– Kerberos generally works with proxy servers, but it tends to have a hard time with firewalls. NTLM generally works through firewalls, but it tends to have a hard time with proxy servers.

How NTLM works

[Diagram: NTLM challenge/response flow. The user enters a user name, password and domain name; the client keeps a hash of the password; the server sends a 16-bit nonce; the nonce is encrypted with the password hash, and the domain controller encrypts the nonce again with its own copy of the hash and compares the two. The numbered steps are listed below.]
• The user types in a username, password, and a domain name when
logging in to the client machine.
• The client creates a hash of this password and discards the original.
• The client sends the server the plaintext username.
• The server sends a 16-bit nonce to the client.
• The client encrypts this nonce along with the hash of the user's
password and sends it to the server.
• The server then sends the username, the nonce, and the client's
response to a domain controller.
• The domain controller encrypts the nonce along with its own hash of
the user's password, and it compares the value to the one sent by the
server.
• If the values match, the domain controller notifies the server that
authentication is successful.
• If the values do not match or no username matches, the domain
controller notifies the server, which then sends that message to the
client. The client's browser then prompts the user for login information.
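The three-party flow above as an added, runnable model (example code written for this page, not the slides' material and not the real NTLM wire protocol). It keeps the property the slides emphasise: the client and the domain controller each hold only a one-way hash of the password, the password never crosses the network, and the server only relays the user name, nonce and response to the domain controller for the comparison. The hash function (SHA-256 over the UTF-16LE password), the HMAC-based response and the 8-byte challenge length are stand-ins chosen for the example, and the account data is constructed.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional


def password_hash(password: str) -> bytes:
    """Step 2: the client (and the domain controller) keep a one-way hash, not the password.
    Stand-in for the real NTLM hash (assumption): SHA-256 over the UTF-16LE password."""
    return hashlib.sha256(password.encode("utf-16-le")).digest()


def challenge_response(pw_hash: bytes, nonce: bytes) -> bytes:
    """Steps 5 and 7: a keyed one-way function of the nonce under the password hash."""
    return hmac.new(pw_hash, nonce, hashlib.sha256).digest()


class DomainController:
    def __init__(self, accounts: Dict[str, str]):
        # Constructed accounts; only the hashes are retained.
        self.hashes = {user: password_hash(pw) for user, pw in accounts.items()}

    def check(self, username: str, nonce: bytes, response: bytes) -> bool:
        """Steps 7 and 8: recompute from the stored hash and compare."""
        stored = self.hashes.get(username)
        if stored is None:
            return False                      # no username matches
        return hmac.compare_digest(challenge_response(stored, nonce), response)


class Server:
    def __init__(self, dc: DomainController):
        self.dc = dc
        self.pending: Dict[str, bytes] = {}   # username -> nonce we are waiting on

    def challenge(self, username: str) -> bytes:
        """Step 4: send the client a fresh random nonce (8 bytes here; a constructed choice)."""
        nonce = secrets.token_bytes(8)
        self.pending[username] = nonce
        return nonce

    def authenticate(self, username: str, response: bytes) -> bool:
        """Step 6: the server does not verify itself; it forwards to the domain controller."""
        nonce = self.pending.pop(username, None)
        if nonce is None:
            return False                      # no outstanding challenge for this user
        return self.dc.check(username, nonce, response)


class Client:
    def __init__(self, username: str, password: str):
        self.username = username
        self.pw_hash = password_hash(password)   # original password discarded (step 2)

    def logon(self, server: Server) -> bool:
        nonce = server.challenge(self.username)  # steps 3 and 4
        return server.authenticate(self.username, challenge_response(self.pw_hash, nonce))


if __name__ == "__main__":
    dc = DomainController({"alice": "Passw0rd!"})   # constructed account
    server = Server(dc)
    print("correct password:", Client("alice", "Passw0rd!").logon(server))
    print("wrong password:  ", Client("alice", "wrong").logon(server))
```

Because every logon gets a new nonce, a response captured from one exchange does not verify against the next challenge, which is what the domain controller's comparison in step 7 relies on.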

How Kerberos works

[Diagram: Kerberos logon. The user enters a user name and password; the client encrypts the password and stores it; the KDC compares it with the master copy and checks the time stamp, creates a logon session key and encrypts it with the user key, and grants a TGT by encrypting the logon session key and a TGT for the user with its own master key. The steps are listed below.]

Kerberos Authentication

• How the client gets the initial TGT from the KDC:
• The user logs in to the client with a username and password.
• The client encrypts the password and saves it.
• The client sends the KDC a message requesting credentials for the TGT
service, along with the user's encrypted password.
• The KDC compares the encrypted password with its master copy to make
sure they match. It also checks the timestamp the client added to the
request to make sure it is within five minutes of its own time.
• If everything matches, the KDC creates the requested credentials for the
TGT service by creating a logon session key and encrypting it with the
user's key.
• The KDC also creates another credential by encrypting the logon session
key and a TGT for the user with its own master key.
• The KDC then sends both credentials to the client.
• The client decrypts the logon session key from the first credential using its
encrypted password, and it stores that logon session key in its ticket cache.
• The client also stores the TGT in its ticket cache.
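The TGT exchange above as an added worked model (code written for this page, not from the slides and not a real Kerberos implementation). It follows the steps in order: the client keeps a key derived from the password, sends a timestamp protected under that key, the KDC opens it with its master copy of the user's key and rejects anything more than five minutes off its own clock, then returns two credentials: the logon session key under the user's key, and the session key plus a TGT under the KDC's own master key, which the client caches without being able to read. The "encryption" is a toy authenticated construction built from HMAC-SHA256 so the example runs with the standard library only; the user names, passwords and ticket contents are constructed.

```python
import hashlib
import hmac
import json
import secrets
import time
from typing import Dict, Optional, Tuple


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    for counter in range((length + 31) // 32):
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Toy authenticated encryption (HMAC keystream + HMAC tag), a stand-in for Kerberos ciphers."""
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ s for p, s in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if len(blob) < 48 or not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("wrong key or tampered credential")
    return bytes(c ^ s for c, s in zip(ct, _keystream(key, nonce, len(ct))))


def derive_user_key(password: str) -> bytes:
    """Step 2, 'the client encrypts the password and saves it', modeled as one-way key derivation."""
    return hashlib.sha256(password.encode("utf-8")).digest()


class KDC:
    def __init__(self, user_keys: Dict[str, bytes], max_skew: float = 300.0):
        self.master_key = secrets.token_bytes(32)   # the KDC's own key; it never leaves the KDC
        self.user_keys = user_keys                   # master copies of each user's key
        self.max_skew = max_skew                     # five minutes, as in the text

    def request_tgt(self, username: str, preauth: bytes,
                    now: Optional[float] = None) -> Tuple[bytes, bytes]:
        """Steps 4 to 7: check the client's credential and timestamp, then issue both credentials."""
        now = time.time() if now is None else now
        user_key = self.user_keys.get(username)
        if user_key is None:
            raise PermissionError("unknown user")
        try:  # opening the blob with the master copy is the 'compare with master copy' step
            client_time = int.from_bytes(decrypt(user_key, preauth), "big")
        except ValueError:
            raise PermissionError("pre-authentication failed") from None
        if abs(now - client_time) > self.max_skew:
            raise PermissionError("clock skew too great")
        session_key = secrets.token_bytes(32)
        tgt = json.dumps({"cname": username, "start": now}).encode()   # constructed ticket body
        cred_for_user = encrypt(user_key, session_key)                 # session key under user key
        cred_for_kdc = encrypt(self.master_key, session_key + tgt)     # session key + TGT under master key
        return cred_for_user, cred_for_kdc


class Client:
    def __init__(self, username: str, password: str):
        self.username = username
        self.user_key = derive_user_key(password)   # the password itself is not kept
        self.ticket_cache: Dict[str, bytes] = {}

    def logon(self, kdc: KDC, now: Optional[float] = None) -> bool:
        """Steps 1 to 3 and 8 to 9. The KDC is handed the same clock here only for reproducibility."""
        now = time.time() if now is None else now
        preauth = encrypt(self.user_key, int(now).to_bytes(8, "big"))   # timestamp under user key
        cred_for_user, cred_for_kdc = kdc.request_tgt(self.username, preauth, now=now)
        self.ticket_cache["session_key"] = decrypt(self.user_key, cred_for_user)
        self.ticket_cache["tgt"] = cred_for_kdc   # opaque to the client; only the KDC can open it
        return True


if __name__ == "__main__":
    kdc = KDC({"alice": derive_user_key("hunter2")})   # constructed principal
    client = Client("alice", "hunter2")
    print("logon:", client.logon(kdc))
    print("session key cached:", client.ticket_cache["session_key"].hex()[:16], "...")
```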
.NET Passport Authentication
