Tuesday, August 17, 2010

Authentication and Authorization



Authentication and Authorization are two interrelated concepts, which form the core of security for .NET applications. The authentication and authorization processes in ASP.NET are very flexible, simple and can be implemented in the code. ASP.NET is not a standalone product; it is linked with IIS and is, in fact, a layer on top of IIS. So, any request that comes into the ASP.NET process is first authenticated and authorized by IIS. In short, the ASP.NET process is completely unaware if any user has been denied access to any page by IIS. Several security authorities interact when the user raises a request for an ASP.NET page. You must get to know how these processes work in order to fully understand the ASP.NET system.

Authentication

Authorization

Authentication is a process in which the user’s credentials are used to verify the user’s identity. In short, this is the process of determining the identity of the request entity.Authorization is a process in which the authenticated user is allowed (authorized) access to resources.

In short, whenever a user logs on to an application, the authentication process is first carried followed by the authorization user. Certain applications do not have any restriction/validation on the logged in user. Even such applications authenticate the user as anonymous.

ASP.NET and IIS
Below, is the sequence of events involved in the authentication process (jointly done by IIS and ASP.NET):

  1. The incoming request is first checked by IIS. If the IP address from where the request is sought is not allowed access to the domain, IIS denies the request.
  2. By default, IIS allows anonymous access and hence requests are automatically authenticated. However, this can be overridden for each application within IIS. Next in the sequence, IIS performs this authentication, if it has been configured to do so.
  3. As a next step, the authenticated user request is passed to ASP.NET.
  4. ASP.NET now checks whether Impersonation is enabled or not. By default impersonation is not enabled in ASP.NET. Generally, some applications require impersonation for ASP compatibility and server authentication.
  5. If impersonation is enabled, ASP.NET executes with the identity of the entity on behalf of which it is performing the executing task.
  6. If impersonation is disabled, the application runs with the privileges of ASP.NET.
  7. Finally, the identity that has been authenticated and checked for in the previous steps is used to request resources from the OS. ASP.NET relies on NTFS file permissions for granting access.
  8. If access is granted (successful authorization), ASP.NET returns the user’s request through IIS.


The above sequence of steps is pictorially depicted in Illustration 1.




Authentication and Authorization


Authentication Providers
ASP.NET provides three types of authentication, namely windows authentication, forms authentication and passport authentication. It is the job of the authentication provider to verify the credentials of the user and decide whether a particular request should be considered authenticated or not.

  • Windows Authentication Provider
    Windows authentication provider is the default provider for ASP.NET. It lets us/application authenticate users based on the users’ Windows accounts. IIS performs authentication for this provider and the authenticated identity is then passed on to the code.

  • Passport Authentication Provider
    This provider uses the passport services provided by Microsoft

  • Forms Authentication Provider
    The forms authentication provider uses custom HTML
    forms to collect authentication information and lets us use our logic to authenticate users. The user’s credentials are stored in a cookie for use during the session. If the application authenticates the request, the system issues a form that contains the credentials or a key for reacquiring the identity. Subsequent requests are issued with the form in the request headers; they are authenticated and authorized by an ASP.NET handler using whatever validation method we have specified in our code.

To select an authentication provider, an entry indicating the same has to be made in the web.config file.


<authentication mode=”windows”> //For Windows authentication
//For Passport authentication
//For Forms authentication

ASP.NET also supports custom authentication providers. Setting the authentication mode for the application to “none” and then writing our own code to perform authentication can achieve this.


<authentication mode=”none”> //For Custom authentication

ASAPI Filters

For example, we might install an ISAPI* filter** in IIS that compares incoming requests’ IP address with a list of source IP addresses and considers the request to be authenticated only if the IP address is found in the source list. In this example, we can set the authentication mode to “none” in the web.config file. This will prevent any of the default authentication providers from being triggered.

We just had a brief look at the authentication providers of ASP.NET. Let us now go into detail and explore the authentication modes in detail.

IIS provides Windows Authentication and hence, this should be configured within IIS. There are four different kinds of Windows authentication available: Anonymous, Basic, Digest and Integrated Windows Authentication.

  • Anonymous Authentication: IIS doesn’t perform any authentication checks. IIS allows any user to access the ASP.NET application.

  • Basic Authentication: For this kind of authentication, the Windows user name and password have to be provided to connect. However, this information is sent over the network in plain text, and, hence, this is an insecure method of authentication.

  • Digest Authentication: It is the same as basic authentication except for the fact that the password is hashed before it is sent across the network. However, to be using Digest Authentication, we must use Internet Explorer 5.0 or above.

  • Integrated Windows Authentication: In this kind of authentication technique, passwords are not sent across the network. The application here uses either the kerberos or challenge/response protocols to authenticate users. Kerberos, a network authentication protocol, is designed to provide strong authentication for client-server applications. It provides the tools of authentication and strong cryptography over the network to help secure information in systems across an entire enterprise.

  • Passport Authentication: Passport authentication is a centralized authentication service. This uses Microsoft’s Passport service to authenticate the users of an application. If the authentication mode of an application is configured as “Passport”, and if the users have signed up with Passport, then the authentication formalities are pushed over to Passport servers.

    Passport uses an encrypted cookie mechanism to identify and indicate authenticated users. If the users have already been signed into Passport when they visit the application page, ASP.NET will consider them as authenticated; otherwise, the users will be redirected to Passport servers to login. Upon successful login, they’ll be redirected back to the application page.

  • Forms Authentication: With forms authentication, custom logic can be built into an ASP.NET application. The following happens when forms authentication is used in an ASP.NET application:

    • When a user requests a page for the application, ASP.NET checks for the presence of a special session cookie.

    • If the cookie is present, ASP.NET assumes the user is authenticated and processes the request.

    • If the cookie isn’t present, ASP.NET redirects the user to a web form where the custom logic has been built into the code. The authentication checks can be incorporated into the web form, and when the user is authenticated ASP.NET needs to be informed of the same by setting a property. Once this is done, ASP.NET creates the special cookie to handle any subsequent requests.

    Impersonation is a technique that allows the ASP.NET process to act as the authenticated user, or as an arbitrary specified user. ASP.NET impersonation is controlled by entries in the application’s web.config file. By default, impersonation is disabled. Including the following code in the file can explicitly turn impersonation off:

    ASP.NET does not perform impersonation if the above piece of code is found in the file. This means that ASP.NET will run with its own privileges. After the user has been authenticated, ASP.NET uses it own identity to request access to resources.

    By default, ASP.NET runs as an unprivileged account. By changing the userName attribute of the processModel section in the machine.config file, the account can be changed from a low-privileged one to a high-privileged one. When this modification is made, it applies to all sites on the server user account becomes a high privileged account. However, this is a security risk as it elevates the privileges of the ASP.NET process and the OS may be at risk.

    To enable impersonation, the following code should be included:

    In this case, ASP.NET takes on the identity IIS passes to it. If anonymous access is allowed in IIS, ASP.NET will impersonate the IUSR_ComputerName account that IIS uses. If anonymous access is not allowed, ASP.NET will take on the credentials of the authenticated user and makes requests for resources taking on that identity. A further important feature of any ASP.NET application is that a particular identity can also be used for all authenticated requests. To accomplish this, the following line of code needs to be included:

    In this case, all authenticated users will be taking on the identity and using this identity ASP.NET makes all requests for resources. The drawback to this technique is that the password must be coded in plain text in the web.config file. Though ASP.NET does not allow for this file to be downloaded, it is still a security risk.

    Best Practices
    Below is a list of some best practices to help you in choosing an authentication mode and configuring authorization:

    • If there is no sensitive data in the application, no anonymous authentication is the best authentication mode. This allows all users, who have access to the host, to access the application.

    • If authentication of users needs to be performed, there are several choices. Windows Authentication in ASP.NET is the best authentication mode to use if all user accounts exist on the network in which the application is running. If not all users have accounts on the network, then forms authorization can be used.

    • If different users, having different sets of privileges, need to access the application then impersonation in the ASP.NET configuration file should be turned on.

    *ISAPI: Internet Server Application Program Interface - is a programming interface on IIS, Microsoft's
    web server. It allows third parties (and Microsoft) to add functionality to web servers running Microsoft IIS.

    **ISAPI Filter:     A DLL that uses the ISAPI to register for web server events and edit the data stream going to and coming from the Microsoft IIS web server.


Note: As per my knowledge no guaranty with this content.


Posted by at No comments:
Subscribe to: Comments (Atom)