IIS 7.0 : Implementing Access Control – Authentication (part 1)

Authentication

Authentication is the process of determining the identity of the user making the request to the Web server. Authorization features can then use this identity to allow or reject the request to specific resources or parts of the application. In some cases, the Web server or the application can impersonate it to access resources. Finally, the application can use the identity to personalize the application experience for the requesting user.

IIS 7.0 includes the following authentication features:

  • Anonymous Authentication This authentication method provides a configured Windows identity for all anonymous users of the application without the need to provide any client credentials. It is used to allow anonymous (unauthenticated) access.

  • Basic Authentication This authentication method enables the client to provide the user name and password to the Web server in clear text. Basic Authentication is defined in RFC 2617, and virtually all browsers support it.

  • Digest Authentication This authentication method is a more secure version of Basic Authentication, and it enables the client to provide user credentials via a hash of the user name and password. Digest Authentication is defined in RFC 2617, and most browsers support it. The implementation used in IIS 7.0 was known as the Advanced Digest Authentication method in IIS 6.0.

  • Windows Authentication This authentication method supports the NT LAN Manager (NTLM) or Kerberos Windows authentication protocols.

  • Client Certificate Mapping Authentication This authentication method enables client SSL certificates to be mapped to Windows accounts by using Active Directory directory services.

  • IIS Client Certificate Mapping Authentication This authentication method enables client SSL certificates to be mapped to Windows accounts via one-to-one or many-to-one mappings stored in IIS configuration.

  • UNC Authentication Though this is not a true authentication method in the sense that it does not help to establish the identity of the requesting client, IIS 7.0 uses UNC Authentication to establish an identity to access remote content located on a UNC share.

In addition, IIS 7.0 applications using ASP.NET Integrated mode use a unified authentication model between IIS and ASP.NET. This enables existing ASP.NET authentication modules or new managed authentication modules developed with ASP.NET APIs to be used for all content in the application. When ASP.NET is installed, the following authentication methods are also available:

The following IIS 6.0 authentication methods are no longer supported:

  • IIS 6.0 Digest Authentication IIS 7.0 Advanced Digest Authentication method is now provided as the only digest authentication method.

  • .NET Passport Authentication The Passport support is not included in Windows Server 2008, and therefore this method is also no longer supported.

Developers can also provide custom authentication features developed with the new IIS 7.0 native module API or with ASP.NET APIs for applications using the Integrated mode. In fact, applications running in Integrated mode can use most existing custom ASP.NET authentication modules immediately to provide site-wide authentication.

You can configure one or more authentication methods for your Web site, application, or part thereof to protect it with user-based authorization, enable impersonation for resource access, or allow for application personalization.

Note

IIS 7.0 requires that each request is authenticated. Because of this, at least one authentication method must be enabled and be able to provide an authenticated user for each request.

In the remainder of this section, we will review each of the authentication methods.

Anonymous Authentication

Anonymous authentication enables clients to access public areas of your Web site without requiring the client to provide any credentials. Anonymous authentication is the default authentication method enabled in IIS 7.0.

Note

Anonymous authentication is part of the default IIS install and is enabled by default. You can manually install or uninstall it by installing or uninstalling the AnonymousAuthnenticationModule module.

Anonymous authentication applies for all requests that do not have an authenticated user identity determined by other authentication methods. It works by setting the authenticated user identity for such requests to be a Windows identity corresponding to the configured anonymous user account.

Caution

Be sure to disable anonymous authentication for parts of your Web site that you do not want to be accessed by anonymous users. You must do this even if you have other authentication methods enabled.

By default, anonymous authentication is configured to use the new built-in IUSR account. It no longer uses the custom IUSR_ComputerName account that is used by default with anonymous authentication in IIS 6.0. Because IUSR is a built-in account, it does not have a password that must be periodically changed or synchronized between multiple servers. In addition, because it is built in, the IUSR account has the same SID on all machines. Therefore, ACLs that reference it remain valid when copied from one IIS 7.0 server to another.

When using anonymous authentication, you have the following options:

  • Use the built-in IUSR account. This is the default.

  • Use a custom account. You can configure a custom account that should be used for anonymous requests instead of the IUSR account.

  • Use the application pool identity. You can configure anonymous authentication to use the identity of the IIS worker process (application pool identity) instead of a separate anonymous account.

You can use the application pool identity option to simplify resource access management. This ensures that that resource access is always made under the application pool identity, both when the Web server accesses application resources using the application pool identity and when the Web server or application access resources while impersonating the authenticated user. This way, you only need to manage access rights for a single identity.

You can use IIS Manager to enable or disable anonymous authentication and set the anonymous user options. Select the desired node in the tree view and double-click Authentication. Then, select Anonymous Authentication in the list and use the EnableDisable, and Edit commands in the Actions pane to configure it.

You can also set anonymous authentication configuration directly; use Appcmd.exe from the command line, or use configuration APIs to configure the system.webServer/security/anonymousAuthentication section. You do this with Appcmd by using the following syntax.

%systemroot%\system32\inetsrv\Appcmd set config [ConfigurationPath]
/section:system.webServer/security/anonymousAuthentication [/enabled:bool]
[/username:string] [/password:string] [/logonMethod:enum]

The parameters of this command are shown in Table 1.

Table 1. Parameters to Set Anonymous Authentication and Anonymous User Options
ParameterDescription
ConfigurationPathThe configuration path at which to set the specified configuration. If you specify this parameter, you may also need to specify the /commit:apphost parameter to avoid locking errors when applying configuration to Web site or URL levels.
enabledWhether to enable or disable anonymous authentication.
usernameThe user name to use for anonymous authentication. Set to “” to use the application pool identity. Default is IUSR.
passwordThe password to use when specifying a custom account for anonymous authentication.
logonMethodThe logon method to use for the anonymous user. Allowed values are Interactive, Batch, Network, ClearText. Default is ClearText. See http://msdn2.microsoft.com/en-us/library/aa378184.aspx for more information about logon types.

Basic Authentication

Basic authentication implements the Basic Authentication protocol, a standard HTTP authentication scheme defined in RFC 2617 and supported by most HTTP client software. It enables the client to pass both the user name and the password in clear text, and it uses these credentials to log on locally at the Web server or the Web server’s domain. The credentials, therefore, must correspond to a valid local or domain account, and they result in the request being authenticated with a Windows token corresponding to this account.

Note

Basic authentication is not part of the default IIS install. You can manually install it from the Security feature category through Windows Features On And Off on Windows Vista. You can also install it from the Security role service category of the Web Server (IIS) role in Server Manager on Windows Server 2008.

Basic authentication is a challenge-based authentication scheme. When a client makes the initial request to a resource that requires authentication, and basic authentication is enabled, the request will be rejected with a 401 unauthorized status that will include a “WWW-Authenticate: basic” response header. If the client supports basic authentication, it will usually prompt the user for credentials and then reissue the request with the credentials included. The basic authentication module will see that credentials are present on the subsequent request and attempt to authenticate the request by logging on with those credentials. The client will typically send these credentials again on every request to the same URL or any URL that is below the URL included in the initial authenticated request.

Caution

Just enabling basic authentication does not mean that authentication is required for your application. You must either disable anonymous authentication and/or configure URL authorization rules or NTFS permissions that deny access to the anonymous user.

Basic authentication is not secure because it passes the credentials in clear text, and therefore may enable an attacker to steal them by eavesdropping on the request packets at the network level. This can be mitigated by using SSL to secure the communication channel between the client and the server. If SSL is used to protect all requests that include the credentials, basic authentication may be a secure option.

Caution

Basic authentication may enable user credentials to be leaked because it sends them to the Web server in an unencrypted form. When using basic authentication, use SSL to secure the Web site.

Because basic authentication performs the logon locally at the Web server, the resulting Windows token can be used to access resources on a remote server without configuring delegation or Protocol Transition.

By default, basic authentication caches the logon token for the corresponding user name and password in the token cache. During this time, the token may be available inside that process. If the worker process is compromised, malicious code can use this token to elevate privileges if the token represents a user with high privileges. If you do not trust the code in the process, you can either disable token caching by uninstalling the token cache module or reduce the amount of time the tokens are cached by setting the HKLM\SYSTEM\CurrentControlSet\Services\InetInfo\Parameters\UserTokenTTL value to the number of seconds to cache tokens for.

You can use IIS Manager to enable or disable basic authentication and set the logon method options. Select the desired node in the tree view and double-click Authentication. Then, select Basic Authentication from the list and use the EnableDisable, and Edit commands in the Actions pane to configure it.

You can also set basic authentication configuration directly; use Appcmd.exe from the command line, or use configuration APIs to configure the system.webServer/security/basicAuthentication section. You do this with Appcmd by using the following syntax.

%systemroot%\system32\inetsrv\Appcmd set config [ConfigurationPath]
/section:system.webServer/security/basicAuthentication [/enabled:bool]
[/realm:string] [/defaultLogonDomain:string] [/logonMethod:enum]

The parameters of this command are shown in Table 2.

Table 2. Parameters for Setting Basic Authentication Configuration Directly
ParameterDescription
ConfigurationPathThe configuration path at which to set the specified configuration. If you specify this parameter, you may also need to specify the “/commit:apphost” parameter to avoid locking errors when applying configuration to Web site or URL levels.
enabledWhether to enable or disable basic authentication.
realmThe basic authentication realm that will be indicated to the client for informational purposes. The Web server does not use the realm during the logon process.
defaultLogonDomainThe domain that will be used by the server to log on using the credentials provided by the client. If the client user name specifies the domain, it will be used instead. If empty, the computer domain is used. The default value is “”.
logonMethodThe logon method to use for the logon. Allowed values are InteractiveBatchNetwork, and ClearText. Default is ClearText. See http://msdn2.microsoft.com/en-us/library/aa378184.aspx for more information about logon types.