Understanding Windows Authentication in Detail

Agenda

  1. What is Authentication and Authorization?
  2. Understanding Windows Authentication
  3. Types of Windows Authentication
  4. Programmatic Authentication
  5. Impersonation

Authentication and Authorization

In simple words, Authentication is the process that answers the question "Who are you?". On an internet or intranet system it is typically done by obtaining a valid user name and password. Once the credentials are verified, the system accepts that you are who you claim to be. Authentication does not, however, decide whether you are allowed to access the resource you are requesting; that is the job of Authorization.

Authorization answers the question "What can you do?" and happens after successful authentication. It is the process of verifying that an authenticated user is allowed to access a requested resource: any part of an application, specific pages or functions of it, or only particular data sets that it provides. The order matters: you cannot decide whether someone is allowed to do something until you know who that person is.

Windows Authentication Overview

Forms Authentication is the right approach if you implement your own authentication process against a back-end database with a custom login page. But if you are creating a web application for a limited set of users who are already members of a Windows domain, Windows Authentication is the more convenient and usually preferred choice.

Windows-based authentication is negotiated between the web server (IIS) and the client machine, using the Windows accounts that already exist on the server or in the domain.

ASP.NET applications are hosted in Internet Information Services (IIS). Every web request reaches IIS first, and in the Windows-based authentication model IIS performs the authentication before the request is handed to ASP.NET. This is most useful in an intranet environment where users already log on to the network.

In this scenario you reuse the credentials that are already in place for authentication and authorization. IIS accepts the user's credentials in the form "Domain\UserName" plus password and validates them against the local account database or the domain. If validation fails, IIS returns an HTTP 401 error and the browser asks the user to re-enter the login information.

The following are the advantages of Windows Authentication:

  • It relies on existing Windows accounts, so users keep the credentials they already have.
  • It establishes the foundation for a uniform authentication model across multiple types of applications.
  • It is easy for developers to implement: no credential store or login page has to be written.

The following are the disadvantages of Windows Authentication:

  • It is tied to the Windows platform: the server must be IIS and every user needs a Windows (local or domain) account.
  • There is no custom control over the authentication process the platform provides; the login prompt and the credential check cannot be customised.

To set up your ASP.NET application to work with Windows-based authentication, begin by creating a test user (and, if needed, groups). In Windows, go to "Control Panel" -> "User Accounts" -> "Add or remove user accounts" -> "Manage another account" -> "Create a new account", and create a local account named "Test" as in the following screenshot.

New User Creation

Figure 1.1: New User Creation

Types of Windows Authentication

When Windows Authentication is implemented, IIS can apply a range of authentication schemes to each request it receives. The options are the following:

  • Basic Authentication
  • Digest Authentication
  • Integrated Windows Authentication
  • UNC Authentication (strictly a fixed identity IIS uses for content on a network share, not a way of authenticating the client)
  • Anonymous Authentication

Before implementing and using Windows Authentication, let's verify the prerequisite: a working IIS installation. You can confirm whether IIS is already installed by browsing to http://localhost (or http://127.0.0.1). If the following page is displayed, IIS is installed and serving requests:

IIS Page

Figure 1.2 IIS Page

If the page shown above is not displayed, IIS is not installed. In that case turn it on from the Windows Features list by enabling the "Internet Information Services" option, as shown in Figure 1.3.

Windows Features

Figure 1.3: Windows Features

Installation takes a few minutes. Once it completes you can open IIS Manager from Administrative Tools, or directly by running the inetmgr command. IIS Manager looks like this when opened:

IIS Manager

Figure 1.4 IIS Manager

________________________________________
Note: Register ASP.NET 4.0 with the IIS 7.0 web server before creating any project by running "aspnet_regiis.exe -i" from the %windir%\Microsoft.NET\Framework\v4.0.30319 directory in an elevated command prompt.
________________________________________

Basic Authentication

This form of authentication is supported by all browsers. When a website requests client authentication using Basic Authentication, the server answers with an HTTP 401 status and a "WWW-Authenticate: Basic" header, and the web browser displays a login dialog box for user name and password, as in the following screenshot.

IIS Basic Authentication

Figure 1.5 IIS Basic Authentication

After the user enters the credentials of a Windows account, the browser joins them as "username:password", Base64-encodes the result and sends it to the server in an Authorization header on every subsequent request. IIS decodes the header and attempts to log on the corresponding Windows account. It is important to note that Base64 is an encoding, not encryption: anyone who can see the traffic can recover the user name and password, so the credentials are effectively sent in clear text. Basic Authentication should therefore only be enabled on sites served over HTTPS.

Do It Yourself

In order to see Basic Authentication in action, we will create an ASP.NET website hosted on a local IIS web server.
Use the following procedure to create the sample.

  1. First open the Visual Studio 2010 IDE. Then go to menu "File" -> "New" -> "Website..."  and name this website "WinAuthTest".

    New ASP.NET website

    Figure 1.6 New ASP.NET website
     
  2. Ensure that IIS 7.0 is properly configured with registration of ASP.NET 4.0 and other components as explained earlier.
  3. Open the IIS Manager using the inetmgr command from the Run window.
  4. You see in IIS Manager that the website "WinAuthTest" entry has been added with its corresponding virtual directory, as in the following:

    IIS

    Figure 1.7 IIS
     
  5. Now select the website and double-click "Authentication" under the IIS section. The following options will appear:

    Authentications

    Figure 1.8 Authentications
     
  6. It is possible that some of the authentication options above are not displayed, because the corresponding IIS modules are not installed by default. You can add them from Windows Features under the Internet Information Services security options, as in the following screenshot:

    IIS Security options

    Figure 1.9 IIS Security options
     
  7. Now, as shown in Figure 1.8, enable Basic Authentication (and disable Anonymous Authentication, otherwise the site opens without any prompt), then build and run the ASP.NET "WinAuthTest" project by pressing F5. The browser shows the login dialog of Figure 1.5.
  8. Enter the Windows account "Test" created in Figure 1.1. The page will not open until a correct user name and password are supplied.

Digest Authentication

Digest Authentication, like Basic Authentication, requires the user to provide account information in a login dialog box displayed by the browser. Unlike Basic Authentication, the user name and password are not transmitted in clear text. Instead the client sends an MD5 hash computed over the user name, realm, password, a server-supplied nonce, the request method and the URI (RFC 2617). It is enabled with a single option in IIS, as in the following screenshot.

Digest Authentications

Figure 1.10 Digest Authentications

Digest Authentication requires the server to repeat the client's MD5 computation, so it must hold either the password or the MD5 value of "username:realm:password". Windows does not keep that value for local accounts (the SAM database stores NT and LM hashes of the password, not MD5 digests). The limitation in IIS is therefore that Digest Authentication works only for domain accounts, with the server joined to an Active Directory domain whose domain controller validates the digest.

Digest Authentication protects against simple capture-and-replay by incorporating information about the request (the server nonce, the request method and URI, and with qop=auth a client nonce and a request counter) into the hash. It still relies on MD5 and protects nothing but the credential itself, so it is not a substitute for HTTPS.

Enabling and disabling Digest Authentication can also be done from the command line with AppCmd (found in %windir%\system32\inetsrv), by setting the enabled attribute of the digestAuthentication section:

    appcmd.exe set config /section:digestAuthentication /enabled:true

Use /enabled:false to turn it off again.

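
To make the difference between the two schemes concrete, here is an added C# console example (it is not code from the original article and does not involve IIS; the user name, realm, nonce, URI and password values are constructed for the demonstration). It first decodes a Basic credential, showing that the password from the Basic Authentication section above comes back unchanged, then computes an RFC 2617 Digest response the way a browser would and verifies it the way the server must, using only the stored MD5 of "user:realm:password" (HA1); the same response fails against a different server nonce. This is also the reason for the domain requirement: the NT hash in the SAM is not HA1, so IIS cannot verify a digest for a local account.

```csharp
// Added example, not code from the original article: what Basic and Digest
// credentials look like on the wire, and what the server needs to check them.
using System;
using System.Security.Cryptography;
using System.Text;

static class HttpAuthDemo
{
    // Basic: Authorization carries Base64("user:password"). Decoding it returns the
    // password unchanged, which is why Basic must only be used over HTTPS.
    public static void DecodeBasic(string authorizationHeader, out string user, out string password)
    {
        const string prefix = "Basic ";
        if (!authorizationHeader.StartsWith(prefix, StringComparison.OrdinalIgnoreCase))
            throw new ArgumentException("not a Basic credential");
        string decoded = Encoding.UTF8.GetString(
            Convert.FromBase64String(authorizationHeader.Substring(prefix.Length)));
        int colon = decoded.IndexOf(':');
        if (colon < 0)
            throw new ArgumentException("malformed Basic credential");
        user = decoded.Substring(0, colon);
        password = decoded.Substring(colon + 1);
    }

    static string Md5Hex(string text)
    {
        using (MD5 md5 = MD5.Create())
        {
            byte[] hash = md5.ComputeHash(Encoding.UTF8.GetBytes(text));
            return BitConverter.ToString(hash).Replace("-", "").ToLowerInvariant();
        }
    }

    // HA1 = MD5(user:realm:password) is the only password-derived value the server
    // needs. It is not the NT hash kept in the SAM, so IIS cannot derive it for
    // local accounts; only a domain controller can supply it.
    public static string Ha1(string user, string realm, string password)
    {
        return Md5Hex(user + ":" + realm + ":" + password);
    }

    // RFC 2617 with qop=auth: response = MD5(HA1:nonce:nc:cnonce:"auth":HA2) where
    // HA2 = MD5(method:uri). Nonce, method and URI bind the value to one request,
    // so a captured response is useless against a new challenge.
    public static string DigestResponse(string ha1, string method, string uri,
                                        string nonce, string nc, string cnonce)
    {
        string ha2 = Md5Hex(method + ":" + uri);
        return Md5Hex(ha1 + ":" + nonce + ":" + nc + ":" + cnonce + ":auth:" + ha2);
    }

    static void Main()
    {
        // Constructed values for the demonstration; a real nonce is chosen by the server.
        string realm = "mydomain.local";
        string uri = "/WinAuthTest/Default.aspx";
        string nonce = "dcd98b7102dd2f0e8b11d0f600bfb0c093";

        string basicHeader = "Basic " + Convert.ToBase64String(Encoding.UTF8.GetBytes(@"MYDOMAIN\Test:abc123"));
        string user, password;
        DecodeBasic(basicHeader, out user, out password);
        Console.WriteLine("Basic header decodes to user={0} password={1}", user, password);

        // Client side: the browser knows the password and computes the response.
        string clientResponse = DigestResponse(Ha1("Test", realm, "abc123"), "GET", uri, nonce, "00000001", "0a4f113b");

        // Server side: only the stored HA1 and the nonce it issued are needed.
        string storedHa1 = Ha1("Test", realm, "abc123");
        bool valid = DigestResponse(storedHa1, "GET", uri, nonce, "00000001", "0a4f113b") == clientResponse;
        bool replay = DigestResponse(storedHa1, "GET", uri, "4c2f8e1a0b", "00000001", "0a4f113b") == clientResponse;
        Console.WriteLine("Digest verified={0}, same response accepted for a fresh nonce={1}", valid, replay);
    }
}
```

Compile it as a plain console application (csc HttpAuthDemo.cs) and run it; the first line prints the recovered Basic password, the second prints "verified=True" for the original nonce and "False" for the fresh one.
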
Integrated Windows Authentication

Integrated Windows Authentication is the most appropriate mechanism for intranet (LAN/WAN) applications. For it to work, the client must be logged on with an account the server can verify: a domain account in the server's domain (or a trusted domain), or a local account with the same name and password on both machines. Integrated authentication never transmits the password. With NTLM the client answers a challenge from the server with a value derived from its password hash, and with Kerberos it presents a service ticket obtained from the domain controller.

It authenticates without any client interaction when the browser trusts the site (for example, a site in the Local intranet zone); otherwise the browser prompts for credentials and runs the same protocol with them. When IIS asks the client to authenticate, the browser sends a token that represents the Windows account of the current user. Technically this option combines two mechanisms, NTLM and Kerberos, negotiated through the Negotiate (SPNEGO) provider. Kerberos is used only when the browser can obtain a ticket for the site's service principal name (HTTP/hostname); otherwise it falls back to NTLM. IIS 7 Manager calls the option "Windows Authentication", and enabling it typically enables both providers, as in the following screenshot:

Integrated Authentications

Figure 1.11 Integrated Authentications

UNC Authentication

Universal Naming Convention (UNC) authentication lets you configure IIS to use a specified user account when accessing content on a remote share (\\server\share). Strictly speaking it does not authenticate the client; it is a fixed identity IIS uses to reach the content. It is set while creating a virtual directory for a web application. Use the following procedure:
  1. Open IIS Manager using inetmgr from the "Run" window.
  2. Locate the website at which you wish to add a new virtual directory. Right-click and choose "Add Virtual Directory".

    UNC Authentications

    Figure 1.12 UNC Authentications
     
  3. Enter the alias under which the directory should be accessed and the UNC physical path, as in the following screenshot.

    UNC Authentications1

    Figure 1.13 UNC Authentications
     
  4. Now click the "Connect as..." button, choose the "Specific user" radio button, click "Set..." and enter the account IIS should use for the share. Finally click "OK". Give that account read permission on the share only; IIS stores its credentials (encrypted) in applicationHost.config, so it should not be an administrator.

    User Account

    Figure 1.14 User Account

Anonymous Authentication

When Anonymous Authentication is enabled, a remote user is not required to supply credentials to access a file. By default the anonymous access account is IUSR, a built-in account created when IIS is installed. Anonymous Authentication is configured from IIS Manager as in the following screenshot.

Anonymous Authentications

Figure 1.15 Anonymous Authentications

It is important to note that if more than one authentication option is enabled, IIS advertises all of them in its 401 response and the browser picks the strongest scheme it supports. If Anonymous Authentication is also enabled, however, IIS never sends the 401: the client simply accesses the site anonymously and the other schemes are not triggered, unless the application itself denies anonymous users (an ASP.NET <authorization> rule with <deny users="?"/>), which makes ASP.NET return 401 and forces the browser to authenticate. So disable anonymous authentication whenever you rely on one of the other methods, and confirm the effective setting with "appcmd list config /section:anonymousAuthentication".

Programmatic Authentication

You can access additional information about the currently authenticated user through the WindowsPrincipal and WindowsIdentity classes. The following code-behind does that for a page with a Button and a Label named lblData:

    using System;
    using System.Security.Principal;
    using System.Web;
    using System.Web.Security;

    public partial class _Default : System.Web.UI.Page
    {
        protected void Button1_Click(object sender, EventArgs e)
        {
            if (Request.IsAuthenticated)
            {
                // Generic identity information, available for any authentication mode.
                lblData.Text = "<b>Name: </b>" + HttpUtility.HtmlEncode(User.Identity.Name);
                // NTLM, Kerberos or Negotiate for integrated authentication, Basic or Digest otherwise.
                lblData.Text += "<br><b>Authentication type: </b>" + User.Identity.AuthenticationType;

                // Windows-specific information exists only when IIS performed Windows authentication.
                WindowsPrincipal principal = User as WindowsPrincipal;
                if (principal != null)
                {
                    lblData.Text += "<br><b>Power user? </b>" + principal.IsInRole(WindowsBuiltInRole.PowerUser);

                    WindowsIdentity identity = (WindowsIdentity)principal.Identity;
                    lblData.Text += "<br><b>Token: </b>" + identity.Token;   // handle of the Windows access token
                    lblData.Text += "<br><b>Guest? </b>" + identity.IsGuest;
                    lblData.Text += "<br><b>System? </b>" + identity.IsSystem;
                }
            }
        }
    }

When you run the page and click the button, the following Windows-specific information is displayed:

Information

Figure 1.16 Information

Impersonation

Impersonation is the process by which an application takes on the identity of another account, either the authenticated user or a configured account, to access the resources that identity is authorized for. Instead of using the fixed application pool account for all users, pages and tasks, you can temporarily change the identity under which ASP.NET runs certain operations.

Suppose you need to access a resource on the local system that is protected by an access control list. Let's say you have some files in "C:\temp\", and in the ACL editor for the temp folder you remove all other groups and leave only the Administrator user and the Administrators group, as in the following screenshot.

ACL

Figure 1.17 ACL

Now create a simple ASP.NET Web Application with a Button and a ListBox, and list all files in the temp folder as in the following code:

    using System.IO;   // add to the top of the code-behind

    protected void btnAccessFiles_Click(object sender, EventArgs e)
    {
        // Runs under whatever identity ASP.NET currently has; the folder's ACL decides whether this succeeds.
        string[] files = Directory.GetFiles(@"c:\temp");

        foreach (string file in files)
        {
            ListBox1.Items.Add(file);
        }
    }

Now configure the application in IIS to use Windows integrated authentication and build the project. When you click the button you will probably see an error (an UnauthorizedAccessException) saying that access to the path "C:\temp" is denied. The reason is that the code runs under the application pool identity (NETWORK SERVICE on IIS 7.0, ApplicationPoolIdentity on IIS 7.5 and later), not under the logged-on user, and that identity is not in the folder's ACL.

So the application must run, at least for this operation, under an identity that the ACL allows, and that is what impersonation provides. The approach used here is to impersonate a fixed account by adding the following to web.config (the administrator account "VidyaVrat" in this example):

    <configuration>
      <system.web>
        <!-- Every request runs as this fixed account; the password is stored in clear text. -->
        <identity impersonate="true" userName="VidyaVrat" password="abc123"/>
      </system.web>
    </configuration>

Now build the project again and click the button; the file list appears as in the following screenshot. Two cautions apply. The password sits in clear text in web.config, so encrypt that section on the server with aspnet_regiis.exe -pe "system.web/identity" -app "/WinAuthTest", and prefer a dedicated low-privilege account that is granted read access to the folder over an administrator account. Leaving out userName and password (<identity impersonate="true"/>) instead impersonates the authenticated Windows user for each request.

Output

Figure 1.18 Output

Alternatively, you can configure impersonation from IIS Manager. Using the preceding example as a reference, once the web.config and the other impersonation settings are in place you will see in IIS Manager that the "ASP.NET Impersonation" option is enabled and configured with the "VidyaVrat" account, as in the following:

Impersonations

Figure 1.19 Impersonations
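
A lower-privilege alternative to the fixed administrator account above, as an added example (not code from the original article; the page class name ImpersonateDemo and the controls btnAccessFiles and ListBox1 are assumed): with Windows authentication enabled and anonymous authentication disabled, impersonate the authenticated caller only while the directory is read, and revert afterwards. Each user then sees exactly the files their own account is allowed to see, and no password has to be stored in web.config.

```csharp
// Added example, not code from the original article: scoped impersonation of
// the authenticated Windows user instead of a fixed administrator account.
using System;
using System.IO;
using System.Security.Principal;
using System.Web.UI;

public partial class ImpersonateDemo : Page   // assumed page; has a Button and ListBox1
{
    protected void btnAccessFiles_Click(object sender, EventArgs e)
    {
        // Requires Windows (integrated, Basic or Digest) authentication in IIS with
        // anonymous disabled, so User.Identity is a WindowsIdentity holding the caller's token.
        WindowsIdentity caller = User.Identity as WindowsIdentity;
        if (caller == null || !caller.IsAuthenticated)
        {
            Response.StatusCode = 401;   // no Windows identity to impersonate
            return;
        }

        try
        {
            // Inside the using block every access check is made against the caller's
            // own rights on C:\temp, not the application pool identity's.
            // Disposing the context (or calling Undo()) reverts to the pool identity,
            // even when an exception is thrown.
            using (WindowsImpersonationContext ctx = caller.Impersonate())
            {
                foreach (string path in Directory.GetFiles(@"c:\temp"))
                {
                    ListBox1.Items.Add(path);
                }
            }
        }
        catch (UnauthorizedAccessException)
        {
            // The caller is not in the folder's ACL: report it, do not escalate.
            ListBox1.Items.Add("Access denied for " + caller.Name);
        }
    }
}
```

This is the programmatic form of <identity impersonate="true"/> without a userName, but limited to one operation. One caveat a practitioner should expect: the token IIS obtains from an NTLM logon is good for local resources only, so reaching a remote share (the UNC case above) under the caller's identity needs Kerberos with delegation configured for the application pool account.
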