Document: Module 4: Internet Information Services Authentication (docx)




Document information

Module 4: Internet Information Services Authentication

Contents

Overview
Lesson: Introduction to Web Client Authentication
Lesson: Configuring Access Permissions for a Web Server 16
Lesson: Selecting a Secure Client Authentication Method 25
Lesson: Running Services As an Authenticated User 45
Review 54
Lab 4: Authentication and Access Control 56

Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

© 2002 Microsoft Corporation. All rights reserved.

Microsoft, MS-DOS, Windows, Windows NT, ActiveX, Active Directory, Authenticode, Hotmail, JScript, Microsoft Press, MSDN, PowerPoint, Visual Basic, Visual C++, Visual Studio, and Windows Media are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

The names of actual companies and products mentioned herein may be the
trademarks of their respective owners.

Instructor Notes

Presentation: 75 minutes
Lab: 30 minutes

This module provides students with information about the Web client authentication methods that are supported by Internet Information Services (IIS) and Microsoft® Windows® 2000 Server. Initial Web client authentication and the flow of user identities through the Web application are the focus of this module. After completing this module, students will be able to select the best IIS authentication method for a given set of requirements.

After completing this module, students will be able to:
• Use Internet Protocol (IP) address and domain name restrictions, and IIS Web-based permissions, to effectively control who can access the resources on a Web server.
• List and explain all of the authentication methods that are supported by IIS and select the best method for a given set of requirements.
• Explain how Web client authentication is used to pass user identity through a Web application.
• Explain how the identity of an authenticated Web client is mapped to a Windows 2000 user identity and passed to Web applications and COM+ components.

Required materials
To teach this module, you need the following materials:
• Microsoft PowerPoint® file 2300A_04.ppt
• Hypertext Markup Language (HTML) and Flash animation files: 2300A_04_A05_1570.htm, 2300A_04_A05_1570.swf

Preparation tasks
To prepare for this module:
• Read all of the materials for this module.
• Complete the demonstrations and lab.
• Read Module 5, “Implementing Security on a Web Server,” in Course 2295, Implementing and Supporting Microsoft Internet Information Services 5.0.
• Read Module 12, “Configuring a Web Server,” in Course 2153, Implementing a Microsoft Windows 2000 Network Infrastructure.
• Read the article “Principal and Identity Objects” in the Microsoft .NET Framework documentation.
• For background information on COM+ and role-based security, see Course 2557, Building COM+ Applications Using Microsoft .NET Enterprise Services.
• Read the Microsoft MSDN® Magazine article, “An Introductory Guide to Building and Deploying More Secure Sites with ASP.NET and IIS,” which is available at http://msdn.microsoft.com/msdnmag/issues/02/04/ASPSec/ASPSec.asp
• Read the MSDN Magazine article, “Web Security: Part 2: Introducing the Web Application Manager, Client Authentication Options, and Process Isolation,” which is available at http://msdn.microsoft.com/msdnmag/issues/0700/websecure2/websecure2.asp
• Read the MSDN article, “Securing Your Web Application,” which is available at http://msdn.microsoft.com/library/en-us/vsentpro/html/veconsecuringyourwebapplication.asp
• Read the MSDN article, “Implementing a Secure Site with ASP,” which is available at http://msnd.microsoft.com/library/en-us/dnsecure/html/msdn_implement.asp
• Read the MSDN article, “Untangling Web Security: Getting the Most from IIS Security,” which is available at http://msdn.microsoft.com/library/en-us/dnsecure/html/WebsecIISsec.asp

How to Teach This Module

This section contains information that will help you to teach this module.

Lesson: Introduction to Web Client Authentication

This section describes the instructional methods for teaching each topic in this lesson.

Why Web Servers Are Attacked
Explain the ways and reasons why a Web server is the target of so many attacks.

Authentication and Authorization
Define authentication and authorization. This module is about authentication. Module 5, “Securing Web Pages,” in Course 2300, Developing Secure Web Applications, is about authentication and authorization. These terms will be revisited many times throughout Course 2300, Developing Secure Web Applications.

Impersonation and Delegation
The primary difference between impersonation and delegation is that impersonation occurs on the Web server, while delegation occurs across computer boundaries.

User Identities and Permissions
Introduce the user and group accounts listed on the slide. IWAM_computername will be covered at the end of this module. The ASPNET account is new in Microsoft .NET, and it secures the Microsoft ASP.NET pages by limiting the rights of the account that the pages run as.

How IIS Impersonates a Windows User Account
Expand on the subject of impersonation by explaining how IIS performs work on behalf of an authenticated client. The identity under which IIS performs this work varies, based on the type of authentication that is used and the platform that you use to develop the Web application (Active Server Pages (ASP) or ASP.NET).

Programmatically Accessing User Identity
In ASP.NET, you use the code User.Identity.Name to discover the name of the authenticated user. In this code, User is a Principal object and User.Identity is an Identity object. This property uses
the User property of the HttpContext object to determine where the request has originated from. The HttpContext object provides access to the intrinsic Request, Response, and Server objects for the request. This topic also introduces how to enable impersonation in an ASP.NET Web application by setting an attribute in the Web.config file. This may be the first time some students have heard about the Web.config configuration file. Quickly explain its purpose and use. Web.config will be covered again in Module 5, “Securing Web Pages,” and Module 6, “Securing File System Data,” in Course 2300, Developing Secure Web Applications.

Demonstration: Programmatically Accessing User Identity
This demonstration is performed with the Web site configured to allow Anonymous access. Therefore, the code will not show a name for the user. The same page will be demonstrated in the next lesson to show how the page changes based on the authentication method selected for IIS.

Lesson: Configuring Access Permissions for a Web Server

Using IP Address and Domain Name Restrictions
One reason to use IP address restriction is that if there is a known proxy server that is waging attacks, you can restrict access to your Web site for that IP address. The http://www.ntbugtraq.com Web site has a list of servers that known hackers use.

Using Web-Based Permissions
Web-based permissions are one way to protect files that are not handled “by default” by the Web server, such as .inc files.

Practice: Using Web-Based Permissions
This practice reinforces the point that some of the default permissions settings in IIS can expose Web application implementation files to users. It is important to understand what the default permission settings are and how to modify these settings to best protect Web application files.

Using the Permissions Wizard
Quickly demonstrate the Permissions Wizard. Many of the settings in the Permissions Wizard are beyond the scope of this course,
but the wizard does provide a quick way to configure Web-based permissions for common scenarios, such as a public Web site or a secure Web site. The students do not run the Permissions Wizard in this course because they will manually implement the same settings.

Lesson: Selecting a Secure Client Authentication Method

Overview of IIS Web Client Authentication
The term “identified access” may be new to students. Explain the difference between identified access, which is typically used for the personalization of a Web site, and authenticated access.

Demonstration: Setting IIS Authentication Methods
The demonstration should set the different authentication methods on the Mod04 subfolder of the 2300Demos Web application. Discuss the results after each authentication method is applied.

Using Anonymous Authentication
You might want to mention that Anonymous access plays an important role in forms-based authentication, which is the topic of Module 5, “Securing Web Pages,” in Course 2300, Developing Secure Web Applications.

Using Basic Authentication
Basic authentication is not a secure way of adding authentication to your Web application because the password that is entered by the user is sent to the Web server in Base64 encoding. In Module 8, “Protecting Communication Privacy and Data Integrity,” in Course 2300, Developing Secure Web Applications, you will explain Secure Sockets Layer (SSL) and show how the students can secure the Basic authentication method by securing the Basic-protected folder by using SSL. Then, the user name and password (in addition to all of the other data on the secured pages) will be sent to the Web server by using SSL.

Using Digest Authentication
Digest authentication is included for a complete look at authentication, but you do not need to discuss this authentication method in detail. Digest authentication requires the Active Directory® directory service, which is beyond the scope of this course.

Using Integrated Windows Authentication
Although Integrated Windows
authentication is a very secure authentication method because it takes advantage of the security features that are built into the Windows operating system, it is important to note its limitations and why it is not appropriate in most Web applications that are designed for use on the Internet.

Using the Kerberos V5 Protocol vs. NTLM
The most important difference between the Kerberos V5 protocol and NTLM is that NTLM is limited to impersonation on the Web server, whereas Kerberos can use delegation to access resources across the network. It is also important to note that you do not have control over which protocol is used. IIS will always attempt to use Kerberos first and will use NTLM only if Kerberos is not available.

Using Multiple Authentication Methods
Review the guidelines for using multiple authentication methods so that the students will understand how IIS determines which authentication method to use when multiple authentication methods are specified.

Practice: Selecting a Web Client Authentication Method
In this practice, students will review some common scenarios and decide which authentication method or methods to use in each scenario. You can add value to this practice by asking students to determine the order in which IIS will try each of the authentication methods to find a valid one.

Lesson: Running Services As an Authenticated User

Multimedia: User Identity Flow in a Web Application
This animation explains how the identity flow can be passed either by using application parameters or the Windows operating system. The animation shows all parts of the process; however, only the client authentication in IIS and COM+ pieces are discussed here. Microsoft SQL Server™ is covered in Module 7, “Securing Microsoft SQL Server,” in Course 2300, Developing Secure Web Applications. COM+ is beyond the scope of this course. If students do not know what a COM+ component is, start out with a brief description: COM+ was
introduced by Microsoft in 2000. COM+ builds on the integrated services and features of the Component Object Model (COM), making it easier for developers to create and use software components in any language, by using any tool. For more information about COM+, see the article “COM+ Programming Overview,” which is available at http://msdn.microsoft.com/library/en-us/cossdk/htm/pgintro_programmingoverview_9kjb.asp

Selecting an IIS Application Protection Level
Note that the application protection setting applies only to ASP Web applications. Demonstrate where you configure this setting in IIS, which is in the Properties dialog box, on the Directory tab, of a Web application. Describe the process in which ASP.NET Web applications are run, ASPNet_wp.exe. Explain that IIS always runs ASP.NET Web applications in a single instance of the ASPNet_wp.exe process and that developers do not have control over this.

Configuring COM+ Applications to Run Under a Specific User Identity
Demonstrate the Component Services dialog box to show where the students can set the identity of a COM+ application:
1. On the Start menu, point to Programs, point to Administrative Tools, and then click Component Services.
2. In the Component Services dialog box, expand Component Services, expand Computers, expand My Computer, and then expand COM+ Applications.
3. Right-click a COM+ application, such as IIS Out-Of-Process Pooled Applications, and then click Properties.
4. In the Properties dialog box, on the Identity tab, show how the IIS Out-Of-Process Pooled applications are configured to run as the IWAM_computername user.
5. Click Cancel to close the Properties dialog box.

Configuring Role-Based Security for COM+ Applications
This topic is beyond the scope of this course. Direct students to Course 2557, Building COM+ Applications Using Microsoft .NET Enterprise Services, to learn more about this topic.

Lab 4: Authentication and Access Control
Introduce the lab with a
group brainstorming session about which users need to have access to the TailspinToys and TailspinToysAdmin Web applications, and therefore, what authentication method should be applied to each Web application:
• The TailspinToys Web application must be available to everyone; therefore, it will be configured to allow Anonymous access.
• The TailspinToysAdmin Web application must be available only to the employees of Tailspin Toys; therefore, it will be configured to use Integrated Windows authentication.

At the end of the lab, reiterate which authentication methods were applied to the two Web applications and why.

Customization Information

This section identifies the lab setup requirements for a module and the configuration changes that occur on student computers during the labs. This information is provided to assist you in replicating or customizing Microsoft Official Curriculum (MOC) courseware.

Lab Setup
To complete this lab, students can continue working in the Tailspin Toys Microsoft Visual Studio® .NET projects that they used in previous labs, or they can start with new files. To start with new files, students must complete the following steps.

• Create the Web applications for the ASP exercises
1. Copy all of the contents of the ASP starter folder install_folder\Labfiles\Lab04\ASP\Starter\TailspinToys to the TailspinToys IIS virtual directory at C:\Inetpub\wwwroot\TailspinToys
2. Copy all of the contents of the ASP starter folder install_folder\Labfiles\Lab04\ASP\Starter\TailspinToysAdmin to the TailspinToysAdmin IIS virtual directory at C:\Inetpub\wwwroot\TailspinToysAdmin
• Create the Web applications for the ASP.NET exercises
1. Copy all of the contents of the ASP.NET folder install_folder\Labfiles\Lab04\ASPXVB\Starter\TailspinToys.NET to the TailspinToys.NET IIS virtual directory at C:\Inetpub\wwwroot\TailspinToys.NET
2. Copy all of the contents of the ASP.NET folder install_folder\Labfiles\Lab04\ASPXVB\Starter\TailspinToysAdmin.NET to the TailspinToysAdmin.NET IIS virtual directory at C:\Inetpub\wwwroot\TailspinToysAdmin.NET

Lab Results
Performing the lab in this module introduces the following configuration change:
• The TailspinToys and TailspinToys.NET Web applications should be configured in IIS to only allow Anonymous access.
• The TailspinToysAdmin and TailspinToysAdmin.NET Web applications should be configured in IIS to allow only Integrated Windows authentication.

Set security level for access checks
To set the security level for access checks:
1. In the console tree of the Component Services administrative tool, right-click the COM+ application for which you want to enable access checks, and then click Properties.
2. In the COM+ application Properties dialog box, click the Security tab.
3. Under Security level, select one of the following settings:
   • Perform access checks only at the process level: users who are in roles that are assigned to the application will be added to the process-level security descriptor.
   • Perform access checks at the process and component level: process-level security descriptor checks and full role-based security checks will be performed.
4. Click OK.

The next time that the application is started, security will automatically be checked at the specified level. Only users who are assigned to roles that are assigned to the application will be given access to the application.

Enable access checks at the component level
By default, when you install a component,
component-level access checks are enabled. However, this setting takes effect only when application-level access checks are enabled and when the security level is set to Perform access checks at the process and component level.

To turn on security checking at the component, interface, and method levels:
1. In the console tree of the Component Services administrative tool, locate the COM+ application that contains the component for which you want to disable (or enable) role checks.
2. Expand the view in the tree to view the components in the Components folder.
3. Right-click the component for which you want to enable access checks, and then click Properties.
4. In the COM+ component Properties dialog box, click the Security tab.
5. Select Enforce component level access checks to enforce component-level access checks, and then click OK.

The new setting will take effect the next time that the application is started.

Define roles for an application
You determine a security policy for a Web application by defining the security access privileges that the application requires. To define security access privileges, you declare a symbolic level of access privilege as a role—that is, you define the role for the application—and then assign that role to specific resources that are within the application. This step is completed when the application is deployed and system administrators populate the role with actual users and user groups.

To add a role to an application:
1. In the console tree of the Component Services administrative tool, locate the COM+ application to which you want to add the role.
2. Expand the tree to view the folders for the application.
3. Right-click the Roles folder for the application, point to New, and then click Role.
4. In the Role dialog box, type the name of the new role in the box provided, and then click OK. The new role is added to the Roles folder in the Component Services administrative tool.
5. Expand the new role in the
Component Services administrative tool.
6. Right-click the Users folder, point to New, and then click User.
7. In the Select Users or Groups dialog box, for each user you want to add to the role, click the user and then click Add.
8. Click OK. The users are added to the Users folder of that role.

Note: After adding roles to the application and users to those roles, you must assign the roles to the appropriate components, interfaces, and methods. Otherwise, if role-based security has been chosen and enabled, and if roles have been added but not assigned, all calls to the application will fail.

Assign roles to components, interfaces, or methods
You can explicitly assign a role to any item within a COM+ application that is visible through the Component Services administrative tool. Explicitly assigning a role ensures that any users that are members of the role will be permitted access to that item and to any other items that item contains.

To assign roles to a component, method, or interface:
1. In the console tree of the Component Services administrative tool, locate the COM+ application for which the role has been defined.
2. Expand the tree to view the application’s components, interfaces, or methods, depending on the one to which you are assigning the role.
3. Right-click the item to which you want to assign the role, and then click Properties.
4. In the Properties dialog box, click the Security tab.
5. In the Roles explicitly set for selected item(s) box, select the roles that you want to assign to the item, and then click OK.

Review
• Introduction to Web Client Authentication
• Configuring Access Permissions for a Web Server
• Selecting a Secure Client Authentication Method
• Running Services As an Authenticated User

1. What is the difference between authentication and authorization?
Authentication is the process of validating identification credentials. Authorization is the process of determining whether an authenticated user has access to a specific resource.

2. What is the difference between Basic authentication and Digest authentication?

Basic authentication sends the user name and password to the Web server in Base64 encoding. Digest authentication sends the user data in an encrypted format.

3. What is the difference between the IUSR_computername account and the IWAM_computername account?

The IUSR_computername account is the Internet Guest Account. It is the account that is used for Anonymous authentication. The IWAM_computername account is the account that runs the Web application code when the Web application is configured to run at Medium or High protection level.

4. When would you set IP address or domain name restrictions on a Web application?

If there is a specific computer, such as a proxy server, that you want or do not want to access your Web application.

5. How does setting Web-based permissions on a Web application secure it?

Web-based permissions are enforced for all users of a Web application. For example, if you configure the site for Read only, you secure the site from all users writing to it.

6. When would you want to require authenticated access to a Web application?

If the Web application is accessing private information and you want only authenticated users to access the private information.

7. What are the requirements that must be met before Integrated Windows authentication will use Kerberos V5 instead of NTLM? Which will be used by the Web applications created in the labs of this course?
The requirements are as follows:
• IIS is configured to use Integrated Windows authentication.
• The client computer is running Windows 2000 Server and Internet Explorer or later.
• The server is running Windows 2000 Server and IIS 5.0 or later.
• The client computer and the server are in the same Windows 2000 domain or in trusted domains.
• The Web application name matches the Web server name.

The labs of the course will probably use NTLM because the student computers are not set up in a domain and the names of the Web applications being created (TailspinToys and TailspinToysAdmin) are the same as the Web servers.

Lab 4: Authentication and Access Control
• ASP Exercise 1: Configuring IIS Authentication for the TailspinToys Web Application
• ASP Exercise 2: Configuring IIS Authentication for the TailspinToysAdmin Web Application
• ASP.NET Exercise 3: Configuring IIS Authentication for the TailspinToys.NET Web Application
• ASP.NET Exercise 4: Configuring IIS Authentication for the TailspinToysAdmin.NET Web Application

Objectives
After completing this lab, you will be able to:
• Set specific authentication methods for a Web application.
• Display user information about the authenticated user in an ASP page and an ASP.NET page.
• Configure an ASP.NET Web application to use impersonation.

Note: This lab focuses on the concepts in this module and as a result may not comply with Microsoft security recommendations. For instance, this lab does not comply with the recommendation that all error conditions and exceptions be handled and that connection strings should not use the sa login account.

Prerequisites
Before working on this lab, you must have:
• An understanding of the differences between Anonymous, Basic, and Integrated Windows authentication.
• Experience using Internet Services Manager.
• Experience creating ASP and ASP.NET Web applications.
• Experience configuring an ASP.NET Web application by editing the Web.config file.

Scenario
In the labs for Course 2300, Developing Secure Web Applications, you will create two Web applications, TailspinToys and TailspinToysAdmin. By accessing the TailspinToys Web application, users will be able to get a list of the products that are created by Tailspin Toys, and resellers will be able to view the status of their orders. By accessing the TailspinToysAdmin Web application, employees will be able to create new reseller accounts and update the status of reseller orders.

In this lab, you will set the authentication mode for the two Web applications. The TailspinToys Web application must be accessible to all Internet users; therefore, it will be configured for Anonymous access. The TailspinToysAdmin Web site will be used only by company employees, and therefore, it will be configured for Integrated Windows authentication.

Note: The example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious. No association with any real company, organization, product, domain name, e-mail address, logo, person, places, or events is intended or should be inferred.

Estimated time to complete this lab: 30 minutes

Exercise: Lab Setup
To complete this lab, you can either continue working in the Tailspin Toys Visual Studio .NET projects that you have already created, or you can start with new files. If you want to start with new files, you must copy the appropriate starter projects to the lab virtual root directories. There are separate starter projects for the ASP and the ASP.NET exercises.
• Create the Web applications for the ASP exercises
1. Copy all of the contents of the ASP starter folder install_folder\Labfiles\Lab04\ASP\Starter\TailspinToys to the TailspinToys IIS virtual directory at C:\Inetpub\wwwroot\TailspinToys
2. Copy all of the contents of the ASP starter folder install_folder\Labfiles\Lab04\ASP\Starter\TailspinToysAdmin to the TailspinToysAdmin IIS virtual directory at C:\Inetpub\wwwroot\TailspinToysAdmin

• Create the Web applications for the ASP.NET exercises
1. Copy all of the contents of the ASP.NET folder install_folder\Labfiles\Lab04\ASPXVB\Starter\TailspinToys.NET to the TailspinToys.NET IIS virtual directory at C:\Inetpub\wwwroot\TailspinToys.NET
2. Copy all of the contents of the ASP.NET folder install_folder\Labfiles\Lab04\ASPXVB\Starter\TailspinToysAdmin.NET to the TailspinToysAdmin.NET IIS virtual directory at C:\Inetpub\wwwroot\TailspinToysAdmin.NET

ASP Exercise 1: Configuring IIS Authentication for the TailspinToys Web Application
In this exercise, you will configure the IIS access method for the TailspinToys ASP Web application.

• Examine the default configuration of the TailspinToys Web application
1. From the Start menu, run Internet Services Manager in the Administrative Tools group.
2. Right-click the TailspinToys Web application, and then click Properties.
3. In the TailspinToys Properties dialog box, on the Directory Security tab, under Anonymous access and authentication control, click Edit.
4. What authentication methods are enabled?
   Anonymous and Integrated Windows authentication
5. In Visual Studio .NET, open the TailspinToys project in the 2300Labs solution.
6. Create a new Web Form named WhoAmI.asp that displays the identity of the user. Your code should look like the following:

```asp
<%
' AUTH_USER and AUTH_PASSWORD are the IIS server variables that carry the user
' name and password IIS authenticated the request with; both are empty for
' Anonymous access and AUTH_PASSWORD is empty for Integrated Windows authentication.
%>
The authenticated user is <%= Request.ServerVariables("AUTH_USER") %>.<br>
The password for this account is <%= Request.ServerVariables("AUTH_PASSWORD") %>.
```
7. Save your changes.
8. In Internet Explorer, open http://localhost/TailspinToys/WhoAmI.asp
9. What account is the page running as?
   Anonymous
10. Why does IIS execute the script as the anonymous user when you are logged on as 2300Student and Integrated Windows authentication is enabled?
   When Anonymous authentication is enabled, IIS will attempt to first connect to the requested resource as the Internet Guest Account. If the Internet Guest Account has permissions to gain access to the resource, no other authentication method is attempted.

• Configure the TailspinToys Web application to use only Anonymous authentication
1. In Internet Services Manager, right-click the TailspinToys Web site, and then click Properties.
2. In the TailspinToys Properties dialog box, on the Directory Security tab, under Anonymous access and authentication control, click Edit.
3. Clear the Integrated Windows authentication check box, and then click OK.
4. In the TailspinToys Properties dialog box, click OK.
5. In Internet Explorer, view the WhoAmI.asp Web page.
6. What are the user name and password that are used to run the WhoAmI.asp script? Explain any changes caused by the new IIS configuration.
   Still anonymous. There is no change.

ASP Exercise 2: Configuring IIS Authentication for the TailspinToysAdmin Web Application
In this exercise, you will configure the IIS access method for the TailspinToysAdmin ASP Web application. By default, TailspinToysAdmin is configured to use Anonymous access and Integrated Windows security. In this exercise, you will change TailspinToysAdmin to use only Integrated Windows authentication.
• Configure the TailspinToysAdmin Web application to use Integrated Windows authentication
1. In Internet Services Manager, right-click the TailspinToysAdmin Web application, and then click Properties.
2. In the TailspinToysAdmin Properties dialog box, on the Directory Security tab, under Anonymous access and authentication control, click Edit.
3. What authentication methods are enabled?
   Anonymous access and Integrated Windows authentication
4. Clear the Anonymous access check box.
5. In the Authentication Methods dialog box, click OK.
6. In the TailspinToysAdmin Properties dialog box, click OK.

• Test
1. In Visual Studio .NET, open the TailspinToysAdmin project in the 2300Labs solution.
2. Copy the WhoAmI.asp page from the TailspinToys project to the TailspinToysAdmin project:
   a. In Solution Explorer, right-click the WhoAmI.asp page in the TailspinToys project, and then click Copy.
   b. In Solution Explorer, right-click the TailspinToysAdmin project, and then click Paste.
3. In Internet Explorer, open http://localhost/TailspinToysAdmin/WhoAmI.asp
4. What are the user name and password that are used to run the WhoAmI.asp script?
   Machinename\2300Student, unknown password. Integrated Windows authentication will automatically use the credentials of the user that is currently logged on to gain access to the requested resource. The user is authenticated without requiring the password to be sent over the network. Consequently, IIS does not actually store or track the user’s password.

ASP.NET Exercise 3: Configuring IIS Authentication for the TailspinToys.NET Web Application
In this exercise, you will configure the IIS access method for the TailspinToys.NET ASP.NET Web application.
Examine the default configuration of the TailspinToys.NET Web application From the Start menu, run the Internet Services Manager in the Administrative Tools group Right-click the TailspinToys.NET Web application, and then click Properties In the TailspinToys.NET Properties dialog box, on the Directory Security tab, under Anonymous access and authentication control, click Edit What authentication methods are enabled? Anonymous and Integrated Windows authentication In Visual Studio NET, open the TailspinToys.NET project in the 2300Labs.NET solution Create a new Web Form named WhoAmI.aspx In the Page_Load event procedure, add code that displays the identity of the authenticated user and the account that is running the code You will need to import the System.Security.Principal namespace Your code should look like the following: Imports System.Security.Principal Private Sub Page_Load( ) If User.Identity.IsAuthenticated Then Response.Write("Authenticated user: " & _ User.Identity.Name & "") Else Response.Write("Anonymous access") End If Response.Write("Windows identity: " & _ WindowsIdentity.GetCurrent().Name) End Sub Save your changes and build the TailspinToys.NET project 64 Module 4: Internet Information Services Authentication In Internet Explorer, open http://localhost/TailspinToys.NET/ WhoAmI.aspx What is the authenticated user account? What account is the page running as? Anonymous, MachineName\ASPNET Why does IIS authenticate the request as the anonymous user when you are logged on as 2300Student and Integrated Windows authentication is enabled? When Anonymous authentication is enabled, IIS will attempt to first connect to the requested resource as the Internet Guest Account If the Internet Guest Account has permissions to gain access to the resource, no other authentication method is attempted ! 
Configure the TailspinToys.NET Web application to use only Anonymous authentication In Internet Services Manager, right-click the TailspinToys.NET Web site, and then click Properties In the TailspinToys.NET Properties dialog box, on the Directory Security tab, under Anonymous access and authentication control, click Edit Clear the Integrated Windows authentication check box, and then click OK In the TailspinToys.NET Properties dialog box, click OK In Internet Explorer, view the WhoAmI.aspx Web page What is the user name of the authenticated user? Explain any changes caused by the new IIS configuration Still anonymous There are no changes Module 4: Internet Information Services Authentication 65 ASP.NET Exercise Configuring IIS Authentication for the TailspinToysAdmin.NET Web Application In this exercise, you will configure the IIS access method for the TailspinToysAdmin.NET ASP.NET Web application By default, TailspinToysAdmin.NET is configured to use Anonymous and Integrated Windows authentication In this exercise, you will change TailspinToysAdmin.NET to use only Integrated Windows authentication ! Configure the TailspinToysAdmin.NET Web application to use Integrated Windows authentication In Internet Services Manager, right-click the TailspinToysAdmin.NET Web application, and then click Properties In the TailspinToysAdmin.NET Properties dialog box, on the Directory Security tab, under Anonymous access and authentication control, click Edit What authentication methods are enabled? Anonymous and Integrated Windows authentication Clear the Anonymous access check box In the Authentication Methods dialog box, click OK In the TailspinToysAdmin.NET Properties dialog box, click OK 66 Module 4: Internet Information Services Authentication ! 
Test In Visual Studio NET, open the TailspinToysAdmin.NET project in the 2300Labs.NET solution Copy the WhoAmI.aspx page from the TailspinToys.NET project to the TailspinToysAdmin.NET project: a In Solution Explorer, right-click the WhoAmI.aspx page in the TailspinToys.NET project, and then click Copy b In Solution Explorer, right-click the TailspinToysAdmin.NET project, and then click Paste Build the TailspinToysAdmin.NET project In Internet Explorer, open http://localhost/TailspinToysAdmin.NET/ WhoAmI.aspx What is the Windows identity that is used to run the WhoAmI.aspx page? Why is this identity used? MachineName\ASPNET ASP.NET always runs as the ASPNET user Turn on impersonation for the Web application by adding the following tag to the section in the Web.config file: Build the TailspinToysAdmin.NET project In Internet Explorer, open http://localhost/TailspinToysAdmin.NET/ WhoAmI.aspx What is account that is used to run the WhoAmI.aspx page? Why is this account used? Machinename\2300Student This account is used because you are impersonating the Integrated Windows authenticated user ... located 10 Module 4: Internet Information Services Authentication How IIS Impersonates a Windows User Account LocalSystem Takes client request Impersonates the Internet Internet Information Information... dnsecure/html/WebsecIISsec.asp Module 4: Internet Information Services Authentication v How to Teach This Module This section contains information that will help you to teach this module Lesson: Introduction... owners Module 4: Internet Information Services Authentication iii Instructor Notes Presentation: 75 minutes Lab: 30 minutes This module provides students with information about the Web client authentication
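The two identities the WhoAmI.aspx page reports (the caller IIS authenticated, and the Windows account the request thread actually runs as) can also be separated in code instead of for the whole application through Web.config. The following VB.NET code-behind is an added example, not code from the course or its lab projects. It assumes a hypothetical page named WhoAmIDetail.aspx in a virtual directory configured for Integrated Windows authentication only, with Windows authentication mode in Web.config and no application-wide impersonation, so that the thread identity starts out as the ASPNET account as in the lab.

```vb
' Added example (not from the course): report both identities and impersonate
' the authenticated caller only for a bounded block of code.
' Assumptions (hypothetical): page WhoAmIDetail.aspx, Integrated Windows
' authentication on the directory, <authentication mode="Windows"/> and no
' <identity impersonate="true"/> in Web.config.
Imports System
Imports System.Security.Principal
Imports System.Web
Imports System.Web.UI

Public Class WhoAmIDetail
    Inherits Page

    Private Sub Page_Load(ByVal sender As Object, ByVal e As EventArgs) _
            Handles MyBase.Load
        ' 1. The caller as IIS passed it to ASP.NET. If Anonymous access were
        '    still enabled this would not be authenticated, because IIS connects
        '    as the Internet Guest Account first and never challenges the browser.
        Dim caller As IIdentity = User.Identity
        If caller.IsAuthenticated Then
            Response.Write("Authenticated user: " & Server.HtmlEncode(caller.Name) & _
                " (" & caller.AuthenticationType & ")<br>")
        Else
            Response.Write("Anonymous access<br>")
        End If

        ' 2. The Windows account the request thread runs as. Without
        '    <identity impersonate="true"/> this is the ASPNET worker account
        '    regardless of who the caller is.
        Response.Write("Thread identity: " & _
            Server.HtmlEncode(WindowsIdentity.GetCurrent().Name) & "<br>")

        ' 3. Scoped impersonation: only for an authenticated Windows caller,
        '    and always undone in Finally so an exception cannot leave the
        '    worker thread running under the caller's token.
        If Not (TypeOf caller Is WindowsIdentity) OrElse Not caller.IsAuthenticated Then
            Response.Write("No authenticated Windows identity to impersonate<br>")
            Return
        End If

        Dim winId As WindowsIdentity = DirectCast(caller, WindowsIdentity)
        Dim ctx As WindowsImpersonationContext = winId.Impersonate()
        Try
            ' Anything that touches files or other ACL-protected resources here
            ' is checked against the caller's permissions, not ASPNET's.
            Response.Write("While impersonating: " & _
                Server.HtmlEncode(WindowsIdentity.GetCurrent().Name) & "<br>")
        Finally
            ctx.Undo()
        End Try

        Response.Write("After Undo: " & _
            Server.HtmlEncode(WindowsIdentity.GetCurrent().Name))
    End Sub
End Class
```

With the assumed configuration the page shows the authenticated caller, a thread identity of MachineName\ASPNET, the caller's account inside the Try block, and ASPNET again after Undo. The Web.config setting used in the lab step above switches the thread identity for every request in the application; the programmatic form limits the time the thread carries the caller's token to the resource access that needs it, and the IsAuthenticated check prevents an anonymous request from reaching the impersonation code at all. Output is passed through Server.HtmlEncode because an account name is caller-controlled data when it is written into a page.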

Posted: 21/12/2013, 05:18
