Relationship between IIS security and .NET AuthenticationManager

Manny Vellon

Is there a good explanation (web page, book, etc.) of how IIS security and
AuthenticationManager security interrelate in the context of Web services? I
am experimenting with this and don't understand why if I call
AuthenticationManager.Unregister() and remove all authentication modules
except NTLM, that it seems that my IIS server is still trying to do
"Negotiate" authentication (as determined by an Ethereal sniff and looking
at the HTTP response headers (the "WWW-Authenticate" header)). I've set up my
IIS folder and file security (on my web service directory and .asmx file) to
specify "Integrated Windows Authentication". I have verified that the
Unregister calls are doing the right thing (by iterating through the
RegisteredModules and verifying that only NTLM remains).

thanks.
 
Joe Kaplan (MVP - ADSI)

IIS actually implements the authentication protocols that it supports
(Basic, Digest, Negotiate, Client Cert), so that behavior is governed by the
settings in the IIS metabase.

I'm not totally clear on what the authentication modules in System.Net
actually do, especially in relation to ASP.NET, but Windows authentication
is already "done" by the time ASP.NET sees the request.

If you don't want negotiate (only NTLM), you need to change the appropriate
IIS metabase property. This is done with a script or with a tool like
Metabase Explorer. Inetmgr does not expose UI for this. I generally find
myself doing the exact opposite to get Kerberos support, but some people
want NTLM for some reason.

I'm not sure about books that go into this. I learned most of what I know
from struggling with a vendor SSO product for more than a year. :)

Joe K.
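
The check described in the question (reading the server's "WWW-Authenticate" headers from a capture), as an added example that is not part of the original thread: it lists the schemes the server offers and identifies what a Negotiate or NTLM token actually carries. The function names and the two sample responses are constructed for illustration.

```python
import base64
import struct

NTLMSSP = b"NTLMSSP\x00"  # signature at the start of every NTLM message

def challenges(raw_response):
    """Yield (scheme, token_bytes_or_None) for each WWW-Authenticate header."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:           # skip the status line
        name, _, value = line.partition(":")
        if name.strip().lower() != "www-authenticate":
            continue
        scheme, _, rest = value.strip().partition(" ")
        token = None
        if scheme.lower() in ("negotiate", "ntlm") and rest.strip():
            try:
                token = base64.b64decode(rest.strip(), validate=True)
            except ValueError:                     # malformed base64: no token
                token = None
        yield scheme, token

def mechanism(token):
    """Name what a Negotiate/NTLM token carries, judged by its first bytes."""
    if token is None:
        return "no token (initial offer)"
    if token.startswith(NTLMSSP) and len(token) >= 12:
        (msg_type,) = struct.unpack_from("<I", token, 8)  # little-endian type
        return "NTLMSSP type %d" % msg_type
    if token[:1] in (b"\x60", b"\xa1"):            # GSS-API / SPNEGO ASN.1 tags
        return "GSS-API/SPNEGO"
    return "unknown"

def summarize(raw_response):
    return [(s, mechanism(t)) for s, t in challenges(raw_response)]

# Constructed sample: first 401 from a server offering both schemes.
INITIAL_401 = ("HTTP/1.1 401 Unauthorized\r\n"
               "WWW-Authenticate: Negotiate\r\n"
               "WWW-Authenticate: NTLM\r\n"
               "Content-Length: 0\r\n\r\n")
# Constructed sample: Negotiate header wrapping a raw NTLM type 2 (header only).
_type2 = NTLMSSP + struct.pack("<I", 2) + b"\x00" * 20
SECOND_401 = ("HTTP/1.1 401 Unauthorized\r\n"
              "WWW-Authenticate: Negotiate "
              + base64.b64encode(_type2).decode() + "\r\n\r\n")

if __name__ == "__main__":
    print(summarize(INITIAL_401))
    print(summarize(SECOND_401))
```

The second sample shows why the header's scheme name alone is not conclusive: a Negotiate exchange can still carry NTLM messages.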
 
Manny Vellon

Actually, I was confused about client v. server authentication protocols - I
thought AuthenticationManager helped with server-side authentication. Never
mind.

On a different note, is there any way for .NET to participate in HTTP-level
authentication? If I'm running under Cassini, for example, can I implement
my own NTLM WWW-Authentication protocol?
 
Dominick Baier [DevelopMentor]

Implementing NTLM on your own is hard - you have to program against the SSPI
API - which is unmanaged (and not trivial)

But sure, just as IIS implements NTLM - you could write your own implementation
in Cassini -

why??
 
Manny Vellon

Yes, I've used SSPI before.

1) I want to be able to implement Web services on a machine that doesn't
have IIS installed (nor do I want the user to have to deal with installing
and managing IIS), but I also want those Web services to require
authenticated users.

2) I'd like to do the same thing with mono/xsp on Linux, hooking in to other
code that knows how to talk NTLM to AD.
 
Dominick Baier [DevelopMentor]

Hi,

Well - in this case I would not bother implementing HTTP style authentication
but go directly for WS-Security which already includes all the wrappers needed
for NTLM/Kerberos and Certificates.

This wouldn't even necessarily need Cassini as you can host HTTP based services
in your own host (e.g. using HTTP.sys) - you can even host .asmx endpoints
in arbitrary processes.

Look for WSE3 (Web Service Enhancements)
http://msdn.microsoft.com/webservices/
 
Manny Vellon

Thanks - I'll take a look. Do you know, offhand, if WS-Security supports
current credentials (Default Credentials) or whether you are required to
pass explicit credentials?
 
Dominick Baier [DevelopMentor]

There is a KerberosToken which supports integrated and the default UsernameTokenManager
does clear text Windows auth.
 
