IIS 7.5 basic authentication and Active Directory validation

active-directory iis authentication http-basic-authentication
28,092

Solution 1

Basic authentication will work just fine for authenticating against AD - it authenticates against the IIS server's local account database; for a domain member, that includes the Active Directory domains in the forest that it's joined to.

You'll not get any kind of kerberos ticket in return - basic auth simply includes the password in the header of requests sent to the server, and the server does with it what it will - returning either the requested resource or a 401 error.. but if you're looking for user identification within the web application within IIS, then that information (which user/domain they authenticated as) should be available to the code.

Browsers will keep the entered password in memory for the life of the session, so you'll be covered for subsequent requests to that server, but not for any access to other systems or services.

There's information about configuring basic auth, including configuring the default domain and the prompt that users receive, here.

Solution 2

Okay, so an answer's been accepted, but I'm going to say in general:

Don't use Basic.

If there's a question for which Basic-with-domain-credentials seems like it's the right answer, it's almost always not.

Use Integrated Authentication.

Basic allows a malicious web developer to learn a user's AD credentials, and then it's game over.

Integrated allows the user to authenticate that they are who they say they are, and allows the use of Constrained Delegation to limit what a web developer can do with the token. It doesn't directly expose the username and password to interception (if SSL is mis- (i.e. not-) configured, which happens all the freakin' time), and it doesn't allow someone with write access to the web server share to write simple web applications which intercept credentials.

Solution 3

If IIS has the user credentials, those can be used to create a primary token for that user. IIS can use that token and impersonate that user to access resources and applications on other servers.

The IIS machine and application pool identity (service account) would need to be configured for the appropriate level of impersonation or delegation in order to act on behalf of a user with their token, but this scenario is actually quite common in the IIS/ASP.Net world.

If you were to perform constrained delegation - mentioned by Tristan - it is actually possible to create a full delegation-level token for users for access to specific services on specific machines (that's the constrained part), and you do not actually need their password. This is more secure if you have an external authentication mechanism (such as a smart card), and only their identity is passed to the web application. This obviates the need to transmit passwords beyond security boundaries.

Share:
28,092

Related videos on Youtube

jturinetti
Author by

jturinetti

Updated on September 18, 2022

Comments

  • jturinetti
    jturinetti almost 2 years

    I'm not an IIS or Active Directory expert by any means so I want to present a scenario here and see if what we want to accomplish is feasible.

    We have an application hosted on Windows Server 2008 R2 with a series of web services exposed as an API through IIS. These services will be called by multiple external integration systems. If we configure the IIS services to use Basic authentication, will IIS validate the credentials we pass to it against Active Directory by default, is this a special configuration setting, or is this not possible? We'd like for those credentials to be validated against AD so we receive the token/principal in return, which can be sent to the underlying application on that server.

    Thanks in advance. Any help is appreciated.

  • ravi yarlagadda
    ravi yarlagadda over 12 years
    This isn't correct.. Basic auth works just fine for domain users, and even includes an option to set the default login domain so that users don't need to use a UPN or domain\username to log in. It's plaintext over the HTTP channel, but that's what SSL is for.
  • adaptr
    adaptr over 12 years
    ...that would completely expose AD credentials on the wire.
  • ravi yarlagadda
    ravi yarlagadda over 12 years
    If you enter them on an unencrypted link, it certainly would, but it's still an option. Some browsers these days even warn you when you're doing basic auth on an HTTP channel. Again, SSL is the answer to that concern.
  • adaptr
    adaptr over 12 years
    I'm sorry, it's not that I am doubting what you say, but the mere concept of allowing (by nature very secure) Kerberos credentials to be exposed over an HTTP request is.. wow.
  • ravi yarlagadda
    ravi yarlagadda over 12 years
    Well, there's nothing tying it to a user's kerberos session or anything like that - the only difference from non-domain auth is what the server does with the authentication data, validating against the domain instead of local users. Basic auth over SSL is no less secure than, say, forms authentication via a POST request over an SSL channel (as in, for instance, Exchange's Web Access).
  • jturinetti
    jturinetti over 12 years
    Thanks Shane. What exactly is returned from AD after validating credentials using basic auth?
  • ravi yarlagadda
    ravi yarlagadda over 12 years
    I'm not sure what you mean - returned to where?
  • jturinetti
    jturinetti over 12 years
    For example, in the case where a Kerberos ticket is returned from AD to the server's IIS, I think this involves Windows Integrated Auth. In my scenario, a client passes username/password in request to IIS-hosted service. IIS, set up for basic auth, validates those credentials against AD. In the case of basic auth here, does AD return anything to IIS to uniquely identify that user, such as a token of some sort?
  • ravi yarlagadda
    ravi yarlagadda over 12 years
    It authenticates and builds a limited session on behalf of the user; assuming your application's in the ASP world then it can identify the user via User.Identity.Name - see here.

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

Risks in raising domain Functional Level from 2003 mixed to 2008 native
Non-Domain IIS server authenticate on domain?
IIS Basic Authorization ala .htaccess/.htpasswd in apache
IIS enable authentication for reverse proxy
HTTP Error 500.19 - Error Code 0x80070021
Authenticate Oracle Database with Active Directory Users
IIS7 give ApplicationPoolIdentity access to a network location
C# / ASP.NET / AD - "The specified directory service attribute or value does not exist."
401 - Unauthorized in IE7 only with windows authentication.
HTTP Error 401.0 - Unauthorized