The .NET Runtime and IIS
Presented by
Chris Dickey – cdickey.net consulting
www.cdickey.net

Topics
- Installing the .NET runtime
- The role of IIS as the application server
- .NET Remoting and Web Services
- How the .NET runtime works with IIS 5.0
- Significance of the HTTP Pipeline
- Security
- What's coming with IIS 6.0

Installing the .NET Runtime
- http://msdn.microsoft.com/netframework/downloads/default.asp
- Windows Update Service
- .NET Runtime
- .NET SDK + Runtime
- Visual Studio.NET

IIS is the Application Server
- Static Pages
- ISAPI
- ASP
- ASP.NET
- Web Services
- Remoting
- Connection Point to SQL Server

ASP.NET Web Pages
- What most people think of as ASP.NET
- Compiled web pages
- Huge advance over previous ASP version
- Lots of well known features

Web Services
- Communication between diverse systems
- SOAP packets transported using HTTP and SMTP protocols
- Application connectivity protocol
- IIS is the client connection point
- Takes advantage of the HTTP Runtime

.NET Remoting
- Replacement for DCOM, tailored for .NET-to-.NET communications
- Can be hosted by ASP.NET runtime
- Takes advantage of the HTTP Runtime

.NET compatibility and interoperability
- ASP.NET coexists with IIS 5.0 and ASP
- Runs in a separate process
- Doesn’t use the registry
- Routed through IIS ISAPI
- Can’t share sessions – 2 separate systems

IIS 5.0 and ASP.NET Runtime

HTTP Pipeline
- general-purpose framework for server-side HTTP programming
- foundation for ASP.NET pages, Web Services, Remoting
- HttpModules
- HttpHandlers
- HttpContext, HttpContext.User
- ISAPI: HTTP_FILTER_CONTEXT

ASP .NET Request Processing (diagram). Components shown: Host (IIS, native code); ASP.NET Runtime (.NET code); HTTP Module(s); Http Context; Application (Global.asax); HTTP Handler; ASP.NET Page; ASP.NET Service.

Configuration Files / Accounts
- XML configuration files – case sensitive
- Can be read by all authenticated users
- machine.config
- web.config
- machine, site, application, folder levels
- SYSTEM, ASPNET, IUSR_<machine>, IWAM_<machine>

Demo
- Run .net app – HTTPHandler
- Show IIS 5.0 config
- Show aspnet_wp.exe process – only 1
- *.config files

Security Services
- ASP .NET support for authentication and authorization
  - Extensible and customizable
  - Authentication scheme transparency
  - Simple deployment model
  - Support for granular declarative and imperative authorizations
  - Uses CLR Evidence-Based Security
  - Supports application layer security

Flow of Security

Process Identity
- Windows® 2000: Default is ASPNET
  - Can also run with SYSTEM account or configured account using <processModel>
- Windows .NET Server
  - Uses IIS 6 process model
  - Default is NetworkService
  - App Pools are configurable, identity is configurable

HTTP Pipeline

Authentication
- ASP .NET is an ISAPI extension
  - Only receives requests for mapped content
- Windows Authentication (via IIS)
  - Basic, Digest, NTLM, Kerberos, IIS Certificate Support
- Forms-based (Cookie) Authentication
  - Application credential verification
- Supports Microsoft® Passport Authentication
- Custom Authentication

Forms-Based Auth
- Easy to implement
  - ASP .NET provides redirection
- Steps
  - Configure IIS to allow anonymous users (typically)
  - Use SSL!
  - Configure ASP .NET cookie authentication
  - Write your login page
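A login page code-behind for the steps above, added here as an example and not taken from the deck. It assumes the web.config shown in the leading comment, and CredentialStore.Validate is a hypothetical helper standing in for the SQL/AD credential check.

```csharp
using System;
using System.Web;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.WebControls;

// Assumed web.config for this page (not part of the deck):
//   <authentication mode="Forms">
//     <forms name=".ASPXAUTH" loginUrl="login.aspx" protection="All" timeout="20" />
//   </authentication>
//   <authorization><deny users="?" /></authorization>   <!-- anonymous users get the 302 to login.aspx -->
public class LoginPage : Page
{
    protected TextBox UserName;   // bound to the <asp:TextBox> controls on login.aspx
    protected TextBox Password;
    protected Label Message;

    protected void LoginButton_Click(object sender, EventArgs e)
    {
        // "Use SSL!": never accept credentials or issue a ticket over plain HTTP,
        // otherwise the POST body and the .ASPXAUTH cookie travel in the clear.
        if (!Request.IsSecureConnection)
        {
            Response.StatusCode = 403;
            Response.End();
        }

        // CredentialStore.Validate is a hypothetical helper that checks the credentials
        // against SQL Server or Active Directory (step 4 of the flow).
        if (!CredentialStore.Validate(UserName.Text, Password.Text))
        {
            Message.Text = "Login failed.";   // same text for unknown user and wrong password
            return;
        }

        // Step 5: Set-Cookie: .ASPXAUTH carrying the encrypted and signed ticket (protection="All").
        // false = session cookie, not persisted to disk.
        FormsAuthentication.SetAuthCookie(UserName.Text, false);

        // Step 6: send the browser back to the page it originally asked for. Only a
        // same-site path is honoured as ReturnUrl, so the login page cannot be used
        // to bounce users to another host.
        string returnUrl = Request.QueryString["ReturnUrl"];
        if (returnUrl == null || !returnUrl.StartsWith("/") || returnUrl.StartsWith("//")
            || returnUrl.IndexOf('\\') >= 0)
            returnUrl = ResolveUrl("~/default.aspx");
        Response.Redirect(returnUrl);
    }
}
```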

How It Works: Forms Authentication (sequence between the Web Browser, IIS/ASP.NET and SQL/AD)
1. Browser -> IIS/ASP.NET: GET default.aspx HTTP/1.1
2. IIS/ASP.NET -> Browser: 302 Redirect, Location: login.aspx
3. Browser -> IIS/ASP.NET: POST default.aspx HTTP/1.1, <form data containing credentials>
4. App authentication: IIS/ASP.NET checks the credentials against SQL/AD
5. IIS/ASP.NET -> Browser: 200 OK, Set-Cookie: .ASPXAUTH Auth Ticket
6. Browser -> IIS/ASP.NET: GET default.aspx HTTP/1.1, Cookie: .ASPXAUTH Auth Ticket

Custom Web Authentication
- Handle AuthenticateRequest event
  - Application level (global.asax) or
  - Http Module (implement IHttpModule)
- Scenarios:
  - Custom SOAP authentication
    - E.g., application defined scheme based on SOAP headers
  - Forms authentication for mobile devices without cookies
  - Customize forms authentication

Authorization Strategies
- Windows Security and ACLs
  - ACLs checked for Windows auth
  - Independent of impersonation
- COM+ Roles
- URL Authorization
- Custom Authorization
  - Windows .NET AuthZ Framework
  - Explicit imperative/declarative checks

Web Apps: Custom Roles
- Handle authentication event
- Replace HttpContext.User with custom IPrincipal or GenericPrincipal

// in global.asax; MyPrincipal is the application's own IPrincipal implementation
public void WindowsAuthentication_OnAuthenticate(
    Object src,
    WindowsAuthenticationEventArgs e)
{
    // replace the HttpContext principal for this request
    e.Context.User = new MyPrincipal(e.Identity);
}

Use Custom Roles
- Application defines roles
- Strategies:
  - Define Windows/AD groups and use WindowsPrincipal
  - Use GenericPrincipal or IPrincipal

// System.Security.Principal.IPrincipal
public interface IPrincipal {
    IIdentity Identity { get; }
    bool IsInRole(string role);
}

Custom Web Authorization
- Handle AuthorizeRequest event
  - Application level (global.asax) or
  - Http Module (implement IHttpModule)
- Scenarios:
  - Implement per-request billing system
  - Restrict access based on business rules
  - Restrict access based on dynamic behaviors (e.g., implement a per-day access limit, etc.)
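One IHttpModule covering both the Custom Roles slides and the Custom Web Authorization scenarios above, added here as an example and not taken from the deck: AuthenticateRequest swaps in a GenericPrincipal carrying application-defined roles, and AuthorizeRequest enforces a per-day access limit plus a role check. The web.config registration, the user names and the role table are constructed for the example.

```csharp
using System;
using System.Collections;
using System.Security.Principal;
using System.Web;

// Assumed registration in web.config (not part of the deck):
//   <httpModules><add name="CustomRoles" type="CustomRolesModule" /></httpModules>
public class CustomRolesModule : IHttpModule
{
    private static readonly Hashtable RolesByUser = new Hashtable {   // constructed sample data
        { "alice", new string[] { "Billing", "Reports" } }, { "bob", new string[] { "Reports" } } };
    private static readonly Hashtable Hits = new Hashtable();   // "user|yyyy-MM-dd" -> request count
    private const int DailyLimit = 100;

    public void Init(HttpApplication app)
    {
        app.AuthenticateRequest += new EventHandler(OnAuthenticate);
        app.AuthorizeRequest += new EventHandler(OnAuthorize);
    }
    public void Dispose() { }

    // AuthenticateRequest: Windows or Forms authentication has already set HttpContext.User.
    // Keep its IIdentity but swap the principal so IsInRole() answers from the app's own roles.
    private void OnAuthenticate(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        if (ctx.User == null || !ctx.User.Identity.IsAuthenticated) return;   // anonymous: untouched
        string[] roles = (string[])RolesByUser[ctx.User.Identity.Name];
        ctx.User = new GenericPrincipal(ctx.User.Identity, roles == null ? new string[0] : roles);
    }

    // AuthorizeRequest: business rules layered on top of ACLs and URL authorization.
    private void OnAuthorize(object sender, EventArgs e)
    {
        HttpApplication app = (HttpApplication)sender;
        IPrincipal user = app.Context.User;
        if (!user.Identity.IsAuthenticated) return;   // URL authorization deals with anonymous users
        bool overLimit;
        lock (Hits)   // one aspnet_wp.exe process, many worker threads
        {
            string key = user.Identity.Name + "|" + DateTime.UtcNow.ToString("yyyy-MM-dd");
            int n = Hits[key] == null ? 1 : (int)Hits[key] + 1;
            Hits[key] = n;
            overLimit = n > DailyLimit;
        }
        bool billingArea = app.Request.Path.ToLower().IndexOf("/billing/") >= 0;
        if (overLimit || (billingArea && !user.IsInRole("Billing")))
        {
            app.Response.StatusCode = 403;   // authenticated but not allowed
            app.CompleteRequest();           // skip the handler, still run EndRequest
        }
    }
}
```

The counter lives in process memory, so it resets when aspnet_wp.exe recycles; a real deployment keeps it in SQL Server.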

Internet Information Services 6
- Complete rearchitecture
- Kernel-mode HTTP
- Web server security lockdown wizard
- Worker process application pools

IIS 6.0 Architecture

IIS 6.0 Application Pools

IIS 6.0 Process Recycling

References
- MSDN Magazine - September 2002
- www.WindowsWebSolutions.com
- Keith Brown - portals.devx.com/SummitDays/Article/6666
- Tim Ewald - msdn.microsoft.com/msdnmag/issues/02/09/HTTPPipelines/default.aspx
- Technical Overview of IIS 6.0 - www.microsoft.com/windows.netserver/techinfo/overview/iis.mspx
- Windows.NET Server Devcon - www.microsoft.com/misc/external/serverdevcon/