.NET Web Identity Authentication

Source: Internet
Author: User
Tags: md5 hash

Search Baidu for "ASP.NET authentication" and you will find plenty of material introducing "Forms Authentication", "Windows Authentication" and the like, but almost none of it describes the complete flow from IIS through to your own code. Beginners are often confused by this, and I have fallen into the pit too many times myself, so I am writing this article as a review.

Modern Windows Server systems are built on a strict user model: any operation on the server requires an account and password. When we deploy a finished web application to the server and a user accesses the site through a browser, that user is in effect operating the server over HTTP, or at least reading from it. This raises a question that most people ignore: network users do not know any server account password, so how do they obtain permission to read or write on the server? The answer is summarised in the following simple diagram (image not reproduced here):

After a user sends a request, authorization passes through two phases, IIS and ASP.NET. IIS authenticates the request against a Windows account (anonymous requests are mapped to a built-in account), and the resulting Windows identity, a token, is handed to the site. When ASP.NET runs, that token becomes a user principal object (the User property) that our own code can inspect. Let us work through a concrete example. First create an MVC project with "No Authentication" selected (a WebForms project works the same way); for convenience I will call it WebAuth.

The project defaults to a HomeController with three actions: Index/About/Contact. Build it and deploy it to IIS; to keep things simple I bound it to http://localhost. The identity authentication journey starts here.

IIS phase, 1: Anonymous authentication

This is what most companies and individuals use for their ASP.NET sites. Take the site we just deployed and open Authentication in the Features View of IIS Manager:

You can see that Anonymous Authentication is enabled by default. In this case no credentials are required, and we can still read content on the server, because IIS does a lot of work behind the scenes. When IIS is installed, setup creates an account for anonymous requests: IUSR_computername on IIS 6 (where computername is the name of the machine running IIS) and the built-in IUSR account on IIS 7 and later. Every anonymous request is executed under that account. When you get "access denied" reading or writing a file on the server during development and a search tells you to change the permissions of the IUSR account, this is why. The flip side is that whatever this account can read or write, every anonymous visitor can too, so grant it only the minimum the site needs.

2: Basic authentication

Without changing any code, disable "Anonymous Authentication" in IIS and enable "Basic Authentication". When we reload the site, the browser pops up a dialog asking for a user name and password:

This must be an account on the server (or its domain) that has read (and, if needed, write) permission on the site's root directory; you grant that on the Security tab of the folder's properties. I created a dedicated account named test and granted it access, as follows:

Back in the browser, enter the user name test and the password you set, and you can access every page of the project. For a project that does not need its own user logic, this gives you authentication without modifying a single line of code.

However, Basic authentication has a very serious security problem: the user name and password are sent over the network in clear text (Base64 encoding is not encryption), and the browser re-sends them with every request, so they are trivially intercepted. Remember that this is a server account. The fix is to serve the site only over HTTPS (SSL/TLS) so the credentials are encrypted in transit; even then the server still receives the real password on each request, so keep the account's rights to the minimum the site needs.

3: Digest authentication

Digest authentication provides the same user experience as Basic: a dialog asks for the account and password when the user visits http://localhost. The difference is in how the credentials travel over the network. The process is:

    1. The client requests a file from the server running IIS.
    2. IIS rejects the request with a 401, announces that it uses Digest authentication, and sends the realm name together with a one-time nonce.
    3. The browser (Internet Explorer in Microsoft's description) prompts the user for credentials (user name and password). It computes an MD5 hash from the user name, realm and password, combines that with the server's nonce and the request method and URI into a response hash, and resubmits the request carrying that hash; the password itself is never sent.
    4. The server running IIS receives the hash and forwards it to the domain controller for validation (Digest authentication in IIS requires the server to be a member of an Active Directory domain).
    5. The domain controller reports the validation result to the server running IIS.
    6. If the client is authenticated, IIS sends the requested document or data to the client.
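
The two exchanges above, Basic and Digest, side by side as an added example (this is not code from the original article and not how IIS or the domain controller are implemented; the server account name test comes from the article, while the password P@ssw0rd!, the realm localhost and the request path /Home/About are assumptions). It shows why a captured Basic header is game over, and why a captured Digest response cannot be replayed against a fresh nonce. The Digest part follows RFC 2617 with qop=auth, the same computation IIS performs, so it generalises beyond the article's six steps:

```python
import base64
import hashlib
import hmac
import os

# Constructed sample: the server account "test" the article creates, with an
# assumed password (the page never states one) and the realm IIS would send.
USERNAME = "test"
PASSWORD = "P@ssw0rd!"
REALM = "localhost"


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


# ---- Basic authentication: what actually crosses the wire ----

def basic_header(username: str, password: str) -> str:
    """Build the Authorization header the browser sends after the Basic prompt."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def basic_decode(header: str) -> tuple:
    """Anyone who can see the request can do this: Base64 is encoding, not encryption."""
    scheme, token = header.split(" ", 1)
    if scheme != "Basic":
        raise ValueError("not a Basic header")
    user, password = base64.b64decode(token).decode("utf-8").split(":", 1)
    return user, password


# ---- Digest authentication (RFC 2617, qop=auth, algorithm=MD5) ----

def digest_challenge(realm: str = REALM, nonce: str = None) -> dict:
    """Step 2: the server's 401 challenge, carrying the realm and a fresh nonce."""
    return {"realm": realm, "nonce": nonce or os.urandom(16).hex(), "qop": "auth"}


def digest_response(challenge: dict, username: str, password: str,
                    method: str, uri: str, cnonce: str, nc: str = "00000001") -> dict:
    """Step 3: the client hashes credentials + realm (HA1) and method + URI (HA2),
    binds them to the server nonce, and sends the result instead of the password."""
    ha1 = md5_hex(f"{username}:{challenge['realm']}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    response = md5_hex(f"{ha1}:{challenge['nonce']}:{nc}:{cnonce}:{challenge['qop']}:{ha2}")
    return {"username": username, "realm": challenge["realm"], "nonce": challenge["nonce"],
            "uri": uri, "qop": challenge["qop"], "nc": nc, "cnonce": cnonce, "response": response}


def digest_verify(challenge: dict, params: dict, method: str, ha1_store: dict) -> bool:
    """Steps 4-5: the verifier (the domain controller, in IIS's case) recomputes the
    response from a stored HA1 for the account; the clear password never crosses the wire."""
    if params.get("realm") != challenge["realm"] or params.get("nonce") != challenge["nonce"]:
        return False  # stale or foreign nonce: a captured response cannot be replayed
    ha1 = ha1_store.get(params.get("username"))
    if ha1 is None:
        return False
    ha2 = md5_hex(f"{method}:{params['uri']}")
    expected = md5_hex(f"{ha1}:{params['nonce']}:{params['nc']}:{params['cnonce']}:{params['qop']}:{ha2}")
    return hmac.compare_digest(expected, params["response"])


if __name__ == "__main__":
    hdr = basic_header(USERNAME, PASSWORD)
    print("Basic on the wire:", hdr, "->", basic_decode(hdr))
    ch = digest_challenge()
    store = {USERNAME: md5_hex(f"{USERNAME}:{REALM}:{PASSWORD}")}
    params = digest_response(ch, USERNAME, PASSWORD, "GET", "/Home/About", cnonce="0a4f113b")
    print("Digest on the wire:", params["response"], "valid:", digest_verify(ch, params, "GET", store))
    print("Same response replayed against a new nonce:", digest_verify(digest_challenge(), params, "GET", store))
```

Note what Digest does not fix: the verifier must hold HA1 (an unsalted MD5 of user:realm:password), so a compromised store or an offline attack on a captured exchange still recovers weak passwords. That is why both Basic and Digest should sit behind HTTPS regardless.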

A note on Active Directory: it is a standard Windows directory service that stores information about the network's objects, such as system accounts, user groups and shared resources, in a database so that users and services can locate and use them.

4: Windows authentication

As above, from the client user's point of view this method looks no different from Basic authentication, but under the hood it is considerably more complex. Neither the password nor a simple hash of it crosses the network: with Integrated Windows authentication the browser proves that it knows the password through a challenge/response exchange with the web server. Integrated Windows authentication is the default authentication method for members of the Windows Server 2003 family.

Windows authentication has two main flavours: NTLM and Kerberos V5. If the server belongs to an Active Directory domain (a Windows 2000 or later domain controller) and the user's browser supports the Kerberos V5 protocol, Kerberos V5 is used; otherwise it falls back to NTLM. Kerberos additionally needs the client to reach the domain controller and a correct service principal name registered for the site, which is why a site that uses Kerberos on the LAN may silently fall back to NTLM from elsewhere. For a detailed explanation of both, see: http://www.cnblogs.com/artech/archive/2011/01/24/kerberos.html

ASP.NET phase

The four methods above are provided by the IIS server. Once the user has authenticated with IIS, the request carries a Windows identity, which is passed on to our own project WebAuth. Open the project's Web.config and you will find the authentication configuration:

<authentication mode="Windows" />

The Windows mode here is not the same thing as "Windows Authentication" in IIS. It means: use the Windows user that IIS has already established, by whichever of its four methods, directly as the site's current user. You can see it in Index.cshtml by adding the following code:

Current logon status: @Request.IsAuthenticated<br/> Current logged-on user: @User.Identity.Name

With any of the non-anonymous IIS methods enabled (the ones that prompt for credentials), the page reports the status as True and the user as the Windows account name, in the form MACHINE\test or DOMAIN\user; with anonymous authentication it reports False and an empty name.

Usually, though, that is not how things are done. In most cases IIS is left on "Anonymous Authentication" alone, the site implements its own user logic, and the authentication mode is set to Forms: the familiar Forms authentication.

The core principle of Forms authentication is simple: the user sends their own credentials (user name and password) in a request; after the site verifies them it issues the user a ticket as proof of identity; the client stores the ticket in a cookie and attaches it to every subsequent request, and that is how it proves who it is from then on. Two caveats follow directly from this design: the ticket must be protected against tampering and must expire (ASP.NET encrypts and signs it using the machineKey), and the cookie should be marked HttpOnly and, over HTTPS, Secure, because whoever holds the ticket is the user. A well-known blogger on cnblogs explains this clearly with a series of examples: Http://www.cnblogs.com/fish-li/archive/2012/04/15/2450571.html, and Microsoft officially provides complete support and extension points for Forms authentication in the form of Membership and Identity. Both are also explained in detail by Brother Fei in his blog: http://www.cnblogs.com/jesse2013/p/membership.html
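
The ticket principle described above, as an added example written for this article rather than taken from it. It is a simplified stand-in for what FormsAuthentication does, not ASP.NET's actual ticket format: the ticket is a small JSON payload plus an HMAC-SHA256 tag under a server-side key (ASP.NET additionally encrypts it, and derives its keys from machineKey), the cookie name .ASPXAUTH matches ASP.NET's default, and the user store, its users and the key are all constructed here. It shows the three checks a site must make on every request: the ticket's signature, its expiry, and nothing else from the client is trusted.

```python
import base64
import binascii
import hashlib
import hmac
import json
import os
import time

# Assumed server-side secret. ASP.NET derives its own from machineKey; this one is
# generated here for the example, so tickets do not survive a process restart.
SERVER_KEY = os.urandom(32)

# Constructed user store: passwords kept only as salted PBKDF2 hashes, never in clear.
_USERS = {}


def register(username: str, password: str) -> None:
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)
    _USERS[username] = (salt, dk)


def check_password(username: str, password: str) -> bool:
    rec = _USERS.get(username)
    if rec is None:
        return False
    salt, dk = rec
    cand = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)
    return hmac.compare_digest(cand, dk)


def _b64(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_ticket(username: str, ttl_seconds: int = 1800, now: float = None) -> str:
    """Issue the proof-of-identity ticket the browser will store in a cookie."""
    now = time.time() if now is None else now
    payload = json.dumps({"name": username, "iat": int(now), "exp": int(now + ttl_seconds)},
                         separators=(",", ":")).encode("utf-8")
    tag = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(tag)


def verify_ticket(cookie: str, now: float = None):
    """Return the user name if the ticket is genuine and unexpired, else None.
    The signature is checked before anything in the payload is trusted."""
    now = time.time() if now is None else now
    try:
        p64, t64 = cookie.split(".", 1)
        payload, tag = _unb64(p64), _unb64(t64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None  # tampered or forged: the client cannot mint its own ticket
    data = json.loads(payload)
    if now >= data["exp"]:
        return None  # expired: the user must log in again
    return data["name"]


def login(username: str, password: str):
    """The login action: verify credentials once, then hand out a ticket."""
    if not check_password(username, password):
        return None
    return issue_ticket(username)


def current_user(request_cookies: dict):
    """Per request, what the Forms authentication module does: read the cookie,
    validate the ticket, and set the request's user from it."""
    cookie = request_cookies.get(".ASPXAUTH")
    return verify_ticket(cookie) if cookie else None


if __name__ == "__main__":
    register("alice", "correct horse battery staple")  # constructed account
    ticket = login("alice", "correct horse battery staple")
    print("ticket:", ticket)
    print("next request as:", current_user({".ASPXAUTH": ticket}))
    print("no cookie:", current_user({}))
    print("tampered:", verify_ticket(ticket[:-4] + "AAAA"))
```

Everything the site trusts about the user on later requests comes from the validated ticket, so the key and the expiry policy are the security boundary: a long-lived ticket with a leaked key is equivalent to leaked passwords for every user.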
