Methods and basic principles of IIS Server Authentication

BKJIA exclusive Article] We previously introduced how to ensure IIS security when attacks come quietly. The IIS server is a powerful server launched by Microsoft. It can implement multiple user authentication. Many administrators fail to understand the related methods and principles. You can master the user verification principles of the IIS server to avoid such tragedies.

The IIS server has the authentication function and can be authenticated in the following ways:

Anonymous Access

In this way, the access user's identity is not verified, and the client does not need to provide any authentication creden. The server uses such access as anonymous access, and map these access users to a server account. Generally, this user is IUSER_MACHINE. You can modify the user mapped:

Integrated windows Authentication

This authentication method can be divided into two situations.

NTLM Verification

This authentication method transfers the user name and password to the server. The server verifies that the user name and password are consistent with the password of the server. The user name is transmitted in plaintext. However, after the password is processed, an 8-byte key encryption question code is derived and then transmitted.

Kerberos Authentication

This authentication method only sends the verification ticket sent by the client to the IIS server. When IIS receives this ticket, it can determine the identity of the client without transmitting the user password. The user that requires kerberos authentication must be a domain user.

Every login user is verified by the Verification server in the domain to generate a ticket authorization ticket TGT) as the credential for this user to access other services to verify the ticket. This is the so-called single sign-on SSO function for accessing all resources in the domain that need to be verified at one login ), the ticket to access the IIS server is obtained from IIS through the user's ticket authorization ticket TGT. This verification ticket will be used when this customer accesses this IIS. Access to other services that require verification is also based on the TGT to obtain the verification ticket for this service.

The following describes the detailed principles of kerberos.

Kerberos principles:

The workstation runs a ticket Authorization Service called Kinit, which is used for identity authentication between the workstation and the Authentication Server Kerberos.

1. the user starts logging on, enters the user name, verifies that the server receives the user name, searches for the user in the user database, and finds the user.

2. the verification server generates a Session key shared by the Verification server and the login user. This password is used only between the authentication server and the login user for mutual authentication. At the same time, the verification server generates a ticket authorization ticket (ticket-granting ticket) for the login user, and the workstation can then request other tickets from the verification server with this ticket authorization ticket, instead of verifying your identity again. The verification server encrypts {Session key + ticket-granting ticket} with the login user's password and then returns it to the workstation.

3. the workstation uses its own password to decrypt the data packets returned by the server. If the decryption is correct, the verification is successful. After decryption, you can obtain the Session key shared by the login user and the verification server and a ticket-granting ticket. At this point, the login user did not send a password on the network. by verifying that the server uses the user password encryption to verify the authorization ticket, the user has established a relationship with the authentication server, the ID card is also saved on the workstation. If you use other services on the network in the future, you can use this ID card to apply for a service ticket from the verification server to obtain the Service identity verification.

4. If the user visits the IIS server for the first time, kinit of the workstation will check that there is no verification ticket to access the IIS server on the local machine. Then kinit will send a request to the verification server to request a verification ticket to access the IIS service. Kinit must first generate a validators. The validators are like this: {User name: workstation address} encrypted with the Session key between the verification server. Kinit verifies that the authorization ticket is valid by verifying the validators, ticket authorization tickets, your name, your workstation address, and the verification server sent by the IIS service name, then, use the Session key you shared with you to unbind the validators and obtain the username and address, which are compared with the user and address that sent the request. If they are consistent, the verification is passed and the request is valid.

5. the server authenticates the Session key password between the user and the IIS server, and then generates a verification ticket for the IIS server according to the user request. It looks like this: {Session password: User Name: user Machine address: Service name: Validity Period: Timestamp}. This verification ticket is encrypted to form the final verification ticket. Finally, the verification server {session password + encrypted verification ticket} is encrypted with the user password and then sent to the user.

6. the workstation receives the data packet returned by the Verification server and decrypts it with its own password to obtain the Session key of the IIS server and the verification ticket of the IIS server.

7. the workstation kinit also generates a validators. The validators are like this: {User name: workstation address} encrypted with the Session key between the IIS server. Send the validators and IIS verification tickets together to the IIS server.

8. the IIS server uses its own server password to unbind the IIS verification ticket. If the decryption is successful, the verification ticket is valid and valid. Then, check whether the verification ticket is within the validity period, use the session password in the verification ticket to decrypt the validator and obtain the username and workstation address, if it matches the user name and address in the verification ticket, it means that the user who sent the verification ticket is the owner of the verification ticket, thus verifying the validity of this request.

Basic Authentication

This authentication method uses base64 to encode the user name and plain text. However, base64 encoding is not encrypted and can be converted to the original plain text after conversion. The server directly verifies whether the local server matches the user name and password provided by the client. If yes, the server passes verification.

BKJIA exclusive Article. For details about the cooperation site, please indicate the original author and source .]