This paper introduces several techniques for managing secure Web access while addressing business-to-employee (B2E), business-to-customer (B2C), and business-to-business (B2B) extranet requirements. The paper also includes prescriptive implementation details for B2E Web single sign on (Web SSO) using certificates and B2C Web SSO using Microsoft® Passport.
For the purposes of this paper, extranet is defined as follows according to the entry for the term in the Microsoft Computer Dictionary, Fifth Edition:
Extranet — An extension of a corporate intranet using World Wide Web (WWW) technology to facilitate communication with the corporation's suppliers and customers. An extranet allows customers and suppliers to gain limited access to a company's intranet in order to enhance the speed and efficiency of their business relationship.
As demand for access to business resources continues to increase, organizations require internal applications and information to be accessible in a secure fashion to an increasing number of employees, customers, and partners. The challenge of managing extranets that provide such access increases with the levels of access granted. At the same time, the requirements for controlling the levels of access granted to users grow more complex.
In addition to securing sessions over the Web, organizations need a robust authentication and access control mechanism that allows users to gain easy entry to business resources they need to do their work. However, these same organizations need to restrict user access to proprietary business resources without imposing complex and costly management requirements that call for separate entitlement and authentication services.
Many organizations also need to apply a common security model that includes authentication, Web SSO, authorization, and personalization for both existing and planned applications. In addition, many organizations today have multiple applications for employees, partners, and customers. Forcing any of these users to repeatedly log on to access multiple applications within a single browser session creates frustration and a less-enjoyable user experience.
In order to realize your return on the investment made in extranet applications, it is essential that users have a secure, seamless, and transparent experience when browsing to multiple applications within a single browser session. This capability protects extranet assets while encouraging additional partners, customers, and employees to participate in automated processes that will either save money or increase revenue for your organization.
This user experience can be provided by consolidating application identity stores and standardizing authentication and authorization, using platform services that require less management while improving security. The business benefits that an organization might achieve with a well thought-out extranet strategy include:
The intended audience for this paper includes architects, IT professionals and managers, technical decision makers, and consultants involved in identity and access management efforts.
This paper assumes the reader has a moderate knowledge of identity and access management concepts and technologies, as described in the "Fundamental Concepts" paper in this series. Optional additional reading on related topics can be found in the "Intranet Access Management" paper in this series.
To implement the solutions in this paper, readers should have an understanding of the infrastructure described and implemented in the "Platform and Infrastructure" paper in this series, plus the following areas and technologies:
This paper includes seven chapters. It focuses on the following issues and concepts that are essential to an effective external-facing access management strategy:
Chapter 1: Introduction
This chapter provides an executive summary, defines the recommended audience for the paper, and provides reader prerequisites and an overview of the chapters in the paper.
Chapter 2: Approaches to Extranet Access Management
This chapter builds on the information provided in the "Fundamental Concepts" paper. There are many approaches to developing an extranet with strong authentication, SSO services, roles-based authorization, and personalization to meet the needs of your organization. The chapter discusses how you can apply these approaches to extranet scenarios.
Chapter 3: Issues and Requirements
This chapter defines the background, issues, and requirements for the B2E and B2C scenarios for Contoso Pharmaceuticals, a fictitious company.
Chapter 4: Designing the Solution
This chapter focuses on identifying and highlighting key elements that address the initial requirements for a sound design. The Contoso requirements for the B2E and B2C extranet access scenarios are used to specify the solution architecture.
Chapter 5: Implementing the Solution
This chapter focuses on implementing the B2C and B2E solutions for Contoso. The chapter includes step-by-step instructions to configure the Contoso extranet to support both B2E and B2C applications.
Chapter 6: Testing the Solution
This chapter provides guidance on how to troubleshoot and validate the Contoso solution scenarios implemented in the previous chapter.
Chapter 7: Operational Considerations
The final chapter of the paper provides an overview of some core operational procedures required for day-to-day management of the extranet access management solutions.
In addition to a general discussion of extranet access management approaches, this paper also provides detailed prescriptive guidance for implementing an extranet identity and access management solution for organizations operating B2E and B2C scenarios. The prescriptive guidance builds on the Contoso Pharmaceuticals scenario introduced in the "Platform and Infrastructure" paper in this series.
The scenarios in this paper have been developed by Microsoft to illustrate the typical challenges organizations face in providing extranet access management and SSO services. The guidance includes information about how Microsoft technologies can address them. Chapters 3 through 7 of this paper focus entirely on these two solution scenarios.
B2E extranet scenarios are driven by the requirements for a mobile workforce to access data and applications while not connected to the internal network.
This scenario is designed to provide you with the information you need to implement secure and scalable extranet access based on x.509 certificates, and the following Microsoft products and technologies:
Contoso has aggressive plans to provide Web applications in its extranet that will provide important information and services for specific customers beyond those on the company's Internet site. Chief among these planned applications is an over-the-counter (OTC) drug trial feedback application that will provide Contoso with a very efficient way of gathering critical customer feedback about upcoming products.
The application must improve customer satisfaction through a better user experience; while improving administration processes and reducing customer support costs associated with public access to their data and applications. This scenario will demonstrate the use of:
Web SSO through Passport Services meets the organizational challenge of reducing support costs for customer remote access to your environment.
Note For a B2B solution scenario that implements Forms-based authentication using sample code, see the "Developing Identity-Aware ASP.NET Applications" paper in this series.
This chapter continues the discussion of the authentication, authorization, and user management technologies in the "Fundamental Concepts" paper, and their relevance in fulfilling extranet requirements.
Approaches for integrating applications and providing a Web single sign on (SSO) experience may differ for an extranet; they are not equally applicable to business-to-employee (B2E), business-to-business (B2B), and business-to-customer (B2C) scenarios. This chapter discusses the various techniques available and their suitability in each scenario.
A number of vendors also provide extranet-focused authentication and authorization technologies that complement the Microsoft Identity and Access Management Platform for providing extranet access management services. This chapter concludes with a few of these offerings that you may wish to consider.
Before discussing the approaches and solutions available for providing extranet access, it is worthwhile to understand some of the technical areas for consideration that will influence your decision on the approach you select, including:
Many organizations are rapidly adopting a Web-based extranet strategy to provide access to remote employees (and partners and customers) because of the challenges of establishing and maintaining access through a virtual private network (VPN).
VPN technology has long been used for remote access and can provide a secure, user-friendly experience when it is possible to use such technology. Unfortunately, many remote locations do not permit outbound VPN for security reasons.
In addition, VPN access often places additional software or hardware requirements on the client, further limiting access only to clients that have been preconfigured for VPN from locations that allow VPN connections.
Deploying Web-based applications and data portals directly to the extranet solves the fundamental problem of VPN access because all access is over HTTP ports, which almost all organizations and networks allow. Doing this while providing the same security and user experience that VPN provides presents the typical challenge that many organizations face.
When VPN access to extranet resources is the preferred approach for employee access or trusted business partners, Microsoft Internet Authentication Service (IAS) is a great choice. IAS is described in the following section.
Internet Authentication Service (IAS) is the Microsoft implementation of the industry standard Remote Authentication Dial-In User Service (RADIUS) protocol. IAS provides authentication, authorization, accounting, and auditing of remote access (dial-up and VPN) and both wireless and wired 802.1x LAN network connections.
IAS uses identities from Active Directory to provide SSO, and prevents access by unauthorized identities (users or devices) to the network. In addition, the technology offers the following features:
For more information about IAS, see the Internet Authentication Service page.
The remainder of this paper focuses on providing Web-based extranet access solutions.
There are several Microsoft technology choices available to provide extranet directory services, including the following in order of preference:
Some of the advantages of Active Directory over ADAM for extranet use include:
Using a custom database to store identities is a popular mechanism that developers often use. Because they can apply the database skills they are comfortable with in this way — many extranet applications are based on custom databases. Unfortunately, the effort required to develop, test, and support custom database-based identity stores for extranet applications is misguided. Platform directory and security services are easy to use, require less development effort, provide a wide range of flexible capabilities, and help reduce the number of identity stores the organization needs.
The remainder of this paper discusses the possibilities and techniques available when using Active Directory as the extranet directory service.
In many cases, the design and capabilities of current applications deployed by the organization in the extranet will dictate what kind of identity and access management infrastructure should be deployed to support them. For example, if the organization has an existing independent software vendor (ISV) application that only supports a custom authentication mechanism, then little can be done at the application level to use a different authentication mechanism — unless the ISV commits to providing additional functionality via an upgrade.
Organizations creating new applications should carefully weigh the options for an application development platform and make choices based on the level of integration with an evolving extranet access management infrastructure. For more information about how Microsoft Visual Studio® .NET provides a rich application development environment for creating applications that integrate well with an extranet access management infrastructure, see the " Developing Identity-Aware ASP.NET Applications" paper in this series.
Extranet access management solutions require identity life-cycle management services such as provisioning, and user, credential, and entitlement management.
When choosing various techniques for an extranet access management solution, be sure to reflect on the following business and technology considerations:
The techniques discussed in this paper are influenced by the identity life-cycle management choices your organization should make.
Before considering each authentication technique, be aware that passwords are often the weakest elements of security systems and frequent targets for attack. It is important to understand which authentication techniques are password-based, because they create larger attack surfaces in your extranet.
The way a password is used for authentication is also something to consider. Some authentication protocols (such as Basic and Forms-based authentication) require a plaintext password to authenticate a user. This means that the server itself must have a plaintext password to authenticate the user even though the communications channel between the browser and server is encrypted. Today's viruses and worms can take advantage of plaintext password authentication mechanisms to capture hundreds or thousands of passwords before an organization realizes what has happened.
Other protocols may use a secure, one-way hash (such as Digest authentication), meaning that the server does not require any knowledge of the plaintext password. And some authentication protocols do not use passwords at all (such as SSL and TLS Certificate authentication).
For these reasons, many companies choose not to use password-based authentication techniques in their extranet, particularly for employee access. This approach helps limit the possibility of employee password attacks from outside the intranet.
There is a wide range of authentication technologies and techniques that Web applications can use on the extranet. Because of this greater variety across extranet scenarios, extranet authentication is typically more complex and varied compared to the authentication technology an organization uses for its intranet. The method you choose will often be dictated by:
Authentication methods applicable to extranet scenarios include:
Nearly all data that is transmitted over the Internet between an organization's extranet applications and the employees, partners, and customers who use them should be protected from unauthorized individuals viewing the communications channel. For this reason, SSL or TLS is almost always used in extranet scenarios to provide data security, which these protocols do by encrypting all client/server traffic.
SSL and TLS are well-known mechanisms that provide this secure communication channel between client and server applications. Less well understood is how the protocols also provide robust authentication for both the server and the client.
Organizations commonly use SSL and TLS 1.0 to secure Web application data and to verify the identity of the organization's Web applications. This is typically referred to as server authentication.
SSL and TLS over HTTP, commonly referred to as Hypertext Transfer Protocol Secure (HTTPS), automatically authenticate server applications to clients using a server's X.509 certificate.
SSL server authentication occurs because the client browser application, such as Microsoft Internet Explorer, validates the server's certificate according to PKI policy maintained on the client system. In order to achieve SSL and TLS server authentication, X.509 certificates only need to be installed and configured on a Web application server, such as one running IIS. No client configuration is required in most cases.
Another possibility is to use SSL and TLS to provide strong, mutual authentication (the combination of server and client authentication) by configuring the Web application server to require client authentication using X.509 certificates.
Client authentication requires that clients are issued X.509 certificates. X.509 certificates may be stored on the user's computer as software certificates, on a smart card, or in a hardware token as a hardware certificate.
The client browser application (such as Internet Explorer) attempting to authenticate the user to the server using SSL or TLS, must provide the server with the user's X.509 certificate, and also prove that it has access to the private key associated with the certificate. After it has been validated, the Web application server can map the client's certificate to a corresponding account in Active Directory in order to create an authorization context.
SSL client authentication, because it is based on strong public key technology, provides extremely strong authentication for high-value applications and data.
For more information about SSL client authentication, see the Step-by-Step Guide to Mapping Certificates to User Accounts.
Note While X.509 digital certificates offer the possibility of strong authentication without using a password, the private key material associated with the certificate must be well protected. An attacker who gains access to the key material will be able to authenticate as the user. Workstations should be protected by security policy and workstation owners should take the normal precaution of locking workstations when they are not in use. Additional security can be gained by storing the certificate on a smart card or other protected hardware token.
For more information about workstation security please see the Windows XP Security Guide.
SSL and TLS client authentication does not require the user to provide a password to authenticate to a Web site. Instead, the user must have access to an X.509 digital certificate stored on either the user's computer or a separate hardware device. Not only is authentication using digital certificates more secure then password-based authentication, it also provides a single sign on (SSO) experience for the user if one of the following conditions is met:
The Microsoft Windows Server platform provides built-in, no-cost certificate services for issuing both server and client X.509 certificates that will meet the security and business requirements of many organizations. However, a significant amount of additional effort is required to deploy, operate, and manage a certificate services infrastructure and not every organization will decide that the security characteristics of strong, mutual authentication over SSL and TLS are worth the expense. However, when the environment includes a manageable number of internal or external users, and the Web application delivers very sensitive information, a certificate services infrastructure can be a worthwhile business investment.
For the reasons discussed above, SSL and TLS 1.0 are perhaps best suited for use in B2E and some B2B scenarios. On the other hand, it is better to design B2C and the other B2B scenarios around alternative techniques for client authentication.
Microsoft Passport presents a number of authentication service advantages for organizations that are deploying extranet applications. First among these advantages is that Microsoft Passport accounts are issued and managed outside the organization that is hosting the extranet application. This external management means that the hosting organization has no responsibility to provide account life-cycle management for customers or other users that use Passport for application authentication.
For certain scenarios (primarily B2C and B2B) in which the numbers of users can be in the hundreds of thousands or even millions, Passport provides organizations with the ability to avoid millions of dollars of identity management-related overhead. Users handle forgotten passwords and user identities directly with the Passport service.
For more information about Microsoft Passport Services, see the following resources:
Another advantage provided by Passport authentication is that the Passport authentication protocol can provide a Web SSO user experience. In Passport terms, this means that a user authenticates once (per browser session) to Passport Services, and then can authenticate to different Passport-enabled applications without entering their credentials again (if the application permits Passport SSO). Because Web SSO is a Passport-wide feature, cross-site Web SSO can be achieved through Passport, including to the organization's extranet and other Passport sites as well.
Windows Server 2003 and IIS 6.0 offer a powerful new feature that allows for Passport accounts to be mapped to Active Directory accounts. This feature is important because it allows applications to be developed to a common security standard that focuses on Active Directory for authorization and entitlement management, while Passport is used for authentication.
Note Because Microsoft Passport Services offer the possibility of SSO authentication to many different sites and applications, the Passport password must be well protected. An attacker who gains access to the Passport password or a Passport-authenticated workstation will be able to authenticate to Passport sites as the user. Workstations should be protected by security policy and workstation owners should take the normal precaution of locking workstations when they are not in use.
For more information, see Setting Up .NET Passport in IIS 6.0 (IIS 6.0).
Passport is perhaps best suited for organizations running B2E, B2C, and B2B applications in environments where large volumes of users need to authenticate to your applications. The value of the data exposed by these applications should at the same general level as the security characteristics of the Passport authentication services.
For example, Microsoft provides a Web site for employee classified advertisements that any Microsoft employee (as well as employee spouses, friends, and acquaintances designated by the employee) can use to list personal items for sale. This classified ad service uses Passport authentication, which meets the Microsoft requirement for maintaining some control over access to the service, but makes it accessible for a large group of individuals without the need to maintain credentials for those users.
On the other hand, using Passport for authentication may not always be the most suitable alternative. The three main issues to adopting Passport for B2C and B2B authentication are:
The first issue is due to the fact that Passport accounts are conceptually tied to an e-mail account. The e-mail account might be a Hotmail account (a Passport partner), but it also might be an e-mail account that belongs to an organization. Passport Services today do not provide the ability for an organization to manage all of the accounts in the e-mail namespace that it owns. The ability to do so would provide an opportunity to build authorization and business logic around the Passport account e-mail attribute.
The second issue is due to the fact that today there is no ability to require (at the application level) that a Passport account be managed by strong security and password policies. Common customer requirements are for Passport to enforce the same type of strong password policy that organizations apply to their own networks. Again, future versions of Passport plan to have this feature.
The third issue is that the Passport authentication protocol is based on the cookie mechanisms defined for HTTP state management as defined in RFC 2965. When sent over the Internet unencrypted, authentication cookies can be captured and replayed, thereby allowing an attacker to access an application as a valid user. To prevent replay attacks, Passport has the capability to enforce the application to require that all cookies it receives for Passport authentication are protected by SSL, which completely mitigates the threat of cookie theft and replay.
Note Initial authentication of the user to Passport, which includes the credentials of the user, is always protected by SSL or TLS.
Basic and Digest authentication are part of the HTTP 1.1 protocol as defined in RFC 2617, "HTTP Authentication: Basic and Digest Access Authentication".
Note Digest authentication has improved in Windows Server 2003. Windows Server 2003 comes with an authentication package for Windows Digest Authentication, which is used by IIS 6.0. IIS 5.0 in Windows 2000 Server implemented a form of digest authentication, but its implementation was flawed in that it required user passwords to be stored in Active Directory using reversible encryption.
Digest Authentication in Windows Server 2003 (incorrectly called Advanced Digest Authentication in some documentation) stores user credentials on the domain controller as an MD5 hash (a one-way hash) and does not require reversible encryption for user passwords.
There are a few common issues with the use of Digest and Basic authentication for extranet applications that include:
The first issue is due to the fact that Digest and Basic authentication are session-based authentication mechanisms that are specifically prohibited from using the same credentials to establish a new session. In HTTP terms, this means that when the user browses to a new URL, the Digest or Basic authentication credentials will not be reused and the user will receive a new login prompt. For extranets that have more than one application, this produces a poor user experience.
The second problem is that both Digest and Basic authentication are integrated in Internet Explorer through a similar dialog box that is displayed to the user when the server issues a Digest or Basic (or NTLM) authentication challenge. The Internet Explorer dialog does not provide much information to the user about what they are about to do or what to do if it doesn't work.
The final problem worth noting is specific to Basic authentication. While Digest uses cryptographic techniques to hide the user's password from the Web server, Basic authentication transmits the plaintext password to the Web server. The security risk is that a Web server is not particularly trusted and should not be permitted to see the plaintext credentials. Even if the Web server is highly trusted (managed by the same group in the organization that manages Active Directory, for example), there is still a security risk if the server is compromised. If the server is compromised, there is a possibility that malicious code could be installed on the server to capture plaintext passwords and transmit this information back to the attacker. Any service that uses Basic authentication should switch to Digest authentication as soon as possible.
Note Digest authentication uses cryptography to protect user credentials (the password) during the client-to-server authentication step. Basic authentication, however, transmits all sign-on credentials in plaintext, and for this reason this method of authentication is vulnerable to interception unless SSL and TLS 1.0 are used to protect all URLs that use Basic authentication.
For those sites that enable Basic or Digest authentication, the user can create an SSO experience by selecting Remember My Password during logon in Internet Explorer. This only caches credentials for a specific Web site, so it is not a full Web SSO experience.
The lack of Web SSO is a limited concern when users only need to access a single application or URL. Microsoft recommends that organizations deploying multiple extranet applications look for more robust authentication methods to provide Web SSO.
Basic authentication, even over SSL, is not recommended for any extranet scenarios because of its security limitations.
Digest authentication has better security characteristics than Basic authentication because the Web server doesn't receive a plaintext password. However, because the user experiences are the same, Digest authentication is best reserved for specific scenarios where users trust how applications have been established in the extranet.
The implementation of Digest and Basic authentication in IIS 6.0 is closely integrated with Active Directory. Although this approach makes centralized management of accounts possible, the application architect must consider how accounts for employees, partners, and customers are provisioned and maintained. Because these authentication methods are user name and password-based, some thought has to be given to how the user will manage their account and perform such actions as password changes and password resets, as well as how entitlements will be managed on an ongoing basis.
Forms-based authentication uses Web forms to collect user credentials such as user names and passwords. After these credentials are collected, it is typically up to the application to validate the credentials using a choice of mechanisms and then establish session state through HTTP cookies. One common use of cookies in this scenario is to provide Web SSO. Applications can be developed using this approach so that authenticated users are able to move freely between cooperating services. Application development platforms such as Microsoft ASP.NET provide interfaces that can validate the client credentials as well as write cookies containing information about the user.
The main advantage of Forms-based authentication is that it does not provide a generic logon dialog as described previously for Digest and Basic authentication. Using the state information in cookies and the rich UI possible in Forms-based authentication, the developer has the ability to manage the client's logon experience. Aids to the logon experience can include hints about what credentials to use, helpful error messages about what to do if authentication fails, and where to go for more information.
Another advantage of Forms-based authentication — in some scenarios — is that Forms-based authentication is easy to implement against non-directory identity stores. The application developer has a choice of any identity store to authenticate against, including directories that use Lightweight Directory Access Protocol (LDAP), SQL Server databases, or even flat files that contain user names and passwords. This wide-open approach to identity authentication, however, has created many of the problems that organizations face with identity life-cycle management, so only make such choices carefully.
Forms-based authentication can provide an SSO experience to users, depending on how all participating applications have been designed.
The disadvantage of Forms-based authentication (and the associated Web SSO cookies) is that there is no common standard for creating the cookies. In order to enable Web SSO between applications, each application must be able to understand the cookie content. To create a secure Web SSO mechanism, it is also necessary that cookies be protected from tampering by potential attackers. It is possible to protect cookies and meet security requirements using shared key or public key cryptographic techniques, but such mechanisms usually imply configuration and management of the keys by application administrators. Third party SSO products usually handle key rotation automatically.
Note The "Developing Identity-Aware ASP.NET Applications" paper in this series includes sample code for implementing Forms-based authentication and Web SSO.
Forms-based authentication is appropriate for B2E, B2C, and B2B scenarios as long as the application architect fully understands the issues and the trade-offs relative to other authentication options.
Note Like Basic authentication, Forms-based authentication transmits all sign on credentials in plaintext, making it vulnerable to interception unless SSL or TLS are used to protect the application logon page, and all pages where authentication cookies are sent. If possible, the architecture should isolate and protect the servers that accept and process plaintext credentials from the servers that deliver the Web applications.
Security Assertion Markup Language (SAML) is an industry standard for creating XML-style security tokens. SAML tokens can be used as authentication "tickets" much like HTTP cookies can be used, with the advantage that a standard format allows applications, platforms, and operating systems from different vendors to interoperate with respect to authentication and authorization.
However, SAML is not a complete authentication mechanism in that it does not define client-to-server protocols. For more information about SAML, see the Organization for the Advancement of Structured Information Standards (OASIS) home page.
XML Web services are the fundamental building blocks in the move to distributed computing on the Internet. Open standards and the focus on communication and collaboration among people and applications have created an environment where XML Web services are becoming the platform for application integration. Applications are constructed using multiple XML Web services from various sources that work together regardless of where they reside or how they were implemented.
Web Services include a number of standards that apply to identity and access management. The main standards that affect Authentication are Web Services – Security (WS–Security) and Web Services–Federation (WS–Federation).
WS–Security is a multi-vendor open specification for implementing security in Web services. WS–Security Version 1.1 is now an OASIS standard. Related specifications such as WS–Trust, WS–Federation and WS–SecureConversation combine with WS – Security to create an end-to-end protocol for Web services authentication and data protection.
For more information about Web services, see Web Services and Other Distributed Technologies, on MSDN and the article "New Technologies Help You Make Your Web Services More Secure" on the Web Services Developer Center.
WS – Federation is a multi-vendor open specification that covers establishing federation trusts across public networks. These federation trusts can link organizations or link external users to an organization. WS–Federation builds on the foundations and mechanisms specified in WS–Security, WS–Policy, and WS–Trust, by using the concepts of claims and security tokens to enable richer trust realm mechanisms across and within federations.
For more information about the WS–Federation definition, see "Web Services Federation Language", on the MSDN Web site.
WS–Security and WS–Federation can enable single sign on to multiple applications, if those applications are hosted by one federated organization. Signing in to an application that is hosted by another organization with a separate trust relationship would require the user to log on again.
WS–Security and WS–Federation give the flexibility to address B2E, B2B, and B2C scenarios, depending on which federation setup is in use. The next section illustrates how Windows Server 2003 R2 provides federation topologies for each scenario.
Windows Server 2003 R2 implements WS–Federation as part of the Active Directory Federation Service (ADFS). ADFS enables organizations that use Windows Server 2003 R2 to implement one of three federation topologies:
For more information about ADFS, see "Overview of Active Directory Federation Services (ADFS) in Windows Server 2003 R2".
The following table summarizes the extranet authentication techniques discussed above.
Table 2.1. Summary of Extranet Scenarios and Authentication Techniques
Authentication Method | B2E | B2B | B2C | SSO | x-Platform Browsers |
SSL and TLS X.509 Client Authentication | | º | | | * |
Passport Services | | º | | | |
Digest | º | º | | û | |
Basic (over SSL) | | | | û | |
Forms-based (over SSL) | º | º | º | * | |
WS – Security and WS – Federation through ADFS | º | | º | | |
Legend:
Recommended
º Optional
Not recommended
Fully Supported
* Supported with some customization
û Not Supported
Extranet applications can employ the same range of authorization techniques as intranet applications. The list of possible techniques includes:
The "Fundamental Concepts" paper in this series provides a full discussion of the first two techniques. The solution scenarios in this paper describe the use of Authorization Manager to implement URL authorization, while additional guidance on authorization is available in the "Developing Identity-Aware ASP.NET Applications" paper in this series.
For more information about Windows Authorization Manager, see Role-Based Access Control for Multi-tier Applications Using Authorization Manager.
ADFS in Windows Server 2003 R2 provides a new authorization technique that uses claims to establish whether a user is authorized to access a resource. Claims are statements (for example, name, identity, key, group, privilege, or capability) made about users and understood by both partners in an ADFS federation.
A claims-aware application is a Microsoft ASP.NET application that has been written by using the ADFS library. This type of application is fully capable of using ADFS Claims to make authorization decisions directly.
A claims-aware application accepts claims that the Federation Service sends in ADFS security tokens. Claims-aware authorization consists of a Hypertext Transfer Protocol (HTTP) module and objects for querying the claims that are carried in the ADFS security token.
For more information about how the Federation Service uses security tokens and claims, see the Federation Service Web Page, on Microsoft TechNet.
The "Intranet Access Management" paper in this series describes how trust can enable SSO in the Windows platform on the intranet. Many of the same concepts apply to trust relationships between intranet and extranet forests, however, there are a few additional issues to consider.
Many organizations are satisfied (even if they cannot achieve SSO) if a user can use their intranet Active Directory password-based credentials to log on to the extranet. This can be implemented using a one-way external or cross-forest trust from the extranet to the intranet. A few points to consider when evaluating the use of Windows trusts between an extranet and intranet include:
Many organizations choose not to establish a Windows trust between the intranet and extranet because of one these factors or because they wish to achieve greater logical separation between the external and internal-facing networks.
Creating "shadow" accounts in the extranet that mirror accounts in the intranet is one way that works with most kinds of authentication using the same identity (username) and possibly even the same password. The B2E scenario in this paper describes how to use shadow accounts along with X.509 client digital certificates to enable strong authentication without passwords, trusts, or open ports connecting the internal and external networks.
A good solution for automatically managing shadow account identities is described in the "Identity Aggregation and Synchronization" paper in this series. Microsoft does not recommend whether Windows trust or shadow accounts should be used — organizations should choose a model that they are most comfortable with.
Password synchronization is a more contentious issue and Microsoft does not recommend synchronizing intranet account passwords to the extranet unless no better option exists.
When using shadow accounts without synchronized passwords, there is usually some other form of trust used to link the intranet identity with the extranet identity. The B2E scenario in this paper describes how digital certificates are used to authenticate employee access to the extranet. Before this scenario can be implemented, a PKI trust must be established between the intranet certificate services and the extranet Web servers. The PKI trust allows the extranet Web servers to trust the contents of the intranet digital certificates in order to perform the mapping from digital certificate to shadow account in the extranet Active Directory.
The B2C scenario in this paper describes how Passport identities can be mapped to accounts in the extranet Active Directory. Before this can happen, the tickets must first be validated as coming from Passport. The process of performing the validation is based on the keys that were exchanged between the organization and Passport during the establishment of the contract, or trust, between the two entities.
The federated identity mechanisms in products such as Windows Server 2003 R2 enable the establishment of trust between two organizations. The parties of the trust will agree on which identities will be federated and what claims about those users can be made as they navigate from one organization's resources to another.
Personalization is an interesting topic for discussion because it means many different things to different people. Personalization could be data that is stored relative to some identity. The data could be specific to a single application and, for example, could include information such as a relationship level between an organization and a customer such as "Gold," "Premier," "Silver," or other such designations.
The challenge of storing personalization data is where to put it. In general, Microsoft recommends that user identity information such as credentials, entitlements, and other security-related data should be stored in Active Directory, but storing personalization information in Active Directory typically requires schema extensions. It should be noted that frequent changes to personalization data types or attributes could significantly burden the Active Directory service and the Active Directory administrators.
Accordingly, application developers should evaluate Active Directory Application Mode (ADAM) or SQL Server databases for storing highly-volatile or application-specific personalization data. See the "Intranet Access Management" paper in this series for more information about ADAM.
Personalization can also indicate the manner in which information or options are displayed to a Web application user through a portal. For example, if an organization has six applications or resources for all of its users but only three of these are represented as links that a customer can use, the portal implementation design requirements could state that only the customer-relevant links should be displayed to a user with the role of "customer."
This kind of personalization can be implemented in the portal application using a roles-based authorization mechanism such as Windows Server Authorization Manager or ASP.NET roles.
Personalization is a feature that ships in many commercial applications as well. Examples of Microsoft products that support personalization include:
Microsoft products currently do not provide an end-to-end solution for some aspects of extranet access management. The key gaps in Microsoft product offerings include:
For more information, visit the Web sites of the following independent software vendors (ISV) listed in alphabetical order for products designed to fill these gaps:
This chapter introduces the Contoso Pharmaceuticals scenario, including background, issues, and requirements for the company's business-to-employee (B2E) and business-to-customer (B2C) needs.
Note For a B2B solution scenario that implements Forms-based authentication using sample code, see the "Developing Identity-Aware ASP.NET Applications" paper in this series.
The sales personnel at Contoso work both in the office and on the road, visiting customers and building the company's business. One of their primary tasks is capturing sales and contacts information in a centralized database at corporate headquarters. Creating this information requires the sales force members to have access to Web applications that allow them to enter and modify customer contact information while they are out of the office. Additional applications are planned for the in the near future.
Contoso maintains a legacy B2E Web application that allows its sales employees to log on remotely and manage customer information. The application authenticates users against an external directory that is separate from the organization's intranet directory. Because there is no synchronization between the two directories, sales employees were forced to create additional user accounts and passwords. This situation created management problems and security concerns because sales employees frequently either forgot their additional passwords (for accessing the application) or taped written reminders to their laptops.
The legacy Contoso Sales and Contacts application is a Web-based application hosted on Microsoft® Internet Information Services (IIS) 6.0. The Web server performs Basic authentication over Secure Sockets Layer (SSL) by authenticating the user against an application directory using Lightweight Directory Access Protocol (LDAP) simple bind.
After the user has been authenticated, the application queries a group attribute on the user object in order to perform authorization. The application determines whether the group attribute contains a value equal to Sales. The presence of the Sales value in the group attributes authorizes the user to access all sales and contact information in the application. There is no specific control implemented in the authorization mechanism — any user with access is allowed to create, delete or edit any information in the database.
The application provides no auditing functionality to track what changes were made to the database or who made them.
The accounts in the external directory are created manually as part of the hiring process for new Sales department employees, which increases IT administrative costs because administrators must create accounts in the organization directory and "shadow" accounts in the external directory.
In addition, there have been problems with new members of the sales force not getting access to the application because the manual process is not executed. When this occurs, the new employee must call the Helpdesk to determine why they don't have access.
The following issues have been identified as adversely affecting the business strategy for Contoso:
The following technical issues affect Contoso:
The following security issues negatively impact the security strategy for Contoso:
Contoso must satisfy the following requirements before the company can complete this portion of its identity and access management solution:
Contoso currently has a B2C application that allows customers to provide feedback on trial products. The user population for the Customer Trial feedback application includes members of the general public who agree to participate in the trial.
For Contoso customers to access the Customer Trial feedback application, accounts are matched in Active Directory to service authentication and authorization requests. Providing Helpdesk services for account creation, maintenance, and password reset requests requires a large staff available 24 hours a day while the trial is running.
The Customer Trial feedback application uses HTTPS as its communication protocol. The Web server uses Basic authentication to authenticate users against an application directory using LDAP 3.0. The registration process that users follow to join the trial automatically creates customer accounts. After completing the registration process, each user receives a user name and password that they use to log on to the Customer Trial feedback application and submit a weekly trial report.
The B2C Customer Trial feedback application for Contoso, and the processes that directly relate to it, present the following major business issues:
The B2C Customer Trial feedback application, and the processes that directly relate to it, present the following major technical issues for Contoso:
The B2C Customer Trial feedback application, and the processes that directly relate to it, also present the following major security issue for Contoso:
Contoso must satisfy the following requirements to complete this portion of its identity and access management solution:
The previous chapter considered the business, technology, and security issues for two extranet access management scenarios, and listed the solution requirements for each. Designing the appropriate solution is the next part of the overall process.
The following sections in this chapter present a solution concept, the solution prerequisites, and a solution architecture for each of the extranet access management scenarios. After the design is complete, the last sections describe how each of the solutions will work.
One highly secure choice for providing access to employees is to integrate X.509 digital certificate authentication into the Contoso extranet platform to create an easy to manage SSO environment for Web-based applications. Web single sign on (SSO) using client certificate authentication provides a solution that addresses the security challenges faced by organizations with business to employee (B2E) initiatives, while meeting growing business requirements such as telecommuting and support for a mobile workforce.
The following figure illustrates the solution concept by providing a high-level overview of the identity and access management solution for Contoso, which is designed to meet the company's B2E requirements. To secure access to the Sales and Contacts application, the Web server uses digital certificates as the authentication method. The system authenticates employees with valid certificates, and provides them with the appropriate access based on their credentials in the directory.
Figure 4.1. The solution concept of the Contoso B2E extranet access scenario
The B2E solution in this paper requires you to install and configure the following:
The "Identity Aggregation and Synchronization" paper in this series explains how to maintain the certificate mapped shadow accounts automatically through Microsoft Identity Integration Server 2003, Enterprise Edition with Service Pack 1 (MIIS 2003 with SP1), and the "Platform and Infrastructure" paper in this series creates shadow accounts in the extranet Active Directory with the user certificates mapped. Either approach is acceptable.
Figure 4.2. Certificate auto-enrollment
Mobile employees receive client certificates via certificate services and auto-enrollment as show in Figure 4.2. Auto-enrollment policy is defined in Active Directory Group Policy, which indicates to workstations during logon that they must contact the issuing certificate authority (CA) to receive an SSL client certificate.
The following figure shows the logical design of the Contoso B2E extranet access solution:
Figure 4.3. The logical design of the Contoso B2E extranet access solution
The solution architecture of the B2E Sales and Contacts application has the following characteristics:
Figure 4.4 shows the network design for the Contoso B2E extranet access solution:
Figure 4.4. The network design of the Contoso B2E extranet access scenario
This section details how the B2E extranet access solution works after it has been implemented and validated as described in Chapter 5, "Implementing the Solution," and Chapter 6, "Testing the Solution."
Along with their intranet Active Directory account, "shadow" accounts are also set up for sales employees in the extranet Active Directory forest. The extranet shadow accounts map to digital certificates that are installed on the employees' computers.
Digital certificates are automatically issued to each employee through Microsoft Windows Server™ 2003 Certificate Services auto-enrollment policy when they first log on to the organization's domain. They are stored on each employee's desktop computer so that they are only accessible by the employee while they are logged on to the computer.
When employees access the Sales and Contacts application through the Internet using HTTPS, the workstation uses their issued X.509 client certificate to authenticate. If the workstation fails to provide a valid certificate, the user is denied access to the Sales and Contacts application. If the workstation provides a valid certificate, the Web server maps the credentials in the digital certificate to an account in the extranet directory.
Microsoft Internet Information Services (IIS 6.0) maps the user's identity contained in the user principal name (UPN) value of the subject alternate name attribute in the certificate to the external Active Directory account, which IIS then impersonates for authorization.
The IIS 6.0 virtual directory that contains the Sales and Contacts application is configured to use Windows Authorization Manager for authorization. IIS requests authorization to the application from Authorization Manager by providing the user's identity and the application (scope) that is being accessed.
Authorization Manager determines whether the user has a role that is allowed to access the application. In this case, the role is derived from membership in the Sales group, which is maintained in Active Directory. Authorization Manager passes the result of the access check back to IIS 6.0, which will then grant or deny access to the application.
A core component of the logical design for this scenario is Authorization Manager, which is used to provide Uniform Resource Locator (URL) authorization. The key components of Authorization Manager are a policy store in the external Active Directory and an Internet Server Application Programming Interface (ISAPI) filter in IIS 6.0 that invokes the Authorization Manager APIs to determine access.
Contoso modified the IIS 6.0 metabase to indicate which resources — represented by a URL in the scenario — are protected by Authorization Manager.
The policy store in Active Directory contains the authorization policies, which consist of application groups, roles, and tasks. Application groups can contain Active Directory users based on membership in organizational units (OU), groups, or Lightweight Directory Application Protocol (LDAP) 3.0 queries based on user attributes. Role definitions include permissions that apply to sets of objects associated with users assigned to their roles. Tasks define what users can do in the B2E application, for example, "Access URL."
Contoso created and configured the instance of Active Directory in the perimeter network as a separate forest from the internal directory, with no trust configured between the intranet and extranet forests, to achieve the greatest degree of isolation between the intranet and extranet networks, and to simplify the port configuration of the firewall that separates the networks.
The extranet Active Directory is used to authenticate any user accessing an extranet-based application, including employees authenticating from the Internet. This directory can be synchronized with the internal directory by using MIIS 2003 with SP1. For more information, see the "Identity Aggregation and Synchronization" paper in this series.
Contoso plans to fully automate the creation and synchronization of shadow accounts for employees in the extranet directory through a system built on Microsoft Identity Integration Server 2003, Enterprise Edition. For more information, see the "Identity Aggregation and Synchronization" paper in this series.
The business to consumer (B2C) extranet access scenario describes a possible solution for implementing a secure, scalable Web SSO infrastructure for customers in the Contoso extranet. The uses for Microsoft Passport and Microsoft Authorization Manager are highlighted in this scenario. The scenario addresses requirements for Web SSO self-registration and security challenges faced by organizations with B2C initiatives.
This solution centers on using Windows Server 2003 to provide authentication and authorization services for applications in a B2C environment through Microsoft Passport and Microsoft Authorization Manager.
Contoso has the following technologies in their environment to enable this scenario:
Figure 4.5 shows the logical design for the Contoso B2C extranet access solution.
Figure 4.5. The logical design of the Contoso B2C extranet access scenario
The capabilities of the B2C Customer Trial feedback application for the Contoso extranet access scenario include the following:
For security reasons, Contoso created and configured the instance of Active Directory in the perimeter network as a separate forest from the internal directory. This external Active Directory authenticates and stores entitlements for all users of the organization's extranet applications. The following figure shows the network design for the Contoso B2C extranet access solution.
Figure 4.6. The network design of the Contoso B2C extranet access scenario
Contoso uses two servers running Windows Server 2003 to implement the B2C solution for this scenario. To centralize its user identity store, Contoso uses the same external Active Directory account to store customer accounts and employee accounts.
This section details how the B2C extranet access solution works for Contoso, after completing the implementation and validation activities in Chapter 5, "Implementing the Solution," and Chapter 6, "Testing the Solution."
When customers access the Customer Trial feedback application, they are prompted to provide valid Passport account information. They can use pre-existing Passport accounts to authenticate with the system. For customers who do not have a Passport account, they must click a hyperlink to launch a self-registration wizard to create an account through the Passport graphical user interface (GUI).
After a user authenticates through Passport, IIS 6.0 maps the user's Passport identity to the external Active Directory account, which IIS 6.0 impersonates for authorization purposes.
The IIS 6.0 virtual directory that contains the Contoso Customer Trial feedback application is configured to use Authorization Manager. IIS 6.0 requests authorization to the application from Authorization Manager by providing the user's identity (obtained through the IIS impersonation mechanism) and the application (scope) that is being accessed.
Authorization Manager determines whether the user has a role that is allowed to access the application. In this case, the role is derived from membership in the Trial Users group, which is maintained in Active Directory. Authorization Manager passes the result of the access check back to IIS 6.0, which will then grant or deny access to the application.
Contoso modified the IIS 6.0 metabase to indicate which resources — represented by an URL in the scenario — are protected by Authorization Manager.
The previous chapters in this paper provide you with information about the typical issues, requirements, and the solution designs that address the extranet access solution scenarios for business to employee (B2E) and business to consumer (B2C). This chapter provides prescriptive guidance on how to implement these solutions, and introduces the tools and templates provided for each scenario.
The prerequisites and implementation guidance in this chapter can be verified by following the guidance in Chapter 6, "Testing the Solution."
The Identity and Access Management download package includes Identity and Access Management Tools and Templates.msi, which is the Tools and Templates installer file. The Tools and Templates that are part of this download include text-based scripts, code samples, and configuration files that are related to identity and access management, but do not include any executable programs or compiled code.
Note These samples are provided as examples only. Be sure to review, customize, and test these tools and templates before you use them in a production environment.
When you run the installer file, the resulting folder structure will look similar to the one shown in Figure 5.1, depending on where you install it.
Figure 5.1. The Tools and Templates folder structure
This guide assumes that you have installed the Tools and Templates into the default location of %UserProfile%\My Documents\Identity and Access Management Tools and Templates. If you use a different installation location, ensure that you use the same path in all the steps in this document.
Note The Tools and Templates MSI package can sometimes produce an error during the installation process. See the Identity and Access Management Series Readme.htm file for more information.
Table 5.1. The B2E Extranet Access Example Folder
File name | Purpose |
Default.asp | A sample Web page for the B2E application. |
SetURLAuth.vbs | A Microsoft Visual Basic® script that configures URL authorization in IIS 6.0. |
Table 5.2. The B2C Extranet Access Example Folder
File name | Purpose |
Default.asp | A sample Web page for the B2C application. |
SetURLAuth.vbs | A Visual Basic script that configures URL authorization in IIS 6.0. |
Subscribe.asp | A sample Microsoft ASP application that associates a Passport user with a Microsoft Active Directory® directory service account. |
Implementing the Contoso B2E solution for the Sales and Contacts application primarily requires configuring components already installed with Microsoft® Windows Server™ 2003. To implement its solution, Contoso will use the server's existing digital certificate infrastructure for authentication and Authorization Manager in Windows Server 2003 for authorization. Finally, the Contoso solution requires some minor modifications to the Sales and Contacts application.
For these implementation details to work correctly, you need to first implement basic Contoso infrastructure as introduced in the "Platform and Infrastructure" paper in this series, and as described in Chapter 4, "Designing the Infrastructure," and Chapter 5 "Implementing the Infrastructure." In particular, this implementation requires the following prerequisites:
The extranet server running IIS needs to be configured according to the information in the following Microsoft Knowledge Base articles:
The high-level tasks that will be performed in order to implement this scenario are:
In addition to installing the appropriate certification authorities (CA), Contoso has also enabled user certificate auto-enrollment policy (a new feature in Windows Server 2003) in Active Directory to further improve the manageability of the solution. The steps needed to enable certificate auto-enrollment are documented in the product help documentation.
To enable client certificate auto-enrollment in the NA domain Active Directory, use the following steps in the product documentation
Contoso modified the default user template using the following steps:
To create the Contoso user authentication certificate template
Ensure that Email name and User principal name (UPN) are selected under Include this information in subject alternate name.
To map client certificates to corresponding Active Directory users using Microsoft Identity Integration Server 2003, Enterprise Edition with Service Pack 1 (MIIS 2003 with SP1) for this scenario, see the "Identity Aggregation and Synchronization" paper in this series. Alternatively, the infrastructure setup activities in the "Platform and Infrastructure" paper creates employee shadow accounts in the extranet Active Directory with the client certificate mapping in place.
Due to a security feature in Microsoft IIS 6.0, you must install the root certification authority (CA) certificates in the local computer's Trusted Root Certification Authorities certificate store. You also must install all intermediate certification authority certificates in the user certificate chain in the local computer's Intermediate Certification Authorities certificate store.
IIS 6.0 verifies certificates based on the rules specified in the crypto application programming interface (API). The crypto API rejects certificates if the root CA and intermediate CA certificates are not installed in the local computer's Trusted Root Certification Authorities and Intermediate Certification Authorities certificate stores, respectively.
Contoso obtained the root CA and intermediate CA certificates from certificates issued to Contoso users. The following tasks were performed on the root CA and the intermediate CA in the Contoso environment so an administrator can obtain the CA certificate.
Configuration Overview
Contoso used the following tasks to establish Certificate Authority Trust in IIS 6.0. You can tailor these tasks to meet the requirements of your organization.
Task 1: Export a CA Certificate
Complete the following steps to export a certificate from the CA server.
To export a CA certificate
Note A confirmation message will appear saying the certificate export was successful.
Task 2: Import the Certificate to the Local Computer's Trusted Root Certification Authorities Certificate Store
Complete the following steps to install the root CA certificate on the server running IIS that hosts the Sales and Contacts application for Contoso.
To import the certificate to the local computer's Trusted Root Certification Authorities certificate store
Task 3: Import the Certificate to the Local Computer's Intermediate Certification Authorities Certificate Store
Complete the following steps to install the intermediate CA certificates on the server running IIS that hosts the Sales and Contacts application for Contoso.
To import the certificate to the local computer's Intermediate Certification Authorities certificate store
Contoso wants to use its existing Active Directory and digital certificate infrastructure to map user certificates to corresponding user accounts in Active Directory for authentication to the Sales and Contacts application. To do this, Contoso must first configure Active Directory Mapper.
Configuration Overview
Contoso used the following tasks to enable Active Directory mapping in IIS 6.0. You can tailor these tasks to meet the requirements of your organization.
Task 1: Enable Active Directory Mapper in the Web Server Hosting the Sales and Contacts Application
Complete the following steps to enable Active Directory Mapper in IIS 6.0.
To enable Active Directory Mapper in the Web server hosting the Sales and Contacts application
Task 2: Enable Client Certificate Mapping in the Sales and Contacts Application
In addition to enabling Active Directory Mapper in IIS 6.0, you must also ensure that the option for client certificate mapping is enabled in your B2E application. Contoso completed the following steps to verify this in the Sales and Contacts application.To enable client certificate mapping in the Sales and Contacts application
Task 3: Verify That Client Certificates Map to Corresponding Users in Active Directory
The next task requires mapping the client certificate to the corresponding extranet Active Directory user. You can either do this manually or automate the task using MIIS 2003 with SP1. Contoso used MIIS 2003 with SP1 for its new hire process (see the "Identity Aggregation and Synchronization" paper in this series for details on this process), which automatically maps certificates to the company's employees.
To verify that client certificates map to corresponding users in Active Directory
Note For instructions on manually mapping certificates to Active Directory accounts, see the Knowledge Base Article 272175, "HOW TO: Configure Active Directory Certificate Mapping".
In Windows Server 2003, Authorization Manager introduces a new model for application authorization. Authorization Manager provides an easy-to-use authorization framework for line-of-business (LOB) applications that you can use to provide access for users according to their role in your organization or application. Configuring Authorization Manager to work properly requires you to complete the following series of tasks in the order that they are presented here.
Contoso used the following tasks to configure Authorization Manager. You can tailor these tasks to meet the requirements of your organization.
The Sales Administrator user in Active Directory is responsible for configuring authorization policy in Authorization Manager and enabling Authorization Manager while logged on to the Web server.
To create a user account in Active Directory for Authorization Manager
First name: Sales Admin
Full name: Sales Admin
User logon name: salesadmin@perimeter.contoso.com
Authorization Manager requires a "container" to hold its policy information. There are two choices for storing this information: in an Active Directory container, or in an Extensible Markup Language (XML) file. Because Contoso plans to use Active Directory as the company's centrally accessible authorization store, the company chose to create an Authorization Manager policy storage container in Active Directory.
Note The Active Directory Service Interfaces (ADSI) Edit snap-in does not install in Windows Server 2003 by default. If this snap-in is not installed on your server, you must install the ADMINPAK.msi file for the Windows Server 2003 Administration Pack located on your installation CD.
For detailed instructions on installing the administration pack, download the Windows Server 2003 Administration Tools Pack.
To create an Authorization Manager policy storage container in Active Directory
Note If you cannot view this folder, click View, and then Advanced Features from the main menu.
Figure 5.2. The Tasks to Delegate page in the Delegation of Control Wizard
Figure 5.3. The assigned permissions for the Sales Admin group on the Security tab for Contoso properties
Because Contoso is using Active Directory as its central authorization store, the company chose to create its Authorization Manager store in Active Directory. An authorization store is a database that contains the authorization policy in Authorization Manager.
To create the authorization policy store in Active Directory
The distinguished name (DN) of the Program Data will appear under Store Name.
In this scenario, the following were used.
CN=ContosoStore,CN=Contoso,CN=Program Data,DC=perimeter,DC=contoso,DC=com.
Figure 5.4. Using the New Authorization Store dialog box to create a new authorization store in Active Directory
IIS 6.0 integrates with Authorization Manager to implement IIS 6.0 URL Authorization, a new feature in Windows Server 2003. Creating an Authorization Manager "application" is the first step in using Authorization Manager to protect your Web-based application. An Authorization Manager application identifies the operations or tasks that the application can perform by declaring them in the authorization store at the time you install the application.
Contoso is protecting Web-based applications on the Web server running IIS. For this reason, the company needs to create and define a specific IIS Authorization Manager application name to hold all IIS – based resources that Authorization Manager will protect.
To create an application name in IIS 6.0
Note You must type IIS 6.0 URL Authorization exactly as shown in the following figure in the Name box of the New Application dialog box or Authorization Manager will not operate with IIS 6.0.
Figure 5.5. Using the New Application dialog box to create a new application
An operation is a low-level permission that a resource manager uses to identify security procedures. A meaningful task may require several operations. Operations are often not exposed or meaningful to administrators. An example of an operation could be WriteAttributes or ReadAttributes. Contoso created an operation definition to allow access to the Sales and Contacts application URL for its sales employees. This operation definition links to an IIS directory (or virtual directory) when the Microsoft Visual Basic® script for SetUrlAuth is run later in this chapter.
To create an operation
Important It is critical that you type AccessURL exactly in the Name box and 1 in the Operation number box of the New Operation Definition dialog box as shown in the following figure.
Figure 5.6. Using the New Operation Definition dialog box to create an operation definition
In Authorization Manager, a role definition is a collection of permissions for a particular role. Permissions for the role can be tasks or operations. Because Contoso is using operations to define permissions, that is how the roles in this scenario are configured.
To create a role definition
Figure 5.7. Using the Role Definition dialog box to create a role definition
Figure 5.8. Using the Add Definition dialog box to define a role
Now you are ready to create an Authorization Manager scope and role assignment for the Sales and Contacts application. Use the following tasks to accomplish this.
In addition to creating the authorization policy store in Active Directory, the Sales Administrator also must configure the server running IIS 6.0. To do this, the Sales Admin user in Active Directory must be a member of the Local Administrators group on the Web server.
To add the Sales Admin user to the Local Administrators Group
Authorization Manager scopes exist directly under Authorization Manager applications in the Active Directory console tree. A scope allows an administrator to collect similar resources within an authorization policy. These collections map the requested resource to its scope when the application validates an employee's access rights. A scope can represent a physical collection, such as a folder, or a more flexible collection of resources, such as Active Server Pages (ASP). Applications use scope as necessary to group similar resources.
Note IIS 6.0 URL Authorization scopes always map to virtual directories or URLs to protect Web applications.
To create a scope in Authorization Manager
Figure 5.9. Using the New Scope dialog box to create a new scope
Creating an Authorization Manager role assignment simply requires linking the role created in Authorization Manager to a subset of users in the external Active Directory.
You can do this in one of two ways:
Contoso used the first approach, assigning Active Directory users to an Authorization Manager role based on Active Directory group membership.
To link a role to a group in Active Directory
Note A dialog box will prompt you to select the salesadmin account or the Sales group. Ensure that you select the Sales group.
Figure 5.10. Using the Select Users, Computers, or Groups dialog box to create a role assignment
After Authorization Manager is configured, the final step is to associate the Sales and Contacts application with it to perform authorization. To complete this task, you need to make some configuration changes to ensure that IIS 6.0 can communicate with Authorization Manager, and that a specific URL (or directory) is associated with the Scope and Operation created in Authorization Manager.
Contoso completed the following tasks to configure the Sales and Contacts application. You can tailor these tasks to the requirements of your organization.
There is a simple sample Web page that has been included with this document that represents the real Sales and Contacts application in the Contoso environment. This sample application must be installed and configured before completing the remainder of the tasks in this scenario.
To install the sample Sales and Contacts application
An application pool is configured to link one or more applications to a single worker process to isolate the process. Contoso associated an application pool with the virtual directory in which the Sales and Contacts application resides.
For reliability and security purposes, Contoso created an application pool on the IIS server to protect other Web applications. Selecting a security account for the application pool allows administrators to constrain the pool with more permissions control.
To create an application pool
Figure 5.11. Using the Add New Application Pool dialog box to add a new application pool in IIS 6.0
By default, application pools run under the Network Service account. For security purposes, Microsoft recommends selecting a different security account for the application pool than the one created in this scenario. You can use a domain account to constrain access to a greater degree than use of the Network Service account would allow.
To check your application pool for the user authority under which it runs
Figure 5.12. Using the SalesAppPool Properties dialog box to change the account under which an application pool runs to a different domain security account.
This procedure simply creates a link between the application pool created in Task 2 and the virtual directory for the Sales and Contacts application created in Task 1. The Contoso Sales and Contacts application runs exclusively under one virtual directory, but you can associate your application pool with more than one if necessary.
To assign an application pool to a virtual directory
Note If the Application Pool list is not available, click Create to create the application pool for the Contoso Sales and Contacts application.
Figure 5.13. Using the contacts Properties dialog box to assign an application pool to the virtual directory for a Web application
As mentioned previously, IIS 6.0 runs under the Network Service account by default. Because you have reconfigured the service account that the application pool runs under, you must use this account for the Authorization Manager Reader role. This ensures that the service account will enforce the appropriate Authorization Policy.
Note If you use a remote authorization store (such as Active Directory or a remote XML file-based store) and run IIS 6.0 in the default Network Service context, then you must add the Active Directory account of the Web server running IIS 6.0 to the Store Reader role.
To add the IIS Worker Process to the Authorization Manager Store Reader role
Figure 5.14. Using the Contosostore Properties dialog box to add the IIS Worker process to the Authorization Manager Store Reader role
When you configure an application, virtual directory, or URL to use IIS 6.0 URL Authorization, each request to a URL is routed to the URL Authorization Internet Server Application Programming Interface (ISAPI) interceptor. The IIS 6.0 URL Authorization ISAPI interceptor uses the Authorization Manager runtime to authorize access to the requested URL. To do this, the URL (application, virtual directory, or single URL) must be associated with an Authorization Manager policy store that contains the authorization policy for the URL. After the client has been authorized to access the URL, the IIS 6.0 URL Authorization ISAPI passes the request to the appropriate handler for the URL, such as ASP or the static file handler.
The name of the file that must execute as the URL Authorization ISAPI interceptor is URLAUTH.dll. You must associate this file with each virtual directory (or directory) that you want associated with Authorization Manager.
To associate the URLAuth.dll file with the Sales and Contacts application
Note If an error message appears that begins "This executable path is already used…" the URLAuth.dll file is already configured as a wildcard for application extension mapping.
Figure 5.15. Using the Application Configuration dialog box to set the Web application configuration properties to point to URLAuth.dll
You must allow the server running IIS to execute the Web service extension for URL authorization. This is required to use Authorization Manager for URL authorization.
To configure IIS to add URLAuth.dll as a new Web service extension
The IIS 6.0 metabase is a database similar in structure to the Microsoft Windows® registry. The metabase is optimized for IIS to provide a hierarchal storage system and fast retrieval of IIS configuration properties for Web sites, virtual directories, and sites configured to use File Transfer Protocol (FTP), Simple Mail Transfer Protocol (SMTP), and Network News Transfer Protocol (NNTP).
Each virtual directory is assigned a unique identifier. You can find this information easily using the Metabase Explorer utility. Use this utility when running the SetUrlAuth.vbs script in the following procedure.
To install and use Metabase Explorer
The value should match the name of your Web site.
Note The virtual directory path will be used when you execute the SetUrlAuth.vbs script in Task 9.
Figure 5.16. The contact list view in IIS Metabase Explorer
Contoso uses a Visual Basic script file to modify IIS metabase properties, which assign the appropriate Authorization Manager policy to the virtual directory. A sample script called SetURLAuth.vbs is included in the Tools and Templates folder that downloads with this paper. Complete the following steps to run the SetUrlAuth.vbs script.
To run the SetURLAuth.vbs script
Note By default, the InetPub directory is in the root of the drive containing IIS 6.0.
CScript SetUrlAuth.vbs <your virtual directory> B2E
"msldap://CN=ContosoStore,CN=Contoso,CN=Program
Data,DC=perimeter,DC=contoso,DC=com" true 1
IIS URL Authorization is now configured to run for the Sales and Contacts application in this scenario. Users assigned to the Viewer role can browse to pages within the application.
Note The syntax for the SetUrlAuth.vbs file script is:
CScript SetUrlAuth.vbs <VirtualDirPath> <AuthMgrScopeName> <AuthMgrStoreName> <Enabled True/False> <ImpersonationLevel>
Implementing the B2C extranet access solution for the Contoso Customer Trial application primarily requires configuring components previously installed with Windows Server 2003. As part of the implementation process for its solution, Contoso used infrastructure from Microsoft Passport for the authentication process, and Authorization Manager for the authorization process. Finally, the B2C solution for Contoso requires some minor modifications to the Customer Trial application.
For these implementation details to work correctly, you need to have the basic Contoso infrastructure implemented as introduced in the "Platform and Infrastructure" paper in this series as described in Chapter 4, "Designing the Infrastructure," and Chapter 5, "Implementing the Infrastructure."
In particular, an extranet Active Directory forest is required. The forest should contain the provided Contoso OUs, Groups, and Users.
You also need to have access to the Microsoft Passport Web site.
The implementation activities for this solution scenario include the following:
With Windows Server 2003 and IIS 6.0, you can integrate Passport authentication services into your solution to store user credentials in Active Directory. Contoso did this to offer users single sign on (SSO) features across multiple Passport-enabled Web sites.
You can tailor the following tasks in this section to the requirements of your organization. Contoso completed these tasks to integrate Passport with the B2C extranet access solution.
Verify that the following three environments exist while setting up Passport authentication for IIS 6.0:
Use the following steps to verify that you are in the default installation environment.
To verify your server is in the default installation environment
Note The value 1 indicates that the current Passport configuration is in the default installation environment. Any number other than 1 indicates that the current environment is in either the PREP environment or the production environment.
Before you can test and deploy Passport authentication on your site, you must register your server configuration and request a site ID and encryption key from Microsoft. After obtaining a site ID and encryption key, you can switch your environment to the PREP environment to test it against your preproduction servers without accessing live Passport services.
To request a Microsoft Passport site ID
Web Site Title: Contoso Pharmaceuticals
Domain Name: www.contoso.com
Default Return URL: www.contoso.com/defaultreturn.html
Customer Support Phone number: <Optional field>
Customer Support email: <Optional field>
Privacy Policy URL: www.contoso.com/privacy.html
Note This information provides examples of data you could type in the application at this point in the application process. The information you supply will be unique to your implementation of .NET Passport.
Cobrand Image URL*: www.contoso.com/logo.gif
Other fields on this page are optional for you to complete according to your requirements.
Expire Cookie URL*: www.contoso.com/clearcookies.asp.
After Microsoft approves your application, you will receive an e-mail from the Microsoft compliance team containing a site ID and a Passport encryption key for your Web site. Download and install the encryption key to promote your PREP environment.
Note If IIS 6.0 is running on the same server you are configuring for Passport authentication, disable the IIS admin process before proceeding to the next step.
To install the encryption key and set up the Microsoft Passport site ID
Partner1000_1.exe /addkey
Partner1000_1.exe /makecurrent /t 0
Note Site ID 1000_1 is an example. Make the file name specific to your site ID.
After you have installed the encryption key, use the following task to confirm that the site ID is properly set up and verify that your environment has switched to the PREP environment.
After you have installed your Passport encryption key, your site will be set up with a unique Passport site ID. It is a best practice to verify that the site ID is properly set up to ensure your server can communicate with the preproduction Passport servers.
To configure the proper setup of the site ID and encryption key
To verify the proper setup of the site ID and encryption key
To create Passport users in Active Directory, Contoso created a domain with privileges to create child objects in the Trial Users OU. The Trial Administrator account serves as the IIS anonymous account to create users in Active Directory.
To create the account in Active Directory
To create the group in Active Directory and delegate rights
For the trialadmin account to create users in the Trial User OU, you must configure the security setting for the Trial Users OU container.
To delegate control of the Trial Users OU
Figure 5.17. Assigning security permissions for the Trial Users OU
In addition to creating users in the Trial Users OU, the Customer Trial administrator is also responsible for managing the authorization policy store in Active Directory.
To delegate control of the Program Data OU to the Customer Trial Application Administrator
Note If you cannot view the Contoso folder, from the main menu click View, and then click Advanced Features.
The Trial Administrator also needs to configure the IIS 6.0 server. For this reason, the trialadmin user in Active Directory must be a member of the Local Administrators group on the server running IIS.
To add the Trial Administrator user to the Local Administrators group
Active Server Pages (ASP) and ASP.NET are not enabled by default in IIS 6.0. Because you will be using ASP to map Passport accounts with Active Directory, you must allow ASP and ASP.NET to run Web extensions on the IIS 6.0 Server.
To enable ASP and ASP.NET Web Extensions on IIS 6.0
To integrate Passport with Active Directory, you must map the PUID (a unique identifier in a Passport account) to a corresponding account in Active Directory. The ASP files map Passport users in Active Directory using the Active Directory Service Interfaces (ADSI) API.
Note The default.asp and subscribe.asp files that are included in the Tools and Templates folder are sample ASP files you can use to demonstrate mapping the Passport PUID to Active Directory. You can customize this code based on how you implement Passport.
Table 5.3.ASP for PUID Mapping with Active Directory
File name | Description |
default.asp | The default.asp file resides in a virtual directory, and is used by Passport to protect applications by default. When users successfully authenticate to Passport, the default.asp file invokes the Passport Manager API to retrieve and display user profile information. |
subscribe.asp | The subscribe.asp file also invokes the Passport Manager API to obtain user passport information. The Passport Manager API generates a page that prompts the user for information, which ADSI then uses to create user profiles in Active Directory. |
To enable mapping Passport users to Active Directory
Note Configuring Passport authentication for a virtual directory disables all other authentication methods for that virtual directory.
Note Make sure you update the hyperlink to the B2C application on the main page so that your company will point to the default.asp file in the trialentry directory. For example, in this scenario for Contoso, the hyperlink would be www.contoso.com/trialentry/default.asp.
To configure Passport authentication on the Customer Trial application
Based on the settings of the trialentry directory, the default.asp file challenges the user to authenticate using Passport. After Passport authenticates the user, the default.asp file attempts to map the PUID to Active Directory.
If the PUID is not mapped (that is, the user account is not created in Active Directory), information in the default.asp file is used to offer the user a link to the subscribe.asp file (in the subscribe virtual directory) that displays information the user can use to define a Passport profile. The subscribe.asp file prompts the user for information that Passport requires (for example, e-mail address), and then uses ADSI to create the account in Active Directory.
After the PUID is mapped, IIS creates an impersonation token for the user. IIS will run in the impersonation context of the user, which allows Authorization Manager to authorize user access.
The Trial Administrator account needs to be able to view and modify the ContosoStore Authorization Manager policy, which is accomplished by adding them to the Administrator role.
Note This B2C solution scenario requires an Authorization Manager store and policy. If you have not already completed the previous B2E solution scenario or do not have an Authorization Manager policy in place, follow the instructions for Configuring Authorization Manager in the above B2E solution scenario, replacing the SalesAdmin account with TrialAdmin before completing this task.
To add the Trial Administrator account to the Administrator role
Previously in this chapter you created an authorization store in Active Directory, the IIS 6.0 URL Authorization Application, and an operation definition based on the B2E scenario. After installing and configuring the components for the B2E scenario, the remaining tasks to complete the solution configuration for the B2C scenario are as follows:
Complete the following steps to create a new scope for the B2C extranet access scenario.
To create a new scope
Creating an Authorization Manager role assignment simply requires linking the role created in Authorization Manager to a subset of users in the external Active Directory account. You can accomplish this in one of two ways: The first way to do this is to link Authorization Manager roles manually to a group in Active Directory. The second way is to create an application group in Authorization Manager, and then assign users statically or dynamically using an LDAP query. Contoso used the first method for this scenario.
To link a role to a group in Active Directory
After Authorization Manager is set up, the final step is to associate the Customer Trial application with Authorization Manager to perform authorization. To complete this task, you must configure some settings to ensure that IIS will communicate with Authorization Manager and that a specific URL (or directory) is associated with the appropriate authorization scope.
Contoso completed the following tasks to install and configure the Customer Trial application. You can tailor these tasks to the requirements of your organization.
By default, application pools run under the Network Service account on the server running IIS. However, to make Passport authentication work, you need to use the LocalSystem account to run application pools. Doing so ensures that IIS has the appropriate rights to create impersonation tokens for authenticated users. IIS uses these tokens when requesting authorization from Authorization Manager. Complete the following steps to accomplish this task.
To create an application pool using the LocalSystem account
This task creates a link between the application pool created in an earlier procedure and the virtual directory associated with it. The Contoso Customer Trial application runs exclusively under one virtual directory, but you can select more than one if necessary.
To assign an application pool to a virtual directory
Note If the Application Pool list is not available, click Create to create the application.
Note To enable a Windows XP client to sign in to a Passport Preproduction (PREP) mode, see the instructions in the following Microsoft Knowledge Base article, "A User Cannot Sign in to Microsoft Passport by Using Microsoft Windows XP in the Preproduction Environment".
As mentioned in Task 1, IIS application pools run under the Network Service account by default. Now that you have changed the service account that the application pool runs under to the LocalSystem account, you also must make this account a member of the Authorization Manager Reader role. This task ensures that the service account can read the appropriate Authorization Policy.
To add the IIS Worker Process to the Authorization Manager Store Reader role
Figure 5.18. Using the ContosoStore Properties dialog box to add the IIS Worker process to the Authorization Manager Store Reader role
When you configure an application, virtual directory, or URL to use IIS 6.0 URL Authorization, each request to a URL is routed to the URL Authorization ISAPI interceptor. The IIS 6.0 URL Authorization ISAPI interceptor uses the Authorization Manager runtime to authorize access to the requested URL. To do this, the URL (application, virtual directory, or single URL) must be associated with an Authorization Manager policy store that contains the authorization policy for the URL. After the client has been authorized to access the URL, the IIS 6.0 URL Authorization ISAPI interceptor passes the request to the appropriate handler , such as ASP or the static file handler.
The name of the file that must execute as the URL Authorization ISAPI interceptor is URLAuth.dll. You must associate this file with each virtual directory (or directory) that you want to associate with Authorization Manager.
To associate the URLAuth.dll file with the Customer Trial application
Note If an error message appears that starts with "This executable path is already used…", the URLAuth.dll file is already configured to map wildcard application extensions.
You must configure IIS 6.0 to execute files that have a dynamic link library (.dll) extension.
To configure IIS 6.0 to execute .dll extension files
The IIS metabase is a database similar in structure to the Microsoft Windows registry. The metabase is optimized for IIS to provide hierarchal storage and fast retrieval of IIS configuration properties for Web sites and virtual directories, including Web sites that use FTP, SMTP, and NNTP.
Each virtual directory is assigned a unique identifier that you can find easily using the Metabase Explorer. Use this identifier when running the SetUrlAuth.vbs script in the following task. To install Metabase Explorer, follow the steps in the B2E scenario under Task 8: Install and Run Metabase Explorer to Find the Application URL.
To use the Metabase Explorer
Figure 5.19. The IIS 6.0 metabase properties in the IIS Metabase Explorer
Contoso uses a Visual Basic script file to modify IIS metabase properties by assigning the appropriate Authorization Manager policy to the virtual directory. A sample script, called SetURLAuth.vbs, is included in the Tools and Templates folder that downloads with this series. Use the following procedure to run the SetUrlAuth.vbs script.
To run the SetURLAuth.vbs script file
Note By default the InetPub directory is in the root of the drive containing IIS 6.0.
CScript SetUrlAuth.vbs <your virtual directory> B2C
"msldap://CN=ContosoStore,CN=Contoso,CN=Program
Data,DC=perimeter,DC=contoso,DC=com" true 1
IIS URL Authorization is now configured to run for the Customer Trial application in this scenario. Users in the Viewer role can browse to pages within the application.
Note The syntax for the SetUrlAuth.vbs script is:
CScript SetUrlAuth.vbs <VirtualDirPath> <AuthMgrScopeName> <AuthMgrStoreName> <Enabled True/False> <ImpersonationLevel>
Before deploying a Passport-enabled Web site, participating sites must sign the Passport License and Service Agreement.
For more information about the Passport License and Service Agreement, see the Passport License and Service Agreement page on Microsoft MSDN®.
This chapter describes how to validate the implemented solution scenarios from the previous chapter. It also provides some troubleshooting steps to help with common implementation challenges. Comprehensive guidance for testing the end-to-end user and administrator experience is not provided.
After the B2E extranet access scenario implementation is complete, you are ready to validate your implementation to ensure that the B2E Web single sign on (SSO) application meets the requirements for Contoso.
Before testing the implementation guidance in this paper, there are a few basic verification tests that you should perform to ensure that you have correctly configured the required infrastructure for the solution. Use the following tests to validate these prerequisites.
Tests to validate the prerequisites include:
Complete the following steps to verify that the sales users in the intranet Contoso domain will receive user authentication certificates through auto-enrollment.
To verify auto-enrollment for sales users in the Contoso intranet domain
These steps should confirm that the domain user received the user authentication certificate through auto-enrollment from the Contoso issuing certification authority (CA).
Complete the following steps to verify that members of the intranet domain can access the Contoso extranet Web page.
To verify intranet domain users can access the Contoso extranet Web page
This test should confirm that the user can view the Contoso HTML page in the browser.
Complete the following steps to verify that extranet users via the Internet can access the Contoso Web page.
To verify extranet users via the Internet can access the Contoso Web page
This test should confirm that the user can view the HTML page in the browser.
Complete the following steps to verify that intranet and extranet users can access the certificate revocation list (CRL) site on the Contoso perimeter Web server.
To verify that intranet and extranet users can access the CRL site
This test should confirm that users in the Contoso intranet domain and extranet users can view the CRL site on the perimeter Web server.
Complete these steps to verify that the CRL is updated on the perimeter Web server.
To verify that the CRL is updated on the perimeter Web server
This test should confirm that the CRL on the issuing CA has not expired, and that it is the latest list.
Complete the following steps to verify that the Contoso B2E application is enabled to use Hypertext Transfer Protocol, Secure (HTTPS).
To verify the Contoso B2E application is enabled to use HTTPS
This test should enable the client computer on the Internet to access the B2E Web page using the HTTPS protocol.
Complete the following steps to verify that the Sales and Contacts application runs correctly.
To verify that the Sales and Contacts application runs correctly
This test should confirm that the Sales and Contacts application runs on the extranet Web server.
Complete the following steps to verify that the Sales and Contacts application users are provisioned in the extranet Microsoft Active Directory® directory service.
To verify these users are provisioned in the extranet Active Directory
This test should confirm that Sales and Contacts application users are provisioned in the extranet Active Directory.
Complete the following steps to verify that users in the Sales group provisioned in the extranet Active Directory have their accounts mapped to their user certificates.
To verify Sales group user accounts are mapped to their user certificates
Performing this test should confirm that the value in altSecurityIdentities matches the subject value in the user's authentication certificate. For example:altSecurityIdentities equals X509<I>DC=com,DC=contoso,DC=corp,DC=na,CN=Users,CN=user01,E=user01@corp.contoso.com.
You can use the information in the following sections to test the B2E access management scenario and validate your implementation of the guidance.
Tests to validate the implementation include:
Complete the following steps to verify that a sales employee can access the Sales and Contacts application via the Internet using SSO.
To verify SSO access to the Sales and Contacts application
This test should confirm that the user can successfully access the Sales and Contacts application using his or her user certificate.
Complete the following steps to verify that employees who are not in the Sales group cannot access the Sales and Contacts application via the Internet.
To verify non-Sales Group employees cannot access the application
This test should confirm that this user cannot access the Web page for the Sales and Contacts application.
Complete the following steps to verify that the extranet Web server intercepts Sales employee authentication requests via HTTPS, and that the server uses client authentication certificates from the issuing CA to authenticate users to the extranet Active Directory.
To verify the extranet Web server intercepts authentication requests via HTTPS
This test should confirm that the Web server intercepts the authentication request, and then displays a message prompting for a user certificate.
Complete the following steps to verify that Sales employee authentication requests fail when users attempt to authenticate from the Web server to the extranet Active Directory, and that the user certificates are revoked.
To verify Sales employee attempts to authenticate from the Web server fail
This test should confirm that the user receives an error message saying that his or her certification has been revoked, and that the user cannot access the Sales and Contacts application Web page.
Complete the following steps to verify that authenticated users attempting to access the Sales and Contacts application are authorized based on their membership profile for the User, Group, Roles, and Application Objects in the extranet Active Directory using the Authorization Manager application.
To verify authenticated users with the Authorization Manager application
This test should confirm that the user can access the Sales and Contacts Web page, unless he or she specifies a valid user certificate.
Complete the following steps to verify that authenticated but unauthorized users attempting URL access to the Sales and Contacts application are denied access based on their membership profile for User, Group, Roles and Application Objects in the extranet Active Directory using the Authorization Manager application.
To verify authenticated but unauthorized users are denied access
This test should confirm that the user cannot log on to the site because he or she is not a member of the Sales group.
Complete the following steps to verify that users in the Sales group can access the Sales and Contacts application from the Contoso intranet.
To verify Sales Group user access via the Contoso intranet
This test should confirm that the user can access the Sales and Contacts application on the organization's extranet Web server from the internal network with no issues.
Complete the following steps to verify that deprovisioned users in the Sales group cannot access the Sales and Contacts application from the Internet.
To verify deprovisioned users cannot access the application
This test should confirm that the user is blocked from accessing the site, the application, and cannot view the page.
This section of the chapter provides information about some common errors that you may encounter while testing this scenario and how to most likely resolve them. However, the information in the following table is not an exhaustive list of errors and troubleshooting procedures.
Table 6.1. Troubleshooting Information for the B2E Extranet Access Scenario
Error | Troubleshooting procedure |
HTTP Error 401.1 – Unauthorized: Access is denied due to invalid credentials. | Verify the Internet user accessing the Sales and Contacts application is a member of the Sales Group in the extranet Active Directory. |
HTTP Error 401.1 – Unauthorized: Access is denied due to invalid credentials. | Verify the mapping between the altsecurityIdentities account attribute in Active Directory and the user's subject name in the certificate is correct. |
HTTP Error 401.1 – Unauthorized: Access is denied due to invalid credentials. | Verify that client certificates is set to the option for Require client certificates in the Sales and Contacts application's virtual directory.To browse to this location, click Properties on the virtual directory, click Directory Security, click Secure communications, and then click Edit to verify the information. |
HTTP Error 401.1 – Unauthorized: Access is denied due to invalid credentials. | Verify the Sales group has been added as a Viewer role in the B2C role assignments in the Azman.msc file.To browse to this location, open the Azman.msc file and then under ContosoStore, click IIS 6.0 URL Authorization, click B2C, click Role Assignments, and then click Viewer. |
HTTP Error 401.1 – Unauthorized: Access is denied due to invalid credentials. | Verify that Internet users can access the CRL hosted on the Contoso extranet Web server. Also verify that the user's authentication certificate is not revoked by the issuing CA. |
HTTP Error 403.7 – Forbidden: SSL client certificate is required. | Verify that the user has a valid Contoso user authentication certificate in the user account certificate store. |
HTTP Error 403.7 – Forbidden: Client certificate is ill formed or is not trusted by the Web server. | Verify that the steps given in the "Establishing Certificate Authority Trust in IIS 6.0" section have been followed correctly. |
Service Unavailable. | Restart IIS on your Web server. |
After the implementation section for the B2C extranet access scenario is complete, you are ready to validate your implementation to ensure that the B2C Web SSO application meets the requirements for Contoso.
Before testing the implementation guidance in this paper, there are a few basic verification tests that you should perform to ensure that you have correctly configured the required infrastructure for the solution.
Tests to validate the prerequisites include:
Complete the following steps to verify that extranet users via the Internet can access the Contoso Web page.
To verify extranet users can access the Contoso Web page
This test should confirm that the user can view the HTML page in the browser.
Complete the following steps to verify that the Contoso B2C application is enabled to use the HTTPS protocol.
To verify the Contoso B2C application is configured to use the HTTPS protocol
This test should confirm that the client computer on the Internet can access the B2C Web page using the HTTPS protocol.
You can use the information in the following sections to test the B2C extranet access scenario and validate your implementation of this guidance.
Tests to validate the implementation include:
Complete the following steps to verify that a new customer participating in the Contoso Customer Trial undergoes a self-registration process to obtain a new Preproduction Passport Environment (PPE) account.
To verify new customers can self-register for PPE accounts
This test should confirm that the new customer undergoes a self-registration process to obtain a PPE account that he or she can use to access the Contoso Customer Trial application.
Complete the following steps to verify that verify that the PPE self-registration process completes, that the Web SSO application's default.asp and subscribe.asp files create a customer user account in the external Active Directory under the Trial Users OU (OU=Trial Users,OU=Accounts,DC=perimeter,DC=Contoso,DC=com), and that the user account is added as a member of the Trial Users group.
To verify the PPE self-registration process completes successfully
Complete the following steps to verify that a customer participating in the Contoso Customer Trial requires a Preproduction Microsoft Passport account to access the Customer Trial application Web page.
To verify customers require a Preproduction Passport account
This test should confirm that on the welcome page, the customer is required to sign in to their preproduction Passport account before they can access the Customer Trial application.
Complete the following steps to verify that the following information is provisioned in the extranet Active Directory for the trial user from the Preproduction Passport database:
To verify information is provisioned in the extranet Active Directory
This test should confirm that the user account in the extranet Active Directory is provisioned with the information details retrieved from the user's PPE account.
Complete the following steps to verify that the self-registration process generates the following information for users:
To verify the self-registration process generates the required information
This test should confirm that the user's password property is not set to expire, and that the user's PUID sets the value for sAMAcountName and cn.
Complete the following steps to verify that the extranet Web server intercepts customer authentication requests via HTTPS, and that it uses Passport to authenticate customers to the extranet Active Directory.
To verify the extranet Web Server intercepts requests via HTTPS
This test should confirm that the page redirects the customer to the Passport site because the customer cannot access the Contoso site without a valid Passport account.
Complete the following steps to verify that authenticated customers are authorized to access the Customer Trial application based on their User, Group, and Roles and Application Objects profile in the extranet Active Directory using Authorization Manager.
To verify authenticated customers have access with Authorization Manager
This test should confirm that the account can access the Customer Trial application page seamlessly.
Complete the following steps to verify that authenticated but unauthorized customers attempting URL access to the Customer Trial application are denied access based on their User, Group, Roles and Application Objects profile in the extranet Active Directory using Authorization Manager.
Verify that authenticated, but unauthorized customers have no access
This test should confirm that the customer account cannot access the page because it is not a member of the Trial Users group.
Complete the following steps to verify that the Root user can successfully log in to the UNIX workstation using his or her local account password.
To verify the root user can log on to the UNIX Workstation
This test should confirm that the Root user can successfully log on to the workstation using his or her local account.
Complete the following steps to verify that logon fails for UNIX users if they enter local account credentials while logging on to the UNIX workstation.
To verify UNIX users cannot log on using local account credentials
This test should confirm that users cannot log on to their UNIX workstations using their local account credentials.
This section provides information about some common errors that you may see while testing this scenario and how you can likely resolve them. However, the information in the following table is not an exhaustive list of errors and troubleshooting procedures.
Table 6.2. Troubleshooting Information for the B2C Extranet Access Scenario
Error | Troubleshooting procedure |
HTTP Error 401.1 – Unauthorized: Access is denied due to invalid credentials. | Verify that the Trial Users group has been added in the Viewer role of B2E Role Assignments.To verify this, open the AZMAN.msc file, navigate to ContosoStore, click IIS 6.0 URL Authorization, click B2E, click Role Assignments, and then click Viewer properties. |
HTTP Error 401.2 – Unauthorized: Access is denied due to server configuration. | Verify that the check box for Passport Authentication is selected in the customer application virtual directory. To verify this information, open the IIS MMC snap-in, browse to the Customer Trial feedback application virtual directory, right-click and select Properties, click Directory Security, click Authentication and access control, and then click Authentication methods. |
HTTP Error 403.20 – Forbidden: Passport logon failed. | Verify that the user trying to access the site has a valid Passport account. |
The user on the Internet fails to see the Passport logon wizard prompt when he or she accesses the Contoso Customer Trial feedback application Web site at https://www.contoso.com/b2c. | Verify that the instructions have been followed, and that the suggested registry settings have been configured according to the instructions in Microsoft Knowledge Base article 816417, "A User Cannot Sign in to Microsoft Passport by Using Microsoft Windows XP in the Preproduction Environment". |
The first name, last name and e-mail address fields on the Subscribe.asp page are blank. | Verify that the user's Passport profile information can be used by other applications on the Passport registration site. |
The page does not appear. | In the Passport Manager Administration utility, verify the site ID you received from .NET Services Manager. |
The user does not receive an encryption key to the site after registering for one to the site at .NET Services Manager. | Repeat the steps to obtain a Passport site ID and Encryption Key in Chapter 5, "Implementing the Solution." |
After the provided solution scenarios have been implemented and validated, a number of ongoing operational activities must happen to ensure continued success. The "Platform and Infrastructure" paper in this series provides information and references for how each service in the infrastructure should be operated. This chapter introduces a few additional operational considerations for the specific solution scenarios in this paper.
The business-to-employee (B2E) extranet access scenario needs to manage the public key infrastructure (PKI) in addition to the general operational considerations described in this chapter.
There are a number of operational issues to consider with any PKI, including backup and recovery, auditing and monitoring, and certificate management.
Microsoft recommends backing up all certification authorities (CA) regularly to ensure that the CA database, the CA certificates, and the CA keys are protected. This is particularly important for your CAs, as they are not readily retrievable outside of the backup recovery process.
Microsoft Certificate Services records notable items in the Windows Event log. Review these logs regularly to track CA activity, particularly for issued certificates, and for changes to the certificate revocation list (CRL).
Take great care with certificate management to ensure that the CRL is accurate and up to date. You should also ensure that user certificates are correctly managed to prevent them from expiring while users are out of the office. In addition, you should ensure that the CA and Microsoft® Internet Information Services (IIS 6.0) certificates are maintained, current, and reissued at regular intervals so that users are not locked out from the services they need to access.
For more information about maintaining a PKI in your environment, see the Windows Server 2003 PKI Operations Guide on Microsoft TechNet.
The business-to-customer (B2C) extranet access scenario needs to manage Microsoft Passport in addition to the general operational considerations described in this chapter.
You can monitor the Microsoft Passport system using a combination of the Microsoft Windows Event log and performance counters. The Event log contains the system level events (Passport start and stop events), and you can use the Performance Monitor to track more comprehensive statistics such as the number of login attempts (failed or successful) on a total and per-second basis.
Tracking Passport activity will enable administrators in your organization to: