Extranet applications are those that share resources or applications across two different companies or divisions. The applications and resources are exposed over the Internet. One of the main challenges associated with extranet applications is developing an authentication approach that both parties agree to. Your choices may be limited in this respect because you may need to interoperate with existing authentication mechanisms.
Extranet applications generally share some common characteristics:
You have tighter control over user accounts, compared to Internet scenarios.
You may have a higher level of trust for the user accounts, compared to applications that have Internet users.
The scenarios presented in this chapter that are used to illustrate recommended authentication, authorization, and secure communication techniques include:
Exposing a Web Service
Exposing a Web Application
Note
The scenarios described in this chapter change the password of the default ASPNET account used to run ASP.NET applications to allow duplicated accounts to be created on remote computers for network authentication purposes. This requires an update to the <processModel> element of Machine.config. <processModel> credentials should not be stored in plain text in machine.config. Instead use the aspnet_setreg.exe utility to store encrypted credentials in the registry. For more information, see Chapter 8, and article Q329290, "HOWTO: Use the ASP.NET Utility to Encrypt Credentials and Session State Connection Strings" in the Microsoft Knowledge Base.
Consider a business to business partner exchange scenario where a publisher company publishes and sells its services over the Internet. It exposes information to selected partner companies using a Web service. Users within each partner company access the Web service using an Intranet-based internal Web application. This scenario is shown in Figure 6.1.
This scenario has the following characteristics:
The publisher company exposes a Web service over the Internet.
Partner company (not individual user) credentials (X.509 client certificates) are validated by the publisher to authorize access to resources. The publisher does not need to know about the user’s individual logins in the partner company.
Client certificates are mapped to Active Directory® directory service accounts within the publisher company.
The extranet contains a separate Active Directory from the (internal) corporate Active Directory. The extranet Active Directory is in a separate forest, which provides a separate trust boundary.
Web service authorization is based on the mapped Active Directory account. You can use separate authorization decisions based on partner company identity (represented by separate Active Directory accounts per company).
The database is accessed by a single trusted connection that corresponds to the ASP.NET Web service process identity.
The data retrieved from the Web service is sensitive and must be secured while in transit (internally within the publisher company and externally while flowing over the Internet).
In this scenario, each partner company’s internal Web application retrieves data from the publisher company through the Web service and then presents the retrieved data to its users. The publisher requires a secure mechanism to authenticate partner companies, although the identity of individual users within partner companies is not relevant.
Due to the sensitive nature of the data sent between the two companies over the Internet, it must be secured using SSL while in transit.
A firewall that permits only inbound connections from the IP address of extranet partner companies is used to prevent other unauthorized Internet users from opening network connections to the Web service server.
Table 6.1. Security measures
Category | Detail |
|---|---|
Authentication |
|
Authorization |
|
Secure Communication |
|
Figure 6.2 on the next page shows the recommended security configuration for this scenario.
Before you begin, you’ll want to see the following:
Creating custom ASP.NET accounts (see "Appendix " in the Reference section of this book)
Creating a least privileged database account (see Chapter 12)
Configuring SSL on a Web server (see "Appendix " in the Reference section of this book)
Configuring IPSec (see "Appendix " in the Reference section of this book)
Configuring IPSec through firewalls (see article Q233256, "How to Enable IPSec Traffic Through a Firewall," in the Microsoft Knowledge Base).
Calling a Web service using SSL (see "Appendix " in the Reference section of this book); this solution technique is required within the partner company
The discussion of certificate management and the infrastructure is beyond the scope of this topic, for more information search for "Certificates and Authenticode" on Microsoft TechNet.
This chapter does not go into details about the partner application and its security configuration. However, the following points needs to be considered to facilitate communication between the partner application and Web service:
The partner company’s Web application can choose an authentication mechanism that allows it to authenticate and authorize its internal users. Those users are not passed to the Web service for further authentication.
The partner company’s Web application makes calls on behalf of its user to the Web service. Users cannot directly call the Web service.
The partner company’s Web application uses a client certificate to prove its identity to the Web service.
If the partner application is an ASP.NET Web application, then it must use an intermediate out of process component (an Enterprise Services application or Windows service) to load the certificate and forward it to the Web service.
For more information about why this is necessary and the steps to achieve this, see "Appendix " in the Reference section of this book.
Configure IIS | |
|---|---|
Step | More Information |
Disable Anonymous access for the Web service’s virtual root directory | To work with IIS authentication settings, use the IIS MMC snap-in. Select your application’s virtual directory, right-click and then click Properties. Click the Directory Security tab, and then click Edit within the Anonymous access and authentication control group. |
Enable certificate Authentication for your Web application’s and Web service’s virtual root | See "Appendix " in the Reference section of this book. See "Appendix " in the Reference section of this book. |
Step | More Information |
|---|---|
Set up Active Directory accounts to represent partner companies | A separate extranet Active Directory is used. This is located in its own forest, and is completely separate from the corporate Active Directory. |
Configure certificate mapping | See the "Step-by-Step Guide to Mapping Certificates to User mapping Accounts" on Microsoft TechNet. Also see article Q313070, "HOW TO: Configure Client Certificate Mappings in IIS 5.0," in the Microsoft Knowledge Base. |
Configure ASP.NET (Web Service) | |
|---|---|
Step | More Information |
Configure the ASP.NET Web service to use Windows authentication | Edit Web.config in the Web service’s virtual root directory Set the <authentication> element to: <authentication mode="Windows" /> |
Reset the password of the ASPNET account (used to run ASP.NET) to a known strong password | This allows you to create a duplicate local account (with the same username and password) on the database server. This is required to allow the ASPNET account to respond to network authentication challenges from the database server when it connects using Windows authentication. |
An alternative here is to use a least privileged domain account (if Windows authentication is permitted through the firewall). For more information, see "Process Identity for ASP.NET" in Chapter 8. | |
Edit Machine.config located in %windir%Microsoft.NETFrameworkv1.0.3705CONFIG | |
Set your custom account username and password attributes on the <processModel> element | |
Default <!-- userName="machine" password="AutoGenerate" --> | |
Becomes <!-- userName="machine"
password="YourStrongPassword" --> | |
More Information | |
|---|---|
Create a Windows account on the computer running Microsoft SQL Server™ that matches the ASP.NET process account used to run the Web service (by default ASPNET) | The user name and password must match your ASP.NET process account. Give the account the following privileges:
|
Configure SQL Server for Windows authentication | |
Create a SQL Server Login for the ASPNET account | This grants access to the SQL Server. |
Create a new database user and map the login name to the database user | This grants access to the specified database. |
Create a new user-defined database role within the database and place the database user into the role | |
Establish database permissions for the database role | Grant minimum permissions See Chapter 12. |
ASP.NET on the Web server is running as a least privileged local account (the default ASPNET account), so potential damage from compromise is mitigated.
The ASP.NET Web applications within the partner companies use Windows Integrated authentication and perform authorization to determine who can access the Web service.
The ASP.NET Web application within the partner company uses an intermediate Enterprise Services application to retrieve client certificates and make calls to the Web service.
The publisher company uses the partner organization name (contained in the certificate) to perform certificate mapping within IIS.
The Web service uses the mapped Active Directory account to perform authorization, using PrincipalPermission demands and .NET role checks.
Windows authentication to SQL Server means you avoid storing credentials on the Web server and it also means that credentials are not sent across the internal network to the SQL Server computer. If you use SQL authentication, it is important to secure the connection string (containing a user name and password) within the application and as it is passed across the network. Use DPAPI or one of the alternative secure storage strategies discussed in Chapter 12, to store connection strings and use IPSec to protect the connection string (and sensitive application data) as it is passed between the Web service and database.
SSL between partner companies and Web service protects the data passed across the Internet.
IPSec between the Web service and database protects the data passed to and from the database on the corporate network. In some scenarios where the partner and publisher communicate over a private network, it may be possible to use IPSec for machine authentication in addition to secure communication.
The use of a duplicated local Windows account on the database server (one that matches the ASP.NET process account local to IIS) results in increased administration. Passwords must be manually updated and synchronized on a periodic basis.
Because .NET role-based security is based on Windows group membership, this solution relies on Windows groups being set up at the correct level of granularity to match the categories of users (sharing the same security privileges) who will access the application. In this scenario, Active Directory accounts must be a member of a Partner group.
The publisher company might publish non sensitive data such as soft copies of magazines, newspapers, and so on. In this scenario, the publisher can provide a unique username and password for each partner to connect with to retrieve the data from the Web service.
In this related scenario, the publisher’s Web site is configured to authenticate users with Basic authentication. The partner application uses the username and password to explicitly set the credentials for the Web service proxy.
For more information about configuring Web service proxies, see Chapter 10.
In this scenario the publisher company gives its partners exclusive access to its application over the Internet and provides a partner-portal application; for example, to sell services, keep partners updated with product information, and provide online collaboration and so on. This scenario is shown in Figure 6.3.
This scenario has the following characteristics:
The partner Web application accepts credentials either by using a Forms login page or it presents a login dialog using Basic authentication in IIS.
The credentials are validated against a separate Active Directory within the extranet perimeter network (also known as DMZ, demilitarized zone, and screened subnet). The extranet Active Directory is in a separate forest, which provides a separate trust boundary.
The database is accessed by a single trusted connection that corresponds to the ASP.NET Web application process identity.
Web application authorization is based on either a GenericPrincipal object (created as part of the Forms authentication process) or a WindowsPrincipal object (if Basic authentication is used).
The data retrieved from the Web application is sensitive and must be secured while in transit (internally within the publisher company and externally while flowing over the Internet).
Due to the sensitive nature of the data sent between the two companies over the Internet, it must be secured using SSL while in transit.
A firewall that permits only inbound connections from the IP address of extranet partner companies is used to prevent other unauthorized Internet users from opening network connections to the Web server.
Table 6.2. Security measures
Category | Detail |
|---|---|
Authentication |
|
Authorization |
|
Secure Communication |
|
Figure 6.4 shows the recommended security configuration for this scenario.
Configure IIS | |
|---|---|
Step | More Information |
To use Forms authentication, enable Anonymous access for the Web application’s virtual root directory | |
- or - | |
To use Basic authentication, disable Anonymous access and select Basic authentication | |
Step | More Information |
Set up Active Directory accounts to represent partner users | A separate extranet Active Directory is used. This is located in its own forest and is completely separate from the corporate Active Directory. |
Configure ASP.NET | |
|---|---|
Step | More Information |
Configure the ASP.NET Web application to use Windows authentication (for IIS Basic) - or - Configure ASP.NET to use Forms authentication | Edit Web.config in the Web service’s virtual root directory Set the <authentication> element to either: <authentication mode="Windows" /> - or - <authentication mode="Forms" /> |
Reset the password of the ASPNET account (used to run ASP.NET) to a known strong password | This allows you to create a duplicate local account (with the same user name and password) on the database server. This is required to enable the ASPNET account to respond to network authentication challenges from the database server, when it connects using Windows authentication. |
An alternative here is to use a least privileged domain account (if Windows authentication is permitted through the firewall). For more information, see "Process Identity for ASP.NET" in Chapter 8. | |
Edit Machine.config located in %windir%Microsoft.NETFrameworkv1.0.3705CONFIG | |
Set your custom account username and password attributes on the <processModel> element | |
Default <!-- userName="machine" password="AutoGenerate" --> | |
Becomes <!-- userName="machine" password="YourStrongPassword" --> | |
More Information | |
|---|---|
Create a Windows account on the SQL Server computer that matches the ASP.NET process account used to run the Web service (by default ASPNET) | The user name and password must match your ASP.NET process account. Give the account the following privileges:
|
Configure SQL Server for Windows authentication | |
Create a SQL Server Login for the ASPNET account | This grants access to the SQL Server. |
Create a new database user and map the login name to the database user | This grants access to the specified database. |
Create a new user-defined database role within the database and place the database user into the role | |
Establish database permissions for the database role | Grant minimum permissions See Chapter 12. |
ASP.NET on the Web server is running as a least privileged local account (the default ASPNET account), so potential damage from compromise is mitigated.
SSL is used between browser and Web application to protect the Forms or Basic authentication credentials (both passed in clear text, although Basic uses Base64 encoding). SSL also protects the application-specific data returned from the Web application.
For Forms authentication, SSL is used on all pages (not just the logon page) to protect the authentication cookie passed on all subsequent Web requests after the initial authentication.
If SSL is used only on the initial logon page to encrypt the credentials passed for authentication, you should ensure that the Forms authentication ticket (contained within a cookie) is protected, because it is passed between client and server on each subsequent Web request. To encrypt the Forms authentication ticket, configure the protection attribute of the <forms> element as shown below and use the Encrypt method of the FormsAuthentication class to encrypt the ticket.
<authentication mode="Forms"> <forms name="MyAppFormsAuth" loginUrl="login.aspx" protection="All" timeout="20" path="/" > </forms> </authentication>The protection="All" attribute specifies that when the application calls FormsAuthentication.Encrypt, the ticket should be validated (integrity checked) and encrypted. Call this method when you create the authentication ticket, typically within the application’s Login button event handler.
string encryptedTicket = FormsAuthentication.Encrypt(authTicket);
For more information about Forms authentication and ticket encryption, see Chapter 8.
Similarly, SSL is used on all pages for Basic authentication because the Basic credentials are passed on all Web page requests and not just the initial one where the Basic credentials are supplied by the user.
For Basic authentication, ASP.NET automatically creates a WindowsPrincipal object to represent the authenticated caller and associates it with the current Web request (HttpContext.User) where it is used by .NET authorization including PrincipalPermission demands and .NET roles.
For Forms authentication, you must develop code to validate the supplied credentials against Active Directory and construct a GenericPrincipal to represent the authenticated user.
Windows authentication to SQL Server means you avoid storing credentials on the Web server and it also means that credentials are not sent across the internal network to the SQL Server computer.
IPSec between the Web service and database protects the data passed to and from the database on the corporate network.
The use of a duplicated local Windows account on the database server (one that matches the ASP.NET process account local to IIS) results in increased administration. Passwords must be manually updated and synchronized on a periodic basis.
Basic authentication results in a pop-up dialog within the browser. To provide a more seamless logon experience, use Forms authentication.
For additional security, the extranet application can be built to require no connectivity back into the corporate network. In this scenario:
A separate SQL Server database is located in the extranet and replication of data occurs from the internal database to the extranet database.
Routers are used to refuse connections from the extranet to the corporate network. Connections can be established the other way using specific high ports.
Connections from the corporate network to the extranet should be performed through a dedicated server that has strong auditing and logging and through which users must authenticate before accessing the extranet.
See the following Microsoft TechNet articles:
"Extending Your Network to Business Partners"
"Deploying SharePoint Portal Server in an Extranet Environment"
For more information about using Forms authentication with Active Directory, see "Appendix " in the Reference section of this book.