

Implementing Secured Web Applications with IIS5: Page 2

This article goes beyond the basics and describes what the X.509 certificate standard (profiled for the Internet by the IETF) is and how IIS implements it, how server certificates and the CRL (certificate revocation list) work, and many non-obvious details of the IIS client authentication security options. Enrico also explains IIS mapping and AD mapping, and the two flavors of the latter: UPN mapping and explicit mapping. Finally, the article discusses flowing identity in COM+ based Internet applications, including IIS Integrated security, IIS Basic security, and 1-to-1 client certificate mapping.





By default IIS's own (proprietary) mapping is active. You switch to AD mapping by enabling the Windows Directory Service Mapper checkbox in the Secure Communications dialog of the site's Directory Security property page (in the original screenshot, not reproduced here, the checkbox is greyed out because the IIS server is not a member of a Windows 2000 domain).

There are two kinds of AD mapping: UPN (User Principal Name) mapping and explicit mapping.
UPN mapping is implicit: the Windows security subsystem maps the certificate when the UPN carried in its Subject Alternative Name extension (if present) matches the userPrincipalName of a user registered in the domain, expressed in the form <username>@<domain name>. Because the account is chosen purely on the strength of that field, the issuing CA must be one the domain trusts to assert UPNs (it must be published in the enterprise NTAuth store); otherwise any CA able to put an administrator's UPN into a certificate could impersonate that administrator.
Explicit mapping must be defined on the user object in the Active Directory Users and Computers snap-in (the Name Mappings command, available when Advanced Features are shown): the certificate itself is attached to the account, so no UPN field is required.
IIS proprietary mapping involves more overhead than AD mapping, but it offers more flexibility in the kind of many-to-1 mapping you can define: rules that match wildcard patterns against subject and issuer fields, so that every certificate from a given CA or organizational unit is mapped to a single Windows account (the original article shows the rule editor in a screenshot not reproduced here).
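The UPN mapping decision described above, as an added example in Python (not code from the article, from IIS or from Windows): it builds two constructed Subject Alternative Name extensions, parses the Microsoft UPN otherName out of them the way the mapper must, and refuses to map a certificate whose issuer is outside a constructed stand-in for the enterprise NTAuth store. The CA names, account names and directory contents are assumptions made for the example; the only real identifier is the Microsoft Principal Name OID.

```python
# Added example, not code from the article or from IIS: a miniature of the
# decision the Windows Directory Service Mapper makes for UPN mapping.  Each
# certificate is reduced to the two inputs that decision needs, the issuer and
# the DER-encoded Subject Alternative Name extension.  CA list, directory and
# sample certificates are all constructed for the example.

# Microsoft "Principal Name" otherName type, 1.3.6.1.4.1.311.20.2.3, DER content bytes.
UPN_OID_DER = bytes.fromhex("2b060104018237140203")


def der(tag, body):
    """Minimal DER TLV encoder, used only to build the sample extensions."""
    assert len(body) < 128, "short-form lengths suffice for these samples"
    return bytes([tag, len(body)]) + body


def build_san(upn=None, email=None):
    """SubjectAltName ::= SEQUENCE OF GeneralName.  otherName is [0] IMPLICIT
    SEQUENCE { type-id OID, value [0] EXPLICIT ANY }, with a UTF8String value
    for a UPN; rfc822Name is [1] IMPLICIT IA5String."""
    names = b""
    if upn is not None:
        names += der(0xA0, der(0x06, UPN_OID_DER) + der(0xA0, der(0x0C, upn.encode("utf-8"))))
    if email is not None:
        names += der(0x81, email.encode("ascii"))
    return der(0x30, names)


def _read_tlv(buf, pos):
    """Read one TLV (single-byte tag, short or long length) from untrusted bytes."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        if pos + n > len(buf):
            raise ValueError("truncated DER")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:end], end


def _children(body):
    """All TLVs directly inside a constructed value, as (tag, content) pairs."""
    out, pos = [], 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        out.append((tag, value))
    return out


def extract_upns(san_der):
    """Every UPN carried in a SAN extension (a well-formed certificate has at most one)."""
    tag, body, end = _read_tlv(san_der, 0)
    if tag != 0x30 or end != len(san_der):
        raise ValueError("SAN extension is not a single SEQUENCE")
    upns = []
    for gn_tag, gn_body in _children(body):
        if gn_tag != 0xA0:                 # only otherName can carry a UPN
            continue
        parts = _children(gn_body)
        if len(parts) != 2 or parts[0][0] != 0x06 or parts[1][0] != 0xA0:
            raise ValueError("malformed otherName")
        if parts[0][1] != UPN_OID_DER:     # some other otherName type: ignore it
            continue
        inner = _children(parts[1][1])     # the [0] EXPLICIT wrapper around the value
        if len(inner) != 1 or inner[0][0] != 0x0C:
            raise ValueError("UPN value is not a UTF8String")
        upns.append(inner[0][1].decode("utf-8"))
    return upns


# Constructed stand-in for the enterprise NTAuth store: the only CAs allowed to assert a UPN.
ENTERPRISE_CAS = {"CN=Corp Issuing CA,DC=corp,DC=example,DC=com"}
# Constructed stand-in for the domain: userPrincipalName -> account.
DIRECTORY = {"alice@corp.example.com": "CORP\\alice",
             "bob@corp.example.com": "CORP\\bob"}


def map_certificate(issuer, san_der, trusted_cas=ENTERPRISE_CAS, directory=DIRECTORY):
    """Return the account a certificate maps to under UPN mapping, or None.

    Issuer trust is checked before the UPN is looked at: the UPN is only a
    claim, and any CA able to write it could otherwise become any user."""
    if issuer not in trusted_cas:
        return None
    upns = extract_upns(san_der)
    if len(upns) != 1:                     # none: nothing to map; several: ambiguous
        return None
    wanted = upns[0].lower()               # UPNs compare case-insensitively
    for upn, account in directory.items():
        if upn.lower() == wanted:
            return account
    return None


# Constructed sample certificates as (issuer, SAN extension) pairs.
CORP_CA = "CN=Corp Issuing CA,DC=corp,DC=example,DC=com"
CERT_ALICE = (CORP_CA, build_san(upn="Alice@Corp.Example.com", email="alice@example.com"))
CERT_EMAIL_ONLY = (CORP_CA, build_san(email="bob@example.com"))      # no UPN field at all
CERT_ROGUE = ("CN=Public CA,O=Elsewhere", build_san(upn="alice@corp.example.com"))

if __name__ == "__main__":
    for label, cert in (("alice", CERT_ALICE), ("email only", CERT_EMAIL_ONLY), ("rogue CA", CERT_ROGUE)):
        print(f"{label:10} -> {map_certificate(*cert)}")
```

Only the otherName with the Microsoft OID counts: the rfc822Name in Alice's certificate, although it looks like a UPN, is ignored, which is why the email-only certificate maps to nothing. The rogue certificate carries exactly the right UPN and is still refused, because the issuer check comes first; that check is the one thing you cannot leave to the mapper's string comparison.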

Flowing Identity in COM+ based Internet applications

If you want to provide an Internet entry point to an application based on configured COM+ components, you need to set up the IIS client authentication options so that each client's identity flows transparently from IIS to the COM+ application. Only then is the client's identity, rather than the web server's, the one role-based security is applied to; otherwise role-based security would be pretty useless.
To do so you have three options:

  • IIS Integrated security: as already said, this works for intranet scenarios only. 
    Note that if IE5 is the client browser and IIS5 runs on a server that is a member of a Windows 2000 domain, the client identity can hop to other servers (thanks to the delegate impersonation level available with Kerberos); otherwise (e.g. the web server is IIS4 on Windows NT, where NTLM yields a network logon token that carries no credentials to forward) you are forced to deploy the COM components in an MTS package on the same server where IIS runs, or the client identity does not survive the hop and role-based security sees the IIS process identity instead.
  • IIS Basic security (with the logon method set to interactive or batch) over HTTPS: this works with any browser. Basic authentication hands IIS the clear-text password, so the resulting logon token carries credentials that can authenticate to a COM+ application on another machine; HTTPS is mandatory because the password is merely base64-encoded on the wire.
  • 1-to-1 client certificate mapping: the certificate selects a Windows account and IIS logs that account on with the password stored in the mapping, so the same kind of token is obtained without the user ever typing a password.

The second option is the most widely used at present, but expect secured solutions based on certificates to become more and more common.


As you can see, IIS5 provides several authentication options. I suggest you find the one that best fits your application's security requirements and use it, instead of implementing some custom security mechanism based on a proprietary user account database. A custom solution will likely be less robust and will increase the administrative burden (nevertheless, I recognize that if you host your application at an ASP (application service provider) site, this is unfortunately the only option you have).



Enrico Sabbadin is a software developer (MCP) who has worked since 1995 on the design of distributed and Internet based applications on the Microsoft platform. He writes for several Italian programming magazines and for the ASPToday web site, and occasionally speaks at Microsoft MSDN conferences in Italy. Enrico maintains an MTS FAQ at his own site (http://www.sabbasoft.com).