Implementing Secured Web Applications with IIS5

You may have read my previous articles on the VB2TheMax site where I described COM+ and the basics of Internet security [1]. In this last article of the series I will discuss implementing a secured Internet based application using the security options provided by IIS5 to achieve:

  • Secured data transmission and integrity

  • Client and server authentication.

IIS Server authentication and data protection

The X.509 protocol (IETF standard) is the standard server authentication mechanism used over the Internet. IIS, of course, adheres to this standard. This protocol is based on certificates signed by a Certification Authority.
When the client requires server authentication the web server passes its certificate to the browser. Server authentication succeeds only if all the following steps complete successfully:

  • The client computer trusts the certification authority that signed the provided certificate.
  • The client uses the certification authority's public key to open the certificate and then verifies that the common name within the certificate matches the URL the browser is pointing to.
  • The client verifies that the certificate has not expired.

The browser may also check the CRL (certificate revocation list), whose URL is contained within the certificate, to see whether the certificate has been revoked before its expiry date.
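As an added example (not code from the original article), the following Python models the three browser-side checks listed above plus the optional CRL check. It runs against a constructed certificate in the dict shape Python's `ssl.SSLSocket.getpeercert()` returns; the CA name, host names, dates and serial numbers are made up for the example, and trust in the issuing CA is modelled as a name lookup because the signature check itself belongs to the TLS library.

```python
from datetime import datetime, timezone

# Constructed sample in the dict shape ssl.SSLSocket.getpeercert() returns for a
# parsed certificate; the names, dates and serial are made up for this example.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.test"),),),
    "issuer": ((("commonName", "Example Test CA"),),),
    "subjectAltName": (("DNS", "www.example.test"), ("DNS", "*.shop.example.test")),
    "notBefore": "Jan 10 00:00:00 2024 GMT",
    "notAfter": "Dec 31 23:59:59 2030 GMT",
    "serialNumber": "0A1B2C",
}

TRUSTED_CAS = {"Example Test CA"}   # CAs the client computer trusts (constructed)
REVOKED_SERIALS = {"DEADBEEF"}       # serials published in the CA's CRL (constructed)


def _field(name, key):
    """Pull one attribute (e.g. commonName) out of getpeercert()'s nested RDN tuples."""
    for rdn in name:
        for k, v in rdn:
            if k == key:
                return v
    return None


def _parse_time(text):
    """Parse getpeercert()'s 'Mon DD HH:MM:SS YYYY GMT' timestamps as UTC."""
    return datetime.strptime(text, "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)


def _name_matches(pattern, hostname):
    """Case-insensitive DNS name match; a leading '*.' stands for exactly one label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        labels = hostname.split(".")
        return len(labels) > 1 and ".".join(labels[1:]) == pattern[2:]
    return pattern == hostname


def check_server_cert(cert, hostname, now=None, trusted_cas=TRUSTED_CAS, revoked=REVOKED_SERIALS):
    """Run the browser-side checks and return (ok, reasons).

    reasons lists every failed check rather than stopping at the first one, which is
    what you want when auditing a server's certificate. `now` may be a datetime or a
    timestamp string in the certificate's own format; it defaults to the current time.
    """
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):
        now = _parse_time(now)
    reasons = []

    # 1. The issuing CA must be one the client trusts. The cryptographic signature
    #    check is done by the TLS library; here trust is modelled as a name lookup.
    if _field(cert["issuer"], "commonName") not in trusted_cas:
        reasons.append("untrusted issuer")

    # 2. The name in the certificate must match the URL the browser is pointing to.
    #    Modern clients use the subjectAltName DNS entries and only fall back to the
    #    commonName when the extension is absent.
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    common_name = _field(cert["subject"], "commonName")
    if not names and common_name:
        names = [common_name]
    if not any(_name_matches(n, hostname) for n in names):
        reasons.append("hostname mismatch")

    # 3. The certificate must be inside its validity period.
    if not (_parse_time(cert["notBefore"]) <= now <= _parse_time(cert["notAfter"])):
        reasons.append("expired or not yet valid")

    # 4. Optional CRL check: revoked before its expiry date.
    if cert.get("serialNumber") in revoked:
        reasons.append("revoked")

    return (not reasons, reasons)
```

Collecting every failed reason instead of returning on the first one makes the function useful as an audit tool: a certificate that is both expired and issued for the wrong name shows up with both problems in a single run.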
If the client accepts the server certificate, it starts the handshake phase of the Secure Sockets Layer (SSL) protocol to set up secured data transmission (the SSL, aka TLS, protocol is a private key algorithm based on a session key).
During the handshake phase the client sends a session key to the server, encrypted with the server's public key. Only the server can decrypt the session key, because only it knows the corresponding private key.
Once the server and the client share the session key securely, the communication can proceed protected as desired.
Asymmetric encryption (based on certificates) is limited to the handshake phase only, because symmetric algorithms (such as the session cipher SSL uses) are far more efficient at encrypting and decrypting data than asymmetric ones.
Note that server authentication and data encryption are tightly coupled. Theoretically SSL can be used without server authentication, but in the real world this never happens, since it’s pretty useless to require data protection when you are possibly talking to a rogue server.
The use of certificates and SSL in the way described above is commonly referred to as the HTTPS protocol.

IIS client authentication security options

IIS client authentication is all about mapping identities that hit the web server via the HTTP protocol to an identity recognized within a Windows domain. According to the IIS application security setting, the IIS thread serving the request impersonates a particular identity, thus all access checks (file access, ASP scripts, etc.) are done against the thread identity, not the IIS process identity.
This identity is used to apply access checks for:

  • File system access checks on NTFS drives when requesting HTML or ASP pages
  • Access checks required during the execution of ASP scripts (the identity flows transparently to the ASP execution context)
  • Activation and access checks for standard and configured COM+ components
  • Role based security for configured COM+ components (use Server.CreateObject, not CreateObject, or the process (IIS) identity will be used instead)
  • Database access executed within the ASP script when connecting to SQL Server using Windows integrated security.

There are 5 possible security settings you can define for your IIS application to provide client authentication:

  • Anonymous: All requests are mapped to a single domain user. The default user is IUSR_ but you can change it if you like.
  • Basic: When you request a resource (HTML or ASP page) residing in a virtual directory that requires Basic authentication, the browser prompts you for username and password. The thread that IIS picks up to fulfill the request tries to log on to a domain defined in the virtual directory settings (not necessarily the one the IIS server is registered in) using the information typed by the client. This security mechanism works with IE and Netscape but has a big drawback: the user password is sent in clear text. This issue is generally solved by requiring HTTPS communication; in this way the whole communication, hence the password as well, is sent encrypted.
    The IIS thread can be configured to perform different logon types into the domain, that is, you can instruct IIS to call LogonUser with Interactive (the default), Batch or Network logon. These settings cannot be configured using the IIS administrative snap-in; they are accessible only through the IIS ADSI programming interface. For further details see [2].
  • Digest (not available under IIS4): It’s a new standard security protocol based on a challenge-response mechanism. It’s supported on IE5 and IIS5 only. Digest authentication is not so appealing because the web server must reside on the PDC to work.
  • Integrated (SPNEGO): This Microsoft proprietary authentication protocol performs a standard logon session over HTTP (just like when you hit ALT+CTRL+DEL); you are asked for a username, a password AND a domain. The actual protocol used is negotiated between NTLM and Kerberos. Kerberos is used if the browser is IE5 running on a Windows 2000 computer and the web server is IIS5 running on a computer registered in a Windows 2000 domain. Integrated authentication is supported only by IE and doesn’t work across proxies, hence it can be used only in Intranet scenarios.
  • Client Certificate Mapping: when a virtual directory is configured to run over an HTTPS connection, you can instruct IIS to require client authentication via client certificates. If you do so, when connecting to the virtual directory the user is prompted to provide a certificate. This certificate is then mapped by IIS to a domain account in a 1-to-1 or many-to-1 way.
    There are two ways to set up certificate mapping:
    • Proprietary IIS mapping
    • Active Directory (AD) mapping

    By default proprietary IIS mapping is activated. You can switch to AD mapping just by enabling the Windows Directory Service Mapper checkbox, as shown below (in this picture the checkbox is disabled because IIS is not registered in a Windows 2000 domain).

There are two kinds of AD mapping: UPN (Unique Principal Name) mapping and explicit mapping.
The former is an implicit mapping done by the Windows security services when they find a match between the UPN field of the certificate (if present) and the UPN of a user (expressed in the form @) registered in the domain.
The latter must be defined explicitly in the Active Directory administrative snap-in.
IIS proprietary mapping involves more overhead compared to AD mapping, but it offers more flexibility over the type of many-to-1 mapping you can define (see figure below).
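To make the difference between the mapping styles concrete, here is an added Python model (not the article's or IIS's own code) of how a validated client certificate is resolved to a domain account: implicit UPN matching and explicit entries for AD mapping, and 1-to-1 entries followed by ordered many-to-1 rules for IIS proprietary mapping. The accounts, fingerprints, rule format and certificates are all constructed for the example; the rule keys such as `subject.OU` are a hypothetical notation, not an IIS configuration syntax.

```python
from fnmatch import fnmatchcase

# Constructed domain accounts keyed by UPN (user@domain form) for implicit UPN mapping.
DIRECTORY_USERS = {
    "alice@example.test": r"EXAMPLE\alice",
    "bob@example.test": r"EXAMPLE\bob",
}

# Constructed explicit 1-to-1 mappings: one specific certificate, identified here by
# its fingerprint, to one account (hypothetical "sha1:" fingerprint strings).
ONE_TO_ONE = {
    "sha1:0123456789abcdef0123456789abcdef01234567": r"EXAMPLE\bob",
}

# Constructed many-to-1 rules, evaluated in order: every certificate whose fields match
# all the listed criteria (shell-style wildcards allowed) is mapped to one shared account.
MANY_TO_ONE = [
    {"match": {"issuer.O": "Example Test CA", "subject.OU": "Sales*"},
     "account": r"EXAMPLE\SalesWebUser"},
    {"match": {"issuer.O": "Example Test CA"},
     "account": r"EXAMPLE\PartnerWebUser"},
]

# Constructed client certificates, already validated (trusted CA, in date, not revoked):
# mapping only ever runs on certificates that passed those checks.
SAMPLE_CERTS = {
    "alice": {"fingerprint": "sha1:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
              "subject": {"CN": "Alice Example", "OU": "Sales EMEA"},
              "issuer": {"CN": "Example Test CA", "O": "Example Test CA"},
              "upn": "alice@example.test"},
    "bob": {"fingerprint": "sha1:0123456789abcdef0123456789abcdef01234567",
            "subject": {"CN": "Bob Example", "OU": "Engineering"},
            "issuer": {"CN": "Example Test CA", "O": "Example Test CA"},
            "upn": None},
    "partner": {"fingerprint": "sha1:cccccccccccccccccccccccccccccccccccccccc",
                "subject": {"CN": "Partner Gateway", "O": "Partner Inc"},
                "issuer": {"CN": "Example Test CA", "O": "Example Test CA"},
                "upn": None},
}


def _rule_matches(cert, criteria):
    """True when every 'part.field' criterion (e.g. 'subject.OU') matches the certificate."""
    for key, pattern in criteria.items():
        part, field = key.split(".", 1)
        value = cert.get(part, {}).get(field)
        if value is None or not fnmatchcase(value, pattern):
            return False
    return True


def map_certificate(cert, mapper):
    """Return the domain account a validated client certificate maps to, or None.

    mapper="ad":  Active Directory mapping: implicit UPN match first, then the
                  explicit 1-to-1 mappings defined in the AD snap-in.
    mapper="iis": proprietary IIS mapping: 1-to-1 first, then many-to-1 rules in order.
    None means no mapping exists, and the caller should deny the request rather
    than let it run under some default identity.
    """
    if mapper == "ad":
        upn = (cert.get("upn") or "").lower()
        if upn in DIRECTORY_USERS:
            return DIRECTORY_USERS[upn]
        return ONE_TO_ONE.get(cert.get("fingerprint"))
    if mapper == "iis":
        account = ONE_TO_ONE.get(cert.get("fingerprint"))
        if account is not None:
            return account
        for rule in MANY_TO_ONE:
            if _rule_matches(cert, rule["match"]):
                return rule["account"]
        return None
    raise ValueError("unknown mapper: %r" % mapper)
```

Note how the same partner certificate is refused under AD mapping (no UPN, no explicit entry) but accepted under IIS mapping through the catch-all issuer rule: that flexibility is exactly what makes many-to-1 rules worth reviewing carefully, since a rule that matches on the issuer alone grants the shared account to every certificate that CA ever issues.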

Flowing Identity in COM+ based Internet applications

If you want to provide an Internet entry point to an application based on configured COM+ components, what you need is to set up the proper IIS client authentication options so that each client identity flows transparently from IIS to the COM+ application. In this way the identity of the client is used when applying role based security (otherwise role based security would be pretty useless).
To do so you have three options:

  • IIS Integrated security: as already said, this works for Intranet scenarios only.
    Note that if IE5 is used as the client browser and IIS5 is running on a server registered in a W2K domain, you can hop the client identity to other servers (thanks to the delegate impersonation level available when using Kerberos); if this is not the case (e.g. the web server is IIS4 on Windows NT), you are forced to deploy COM components in an MTS package residing on the same server where IIS runs, otherwise the IIS process identity will be used when applying role based security.
  • IIS Basic security (requiring interactive or batch logon) over HTTPS: this works with any browser.
  • 1-to-1 client certificate mapping.

The second option is the most widely used at present, but expect secured solutions based on certificates to become more and more common in the future.
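Because the second option is only as safe as the HTTPS requirement behind it, the following added Python example (not code from the article) shows the concrete risk: it decodes the `Authorization: Basic` header from constructed request records in the form the server sees them, with an HTTPS on/off flag standing in for the server variable that tells you whether the request arrived over SSL, and flags any Basic credentials that came in on a plain HTTP connection. The host names, paths and the `alice`/`secret` credential are made up; the finding reports the user name only and never the password.

```python
import base64
import binascii

# Constructed IIS-side request records: what the server sees after any SSL decryption,
# with the "https" flag telling us whether the wire itself was protected.
SAMPLE_REQUESTS = [
    {"https": "off", "raw": "GET /secure/default.asp HTTP/1.1\r\nHost: intranet.example.test\r\n"
                            "Authorization: Basic YWxpY2U6c2VjcmV0\r\n\r\n"},
    {"https": "on",  "raw": "GET /secure/default.asp HTTP/1.1\r\nHost: www.example.test\r\n"
                            "Authorization: Basic YWxpY2U6c2VjcmV0\r\n\r\n"},
    {"https": "off", "raw": "GET /public/index.html HTTP/1.1\r\nHost: www.example.test\r\n\r\n"},
    {"https": "off", "raw": "GET /secure/default.asp HTTP/1.1\r\nHost: intranet.example.test\r\n"
                            "Authorization: Negotiate TlRMTVNTUAABAAAA\r\n\r\n"},
]


def parse_request(raw):
    """Split a raw HTTP request into its request line and a lower-cased header dict."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def decode_basic(auth_value):
    """Return (user, password) from an 'Authorization: Basic ...' value, or None.

    Base64 is an encoding, not encryption: anyone on the path can reverse it, which is
    why Basic authentication is only acceptable inside an HTTPS connection.
    """
    scheme, _, token = auth_value.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("latin-1")
    except (binascii.Error, ValueError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def audit(requests):
    """Flag Basic credentials carried on unprotected connections (password redacted)."""
    findings = []
    for record in requests:
        request_line, headers = parse_request(record["raw"])
        creds = decode_basic(headers.get("authorization", ""))
        if creds is not None and record["https"] != "on":
            findings.append({
                "host": headers.get("host", "?"),
                "request": request_line,
                "user": creds[0],
                "issue": "Basic credentials sent over plain HTTP; require SSL on this virtual directory",
            })
    return findings
```

Run `audit(SAMPLE_REQUESTS)` and only the first record is reported: the same header over HTTPS is fine, the public page carries no credential, and the Negotiate token is not a Basic credential at all. The fix on the IIS side is the one the article gives, requiring SSL on every virtual directory that uses Basic authentication, so that this finding can never occur.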

Conclusion

As you can see, IIS5 provides you with different authentication options. I suggest you find the one that best fits your application's security requirements and use it, instead of implementing some custom security mechanism based on a proprietary user account database. A custom solution will likely be less robust and will increase the administrative burden (nevertheless, I recognize that, if you host your application at an ASP site, this is unfortunately the only option you have).

References

[1] Security For the Global Internet, vb2themax, Enrico Sabbadin
[2] Web Security part 2, MSDN Magazine, June 2000, Keith Brown
