 

How Web Api/ASP.NET windows authentication works?

According to the official asp.net site:

Integrated Windows authentication enables users to log in with their Windows credentials, using Kerberos or NTLM. The client sends credentials in the Authorization header

But among the advantages of this approach on the same page:

Built into IIS. Does not send the user credentials in the request.

It's a little confusing. So how does Windows Authentication really work in HTTP requests to Web API / ASP.NET?

Anton asked Nov 19 '22 13:11



1 Answer

ASP.NET Windows Authentication leverages a few technologies to make its implementation relatively transparent and seamless. The base authentication modes that are used are Kerberos and/or NTLM, which are explained below. Once the base authentication process is completed, IIS passes the results to ASP.NET. The results are either an authenticated or anonymous user. ASP.NET then starts building out an IPrincipal object which your application uses.

Kerberos

--------------             --------------
-            - ----(1)---> -            -  
-   Client   - <---(2)---- -   Domain   -  
-            - ----(3)---> - Controller -  
-            - <---(4)---- -            -  
--------------             --------------
     \     /\
     (5)    \
       \    (6)
       \/     \
     --------------
     -            -
     -     Web    -
     -   Server   -
     -            -
     --------------

(1) - Client requests TGT from KDC
(2) - KDC sends TGT to client
(3) - Client requests resource access from TGS with TGT
(4) - TGS sends session key and ticket to client
(5) - Client sends ticket to web server
(6) - Web server sends response to client

NTLM

--------------             --------------
-            - ----(1)---> -            -  
-   Client   - <---(2)---- -     Web    -  
-            - ----(3)---> -    Server  -  
-            - <---(6)---- -            -  
--------------             --------------
                              \     /\
                              (4)    \
                               \    (5)
                               \/     \
                            --------------
                            -            -
                            -   Domain   -
                            - Controller -
                            -            -
                            --------------

(1) - Client requests access with username from web server
(2) - Web server sends challenge message to client
(3) - Client encrypts challenge with password hash (NTLM response) and sends to web server
(4) - Web server sends username, challenge, and NTLM response to the domain controller
(5) - Domain controller checks NTLM response
(6) - Web server sends response to client

References:
https://learn.microsoft.com/en-us/windows/desktop/secauthn/microsoft-kerberos
https://learn.microsoft.com/en-us/windows/desktop/secauthn/microsoft-ntlm

Matt Rowland answered Dec 18 '22 18:12

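As an added illustration (not part of the answer above), here is a small Python parser for what step (3) of the NTLM exchange actually places in the Authorization header. The sample Type 3 message is constructed in the code, and the field layout follows the NTLMSSP AUTHENTICATE_MESSAGE format; the UNICODE flag is assumed to have been negotiated.

```python
import base64
import struct

# NTLMSSP Type 3 header: signature (8 bytes), message type (u32), then six
# "security buffers" (len u16, maxlen u16, offset u32) starting at byte 12 and the
# negotiate flags at byte 60. Each buffer points into the payload after the header.
_BUFFERS = ("lm_response", "nt_response", "domain", "user", "workstation", "session_key")
_STRING_BUFFERS = ("domain", "user", "workstation")


def parse_ntlm_authorization(header_value):
    """Decode an 'Authorization: NTLM <base64>' (or Negotiate) header value.

    For a Type 3 message, returns domain, user, workstation and the length of the
    NT challenge response. The password is never on the wire, only this response.
    """
    scheme, _, token = header_value.partition(" ")
    if scheme.upper() not in ("NTLM", "NEGOTIATE"):
        raise ValueError("not an NTLM/Negotiate Authorization header")
    msg = base64.b64decode(token)
    if msg[:8] != b"NTLMSSP\x00":
        raise ValueError("not an NTLMSSP message (Negotiate may carry a Kerberos/SPNEGO token)")
    msg_type = struct.unpack_from("<I", msg, 8)[0]
    if msg_type != 3:
        return {"type": msg_type}  # Type 1 (negotiate) or Type 2 (server challenge)
    result = {"type": 3}
    for i, name in enumerate(_BUFFERS):
        length, _maxlen, offset = struct.unpack_from("<HHI", msg, 12 + 8 * i)
        data = msg[offset:offset + length]
        if name in _STRING_BUFFERS:
            result[name] = data.decode("utf-16-le")  # assumes UNICODE flag negotiated
        elif name == "nt_response":
            result["nt_response_len"] = len(data)
    return result


def build_sample_type3(domain, user, workstation, nt_response):
    """Build a constructed Type 3 message for demonstration (not captured traffic)."""
    payload_parts = [b"", nt_response]  # empty LM response, then the NT response
    payload_parts += [s.encode("utf-16-le") for s in (domain, user, workstation)]
    payload_parts.append(b"")  # no encrypted session key
    header = b"NTLMSSP\x00" + struct.pack("<I", 3)
    offset = 12 + 8 * len(payload_parts) + 4  # payload begins right after the flags
    for part in payload_parts:
        header += struct.pack("<HHI", len(part), len(part), offset)
        offset += len(part)
    header += struct.pack("<I", 0x00000001)  # NTLMSSP_NEGOTIATE_UNICODE
    return "NTLM " + base64.b64encode(header + b"".join(payload_parts)).decode("ascii")
```

Run against a header captured from a proxy log or an IIS failed-request trace, it yields the account name and a challenge response, never the password, which is what the "does not send the user credentials" wording refers to.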