Microsoft Solutions for Security and Compliance Microsoft Identity and Access Management Series


Microsoft Solutions for Security and Compliance
Microsoft Identity and Access Management Series
Developing Identity-Aware ASP.NET Applications

© 2006 Microsoft Corporation. This work is licensed under the Creative Commons Attribution-NonCommercial License. To view a copy of this license, visit or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.

Contents

Chapter 1: Introduction to the Developing Identity-Aware ASP.NET Applications Paper
    Executive Summary
    The Business Challenge
    The Business Benefits
    Who Should Read This Paper
    Reader Prerequisites
    Feedback
    Paper Overview
    Solution Scenarios

Chapter 2: Approaches to Developing Identity-Aware ASP.NET Applications
    Considerations and Best Practices
    Authentication
    Windows-Integrated Authentication
    Forms-based Authentication
    Authorization
    The Access Control List Model
    The Role-Based Access Control Model
    Identity Flow
    The Delegation Model
    The Trusted Subsystem Model
    Choosing a Model for Identity Flow and Authorization
    Combining the Models
    Security Auditing

Chapter 3: Issues and Requirements
    ASP.NET Intranet Applications
    Background
    Business Issues
    Technical Issues
    Security Issues
    Solution Requirements
    ASP.NET Extranet Applications
    Background
    Business Issues
    Technical Issues
    Security Issues
    Solution Requirements

Chapter 4: Designing the Solution
    ASP.NET Intranet Applications
    Solution Concept
    Solution Prerequisites
    Solution Architecture
    How the Solution Works
    ASP.NET Extranet Applications
    Solution Concept
    Solution Prerequisites
    Solution Architecture
    How the Solution Works

Chapter 5: Implementing the Solution
    Tools and Templates
    Folders: CS and VB
    ASP.NET Intranet Applications
    Implementation Prerequisites
    Implementation Overview
    Launching the Sample Intranet ASP.NET Application
    ASP.NET Extranet Applications
    Implementation Prerequisites
    Implementation Overview
    Launching the Sample Extranet ASP.NET Application

Chapter 6: Testing the Solution
    Validating the Implementation Prerequisites
    Basic Test 1: Verify Your Domain Controller Functionality
    Basic Test 2: Verify Your Web Server Functionality
    Basic Test 3: Verify Your SQL Server Functionality
    Basic Test 4: Verify Your Network Connectivity
    ASP.NET Intranet Applications
    Validating the Intranet Application Scenario
    Troubleshooting the Intranet Application Scenario
    ASP.NET Extranet Applications
    Validating the Extranet Application Scenario
    Troubleshooting the Extranet Application Scenario
    Authentication Configuration Summary
    Stress and Unit Testing
    The Trusted Subsystem Model
    The Delegation Model
    Unit Testing
    Stress and Load Tests

Chapter 7: Deployment Considerations
    Deploying the Intranet and Extranet Applications
    Configure Anonymous Access
    Authorization Manager

Links

Acknowledgments


Chapter 1: Introduction to the Developing Identity-Aware ASP.NET Applications Paper

Executive Summary

Organizations today are looking for guidance on how to avoid introducing new directories and authentication schemes that increase complexity and undermine the goals of a successful identity and access management strategy. This paper provides guidelines for developing applications that use the directory and security services of the Microsoft Windows platform. Specifically, the paper discusses identity considerations and guidelines when developing Microsoft ASP.NET multitier extranet and intranet Web applications. You can develop these applications using Microsoft Visual Studio .NET and Microsoft Windows Server 2003 directory and security services. This paper is part of the Microsoft Identity and Access Management Series.

The Business Challenge

Most organizations accumulate legacy applications that do not integrate well with each other or with enterprise directory services. The challenge for these organizations is to create an architectural model that will better integrate their applications. The goals of this model could include one or more of the following:

- The ability to develop line-of-business (LOB) applications more rapidly.
- Achieve greater security.
- Capitalize on a consistent authorization policy model and data.
- Effectively use existing provisioning mechanisms.
- Provide secure access for different types of users.
- Meet the authentication, authorization, and audit requirements of new industry and government regulations.

The Business Benefits

A strategy and architecture for developing identity-aware applications helps organizations achieve the following benefits:

- Reduce application development costs for faster time to market.
- Develop more robust applications.
- Confront fewer vulnerabilities.
- Reuse existing mechanisms and solutions.
- Obtain more secure access control.
- Comply with regulatory requirements.

Who Should Read This Paper

The intended audience for this paper includes architects, developers, technical decision makers, and consultants involved in identity and access management efforts.

Reader Prerequisites

This paper assumes the reader has a moderate knowledge of identity and access management concepts and technologies, as described in the Fundamental Concepts paper in this series. Understanding and implementing the solutions in this paper requires a good familiarity with the Intranet Access Management and Extranet Access Management papers in this series; Microsoft strongly recommends reading both papers before continuing with this one. Readers who wish to use the code samples provided with this paper should be familiar with developing ASP.NET applications in Visual Studio .NET.

Note: This paper does not cover all of the details you should consider for writing secure code and ensuring application security. It only covers topics that are specifically concerned with the use of digital identities in ASP.NET applications within a Windows Server 2003 environment. For more information about end-to-end application security and writing secure code, see the following resources:

- Building Secure ASP.NET Applications: Authentication, Authorization, and Secure Communication on MSDN.
- Writing Secure Code, Second Edition.

Feedback

Please direct questions and comments about this guide to

Paper Overview

This paper consists of the following seven chapters:

Chapter 1: Introduction to the Developing Identity-Aware ASP.NET Applications Paper
This chapter provides an executive summary, the recommended audience for the paper, and an overview of each chapter in the paper. The chapter also introduces the specific solution scenarios that will be discussed in chapters 3 through 7.

Chapter 2: Approaches to Developing Identity-Aware ASP.NET Applications
This chapter provides background information about several authentication approaches for clients using browsers in intranet and extranet applications for business-to-business (B2B), business-to-employee (B2E), and business-to-consumer (B2C) scenarios. It discusses authorization and the various ways that you can flow identity across application tiers, including the pros and cons of each method. The chapter also discusses auditing, and how to ensure that the appropriate security events are logged for each of the techniques described.

Chapter 3: Issues and Requirements
This chapter introduces the business problems that Contoso Pharmaceuticals (the fictitious company used in this series) faces, and then outlines the business issues, technology issues, and security issues that Contoso has identified for each solution scenario. It then highlights the key requirements of each solution that Contoso will build.

Chapter 4: Designing the Solution
This chapter discusses the solution concept, architecture, necessary prerequisites, and how each of the scenario solutions works.

Chapter 5: Implementing the Solution
This chapter describes the tools and templates that are available for this paper, and provides the prescriptive steps required to implement the solutions that Contoso built for each scenario.

Chapter 6: Testing the Solution
This chapter describes how to validate the implemented solution scenarios and includes some troubleshooting steps and testing techniques to help you with common implementation challenges.

Chapter 7: Deployment Considerations
This chapter discusses several topics for consideration specific to deploying identity-aware ASP.NET solutions, such as using setup applications and custom installers.

Solution Scenarios

The scenarios in this paper are based on Contoso Pharmaceuticals, the fictitious company introduced in this series in the Platform and Infrastructure paper. In addition to a general discussion of identity-aware development approaches, this paper also provides detailed prescriptive guidance for implementing intranet and extranet ASP.NET applications that are integrated with Active Directory. The scenarios were compiled to illustrate the typical challenges organizations face, and include guidance on how you can use Microsoft technologies to address them. Chapters 3 through 7 focus entirely on the ASP.NET intranet and extranet solution scenarios.

ASP.NET Intranet Applications

This solution scenario discusses the solution template that Contoso Pharmaceuticals built to ensure that all of the company's intranet ASP.NET applications properly use Windows Server 2003 directory and security services. This scenario discusses Contoso employees who need to access Contoso applications using a Web browser and Windows-integrated authentication. The sample code for this scenario shows two ways to pass identity information between tiers, how to implement different types of authorization, and how to access back-end resources. The Windows platform provides security event logging for auditing purposes.

ASP.NET Extranet Applications

This solution scenario discusses the solution template that Contoso Pharmaceuticals built to ensure that all of the company's extranet ASP.NET applications properly use Windows Server 2003 directory and security services. This scenario discusses client authentication mechanisms for the following types of extranet access for users who must access the same application:

- B2B. Partners access the extranet application using a Web browser and Forms-based authentication.
- B2E. Employees access the extranet application using Microsoft Internet Explorer and X.509 certificates.
- B2C. Customers access the extranet application using a Web browser and Microsoft Passport authentication.

Note: See the Identity Aggregation and Synchronization paper in this series for more information about how Contoso provisions employee certificates.

The sample code for this scenario shows two ways to pass identity information between tiers, how to implement different types of authorization, and how to access back-end resources. Security event logging for auditing purposes is provided by the Windows platform in the B2E and B2C scenarios for both authentication and authorization. The B2B scenario uses custom Forms-based authentication, and the application provides auditing for authentication. Authorization auditing is provided by the Windows platform.

Chapter 2: Approaches to Developing Identity-Aware ASP.NET Applications

There are four fundamental areas that application architects and developers need to consider when developing identity-aware ASP.NET applications. These areas are:

- Approaches for authentication. These approaches focus on determining which authentication method is appropriate. These methods are described later in this chapter and in the Intranet Access Management and Extranet Access Management papers in this series.
- Approaches for authorization. These approaches focus on determining which of the two fundamental models for authorization is appropriate for your organization, or whether they can be combined. These models are described later in this chapter.
- Approaches for passing identity information between application tiers. These approaches focus on determining which of the three identity flow models are appropriate, or whether they can be combined. These models are described later in this chapter.
- Approaches for security auditing. These approaches focus on determining where and how to implement security auditing.

The choices you make in these areas also affect testing and deployment of the identity-aware code. On the Microsoft Windows platform, well-integrated applications require implementation of little or no identity-aware code. This paper provides information about what application developers need to write by providing common scenarios to illustrate how they and application architects can integrate applications with your infrastructure.

Considerations and Best Practices

The application developer and architect have the greatest potential to directly influence how applications integrate with the organization's identity and access management infrastructure. In general, applications that rely on either platform or widely-deployed middleware security services integrate well with the larger infrastructure.
Applications that integrate well also are:

- Easier to manage because they do not introduce additional user identity stores.
- More secure than one-off application developer-designed security mechanisms.
- Easier to integrate with other software systems, because it is easier to find a common ground for interoperability.

For these reasons, this paper will focus on integrating applications with Windows security services for both authentication and authorization. Because Windows security services operate by default with the Microsoft Active Directory directory service, it is a derivative best practice to authenticate users against Active Directory. Although you could use other types of identity stores in certain scenarios, for example Active Directory Application Mode (ADAM) or Microsoft SQL Server, these are not recommended in general because they offer less flexibility in how you can perform user authentication.

The application architect should, as a rule, design systems that are robust and modular. Application changes should not be required to take advantage of new ways to authenticate or authorize users. The security services provided by the Windows platform were designed with exactly this requirement in mind, and these services will evolve over time to support and integrate seamlessly with emerging industry standards, such as Web Services-Security and Security Assertion Markup Language (SAML).

Authentication

The Windows platform supports many different authentication mechanisms. The general characteristics of these mechanisms are described in Chapter 6, Access Management, of the Fundamental Concepts paper in this series. The Intranet Access Management paper in this series also describes how the Kerberos version 5 authentication protocol works on the Windows platform, as well as how Windows-integrated authentication works between Microsoft Internet Explorer and Microsoft Internet Information Services (IIS). This chapter also introduces a few additional authentication considerations that are specific to ASP.NET applications.

When designing an ASP.NET application, it is important to understand that authentication occurs at many levels. For example, authentication happens when each of the following events takes place:

- A browser client authenticates to a Web server.
- The Web server authenticates to an application server.
- The application server authenticates to a back-end resource server.

Figure 2.1. Relationships in the role-based access control (RBAC) model

It is equally important for the application architect to understand the differences between intranet and extranet environments. For example:

- Some authentication mechanisms cannot be used in the extranet environment due to network and firewall configuration.
- Intranet and extranet environments are connected through different means. The Extranet Access Management paper in this series discusses approaches for connecting these environments using domain trust, PKI trust, and shadow accounts.

Because of these constraints and differences, application architects need to carefully choose, and sometimes combine, authentication mechanisms for their applications.

Windows-Integrated Authentication

For most intranet scenarios the recommended approach is to choose Windows-integrated authentication and the Kerberos authentication protocol as an end-to-end solution. This approach works well on the Windows platform, and when you are integrating with other platforms that support the Kerberos version 5 protocol. The Intranet Access Management paper in this series describes this type of integration with third-party applications and platforms, such as UNIX, SAP R/3 Application Server, mainframes, J2EE, and so on.

For applications hosted in the extranet there are several "integrated" authentication mechanisms that you can use other than the Kerberos protocol or NTLM. The available authentication protocols include Microsoft Passport, Secure Sockets Layer (SSL) client authentication, Basic, and Digest authentication. These mechanisms are fully described in the Extranet Access Management paper in this series. This paper will describe in more detail how ASP.NET applications in particular can take advantage of the authentication mechanisms that are implemented in and integrated with IIS.

The important aspect of IIS-integrated authentication mechanisms for developers is that the ASP.NET application does not need any additional code in order to perform authentication. The IIS host provides all authentication. This is a tremendous advantage when an organization is trying to standardize the development process. Because all authentication is controlled by configuration on the Web server, there is no code in the application to standardize.

An additional important aspect of IIS-integrated authentication mechanisms is that a Windows security context (in the form of an "impersonation token") is created as a result of every successful authentication. Depending on the configuration of the ASP.NET application, IIS will attach the impersonation token to the current request before invoking the ASP.NET application. Generally, this approach provides a simple and efficient way to make authorization decisions using a variety of mechanisms.

Forms-based Authentication

Another authentication option that is especially suitable and appealing for the extranet is Forms-based authentication, which is conceptually straightforward. The Web application presents a "form" to the user that asks for credentials, most often a user name and password. After this information is collected, the application is then responsible for validating that the credentials provided match the user object in some identity store.

Forms-based authentication differs from IIS-integrated authentication in that the application implements the collection and verification of credentials. This approach gives the application more flexibility in how to validate the credentials themselves, as well as the opportunity to handle authentication failures more gracefully by providing additional information to the user.

Although it is possible to validate credentials (passwords) collected through Forms-based authentication by using an identity store other than Active Directory, this approach will not be discussed in this paper. When authenticating against Active Directory, there are two basic approaches to validating user credentials that apply:

- Credential validation using Lightweight Directory Access Protocol (LDAP).
- Credential validation using Windows security services.

Credential Validation Using LDAP

One approach is to authenticate the user using LDAP bind. Within the context of ASP.NET applications, this approach offers a couple of advantages:

- The application is not bound to Active Directory because other LDAP v3-compliant directories support this method.
- The application programming interface (API) used to validate credentials through this mechanism is part of a managed class called System.DirectoryServices.

The disadvantages of the LDAP bind approach include:

- If the application requires access to local resources using the security context of the user (impersonation), then the application must be given extensive local privileges ("Act as Part of the Operating System") in order to generate an impersonation token for the authenticated user using the LsaLogonUser() API.

  Note: The application could use the LogonUser() API to generate an impersonation token if it saved the password in memory or shared state (if the application runs in a Web farm) and if it was running on Windows Server 2003 or later. If both of these conditions are met, then elevated privileges would not be required. However, it is strongly recommended that applications do not persist passwords in application memory or shared state. Because it is assumed that a password is not available, only the Protocol Transition approach (described later in this chapter) can be used. This approach requires elevated privileges for the application.

- "One-hop" delegation (described in the "Identity Flow" section of this paper) will not be possible because there are no credentials associated with the authenticated user context.

There are two additional points to consider when discussing credential validation using LDAP bind:

- The .NET Framework System.DirectoryServices class implements LDAP bind in the most secure manner. If the application developer uses another interface for LDAP bind, such as the native Win32 API, then they must ensure that plaintext passwords are not transmitted over the network. See the Intranet Access Management paper in this series for more information about security considerations when using LDAP bind.
- The recommended mechanism in this paper for acquiring and using authorization information related to the authenticated user is Windows Authorization Manager. While this is discussed in detail below, the reader should note that Windows Authorization Manager takes advantage of Windows platform services in order to generate and cache authorization information from Active Directory in a very efficient and carefully designed manner regardless of how authentication is accomplished. If the application developer chooses to use some other authorization approach, then the developer will likely need to revisit how authentication is implemented by the application in order to ensure that the application does not overload the domain controller by repeated authentication and authorization data requests.
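
Credential validation through an LDAP bind, as described in the section above, shown here as an added example that is not code from the paper or its sample download. The LDAP path is a placeholder assumption, and the class, constant, and method names are hypothetical.

```csharp
using System;
using System.DirectoryServices;
using System.Runtime.InteropServices;

// Added example: validates credentials collected by a Forms login page
// with an LDAP bind against Active Directory.
// LdapCredentialValidator, LdapPath and Validate are hypothetical names.
public static class LdapCredentialValidator
{
    // Assumption: placeholder path; point this at your own domain.
    private const string LdapPath = "LDAP://DC=contoso,DC=example";

    // HRESULT form of ERROR_LOGON_FAILURE (unknown user name or bad password).
    private const int LogonFailure = unchecked((int)0x8007052E);

    // Returns true only when the directory accepted the supplied credentials.
    // The password is used for the bind and is not stored anywhere.
    public static bool Validate(string domain, string userName, string password)
    {
        // Reject missing input before binding. A bind made without explicit
        // credentials runs as the worker process identity, so it would
        // "succeed" for any visitor who left the form empty.
        if (string.IsNullOrEmpty(domain) ||
            string.IsNullOrEmpty(userName) ||
            string.IsNullOrEmpty(password))
        {
            return false;
        }

        try
        {
            // AuthenticationTypes.Secure negotiates Kerberos or NTLM, so the
            // password does not cross the network in plaintext.
            using (DirectoryEntry entry = new DirectoryEntry(
                LdapPath,
                domain + "\\" + userName,
                password,
                AuthenticationTypes.Secure))
            {
                // DirectoryEntry binds lazily; reading NativeObject forces the
                // bind, which is the actual credential check.
                object bound = entry.NativeObject;
                return bound != null;
            }
        }
        catch (COMException ex)
        {
            // Bad user name or password: report a failed validation.
            if (ex.ErrorCode == LogonFailure)
            {
                return false;
            }

            // Anything else (directory unreachable, bad path, and so on) is an
            // infrastructure fault. Let it propagate so it is logged as such
            // and never mistaken for a user typing the wrong password.
            throw;
        }
    }
}
```

A successful bind yields only a yes or no answer. It produces no Windows token, which is why the impersonation and one-hop delegation limits listed above apply to this approach.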

Credential Validation Using Windows Security Services

Another approach to consider is the use of Windows security services, specifically the native Win32 LogonUser() API, to validate the credentials. On the Windows platform, this approach has several advantages:

- The application does not require any additional privileges in order to create an impersonation token that can be used to access local server resources in the user's context.

  Note: This represents a modification between Microsoft Windows 2000 Professional and Windows Server 2003. On the Windows 2000 platform, applications require the Act as part of the operating system privilege to be enabled in order to call the LogonUser() API.

- One-hop delegation (described in the Identity Flow section of this paper) works by default.
- Application authorization code often depends on the authentication mechanism. By using LogonUser(), the starting point for authorization is identical for Forms-based authenticated users, and users who are authenticated using Windows Integrated Authentication in IIS.

The disadvantage of the Win32 API LogonUser() approach is:

- ASP.NET applications need to invoke the Windows native code since there is no managed class that provides this functionality.

Finally, the application developer should consider the performance characteristics of the different credential validation models. If you follow the authentication and authorization recommendations in this paper, then the overall performance characteristics of either credential validation method are approximately equal. However, detailed performance analysis will show that the LogonUser() approach introduces performance loading at the front-end of the authentication-authorization cycle for each user. The LDAP bind-Authorization Manager approach will distribute the load across a greater period of time.

After users are authenticated in your environment, they need to be authorized.
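
Credential validation through the native LogonUser() API, as described in the section above, shown here as an added example that is not code from the paper or its sample download. The class and method names are hypothetical; the P/Invoke declarations follow the documented Win32 signatures.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Security.Principal;

// Added example: validates Forms-collected credentials with LogonUser() and
// returns a WindowsPrincipal, the same starting point for authorization that
// IIS-integrated authentication provides.
// WindowsCredentialValidator, Logon and IsAdministrator are hypothetical names.
public static class WindowsCredentialValidator
{
    // Network logon: validates the credentials without caching them.
    // LOGON32_LOGON_NETWORK_CLEARTEXT (8) keeps the credentials in the logon
    // session instead, which is what access to a downstream server needs.
    private const int LOGON32_LOGON_NETWORK = 3;
    private const int LOGON32_PROVIDER_DEFAULT = 0;
    private const int ERROR_LOGON_FAILURE = 1326;

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    private static extern bool LogonUser(
        string lpszUsername,
        string lpszDomain,
        string lpszPassword,
        int dwLogonType,
        int dwLogonProvider,
        out IntPtr phToken);

    [DllImport("kernel32.dll", SetLastError = true)]
    private static extern bool CloseHandle(IntPtr hObject);

    // Returns a principal for the user, or null when the credentials are wrong.
    public static WindowsPrincipal Logon(string domain, string userName, string password)
    {
        if (string.IsNullOrEmpty(userName) || string.IsNullOrEmpty(password))
        {
            return null;
        }

        IntPtr token;
        if (!LogonUser(userName, domain, password,
                       LOGON32_LOGON_NETWORK, LOGON32_PROVIDER_DEFAULT, out token))
        {
            int error = Marshal.GetLastWin32Error();
            if (error == ERROR_LOGON_FAILURE)
            {
                return null; // unknown user name or bad password
            }

            // Locked-out account, expired password, missing logon right and
            // similar conditions: surface them so they can be audited.
            throw new Win32Exception(error);
        }

        try
        {
            // WindowsIdentity duplicates the token handle, so the raw handle
            // returned by LogonUser() can be closed as soon as this returns.
            return new WindowsPrincipal(new WindowsIdentity(token));
        }
        finally
        {
            CloseHandle(token);
        }
    }

    // Same group-based check the page would make for a user authenticated by
    // IIS; the role name is the one used elsewhere in this chapter.
    public static bool IsAdministrator(WindowsPrincipal principal)
    {
        return principal != null && principal.IsInRole("BUILTIN\\Administrators");
    }
}
```

In a Forms login handler the returned principal would typically be assigned to the current request's user, so that later authorization code does not need to know which authentication path was taken.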
The following sections discuss models for authorization, and models for flowing identity between the application tiers to provide authentication and authorization on downstream servers. For more information about using Forms-based authentication with Active Directory, see the MSDN article "How To: Use Forms Authentication with Active Directory in ASP.NET 1.1".

Authorization

There are two fundamental models for authorization that application developers can use separately or combine:

- The access control list (ACL) model.
- The role-based access control (RBAC) model.

The Access Control List Model

Microsoft Windows operating systems have supported the use of ACLs for access control to applications since the introduction of the Private Object Security application programming interface (API) in Microsoft Windows NT Server 4.0. In the ACL model, you can attach discretionary access control lists (DACL) to a securable object and make access decisions by calling the Windows AccessCheck API. This API takes a user's group membership information from an impersonation token and compares it to the contents of the ACL to determine if the user has the requested access rights.

Note: The AccessCheck API mentioned here refers to the Win32 API named AccessCheck, and should not be confused with the AccessCheck method of an object provided by the Authorization Manager API used for role-based authorization.

The ACL model is ideal for many types of applications. Resource managers who have well-defined persistent objects use the ACL model appropriately to provide object-level access control. Examples of well-defined persistent objects include:

- Files
- Printers
- Directory objects
- Registry keys and data

In resource manager applications, access control decisions can always be made in terms of a user requesting access to an existing object. In the future, applications that use the ACL model should use AuthzAPI, which was introduced in Microsoft Windows XP Professional and Windows Server 2003. It provides enhanced performance and flexibility over the Windows NT Private Object Security APIs. For more information about AuthzAPI, download the Windows Server 2003 SP1 Platform SDK Web Install from the Microsoft Download Center.

A distinct authorization problem exists for some line-of-business (LOB) applications, such as Web expense reporting applications or shopping applications. For these applications, the authorization decisions do not determine access to well-defined persistent objects. Instead, they verify a workflow or perform multiple distinct operations, such as querying a database and sending e-mail. In LOB applications, access decisions are often based on complex business logic, such as the amount submitted in an expense application or verification of workflow completion. These decisions are not based only on relatively static information such as token group membership.
Applications that do not have well-defined persistent objects have no place to put an ACL, so the ACL model can be harder to apply in these applications.

The Role-Based Access Control Model

Traditional access control administration models are based on objects. In these models, access control is specified by an ACL attached to the object or object container and the administrator must access the object to query and specify access control rights. These models require administrators to translate the organizational authorization policy into permissions on objects. Each object has a list of access permissions that is granted to various users and groups within an organization. Role-based access control (RBAC) simplifies access control administration so that you can manage enterprise environments more effectively using permissions related to user job roles.

You can also use groups to accomplish some RBAC goals for the organization. A group corresponds to an employee role, and application administrators can specify the permissions that the role needs by granting the group permission in a DACL for the object. As object collections grow, the number of places where administrators need to manage permissions grows. Diligent use of resource groups and user groups can help minimize this effort, but this approach requires consistent practice and coordination among administrators, and precise definitions for resource groups. Because these processes slow down the administrative process, administrators often avoid them.

In addition, querying users granted access to a particular group or role across an application becomes more difficult as the number of objects grows. To determine accurately what permissions are granted to a user or group, administrators must examine the permissions on every object. While inheritance appears to simplify this, the ability of each object to avoid inheriting permissions still makes it necessary to look at each object to fully understand the authorization policy. As the number of objects becomes too many to effectively query, the state of access control with respect to a particular group or user becomes harder to verify.

On the other hand, RBAC enables administrators to specify access control in terms of the organizational structure of a company. RBAC does this by creating a new object called a role. You assign a user to a role to perform a job function. However, unlike groups, a role defines the authorization permissions on a set of resources. In the RBAC model, the administrator uses the role to manage permissions and assignments. For example, a company may create a role called Sales Manager with permissions needed by sales managers to perform their jobs. When sales managers are hired, they are assigned the Sales Manager role and instantly have all of the required permissions that they need. When a sales manager leaves or takes another position, the person is removed from the Sales Manager role and no longer has access to resources available to other managers in this role. Since the role allows access to be granted in terms of a company's organizational model, it is more intuitive and natural for administrators to specify access control.

The following figure identifies the relationship between the role, users, and permissions. In this model, the role is the object to which permissions are granted, and the users are assigned to the role.

Figure 2.2. Relationships in the role-based access control (RBAC) model

RBAC maps user job roles to application permissions so that access control administration can be accomplished in terms of a user's job role. Since the permissions are granted at the role level, they can be queried and changed for the role without examining the specific resources. In most environments, after the role permissions are established there will be little need to change them, especially when compared to changes in assignments to the role. This factor means that administrators will have to set up roles, such as Employee, Manager, and Administrator. However, after the roles are created, administrators will manage membership in the roles, not the permissions on the objects.

The RBAC system allows you to define roles in terms of application permissions, which are then assigned to users to grant them the permissions associated with the role without incurring the management overhead of object-based administration.

There are two main technologies available for implementing RBAC from ASP.NET applications. You can use each of these technologies to implement URL authorization for IIS 6.0, and role-based security for ASP.NET applications as follows:

- Use .NET Framework roles for:
  - URL Authorization
  - Role-based security
- Use Windows Authorization Manager for:
  - URL Authorization
  - Role-based security

You can use both technologies for the same purposes. In general, Windows Authorization Manager is the preferred mechanism for implementing RBAC in ASP.NET applications. The following sections explain the pros and cons of each approach.

.NET Framework Roles

The built-in capabilities of ASP.NET provide two ways of implementing role-based authorization:

- URL authorization
- Role-based security

ASP.NET URL Authorization

ASP.NET provides URL authorization, which applies to file types mapped by IIS to the ASP.NET Internet Server Application Programming Interface (ISAPI) extension. URL authorization determines whether a user or role can issue specific HTTP verbs (for example, GET, HEAD, and POST) to a specific URL.

To configure URL authorization, you add an <authorization> element to your application's Web.config file, and then restrict access to users and roles by using allow and deny attributes. The following example shows how you can allow Bob and Mary access but deny everyone else:

    <authorization>
      <allow users="DomainName\Bob" />
      <allow users="DomainName\Mary" />
      <deny users="*" />
    </authorization>

ASP.NET URL authorization also allows for access based on role, as demonstrated by the following example:

    <authorization>
      <allow roles="BUILTIN\Administrators" />
      <deny users="*" />
    </authorization>

Note: When you use Windows authentication, user names take the form DomainName\UserName, and roles map on a one-to-one basis with Windows security groups.

Although ASP.NET URL authorization provides basic role-based access at the URL level, the manual configuration it requires through the Web.config files makes it somewhat unwieldy for an enterprise environment.

.NET Role-Based Security

ASP.NET applications can use the IsInRole method of the WindowsPrincipal class (System.Security.Principal namespace) to make run-time, role-based authorization decisions. The following code sample shows how easy this mechanism is to use:

    if (User.IsInRole("BUILTIN\\Administrators"))
        ExecutePrivilegedOperation();

In .NET role-based security, roles are derived directly from server local groups or Active Directory groups. The application is coded during development to require certain roles for certain operations. .NET role-based security directly uses the authorization information (in the form of Windows groups) that is included in the Windows impersonation token. This token is created automatically when using Windows or IIS-integrated authentication mechanisms.
When using forms-based authentication against Active Directory, the token can be created by constructing a WindowsIdentity object and passing a User Principal Name (UPN) to the constructor as shown in the following code sample:

    if (HttpContext.Current.User.Identity is FormsIdentity)
    {
        // The forms user name is the UPN; build a Windows identity from it.
        WindowsIdentity formsUser = new WindowsIdentity(HttpContext.Current.User.Identity.Name);
        // IsInRole is a member of WindowsPrincipal, so wrap the identity first.
        WindowsPrincipal formsPrincipal = new WindowsPrincipal(formsUser);
        if (formsPrincipal.IsInRole("BUILTIN\\Administrators"))
            ExecutePrivilegedOperation();
    }

However, when using Forms-based authentication against identity stores other than Active Directory, the developer needs to do much more work.

This includes manually calling the other identity stores and requesting a list of roles associated with the user, manually creating a new GenericPrincipal object based on these roles, and assigning the new GenericPrincipal object to the ASP.NET User object as displayed in the following code sample:

    public void Application_AuthenticateRequest(Object s, EventArgs e)
    {
        if (HttpContext.Current.User != null)
        {
            if (HttpContext.Current.User.Identity is FormsIdentity)
            {
                // Identity is typed as IIdentity, so an explicit cast is required.
                System.Web.Security.FormsIdentity id =
                    (System.Web.Security.FormsIdentity)HttpContext.Current.User.Identity;
                String[] myRoles;
                myRoles = GetArrayOfRolesFromIdentityStore(id.Name); //TODO:Implement this!
                // Replace the request principal with one that carries the looked-up roles.
                HttpContext.Current.User =
                    new System.Security.Principal.GenericPrincipal(id, myRoles);
            }
        }
    }

Because roles are assigned automatically during authentication, it should be obvious that the developer has to do less work for .NET role-based authorization when using Windows-integrated authentication.

Another issue to consider is the definition of the roles needed to access certain application functionality, which will be hard-coded into the application. An example of a potential issue with this approach is that if a new role (group) needs to be added to the list of users who can access a particular function, then the application code will likely need to be updated to reflect this change in authorization policy. Other authorization mechanisms discussed later in this chapter do a better job of abstracting roles from the application and isolating authorization policy changes from the application code.

Windows Authorization Manager

Windows Server 2003 introduced Windows Authorization Manager. You also can download Windows Authorization Manager for the Windows 2000 platform on microsoft.com.
This role-based authorization mechanism is an attractive alternative to the basic authorization functionality of .NET for the enterprise developer because it offers the following:

- Centralized authorization policy for multiple applications.
- Security groups that you can create outside of Active Directory that an application administrator can manage.
- Groups that you can create based on the result of an LDAP query.

Windows Authorization Manager relies on a policy store that holds authorization policy for one or more applications. The policy store is a somewhat hierarchical supporting policy that contains application group definitions. Management of application policy can be

multiple placeholders bound to one definition, 158 page approval not match author/editor rights, 157 problems with, 156 troubleshooting, 156 158

multiple placeholders bound to one definition, 158 page approval not match author/editor rights, 157 problems with, 156 troubleshooting, 156 158 Index A Active Directory Active Directory nested groups, 96 creating user accounts, 67 custom authentication, 66 group members cannot log on, 153 mapping certificates, 65 mapping user to Active Directory

More information

Windows 2000 Security Architecture. Peter Brundrett Program Manager Windows 2000 Security Microsoft Corporation

Windows 2000 Security Architecture. Peter Brundrett Program Manager Windows 2000 Security Microsoft Corporation Windows 2000 Security Architecture Peter Brundrett Program Manager Windows 2000 Security Microsoft Corporation Topics Single Sign-on Kerberos v5 integration Active Directory security Delegation of authentication

More information

SharePoint 2013 Logical Architecture

SharePoint 2013 Logical Architecture SharePoint 2013 Logical Architecture This document is provided "as-is". Information and views expressed in this document, including URL and other Internet Web site references, may change without notice.

More information

Hardening Security in ASP.NET Applications & Services. Rick G. Garibay

Hardening Security in ASP.NET Applications & Services. Rick G. Garibay Hardening Security in ASP.NET Applications & Services Rick G. Garibay Agenda Identities & Resources Security Design & Deployment Models Gatekeepers & Gates Resource Access Models Authentication Authorization.NET

More information

Security IIS Service Lesson 6

Security IIS Service Lesson 6 Security IIS Service Lesson 6 Skills Matrix Technology Skill Objective Domain Objective # Configuring Certificates Configure SSL security 3.6 Assigning Standard and Special NTFS Permissions Enabling and

More information

BMC Performance Manager Windows Security White Paper DCOM / WMI

BMC Performance Manager Windows Security White Paper DCOM / WMI BMC Performance Manager Windows Security White Paper DCOM / WMI Problem The IT department delivers user IT services to their internal and external customers. The IT department wants to maintain control

More information

TIBCO Spotfire Platform IT Brief

TIBCO Spotfire Platform IT Brief Platform IT Brief This IT brief outlines features of the system: Communication security, load balancing and failover, authentication options, and recommended practices for licenses and access. It primarily

More information

Tenrox. Single Sign-On (SSO) Setup Guide. January, 2012. 2012 Tenrox. All rights reserved.

Tenrox. Single Sign-On (SSO) Setup Guide. January, 2012. 2012 Tenrox. All rights reserved. Tenrox Single Sign-On (SSO) Setup Guide January, 2012 2012 Tenrox. All rights reserved. About this Guide This guide provides a high-level technical overview of the Tenrox Single Sign-On (SSO) architecture,

More information

TIBCO Spotfire Web Player 6.0. Installation and Configuration Manual

TIBCO Spotfire Web Player 6.0. Installation and Configuration Manual TIBCO Spotfire Web Player 6.0 Installation and Configuration Manual Revision date: 12 November 2013 Important Information SOME TIBCO SOFTWARE EMBEDS OR BUNDLES OTHER TIBCO SOFTWARE. USE OF SUCH EMBEDDED

More information

Enabling single sign-on for Cognos 8/10 with Active Directory

Enabling single sign-on for Cognos 8/10 with Active Directory Enabling single sign-on for Cognos 8/10 with Active Directory Overview QueryVision Note: Overview This document pulls together information from a number of QueryVision and IBM/Cognos material that are

More information

v.2.5 2015 Devolutions inc.

v.2.5 2015 Devolutions inc. v.2.5 Contents 3 Table of Contents Part I Getting Started 6... 6 1 What is Devolutions Server?... 7 2 Features... 7 3 System Requirements Part II Management 10... 10 1 Devolutions Server Console... 11

More information

Xerox DocuShare Security Features. Security White Paper

Xerox DocuShare Security Features. Security White Paper Xerox DocuShare Security Features Security White Paper Xerox DocuShare Security Features Businesses are increasingly concerned with protecting the security of their networks. Any application added to a

More information

Introduction to Directory Services

Introduction to Directory Services Introduction to Directory Services Overview This document explains how AirWatch integrates with your organization's existing directory service such as Active Directory, Lotus Domino and Novell e-directory

More information

Deploying the BIG-IP LTM and APM with Citrix XenApp or XenDesktop

Deploying the BIG-IP LTM and APM with Citrix XenApp or XenDesktop Deployment Guide Deploying the BIG-IP LTM and APM with Citrix XenApp or XenDesktop Welcome to the F5 deployment guide for Citrix VDI applications, including XenApp and XenDesktop with the BIG-IP v11.2

More information

Using SAP Logon Tickets for Single Sign on to Microsoft based web applications

Using SAP Logon Tickets for Single Sign on to Microsoft based web applications Collaboration Technology Support Center - Microsoft - Collaboration Brief March 2005 Using SAP Logon Tickets for Single Sign on to Microsoft based web applications André Fischer, Project Manager CTSC,

More information

CA Single Sign-On r12.x (CA SiteMinder) Implementation Proven Professional Exam

CA Single Sign-On r12.x (CA SiteMinder) Implementation Proven Professional Exam CA Single Sign-On r12.x (CA SiteMinder) Implementation Proven Professional Exam (CAT-140) Version 1.4 - PROPRIETARY AND CONFIDENTIAL INFORMATION - These educational materials (hereinafter referred to as

More information

Session Code*: 0310 Demystifying Authentication and SSO Options in Business Intelligence. Greg Wcislo

Session Code*: 0310 Demystifying Authentication and SSO Options in Business Intelligence. Greg Wcislo Session Code*: 0310 Demystifying Authentication and SSO Options in Business Intelligence Greg Wcislo Introduction We will not go into detailed how-to, however links to multiple how-to whitepapers will

More information

SharePoint User Management

SharePoint User Management SharePoint User Management A Bamboo Solutions Whitepaper Contents Introduction... 1 SharePoint Architecture... 2 SharePoint User Authentication... 5 SharePoint User Management... 6 User Profile Management...

More information

Administering the Web Server (IIS) Role of Windows Server

Administering the Web Server (IIS) Role of Windows Server Course 10972B: Administering the Web Server (IIS) Role of Windows Server Page 1 of 7 Administering the Web Server (IIS) Role of Windows Server Course 10972B: 4 days; Instructor-Led Introduction This course

More information

Xerox DocuShare Private Cloud Service. Security White Paper

Xerox DocuShare Private Cloud Service. Security White Paper Xerox DocuShare Private Cloud Service Security White Paper Table of Contents Overview 3 Adherence to Proven Security Practices 3 Highly Secure Data Centers 4 Three-Tier Architecture 4 Security Layers Safeguard

More information

Administering the Web Server (IIS) Role of Windows Server 10972B; 5 Days

Administering the Web Server (IIS) Role of Windows Server 10972B; 5 Days Lincoln Land Community College Capital City Training Center 130 West Mason Springfield, IL 62702 217-782-7436 www.llcc.edu/cctc Administering the Web Server (IIS) Role of Windows Server 10972B; 5 Days

More information

SAML-Based SSO Solution

SAML-Based SSO Solution About SAML SSO Solution, page 1 SAML-Based SSO Features, page 2 Basic Elements of a SAML SSO Solution, page 2 SAML SSO Web Browsers, page 3 Cisco Unified Communications Applications that Support SAML SSO,

More information

XIA Configuration Server

XIA Configuration Server XIA Configuration Server XIA Configuration Server v7 Installation Quick Start Guide Monday, 05 January 2015 1 P a g e X I A C o n f i g u r a t i o n S e r v e r Contents Requirements... 3 XIA Configuration

More information

September 9 11, 2013 Anaheim, California 507 Demystifying Authentication and SSO Options in Business Intelligence

September 9 11, 2013 Anaheim, California 507 Demystifying Authentication and SSO Options in Business Intelligence September 9 11, 2013 Anaheim, California 507 Demystifying Authentication and SSO Options in Business Intelligence Greg Wcislo Introduction We will not go into detailed how-to, however links to multiple

More information

Microsoft Dynamics CRM Server 2011 software requirements

Microsoft Dynamics CRM Server 2011 software requirements Microsoft Dynamics CRM Server 2011 software requirements This section lists the software and application requirements for Microsoft Dynamics CRM Server 2011. Windows Server operating system: Microsoft

More information

Securing access to Citrix applications using Citrix Secure Gateway and SafeWord. PremierAccess. App Note. December 2001

Securing access to Citrix applications using Citrix Secure Gateway and SafeWord. PremierAccess. App Note. December 2001 Securing access to Citrix applications using Citrix Secure Gateway and SafeWord PremierAccess App Note December 2001 DISCLAIMER: This White Paper contains Secure Computing Corporation product performance

More information

NetIQ Directory and Resource Administrator NetIQ Exchange Administrator. Installation Guide

NetIQ Directory and Resource Administrator NetIQ Exchange Administrator. Installation Guide NetIQ Directory and Resource Administrator NetIQ Exchange Administrator Installation Guide August 2013 Legal Notice NetIQ Directory and Resource Administrator is protected by United States Patent No(s):

More information

Introduction to SAML

Introduction to SAML Introduction to THE LEADER IN API AND CLOUD GATEWAY TECHNOLOGY Introduction to Introduction In today s world of rapidly expanding and growing software development; organizations, enterprises and governments

More information

Single Sign On In A CORBA-Based

Single Sign On In A CORBA-Based Single Sign On In A CORBA-Based Based Distributed System Igor Balabine IONA Security Architect Outline A standards-based framework approach to the Enterprise application security Security framework example:

More information

Microsoft Dynamics AX 2009 Installation Guide. Microsoft Corporation Published: November 2009

Microsoft Dynamics AX 2009 Installation Guide. Microsoft Corporation Published: November 2009 Microsoft Dynamics AX 2009 Installation Guide Microsoft Corporation Published: November 2009 Microsoft Dynamics is a line of integrated, adaptable business management solutions that enables you and your

More information

Password Reset Server Installation Guide Windows 8 / 8.1 Windows Server 2012 / R2

Password Reset Server Installation Guide Windows 8 / 8.1 Windows Server 2012 / R2 Password Reset Server Installation Guide Windows 8 / 8.1 Windows Server 2012 / R2 Last revised: November 12, 2014 Table of Contents Table of Contents... 2 I. Introduction... 4 A. ASP.NET Website... 4 B.

More information

Active Directory and DirectControl

Active Directory and DirectControl WHITE PAPER CENTRIFY CORP. Active Directory and DirectControl APRIL 2005 The Right Choice for Enterprise Identity Management and Infrastructure Consolidation ABSTRACT Microsoft s Active Directory is now

More information

Entrust Managed Services PKI

Entrust Managed Services PKI Entrust Managed Services PKI Entrust Managed Services PKI Windows Smart Card Logon Configuration Guide Using Web-based applications Document issue: 1.0 Date of Issue: June 2009 Copyright 2009 Entrust.

More information

Lesson Plans Microsoft s Managing and Maintaining a Microsoft Windows Server 2003 Environment

Lesson Plans Microsoft s Managing and Maintaining a Microsoft Windows Server 2003 Environment Lesson Plans Microsoft s Managing and Maintaining a Microsoft Windows Server 2003 Environment (Exam 70-290) Table of Contents Table of Contents... 1 Course Overview... 2 Section 0-1: Introduction... 4

More information

http://msdn.microsoft.com/en-us/library/4w3ex9c2.aspx

http://msdn.microsoft.com/en-us/library/4w3ex9c2.aspx ASP.NET Overview.NET Framework 4 ASP.NET is a unified Web development model that includes the services necessary for you to build enterprise-class Web applications with a minimum of coding. ASP.NET is

More information

CA Performance Center

CA Performance Center CA Performance Center Single Sign-On User Guide 2.4 This Documentation, which includes embedded help systems and electronically distributed materials, (hereinafter referred to as the Documentation ) is

More information

R i o L i n x s u p p o r t @ r i o l i n x. c o m 3 / 5 / 2 0 1 3

R i o L i n x s u p p o r t @ r i o l i n x. c o m 3 / 5 / 2 0 1 3 EXTRADIUM INSTALLATION GUIDE This is the Extradium installation guide Quick Start Guide Get started with Extradium for SharePoint 2010 R i o L i n x s u p p o r t @ r i o l i n x. c o m 3 / 5 / 2 0 1 3

More information

10972B: Administering the Web Server (IIS) Role of Windows Server

10972B: Administering the Web Server (IIS) Role of Windows Server 10972B: Administering the Web Server (IIS) Role of Windows Server Course Details Course Code: Duration: Notes: 10972B 5 days This course syllabus should be used to determine whether the course is appropriate

More information

Web Plus Security Features and Recommendations

Web Plus Security Features and Recommendations Web Plus Security Features and Recommendations (Based on Web Plus Version 3.x) Centers for Disease Control and Prevention National Center for Chronic Disease Prevention and Health Promotion Division of

More information

Integrating VMware Horizon Workspace and VMware Horizon View TECHNICAL WHITE PAPER

Integrating VMware Horizon Workspace and VMware Horizon View TECHNICAL WHITE PAPER Integrating VMware Horizon Workspace and VMware Horizon View TECHNICAL WHITE PAPER Table of Contents Introduction.... 3 Requirements.... 3 Horizon Workspace Components.... 3 SAML 2.0 Standard.... 3 Authentication

More information

SumITUp. A Complete Summary for Our 70-631 Practice Test. TS: Microsoft Windows SharePoint Services 3.0, Configuring

SumITUp. A Complete Summary for Our 70-631 Practice Test. TS: Microsoft Windows SharePoint Services 3.0, Configuring SumITUp A Complete Summary for Our 70-631 Practice Test TS: Microsoft Windows SharePoint Services 3.0, Configuring SumITUp is a great summary recap of the objectives & material covered on the exam. Use

More information

Working with Structured Data in Microsoft Office SharePoint Server 2007 (Part1): Configuring Single Sign On Service and Database

Working with Structured Data in Microsoft Office SharePoint Server 2007 (Part1): Configuring Single Sign On Service and Database Working with Structured Data in Microsoft Office SharePoint Server 2007 (Part1): Configuring Single Sign On Service and Database Applies to: Microsoft Office SharePoint Server 2007 Explore different options

More information

Configuring and Troubleshooting Internet Information Services in Windows Server 2008

Configuring and Troubleshooting Internet Information Services in Windows Server 2008 Course 6427A: Configuring and Troubleshooting Internet Information Services in Windows Server 2008 OVERVIEW About this Course In this 3-day instructor-led course, the students will learn to install, configure,

More information

Tableau Server Security. Version 8.0

Tableau Server Security. Version 8.0 Version 8.0 Author: Marc Rueter Senior Director, Strategic Solutions, Tableau Software June 2013 p2 Today s enterprise class systems need to provide robust security in order to meet the varied and dynamic

More information

Windows Server 2008/2012 Server Hardening

Windows Server 2008/2012 Server Hardening Account Policies Enforce password history 24 Maximum Password Age - 42 days Minimum Password Age 2 days Minimum password length - 8 characters Password Complexity - Enable Store Password using Reversible

More information

Microsoft 10972 - Administering the Web Server (IIS) Role of Windows Server

Microsoft 10972 - Administering the Web Server (IIS) Role of Windows Server 1800 ULEARN (853 276) www.ddls.com.au Microsoft 10972 - Administering the Web Server (IIS) Role of Windows Server Length 5 days Price $4169.00 (inc GST) Version B Overview This course provides students

More information

The Encryption Anywhere Data Protection Platform

The Encryption Anywhere Data Protection Platform The Encryption Anywhere Data Protection Platform A Technical White Paper 5 December 2005 475 Brannan Street, Suite 400, San Francisco CA 94107-5421 800-440-0419 415-683-2200 Fax 415-683-2349 For more information,

More information

Multiple Formatter Support for the Logging Application Block

Multiple Formatter Support for the Logging Application Block Multiple Formatter Support for the Logging Application Block Scott Densmore, Naveen Yajaman, Paul Slater, and Andrew Mason Information in this document, including URL and other Internet Web site references,

More information

Colligo Engage Windows App 7.0. Administrator s Guide

Colligo Engage Windows App 7.0. Administrator s Guide Colligo Engage Windows App 7.0 Administrator s Guide Contents Introduction... 3 Target Audience... 3 Overview... 3 Localization... 3 SharePoint Security & Privileges... 3 System Requirements... 4 Software

More information

Click Studios. Passwordstate. Installation Instructions

Click Studios. Passwordstate. Installation Instructions Passwordstate Installation Instructions This document and the information controlled therein is the property of Click Studios. It must not be reproduced in whole/part, or otherwise disclosed, without prior

More information

Leverage Active Directory with Kerberos to Eliminate HTTP Password

Leverage Active Directory with Kerberos to Eliminate HTTP Password Leverage Active Directory with Kerberos to Eliminate HTTP Password PistolStar, Inc. PO Box 1226 Amherst, NH 03031 USA Phone: 603.547.1200 Fax: 603.546.2309 E-mail: salesteam@pistolstar.com Website: www.pistolstar.com

More information

Architecture Guidelines Application Security

Architecture Guidelines Application Security Executive Summary These guidelines describe best practice for application security for 2 or 3 tier web-based applications. It covers the use of common security mechanisms including Authentication, Authorisation

More information

Single Sign-On for SAP R/3 on UNIX with Centrify DirectControl and Microsoft Active Directory

Single Sign-On for SAP R/3 on UNIX with Centrify DirectControl and Microsoft Active Directory W H I T E P A P E R C E N T R I F Y C O R P. M A Y 2008 Single Sign-On for SAP R/3 on UNIX with Centrify DirectControl and Microsoft Active Directory The Active Directory-Based Single Sign-On Solution

More information

DIGIPASS Authentication for GajShield GS Series

DIGIPASS Authentication for GajShield GS Series DIGIPASS Authentication for GajShield GS Series With Vasco VACMAN Middleware 3.0 2008 VASCO Data Security. All rights reserved. Page 1 of 1 Integration Guideline Disclaimer Disclaimer of Warranties and

More information

WebLogic Server 7.0 Single Sign-On: An Overview

WebLogic Server 7.0 Single Sign-On: An Overview WebLogic Server 7.0 Single Sign-On: An Overview Today, a growing number of applications are being made available over the Web. These applications are typically comprised of different components, each of

More information

www.novell.com/documentation Policy Guide Access Manager 3.1 SP5 January 2013

www.novell.com/documentation Policy Guide Access Manager 3.1 SP5 January 2013 www.novell.com/documentation Policy Guide Access Manager 3.1 SP5 January 2013 Legal Notices Novell, Inc., makes no representations or warranties with respect to the contents or use of this documentation,

More information

Web Applications Access Control Single Sign On

Web Applications Access Control Single Sign On Web Applications Access Control Single Sign On Anitha Chepuru, Assocaite Professor IT Dept, G.Narayanamma Institute of Technology and Science (for women), Shaikpet, Hyderabad - 500008, Andhra Pradesh,

More information

BlackBerry Enterprise Service 10. Secure Work Space for ios and Android Version: 10.1.1. Security Note

BlackBerry Enterprise Service 10. Secure Work Space for ios and Android Version: 10.1.1. Security Note BlackBerry Enterprise Service 10 Secure Work Space for ios and Android Version: 10.1.1 Security Note Published: 2013-06-21 SWD-20130621110651069 Contents 1 About this guide...4 2 What is BlackBerry Enterprise

More information

DIGIPASS Authentication for Citrix Access Gateway VPN Connections

DIGIPASS Authentication for Citrix Access Gateway VPN Connections DIGIPASS Authentication for Citrix Access Gateway VPN Connections With VASCO Digipass Pack for Citrix 2006 VASCO Data Security. All rights reserved. Page 1 of 31 Integration Guideline Disclaimer Disclaimer

More information

managing SSO with shared credentials

managing SSO with shared credentials managing SSO with shared credentials Introduction to Single Sign On (SSO) All organizations, small and big alike, today have a bunch of applications that must be accessed by different employees throughout

More information

Module 1: Introduction to Designing Security

Module 1: Introduction to Designing Security Module 1: Introduction to Designing Security Table of Contents Module Overview 1-1 Lesson 1: Overview of Designing Security for Microsoft Networks 1-2 Lesson 2: Introducing Contoso Pharmaceuticals: A Case

More information

Cisco ASA Adaptive Security Appliance Single Sign-On: Solution Brief

Cisco ASA Adaptive Security Appliance Single Sign-On: Solution Brief Guide Cisco ASA Adaptive Security Appliance Single Sign-On: Solution Brief October 2012 2012 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 1 of 21 Contents

More information

NETWRIX PASSWORD MANAGER

NETWRIX PASSWORD MANAGER NETWRIX PASSWORD MANAGER ADMINISTRATOR S GUIDE Product Version: 6.1 February/2012 Legal Notice The information in this publication is furnished for information use only, and does not constitute a commitment

More information

Agenda. How to configure

Agenda. How to configure dlaw@esri.com Agenda Strongly Recommend: Knowledge of ArcGIS Server and Portal for ArcGIS Security in the context of ArcGIS Server/Portal for ArcGIS Access Authentication Authorization: securing web services

More information

Click Studios. Passwordstate. Installation Instructions

Click Studios. Passwordstate. Installation Instructions Passwordstate Installation Instructions This document and the information controlled therein is the property of Click Studios. It must not be reproduced in whole/part, or otherwise disclosed, without prior

More information

Symplified I: Windows User Identity. Matthew McNew and Lex Hubbard

Symplified I: Windows User Identity. Matthew McNew and Lex Hubbard Symplified I: Windows User Identity Matthew McNew and Lex Hubbard Table of Contents Abstract 1 Introduction to the Project 2 Project Description 2 Requirements Specification 2 Functional Requirements 2

More information

AGILEXRM REFERENCE ARCHITECTURE

AGILEXRM REFERENCE ARCHITECTURE AGILEXRM REFERENCE ARCHITECTURE 2012 AgilePoint, Inc. Table of Contents 1. Introduction 4 1.1 Disclaimer of warranty 4 1.2 AgileXRM components 5 1.3 Access from PES to AgileXRM Process Engine Database

More information

Security and Kerberos Authentication with K2 Servers

Security and Kerberos Authentication with K2 Servers Security and Kerberos Authentication with K2 Servers SECURITY RIGHTS AND STEP-BY-STEP INSTRUCTIONS FOR CONFIGURING KERBEROS FOR K2 [BLACKPEARL] January 10 Learn about the security rights required by K2

More information
