Windows Server 2003 Security Infrastructures: Core Security Features (HP Technologies)

In Windows Server 2003, Microsoft included the following Passport integration features:

• The ability to authenticate to a Windows Server 2003 IIS Web server using a set of Passport credentials. “Passport Authentication” is now listed as one of the authentication method options in the properties of an IIS Web site. To use this feature, your IIS Web site must be joined to the Passport infrastructure as a participating Web site. Windows Server 2003 does not support the creation of enterprise Passport infrastructures, where an organization would be its own domain authority and not linked in any way to the Microsoft Web Passport infrastructure. If you want to use Passport to authenticate users of your Web site, you must join the MS Web-based Passport infrastructure.

• The ability to define a mapping between a Passport PUID and a Windows Security Identifier (SID). Thanks to this, an administrator can apply Windows SID-based access control settings to users who have authenticated using Passport credentials. The PUID-SID mapping is defined in the altSecurityIdentities property of an Active Directory account object. Unlike alternate Kerberos identities and certificate mappings, PUID-SID mappings can currently not be added using the “Name Mappings…” option in the advanced view of the Users and Computers MMC snap-in. To set them up, you can use an LDAP-based editing tool (like LDIFDE or AdsiEdit) or you could also script the creation of the mappings using ADSI.

• The ability to let IIS construct an SID for a Passport PUID on the fly. This feature allows for Windows SID-based access control enforcement for users who have authenticated to IIS-using Passport credentials but who do not have an AD PUID-SID mapping defined. In this case the Passport Manager object will derive the newly generated SID from the Passport PUID. The problem with this feature is that the newly generated SID will not pop up in the resources’ access control editors. In other words,access control enforcement using this SID requires some custom access control logic coding.

Even though Windows Server 2003 includes advanced Passport support, it does not include a Passport-specific Security Support Provider (SSP). The Passport support in IIS is enabled using a dynamic link library (DLL) called “passport.dll.” As a consequence, Passport authentication cannot be negotiated between a Passport user and a Passport-enabled Windows Server 2003 server; it must be explicitly set in a Web site’s authentication methods property.

Recognizing IIS Passport Authentication Messages To recognize and trouble- shoot IIS Passport authentication exchanges, you can use the WebFetch (WFetch) tool coming with the IIS 6.0 Resource Kit. An IIS 6.0 Web site that has Passport authentication enabled will send out a WWW-authenticate message containing the Passport verb (see example in Figure 7.11).

Figure 7.11: WFetch HTTP Passport authentication trace.