Wednesday, May 12, 2004

ShowContextService

a posting on the developmentor list about troubleshooting web service to web service authentication problems made me release this code i wrote a while ago.
this is basically a port of keith brown's showcontexts.aspx to a web service.

build the service and disable anonymous authentication on the virtual directory. the client shows several authentication variations including impersonation - you can also play around with web.config settings.

the service returns the three identities we have to cope with in asp.net.

  • the managed identity (user.identity)
  • the process identity
  • the thread identity

ShowContextService.zip (58,66 KB)
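As an added illustration, not the ShowContextService download itself, here is a web method that collects those three identities. The class and method names are assumed; reverting the impersonation token with Impersonate(IntPtr.Zero) needs SecurityPermission with ControlPrincipal, which full-trust ASP.NET code has.

```csharp
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Services;

// Added example (not the ShowContextService download): a web method that reports
// the three identities an ASP.NET web service has to cope with.
public class ContextService : WebService
{
    [WebMethod]
    public string[] ShowContexts()
    {
        // 1. managed identity: the principal ASP.NET authenticated (User.Identity).
        IIdentity managed = HttpContext.Current.User.Identity;
        string managedName = managed.IsAuthenticated
            ? managed.Name + " (" + managed.AuthenticationType + ")"
            : "<anonymous>";

        // 2. thread identity: the Windows token the worker thread currently runs
        //    with. With <identity impersonate="true"/> this is the caller's token;
        //    without impersonation it equals the process token.
        string threadName = WindowsIdentity.GetCurrent().Name;

        // 3. process identity: temporarily revert any impersonation
        //    (Impersonate(IntPtr.Zero) reverts to the process token), read the
        //    identity, then restore the previous token in a finally block.
        string processName;
        WindowsImpersonationContext reverted = WindowsIdentity.Impersonate(IntPtr.Zero);
        try
        {
            processName = WindowsIdentity.GetCurrent().Name;
        }
        finally
        {
            reverted.Undo();
        }

        return new string[] {
            "managed identity: " + managedName,
            "thread identity:  " + threadName,
            "process identity: " + processName };
    }
}
```

Calling the method once with anonymous access enabled and once with it disabled (and with and without impersonation in web.config) shows how the three names diverge.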


Tools
Wednesday, May 12, 2004 3:54:02 PM UTC

Tuesday, May 11, 2004

AzMan and Custom SIDs - Part 3

in this last part i'll show you the code to do access checks against an AzMan store with custom SIDs.

first, you authenticate the username/password against the database and get the SID in return.

public string Authenticate(string Username, string Password)
{
  // look up the user's salt, recompute the salted hash and compare it
  // with the stored one; the user's custom SID is returned on success
  string salt = getSalt(Username);
  byte[] saltBytes = Convert.FromBase64String(salt);

  string passwordHash = generateHash(Password, saltBytes, 64);
  string sid = "";

  if (checkPassword(Username, passwordHash, ref sid))
    return sid;

  return null;
}

after that you can open the AzMan store and create a client context with the returned SID.

IAzClientContext context = app.InitializeClientContextFromStringSid(sid, 1, null);

Note the second parameter. the 1 turns off checking of the SIDs against the Windows user store. The constant is called AZ_CLIENT_CONTEXT_SKIP_GROUP and its value is set to 1 in azroles.h.

you can then pass this client context to the access check functions of AzMan. the AccessCheck API is quite ugly to use. the AzMan COM component is made to be used from all COM enabled languages including scripting, so you often have to deal with VARIANTs and that kind of stuff...

public bool accessCheck(IAzClientContext ctx, int operationID)
{
  const int NO_ERROR = 0;
  // AccessCheck takes VARIANT arrays: one scope ("" = application scope)
  // and one or more operation IDs; it returns one result per operation
  object[] operations = { operationID };
  object[] scopes = { "" };
  object[] results = (object[])
    ctx.AccessCheck("Audit Text", scopes, operations, null, null, null, null, null);

  // NO_ERROR means access granted, anything else means denied
  int result = (int)results[0];
  return (NO_ERROR == result);
}

so, this is a very basic example. the AzMan API has a lot more possibilities. check the documentation and the links i posted before.
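As an added example that goes beyond the single-operation check above (not the author's code), the following checks several operations with one AccessCheck call and distinguishes "denied" from other error codes. It assumes the interop namespace is AZROLESLib and an already opened IAzApplication as in part 2; the class and method names are mine.

```csharp
using System;
using System.Collections;
using System.Runtime.InteropServices;
using AZROLESLib;   // COM interop assembly generated from azroles.dll (assumed name)
// Added example, not the author's code: one AccessCheck call for several
// operations. AzMan returns one result per operation, so a set of operations
// costs a single COM round trip instead of one call per operation.
public class AzManChecker
{
    const int AZ_CLIENT_CONTEXT_SKIP_GROUP = 1; // do not verify the SID against SAM/AD
    const int NO_ERROR = 0;                      // access granted
    const int ERROR_ACCESS_DENIED = 5;           // access denied
    readonly IAzApplication app;
    public AzManChecker(IAzApplication app) { this.app = app; }

    // Maps operation ID -> granted (bool). Any result code other than granted or
    // denied is raised instead of being silently treated as "denied".
    public Hashtable CheckOperations(string sid, string scope, int[] operationIds, string auditText)
    {
        IAzClientContext ctx =
            app.InitializeClientContextFromStringSid(sid, AZ_CLIENT_CONTEXT_SKIP_GROUP, null);
        try
        {
            // AccessCheck wants VARIANT arrays: scope names and operation IDs
            object[] operations = new object[operationIds.Length];
            for (int i = 0; i < operationIds.Length; i++)
                operations[i] = operationIds[i];
            object[] scopes = { scope == null ? "" : scope };   // "" = application scope
            object[] results = (object[])ctx.AccessCheck(
                auditText, scopes, operations, null, null, null, null, null);

            Hashtable granted = new Hashtable();
            for (int i = 0; i < operationIds.Length; i++)
            {
                int rc = (int)results[i];
                if (rc == NO_ERROR) granted[operationIds[i]] = true;
                else if (rc == ERROR_ACCESS_DENIED) granted[operationIds[i]] = false;
                else throw new ApplicationException(
                    "AccessCheck failed for operation " + operationIds[i] + ", error " + rc);
            }
            return granted;
        }
        finally
        {
            while (Marshal.ReleaseComObject(ctx) != 0) { }   // release the COM context
        }
    }
}
```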


Work in Progress
Tuesday, May 11, 2004 2:06:17 PM UTC

Friday, May 07, 2004

IEProxy

small tool to change the ie proxy from the command line.

ieproxy.zip (3,04 KB)


Tools
Friday, May 07, 2004 5:52:06 AM UTC

Thursday, May 06, 2004

Speaking at WinDev!

i am speaking at this year's WinDev in boston. both talks are in keith brown's security track. cool!

 

Designing Application Managed Authorization

Authorization is a task which every programmer has to face sooner or later. While authentication is handled in most situations by the operating system, authorization concepts have to be designed on a per application basis. The .NET Framework provides various authorization mechanisms to control the functionality of applications so that they behave as intended and cannot be misused either accidentally or deliberately. These include role based access checks using windows or non windows accounts, Microsoft Authorization Manager, COM+ role based security and code access security authorization.

This talk provides guidelines for designing and coding application-managed authorization for single or multi-tier applications that are based on .NET. It focuses on common authorization tasks and scenarios, and it provides information that helps you choose the best approaches and techniques.

 

Improving Application Security through Pen-Testing

Application programmers usually focus on normal execution paths, attackers on error conditions.

Penetration Testing is the process of analyzing applications and infrastructures through the eyes of an attacker, using exactly the same techniques and tools these people would use. This talk gives the theory behind auditing and penetration/security testing and introduces proven methodologies.
Common programming pitfalls like input validation flaws including sql injection, cross site scripting and directory traversal, asp.net misconfigurations and overall "hackable" application designs are shown with a detailed explanation of how to exploit these security holes.

After this session you will have the knowledge to start testing your own applications for security problems and using tools to automate these tests.


Work in Progress | Conferences
Thursday, May 06, 2004 6:20:57 AM UTC

Tuesday, May 04, 2004

Happy 1st Birthday OS/2 2.0

just found this shirt in a drawer

(front - with the wonderful os/2 logo)
Happy 1st Birthday OS/2 2.0
March 31, 1993

(back)
OS/2 2.0 First Year Milestone
2,000,000+ Copies Sold
10 International Awards
1,200+ OS/2 Applications
80+ OEM Hardware Vendors
100+ User Groups
250+ Bulletin Boards

reminds me of the days when i was the youngest kid at the table....


Misc
Tuesday, May 04, 2004 6:04:42 PM UTC

AzMan and Custom SIDs - Part 2

Custom SIDs can be added to roles or to application groups.

You will have to do that programmatically because the MMC snapin only gives you the usual User/Group picker for local/domain accounts.

My approach is to completely configure the AzMan store (Operations/Tasks/Roles and Application Groups) with the snapin and then add the SIDs to Application Groups through code.

How to open and close AzMan stores and applications (all error checking omitted for brevity :)

public void OpenApplication(string StorePath, string ApplicationName)
{
  if (storeOpen == true)
    CloseApplication();

  // open the store (flag value as used here, see azroles.h) and the application
  store = new AzAuthorizationStoreClass();
  store.Initialize(2, StorePath, null);
  app = store.OpenApplication(ApplicationName, null);
}

public void CloseApplication()
{
  release(app);
  release(store);
}

void release(object o)
{
  // decrement the RCW reference count until the COM object is released
  if (null != o)
  {
    while (0 != System.Runtime.InteropServices.Marshal.ReleaseComObject(o))
      continue;
  }
}


How to add and remove the SIDs to/from application groups:

public void AddSidToGroup(string Sid, string ApplicationGroup)
{
  IAzApplicationGroup appGroup = getApplicationGroup(ApplicationGroup);
  if (appGroup == null)
    throw new Exception("Application Group not found");

  // the SID is stored as given; AzMan does not check it against SAM/AD
  appGroup.AddMember(Sid, null);
  appGroup.Submit(0, null);   // persist the change to the store
}

public void RemoveSidFromGroup(string Sid, string ApplicationGroup)
{
  IAzApplicationGroup appGroup = getApplicationGroup(ApplicationGroup);
  if (appGroup == null)
    throw new Exception("Application Group not found");

  appGroup.DeleteMember(Sid, null);
  appGroup.Submit(0, null);
}

private IAzApplicationGroup getApplicationGroup(string ApplicationGroup)
{
  // look the group up by name in the open application
  foreach (IAzApplicationGroup appGroup in app.ApplicationGroups)
    if (appGroup.Name == ApplicationGroup)
      return appGroup;

  return null;
}

Part 3 will show how to use that store from the application to do access checks and some management.


Work in Progress
Tuesday, May 04, 2004 5:39:21 AM UTC

Monday, May 03, 2004

AzMan and Custom SIDs - Part 1

Ok – here’s the scenario:

You have an application which stores its principals in a sql database, and an AzMan store against which you want to run access checks. How can you combine these?

First of all you have to map your principals to Custom SIDs.

When creating custom SIDs you must establish a SID design for your application. For example, you might have S-1-9-AppInstanceGUID-UserRID, where 9 is the resource manager subauthority, AppInstanceGUID is your Application ID and UserRID is a unique number for the user in the scope of the application instance.

e.g. S-1-9-1-1 for the first app and the first user.
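As an added example, not code from the post, the helper below builds SIDs in that S-1-9-AppInstanceGUID-UserRID layout and validates a SID read back from the user table before it is handed to AzMan; the class and method names are mine. It assumes the AppInstanceGUID part is a plain number, as in S-1-9-1-1 above, because each SID subauthority is a 32-bit unsigned value.

```csharp
using System;
using System.Text.RegularExpressions;

// Added example, not the author's code: build and validate SIDs that follow the
// S-1-9-<app>-<rid> design. Every SID subauthority is an unsigned 32-bit number,
// so both the application ID and the user RID must fit in a DWORD.
public class CustomSid
{
    // Identifier authority 9 = SECURITY_RESOURCE_MANAGER_AUTHORITY, reserved for
    // application-defined SIDs. Windows accounts and groups live under S-1-5.
    const string Prefix = "S-1-9-";
    static readonly Regex Pattern =
        new Regex(@"^S-1-9-(?<app>\d{1,10})-(?<rid>\d{1,10})$", RegexOptions.Compiled);

    public static string Build(uint appId, uint userRid)
    {
        return Prefix + appId + "-" + userRid;   // Build(1, 1) gives "S-1-9-1-1"
    }

    // Parses a SID string; returns false for anything outside this design,
    // including Windows SIDs (S-1-5-...) and subauthorities larger than a DWORD.
    public static bool TryParse(string sid, out uint appId, out uint userRid)
    {
        appId = 0;
        userRid = 0;
        if (sid == null)
            return false;
        Match m = Pattern.Match(sid);
        if (!m.Success)
            return false;
        // at most 10 digits each, so ulong.Parse cannot overflow; range-check to uint
        ulong app = ulong.Parse(m.Groups["app"].Value);
        ulong rid = ulong.Parse(m.Groups["rid"].Value);
        if (app > uint.MaxValue || rid > uint.MaxValue)
            return false;
        appId = (uint)app;
        userRid = (uint)rid;
        return true;
    }

    // Guard to run on a SID read from the user table before handing it to AzMan,
    // which does not verify SIDs itself: accept only SIDs minted for this app.
    public static bool BelongsToApplication(string sid, uint expectedAppId)
    {
        uint app, rid;
        return TryParse(sid, out app, out rid) && app == expectedAppId;
    }
}
```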

Database Design
The table that stores the principals and the SIDs has the following schema:

Username varchar(50) NOT NULL, Primary Key
ID int NOT NULL Identity
PasswordHash varchar(50) NOT NULL
Salt varchar(200) NOT NULL
Sid varchar(50) NOT NULL

The ID column will help to generate unique user RIDs.

The stored procedure to insert new users and generate a SID:

CREATE PROCEDURE dbo.AddUser
(
  @Username varchar(50),
  @PasswordHash varchar(200),
  @Salt varchar(200),
  @AppID varchar(50)
)
AS

  -- insert the user first; the Sid column is completed once the identity value is known
  INSERT INTO utSid
    (Username, Salt, PasswordHash, Sid)
    VALUES (@Username, @Salt, @PasswordHash, @AppID)

  UPDATE utSid SET Sid = @AppID + '-' + CONVERT(varchar, @@IDENTITY) WHERE ID = @@IDENTITY

  -- return the generated SID to the caller
  SELECT @AppID + '-' + CONVERT(varchar, @@IDENTITY)

RETURN


Maybe not the most elegant t-sql – but it works. Another option could be to use a column expression to form the SID value....

Passwords, Hashes and Salts

Obviously we don’t want to store the cleartext passwords of our users. We use a salted hash instead. The password hash is formed as hash(salt, password) using PKCS#5, which is exposed in the .NET Framework through the PasswordDeriveBytes class. The salt is a random value generated by RNGCryptoServiceProvider (a cryptographically strong random number generator).

using System;
using System.Security.Cryptography;

private byte[] generateSalt(int length)
{
  // fill the salt from the cryptographic RNG, never from System.Random
  byte[] salt = new byte[length];
  new RNGCryptoServiceProvider().GetBytes(salt);

  return salt;
}

private string generateHash(string password, byte[] salt, int iterations)
{
  // PKCS#5 password-based key derivation with SHA1; 16 derived bytes are stored base64 encoded
  PasswordDeriveBytes p = new PasswordDeriveBytes(password, salt, "SHA1", iterations);
  return Convert.ToBase64String(p.GetBytes(16));
}

in part 2 i will show how to interact with the AzMan store.


Work in Progress
Monday, May 03, 2004 9:03:39 PM UTC

Reflector 4

Lutz Roeder's new .NET Decompiler is out!!! Rocks as usual.

download


For Your Favourites
Monday, May 03, 2004 5:28:49 AM UTC

Sunday, May 02, 2004

AzMan and non-Windows Accounts

One question at the AzMan talk was about how to use AzMan with non-Windows accounts, e.g. with applications that roll their own user management (like Web Applications, SQL Server type user stores) or alternate authentication protocols like RSA SecurID.

What’s pretty cool about AzMan is that you don’t necessarily have to map your roles to windows accounts.

You can stick three different identity types into the AzMan access check functions.

1. Tokens
2. Usernames
3. SIDs

Number 1 clearly maps to Windows Accounts, number 2 maps to Windows Usernames (DOMAIN\USER Format) or results of LDAP queries.

Number 3 can be a SID of a Windows User account or just any SID you store in the AzMan policy store. SIDs don’t get verified against AD or the SAM when adding them to the store or doing access checks.

This feature is very powerful as you can design your own SID structure and map these to your application managed user accounts and – voila – you can use the powerful authorization API within your applications.

When you have to integrate other authentication protocols, the new protocol transition feature of Kerberos in Windows Server 2003 comes in handy. An application or a gateway can (after authenticating the user) request an S4U2Self ticket. This ticket yields a Windows token which can then be used to feed AzMan.

I’ve written a proof of concept program for the Custom SID scenario. I will post some code in the next days.

more on S4U Kerberos Extensions here.


Work in Progress
Sunday, May 02, 2004 8:13:29 PM UTC

Working as a non-Admin (german)

The new newsletter from ERNW GmbH is online.

This time the topic is "Working as a non-Admin under Windows". download

Excerpt:
"The Problem
Working as Administrator, or with an account that has administrator rights, under Windows has become the norm in many corporate environments and at home. Windows XP, for example, gives the first user account administrative rights. There is a good reason for this: a normal user is not allowed to install software or drivers or to change the IP address; not even changing the system time is permitted.
In everyday use these functions are very rarely needed; for office work and surfing the Internet, administrator rights are by no means required.
On the contrary: working as Administrator even carries considerable risks. All programs you start run under the most powerful user account your system has to offer. These programs are allowed to read, add or delete arbitrary files on your system. This naturally includes arbitrary registry keys, password files, system libraries as well as e-mail and Internet functionality.
Nowadays there are many different ways to "catch" a virus or worm, and serious software bugs (so-called "buffer overflows") can lurk in almost any standard software (e.g. Outlook, Internet Explorer, Macromedia Flash Player, RealAudio Player, etc.).
All this can lead to malicious code being executed on your system, and this code runs with the rights of the currently logged-on user.
90% of all viruses would have failed miserably if they had not had rights to certain system files or registry keys (e.g. to configure themselves to start automatically when the system boots). Replacing system files is likewise only possible as Administrator.
So why expose yourself to this danger?..."


Work in Progress
Sunday, May 02, 2004 8:02:18 PM UTC

IIR Windows Forum - Microsoft Authorization Manager

I gave a talk about Microsoft Authorization Manager at the IIR Windows Forum in Frankfurt. I was pretty surprised about how many people came to this session (even some more than to the iis 6 security talk directly before ;)

There were also some good questions about integrating other directory services than AD, combining AzMan with other authentication systems like SecurID, mobile scenarios and so on.

the slides and a demo azMan Store can be downloaded (german) here.
An excellent article about AzMan by Keith Brown can be found here.
Technet info about Azman : here.

more to come....


Work in Progress
Sunday, May 02, 2004 1:42:33 PM UTC

ifconfig

ifconfig lets you change ip address, subnet mask, dns server and default gateway of any network interface from the command prompt. it also shows detailed information about the selected interface via wmi. this new version introduces a more flexible command line and some minor bugfixes. download


Tools
Sunday, May 02, 2004 1:25:56 PM UTC

Unbase64

small tool to quickly decode base64 encoded strings (like the ones used in http basic auth) download


Tools
Sunday, May 02, 2004 1:22:01 PM UTC

Crypter

gui tool to encrypt/decrypt files using rijndael/aes and a user supplied key. just drag a file from explorer to crypter and set the password. credits to Keith Brown (http://www.develop.com/kbrown) download


Tools
Sunday, May 02, 2004 1:20:37 PM UTC

EventMonitor

EventMonitor is a command line tool that can display windows event log entries in real time. you can filter by event log name (system, security…) and by event severity (warning, error…). the entries can also be written to an output file. this file can be plain text or xml. several xsl stylesheets are included to convert the xml output to html. download


Tools
Sunday, May 02, 2004 1:19:32 PM UTC

SqlShell

new and updated version of SqlShell. it establishes a connection to a sql server with an administrative account (sa or integrated security), then uses xp_cmdshell to open a remote shell. all shell activities can be logged to a text file. this new version can automatically dump the password hashes from master..sysxlogins and write them to a file ready for cracking with tools like sqlbf (www.cqure.net). download


Tools
Sunday, May 02, 2004 1:18:07 PM UTC

XslTransform

command line tool to do xsl transformations on xml files. the result gets piped to stdout, so you can redirect to any device (e.g. a file) download


Tools
Sunday, May 02, 2004 1:16:10 PM UTC

Hasher

tool to hash strings (e.g. passwords) with sha1 or md5. it also shows the entropy of the string. if you execute it without commandline parameter, a gui will pop up - otherwise use /?. it can automatically copy the result to the clipboard. also works for forms authentication hashed passwords. download


Tools
Sunday, May 02, 2004 1:10:00 PM UTC

DPAPI Tools

some tools to work with the data protection api (DPAPI). includes an encrypter/decrypter command line version (use the /? switch) and a gui version. also includes a single aspx file which does encrypting/decrypting. good for copying on servers :) download


Tools
Sunday, May 02, 2004 12:57:47 PM UTC

BogusBanner ISAPI Filter

a small ISAPI Filter to modify or remove some http headers (especially the server header) download


Tools
Sunday, May 02, 2004 12:54:20 PM UTC