
How does Web API/ASP.NET Windows authentication work?

According to the official asp.net site:

Integrated Windows authentication enables users to log in with their Windows credentials, using Kerberos or NTLM. The client sends credentials in the Authorization header

But the advantages of this approach listed on the same page say:

Built into IIS. Does not send the user credentials in the request.

It's a little confusing. So how does Windows Authentication really work in HTTP requests to Web API / ASP.NET?

ASP.NET Windows Authentication leverages a few technologies to make its implementation relatively transparent and seamless. The base authentication modes that are used are Kerberos and/or NTLM, which are explained below. Once the base authentication process is completed, IIS passes the results to ASP.NET. The results are either an authenticated or an anonymous user. ASP.NET then starts building out an IPrincipal object which your application uses.

Kerberos

--------------             --------------
-            - ----(1)---> -            -  
-   Client   - <---(2)---- -   Domain   -  
-            - ----(3)---> - Controller -  
-            - <---(4)---- -            -  
--------------             --------------
     \     /\
     (5)    \
       \    (6)
       \/     \
     --------------
     -            -
     -     Web    -
     -   Server   -
     -            -
     --------------

(1) - Client requests TGT from KDC
(2) - KDC sends TGT to client
(3) - Client requests resource access from TGS with TGT
(4) - TGS sends session key and ticket to client
(5) - Client sends ticket to web server
(6) - Web server sends response to client

NTLM

--------------             --------------
-            - ----(1)---> -            -  
-   Client   - <---(2)---- -     Web    -  
-            - ----(3)---> -    Server  -  
-            - <---(6)---- -            -  
--------------             --------------
                              \     /\
                              (4)    \
                               \    (5)
                               \/     \
                            --------------
                            -            -
                            -   Domain   -
                            - Controller -
                            -            -
                            --------------

(1) - Client requests access with username from web server
(2) - Web server sends challenge message to client
(3) - Client encrypts challenge with password hash (NTLM response) and sends to web server
(4) - Web server sends username, challenge, and NTLM response to the domain controller
(5) - Domain controller checks NTLM response
(6) - Web server sends response to client

References:
https://docs.microsoft.com/en-us/windows/desktop/secauthn/microsoft-kerberos
https://docs.microsoft.com/en-us/windows/desktop/secauthn/microsoft-ntlm
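What travels in the HTTP headers during steps (1)-(3) of the NTLM diagram and step (5) of the Kerberos diagram is a base64-encoded token, not the password. The following decoder is an added example, not code from the original answer or from Microsoft: it parses the NTLM CHALLENGE_MESSAGE ("type 2") that IIS returns in `WWW-Authenticate` (field layout and AvId values follow MS-NLMP sections 2.2.1.2 and 2.2.2.1) and classifies an `Authorization` header by whether it carries a reversible password (Basic) or only an NTLM or Kerberos/SPNEGO token (NTLM, Negotiate). The function names, the `build_sample_challenge` helper and every sample header (`CORP`, `WEB01`, `corp.example`, the challenge bytes) are constructed for this example and were not captured from any real server or client.

```python
import base64
import struct

NTLM_SIGNATURE = b"NTLMSSP\x00"
AV_PAIR_NAMES = {  # TargetInfo AvIds (MS-NLMP 2.2.2.1); id 0 is MsvAvEOL
    1: "MsvAvNbComputerName", 2: "MsvAvNbDomainName", 3: "MsvAvDnsComputerName",
    4: "MsvAvDnsDomainName", 5: "MsvAvDnsTreeName", 7: "MsvAvTimestamp", 9: "MsvAvTargetName",
}
UTF16_AV_IDS = {1, 2, 3, 4, 5, 9}   # AvIds whose value is a UTF-16LE string

def parse_av_pairs(blob: bytes) -> dict:
    """Walk the AV_PAIR list (AvId u16, AvLen u16, value) until MsvAvEOL."""
    pairs, pos = {}, 0
    while pos + 4 <= len(blob):
        av_id, av_len = struct.unpack_from("<HH", blob, pos)
        pos += 4
        if av_id == 0:
            return pairs
        value = blob[pos:pos + av_len]
        if len(value) != av_len:
            raise ValueError("truncated AV_PAIR")
        pos += av_len
        name = AV_PAIR_NAMES.get(av_id, f"MsvAv{av_id}")
        if av_id in UTF16_AV_IDS:
            pairs[name] = value.decode("utf-16-le")
        elif av_id == 7:   # FILETIME: 100 ns ticks since 1601-01-01
            pairs[name] = struct.unpack("<Q", value)[0]
        else:
            pairs[name] = value.hex()
    raise ValueError("TargetInfo missing MsvAvEOL terminator")

def parse_ntlm_challenge(token: bytes) -> dict:
    """Parse CHALLENGE_MESSAGE; ServerChallenge is the nonce the client will
    later combine with its NT hash, so no password is present in this message."""
    if len(token) < 48 or token[:8] != NTLM_SIGNATURE:
        raise ValueError("not an NTLMSSP message")
    if struct.unpack_from("<I", token, 8)[0] != 2:
        raise ValueError("not a CHALLENGE_MESSAGE (type 2)")
    tn_len, _, tn_off = struct.unpack_from("<HHI", token, 12)   # TargetNameFields
    flags = struct.unpack_from("<I", token, 20)[0]              # NegotiateFlags
    ti_len, _, ti_off = struct.unpack_from("<HHI", token, 40)   # TargetInfoFields
    if tn_off + tn_len > len(token) or ti_off + ti_len > len(token):
        raise ValueError("payload offsets point outside the message")
    encoding = "utf-16-le" if flags & 0x00000001 else "ascii"   # NTLMSSP_NEGOTIATE_UNICODE
    return {
        "server_challenge": token[24:32].hex(),
        "flags": hex(flags),
        "target_name": token[tn_off:tn_off + tn_len].decode(encoding),
        "target_info": parse_av_pairs(token[ti_off:ti_off + ti_len]) if ti_len else {},
    }

def decode_www_authenticate(header_value: str) -> dict:
    """'NTLM <base64>' or 'Negotiate <base64>' challenge header -> parsed fields."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() not in ("ntlm", "negotiate") or not b64:
        raise ValueError("header carries no NTLM challenge token")
    return parse_ntlm_challenge(base64.b64decode(b64.strip()))

def classify_authorization(header_value: str) -> str:
    """Report whether an Authorization header carries a password or only a token."""
    scheme, _, b64 = header_value.strip().partition(" ")
    scheme = scheme.lower()
    if scheme == "basic":
        return "password-in-header"        # base64(user:password) is reversible
    if scheme in ("ntlm", "negotiate"):
        token = base64.b64decode(b64.strip())
        if token.startswith(NTLM_SIGNATURE) and len(token) >= 12:
            kind = {1: "negotiate", 2: "challenge", 3: "authenticate"}
            return "ntlm-" + kind.get(struct.unpack_from("<I", token, 8)[0], "unknown")
        if token[:1] == b"\x60":           # GSS-API InitialContextToken (SPNEGO/Kerberos)
            return "kerberos-spnego-token"
        return "unknown-token"
    return "unhandled-scheme"

def build_sample_challenge(server_challenge: bytes, target: str, av_pairs) -> bytes:
    """Construct a CHALLENGE_MESSAGE as sample input (test data, not a real server)."""
    flags = 0x00000001 | 0x00000004 | 0x00000200 | 0x00010000 | 0x00800000 | 0x02000000
    target_bytes = target.encode("utf-16-le")
    target_info = b"".join(struct.pack("<HH", i, len(v)) + v for i, v in av_pairs)
    target_info += struct.pack("<HH", 0, 0)                     # MsvAvEOL
    tn_off, ti_off = 56, 56 + len(target_bytes)                 # 56 = fixed header size
    return (NTLM_SIGNATURE + struct.pack("<I", 2)
            + struct.pack("<HHI", len(target_bytes), len(target_bytes), tn_off)
            + struct.pack("<I", flags) + server_challenge + b"\x00" * 8
            + struct.pack("<HHI", len(target_info), len(target_info), ti_off)
            + struct.pack("<BBHI", 10, 0, 19041, 0x0F000000)    # Version field
            + target_bytes + target_info)

# Constructed sample headers (not captured from any real server or client)
SAMPLE_WWW_AUTHENTICATE = "NTLM " + base64.b64encode(build_sample_challenge(
    bytes.fromhex("0123456789abcdef"), "CORP",
    [(2, "CORP".encode("utf-16-le")), (1, "WEB01".encode("utf-16-le")),
     (4, "corp.example".encode("utf-16-le")), (7, struct.pack("<Q", 132000000000000000))])).decode()
SAMPLE_BASIC = "Basic " + base64.b64encode(b"alice:Passw0rd").decode()
SAMPLE_NTLM_TYPE1 = "NTLM " + base64.b64encode(
    NTLM_SIGNATURE + struct.pack("<I", 1) + struct.pack("<I", 0x00000205) + b"\x00" * 16).decode()
SAMPLE_NEGOTIATE = "Negotiate " + base64.b64encode(b"\x60\x06\x06\x04\x2b\x06\x01\x05").decode()

if __name__ == "__main__":
    print(decode_www_authenticate(SAMPLE_WWW_AUTHENTICATE))
    for header in (SAMPLE_BASIC, SAMPLE_NTLM_TYPE1, SAMPLE_NEGOTIATE):
        print(header.split(" ")[0], "->", classify_authorization(header))
```

Running it prints the decoded challenge (server nonce, flags, target name, TargetInfo such as the NetBIOS and DNS names of the server) and then `Basic -> password-in-header`, `NTLM -> ntlm-negotiate`, `Negotiate -> kerberos-spnego-token`. That is the distinction the two quoted sentences from the docs are both making: the client does send something in `Authorization`, but with Windows Authentication it is a ticket or a challenge response, whereas only Basic puts the credential itself on the wire.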

Windows Authentication enables users to log in with their Windows credentials in an intranet environment under the same domain. It is just like logging in to your company laptop (your Windows credentials) using your company network (your company domain). If your Web API is open for all to use, then you shouldn't use Windows Authentication.
