Microsoft Virtual Labs

Connected Systems: Security

Connected Systems: Security

Table of Contents
Connected Systems: Security................................................................................................................... 3
Exercise 1 Using the GeneriCo implementation .................................................................................................4
Exercise 2 A first look at the code behind GeneriCo ..........................................................................................7
Exercise 3 Employee Login.................................................................................................................................9
Exercise 4 Active Directory Integration............................................................................................................13

Connected Systems: Security

Connected Systems: Security

Objectives

After completing this lab, you will be able to:

Scenario

Estimated time to
complete this lab: 60
minutes

Log in and use some of the GeneriCo employee portal functionality.

Describe the basic structure of the GeneriCo source code.
Describe the login mechanism that the GeneriCo employee portal uses.
Describe the interception mechanism used to verify authentication.
Examine and reason about the Active Directory integration in GeneriCo.

This lab examines two systems in GeneriCo: the employee portal, which is a
web application accessed via a browser, and the security service, which is an
XML web service used to authenticate and authorize users as they use various
systems in GeneriCo, including the employee portal. We start by giving you a
brief introduction to the portal application, in case youve not used it before.
Then we show the basic structure of GeneriCos source code, so you can more
easily navigate this highly factored implementation. After the introductions, we
walk through the login process from the employee portal presentation layer all
the way through to the Active Directory integration in the security service.
Along the way, youll learn about some of the tradeoffs that must be made
when building a platform-neutral system like GeneriCo, and some of the
benefits youll get by integrating more fully with Windows.

Connected Systems: Security

Exercise 1
Using the GeneriCo implementation
Scenario
In this part of the lab, you walk through using parts of the GeneriCo Blueprints implementation to
gain familiarity with its functionality from a client's perspective. If you already feel comfortable
with the functionality of the application, you may elect to skip to part 2.

Tasks
1.

Login to the employee

portal.

Detailed steps
a.

Open Internet Explorer and browse to

http://localhost:5001/default.aspx. You should see a page that looks
like this:

b. Enter a User Name of Earl12.

c.

Enter a Password of ABCabc123.

d. Click Login.

Note: it may take a moment to authenticate the user.

2.

Familiarize yourself with

the employee portal.

a.

Once you login, you should see the following page:

Connected Systems: Security

Note: this is main page an employee would use in the portal its
customizable via Web parts. Many of the links on this page are not
functional.
b. Click the Department Listing link at the bottom of the page.
c.

Click the Employees tab to see a list of employees (this should contain
the same information you saw in the HR application).

d. Click on Eric Earl to view his employee information. View a few

others along with the department details.

3.

Create a new task.

e.

Click Up to Generico in the upper right-hand corner.

f.

Click the eHR tab to go back to the employee portal.

a.

Click the New Task button.

b. Enter a Subject and Date to fill in the form with a new task.
c.

Click Submit.

d. If an AutoComplete dialog appears, click No.

Note: when other employees interact with the portal, tasks can be
automatically created for other users (e.g., when something needs
approval, etc.).
Now lets walk through a more involved workflow scenario, requiring
logging in and out as different users. The following steps will walk you
through submitting and approving an expense report.
4.

Submit an expense report.

a.

Click the Create Report button.

b. Enter a Title and Purpose.

c.

Click the Add New Item button.

d. Enter a Description, Justification, From (eg. 7/4/2005), Days, and

Total.
e.

Check the Have Receipt check box.

f.

Click the Update button.

g.

Click the Back to Report button.

h. Click the Submit Report button.

Connected Systems: Security

5.

Log out.

a.

Click the Home tab.

b. Click the Logout button.

Note: Earl, an employee, has submitted an expense report. Now his

manager needs to approve it.
6.

7.

Enter the employee portal as

the manager.

Approve the expense report.

a.

Enter a User Name of Michelson11.

b. Enter a Password of ABCabc123.

c.

Click Login.

a.

Click the Staff Reports link under the Expense Reports field.

b. Click the link for Earl's expense report.

8.

Log out.

c.

Click the Approve button.

a.

Click the Home link.

b. Click the Logout button.

Note: now that the manager has approved the expense report, accounting
needs to authorize the expense report for payment.
9.

Enter the employee portal as

the accountant.

10. Authorize the expense

report.

11. Log out.

a.

Enter Holmez10 as the User Name.

b. Enter ABCabc123 as the Password.

c.

Click the Login button.

a.

Click the Staff Reports link.

b. Click the link for Earl's expense report.

c.

Click the Approve button.

a.

Click the Home link.

b. Click the Logout button.

Note: now that accounting has approved the expense report, it should be
paid.
12. Log back in as Earl12 to

verify the authorization.

a.

Enter a User Name of Earl12.

b. Enter a Password of ABCabc123.

a.

Click Login.

b. Verify that the report has been paid by looking in My Reports under

Status.
c.

Click the Home link.

d. Click the Logout button.

Connected Systems: Security

Exercise 2
A first look at the code behind GeneriCo
Scenario
In this exercise, we will see how the layers of a solution work together by examining the structure
of that solution.

Tasks

Detailed steps

1.

Open the EmployeePortal

solution.

a.

Click the folder icon on the quick launch bar. This just launches an
Explorer window and drills into to the directory shown below. This
will be the base source code directory where youll be working:
C:\Documents and Settings\Administrator\My
Documents\Visual Studio Projects\GeneriCo
b. Open the EmployeePortal subdirectory and double-click
GeneriCo.EmployeePortal.sln to open the solution in Visual Studio.

2.

Examine the structure of the

solution.

a.

Collapse all the projects in the Solution Explorer and youll be able to
see the overall structure of the solution, as shown here:

Besides the UnitTests and setup folders, notice the three layers that make
up this project: Presentation, Business and Model. Other projects will also
have a data layer (this particular example does not because it relies on a
set of XML Web Services instead of a data store).
Since this project exposes a user interface (in this case an ASP.NET web
application), there is a Presentation layer. In a service, youll see this
replaced by a Service layer instead.
3.

Understand how these layers

work together.

The Presentation or Service layers contain all functionality exposed to

external clients.
The Business layer contains all the business logic; examples include the
EmployeeLogic and ExpenseLogic classes.
The Data layer is the only place youll see interaction with a database or
other data store; examples include the UserData and RoleData classes.
The Model layer contains classes that are used to hold in-memory
representations of objects (typically the Business layer uses these objects to
communicate with the other layers). These classes dont have any logic,
just fields and properties to access those fields.
The diagram below shows the dependencies between these layers, and
should serve as a guide as you explore the GeneriCo source code.

Connected Systems: Security

Business
BusinessLayer
Layer
Presentation
Presentation
or
orService
ServiceLayer
Layer

Data
DataLayer
Layer

Model
ModelLayer
Layer

Connected Systems: Security

Exercise 3
Employee Login
Scenario
When an employee logs into the portal application, she is asked for a username and password. The
portal takes this information and submits it to the security system via a web service request. In the
BusinessLayer project, we will open up the SecurityLogic.cs file and look at the code for the Login
method.

Tasks
1.

Examine the code that

authenticates the user.

Detailed steps
a.

In the Solution Explorer, expand the BusinessLayer node, right-click

SecurityLogic.cs and select View Code.

The first section of code instantiates an object that represents the message
(AuthenticateRequest) and fills it out with the name and password provided
by the user. This is merely a formality to satisfy the GeneriCo specification.
The interesting part is really the attachment of a UsernameToken to the
message, which is the next bit of code, just inside the try block.
The UsernameToken is part of the Web Service Enhancements (WSE)
package that implements WS-Security, and its use with the web service
request causes an extra header to be added to the request which contains
the user name and password.
This header can then be validated by some plumbing in the service
implementation, which leads to an aspect-based solution for authentication
and authorization in the server. Well explore that shortly.
2.

Note how the password is

communicated to the server.

When the UsernameToken is constructed, PasswordOption.SendPlainText

is used. This means the password will be send in the header without being
protected in any way in the message itself.
To protect the password, the servers X.509 certificate is used to encrypt
the message.
You dont see any of this in the code, because its implemented via WSE 2.0
policy (which you can see in the PolicyCache.config file if youre
interested).
After adding the token to the request header, the Authenticate function is
called, which returns an AuthenticateResponse object.
Note: Even though its encrypted on the wire, the plaintext password is still
being sent to the server, and if the server is ever compromised, an attacker
could record hundreds or even thousands of passwords on any given day,
and these are long term secrets (when was the last time you changed any of
your passwords?). In a system that more fully integrates with the Windows
platform, you should try to use integrated security (Kerberos) instead of an
ad-hoc mechanism like the one defined by the GeneriCo spec. With
Kerberos, instead of sending a password to the server, we send whats
called a ticket, which is only good for use during the working day. This and
other restrictions make a Kerb ticket a much better choice for
authentication than a password.

3.

Examine the response.

The response contains something called an AuthToken.

10

Connected Systems: Security

This is simply a string that represents an application-level logon session.
By sending this string with each ensuing request to the security system,
were reminding the security system that we are still logged in.
This means the security system needs to maintain state to remember our
login.
Note that the security system indicates a failed login by returning a NULL
AuthToken, in which case the Business layer throws a SecurityException.
If everything goes smoothly, the Authenticate function returns a
LoginResult containing the employee ID and authToken.
4.

Note how subsequent calls

are authenticated.

a.

Scroll down to the GetAuthorization method.

Note that in order to call this method, the Presentation layer needs to know
the employee ID and authToken.
Once again, youll see a UsernameToken being constructed, but note that
this time the user name that is sent is the employee ID, and the password
becomes the authToken.
The pattern for using the security system is as follows: login and get a
session started, then with each subsequent call, identify and authenticate
yourself by proving knowledge of the authToken associated with the logon
session.

5.

Consider session guessing

attacks.

One obvious attack against this system is to try to guess the authToken.
This would mean you could use the security system without knowing a valid
user name or password just create a UsernameToken with the desired
employee ID and the authToken you guessed.
As you can see, using a monotonically increasing counter (an integer, say)
for the token would be a very bad idea indeed!
To mitigate this threat, the GeneriCo implementation uses a GUID for the
AuthToken, and GUIDs are generated using the default cryptographic
random number generator built into Windows. GUIDs are 128 bits long, so
guessing the authToken is not feasible.
Pay attention to this issue in your own systems!

6.

Examine the security system

implementation.

a.

Open a second instance of Visual Studio by clicking Start | All

Programs | Microsoft Visual Studio .NET2003 | Microsoft Visual
Studio .NET 2003.

b. Click File | Open Solution and navigate to C:\Documents and

Settings\Administrator\My Documents\Visual Studio

Projects\GeneriCo\SecuritySystem.
c.

Select GeneriCo.SecuritySystem.sln and click Open.

d. Collapse all the projects like before so you can get a feel for the layout

of the solution.
Since this is a web service implementation, youll see a ServiceLayer
project instead of a PresentationLayer.
Note the addition of a DataLayer along with a few helper projects for
dealing with Active Directory, where the Data layer stores its state.
7.

Examine the service layer.

a.

In the Solution Explorer, expand the ServiceLayer node and rightclick on AuthenticateService.asmx and select View Code.

The first method on the AuthenticateService class is the one that we saw
being called earlier: Authenticate.

Connected Systems: Security

11

Examine the code for this method.

Where is the password being validated?
8.

Find where the password is

being validated.

The somewhat surprising answer is that its not really validated anywhere
in the Authenticate method.
In fact, the password was validated before this method was even called!
Since the caller sent the user name and password in a WS-Security header,
some plumbing in WSE automatically validates the token before the web
service method is called. If the validation fails, the web service method is
not called at all.
Note: This is an example of a pattern that is really useful for security: it
should be as transparent as possible to application developers. By pushing
the security checks into the plumbing, an application developer doesnt
need to remember to call a method to check authentication or
authorization. Thats already been done before the call even reaches the
developers code. And if any of these security checks fail, the developers
code is never called the request is aborted right there in the plumbing.
The figure below shows this aspect-based architecture:

Web Service
Request

WSE
WSEPlumbing
Plumbing

Service
Servicecode
code

Custom
CustomUsername
Username
Token
TokenManager
Manager
9.

See how a custom token

manager is wired into the
WSE pipeline.

WSE provides built-in plumbing that can authenticate users with real
Windows accounts.
But GeneriCo has its own security system, as the spec it was based on
doesnt assume any particular platform. This means that GeneriCo must
wire up a little bit of custom plumbing
a.

In the Solution Explorer, under the ServiceLayer node and doubleclick the Web.config file.

b. Scroll to the bottom of the code.

You should see an element called <securityTokenManager/> which points

to a class in Generico that will handle the security checks
(SecuritySystemTokenManager).
The code for this class is in the same project, so lets look at it now.
10. Examine GeneriCos custom

token manager.

a.

In the Solution Explorer, under the ServiceLayer node, right-click

SecuritySystemTokenManager.cs and select View Code.

Note that it derives from a WSE class called UsernameTokenManager and

overrides the AuthenticateToken method.
This is the custom plumbing GeneriCo needs to validate logins using the
Security system.
The first section of code handles the case where a user name and password
are being passed (this only happens when the AuthenticateService is being
used).
The second section validates authTokens that were issued by the

12

Connected Systems: Security

AuthenticateService.
11. Note that the token manager

authenticates users against

real Windows accounts.

It turns out that GeneriCo does indeed use Windows accounts to manage its
users. In fact, it uses an extension of the Active Directory schema to model
the employee database.
But when users log in, they dont specify a full domain account name,
rather they just specify their simple user names (Howard13, for example).
This custom plumbing looks up the domain name from the configuration
file, combines it with the users name, and then lets the existing WSE
plumbing check the login (note the call to base.AuthenticateToken).

12. Examine the authToken

validation.

For checking authTokens, the CheckAuthenticated helper function is used.

This simply pulls the employee ID and authToken out of the
UsernameToken, and calls the CheckAuthenticated service, as per the
GeneriCo specification.
a.

In the Solution Explorer, under the ServiceLayer node, right-click

CheckAuthenticatedService.asmx and select View Code.

You can see how the authToken is verified the state is simply stored in the
web services application state.
Note: One thing that is not addressed by the GeneriCo spec (or this
implementation) is logout, but this is important in real systems. Given the
way GeneriCo is implemented here, an obvious approach would be to
timeout the login after a certain amount of idle time.
13. Find where the authToken is

originally generated.

a.

Switch to the AuthenticateService.asmx code view and look at the

GetAuthToken helper function.

Note that all this does is generate a new GUID, stringize it, add it to the
application state as a valid login identifier, and return its value to the
caller.

Connected Systems: Security

13

Exercise 4
Active Directory Integration
Scenario
Finally, we will examine the configuration of Active Directory to see how GeneriCo manages users
and roles. We will also consider how this configuration achieves efficiency, and how it might be
improved for other situation.

Tasks
1.

Generico uses Active

Directory to manage users
and roles.

Detailed steps
a.

Switch to the GeneriCo.EmployeePortal solution.

The employee portal is designed to provide varying levels of functionality

depending on the role the user is in.
For example, a user who is a manager should be able to view the submitted
expense reports of her staff, while a non-manager should only be able to
view his own records.
GeneriCo uses Active Directory to manage users and roles, and an easy
place to see this in action is to look at the ExpenseReportsControl in the
Presentation layer of the EmployeePortal solution.

2.

Drill into the

ExpenseReportsControl.

a.

In the Solution Explorer, expand the PresentationLayer node, rightclick ExpenseReportsControl.ascx and click View Code.

b. Locate the Page_Load handler.

c.

Scroll down into the implementation of this method.

Youll see a call into the Business layer SecurityLogic class to a method
called CheckAuthorization.
This helps the Presentation layer decide whether to show staffers reports or
only personal reports.
3.

Drill into the

CheckAuthorization
method.

a.

In the Solution Explorer, under the BusinessLayer node, right-click

SecurityLogic.cs and select View Code.

b.

Scroll down to the CheckAuthorization method.

Note the first two arguments allow the caller to provide the employee ID
and authToken, which are used to authenticate with the security system.
The third argument is an identifier for the role were checking.
As usual, we see a request message being filled out, a UsernameToken
being attached to the request, and a call to the web service.
Theres really no logic here.
4.

Examine the service.

a.

Switch to the SecuritySystem solution.

b. In the Solution Explorer, under the ServiceLayer node, right-click

CheckAuthorizationService.asmx and select View Code.

Note that this delegates control to the Business layer in the service.
c.

In the Solution Explorer, expand the BusinessLayer node, right-click

EmployeeLogic.cs file and select View Code.

d. Expand the region entitled UserInfo WS Logic Methods and find the

CheckAuthorization method.

14

Connected Systems: Security

5.

Find the code that integrates

with Active Directory.

The business logic has one line of code that delegates to the Data layer, so
drill into the DataLayer project.
a.

In the Solution Explorer, expand the DataLayer node, right-click

RoleData.cs and select View Code.

b. Find the IsRoleAssignedToUser method.

Here youll see several calls that simply validate the input (which is always
good for security), followed by a couple of calls that lookup the user and
role objects in Active Directory.
Finally, the code checks to see if the role objects member property
contains the distinguished name of the user in question.
As you can see, the employee database is actually stored in Active
Directory.
6.

Consider the performance

implications of this
implementation.

Take another look at the IsRoleAssignedToUser method and try to figure

out how many round-trips it makes to ActiveDirectory in total.
There are at least five round trips, and that really adds up.
If you were to go back and look at the Page_Load event handler, youll see
that its checking two roles, which means before the ExpenseReportControl
can even display, it must make ten round-trips to a domain controller.
Now some of this is due to the way the GeneriCo implementation is
factored, but part is also do to the constraints that LDAP imposes.
For example, theres no way to do a JOIN via an LDAP search. Theres
also no way to implement something like a stored procedure in Active
Directory to reduce this overhead.

7.

Consider performance
improvements.

There are other ways of augmenting Active Directory that can give
markedly improved performance.
For example, you may prefer to keep all of your data in SQL Server,
including user data.
You can then use Microsoft Identity Integration Server (MIIS) to
synchronize your SQL Server database with the data in Active Directory.
Having access to directory data from SQL Server allows you to do
sophisticated queries, JOINs, and stored procedures, and can significantly
improve the performance of your solution.
Keep this in mind when building your own systems.

8.

Consider GeneriCos rolebased security

implementation.

As it stands, this is a strict implementation of the GeneriCo specification,

which is platform-neutral.
If you are building a Windows-based system, as was mentioned earlier,
youll want to use integrated authentication (Kerberos) wherever you can.
And if youre relying on integrated authentication, you can use Windows
groups to model roles.
Not only does this reduce the amount of code you need to write (it almost
entirely eliminates the security system in GeneriCo), but it also simplifies
access to role information.
For example, heres a snippet of code you might use to check if a user is in
the HRRepresentative role in a web service:
bool isHr =
User.IsInRole(string.Format("{0}\HRRepresentativeRo
le", domain));
The only trick is knowing the domain in which your roles are defined,

Connected Systems: Security

15

because domain group definitions are always scoped by a domain.

9.

Consider the benefits of

using Windows groups to
model roles.

A big benefit of a group-oriented solution is that an administrator can use

the tools that are built in to Windows to manage roles, such as the Active
Directory Users and Groups console.
Another benefit is that you can set up Access Control Lists (ACL), SQL
Server roles, and COM+ roles based on Windows groups.
Its really the most natural way to go if youre building a Windows-based
system. But once again, GeneriCo wasnt designed for any particular
platform, and thus must provide its own role infrastructure.
When security is concerned, integrate as tightly as possible with your
operating system of choice!

10. Note that GeneriCo uses

custom schema extensions

to Active Directory.

In the SecuritySystem solution youll see three projects that help implement
custom schema extensions: ADSchemaGenerator, ADObjectGenerator, and
ADReader.
The first adds the schema classes and attributes to store the user, role, and
system data in the directory.
The second generates instances of these classes (roles like the HR
Representative, and test employees like Howard13).
The third (ADReader) simply prints out the instances; its more of a
diagnostic tool than anything else.
If youre interested in learning how to extend the Active Directory schema,
these would be useful projects to spend some time exploring.