.NET Passport Authentication | IIS 6: The Complete Reference

IIS 6 can use Microsoft's .NET Passport to authenticate users requesting resources from a web site or a web site virtual directory. The benefit that this solution offers is that the credentials are stored and managed on another server that you are not responsible for building or maintaining. Users can authenticate using the .NET Passport service and then be allowed access to the web site hosted on your WS03 server. The service does not provide access control or site authorization, however. The .NET Passport server can only affirm that a web consumer representing himself or herself to be the person represented by the established profile in the .NET Passport server has successfully authenticated as that person represented by the established profile.

The .NET Passport system is free for the web consumer to register with and use. Web consumers log in and log out at the Passport server, and they are directed to your web site after a successful login event. The login and logout pages may be cobranded so that they appear to be related to the web site that the user is logging in to.

Passport provides a nice system for everyone involved in a web-based transaction, because users get the benefit of a single sign-on solution for any .NET Passport authenticated web site they encounter. The web host benefits because the hosting party does not have to build and support the credentials system or server, but they must pay a fee to the Microsoft .NET Passport service to establish an account with the Passport server. After an account is set up, the web host simply needs to build the web site to respond to users who authenticate. This is the same effort that any web site with an established membership and authentication mechanism would perform regardless of where the members' credentials are hosted, except that they now deal with only authenticated users.

The problem with the .NET Passport system, however, is that many web consumers have not responded quickly to the solution. The web consumer community is apprehensive about providing personal information to the .NET Passport service. Existing web-based vendors and portals have not adopted the use of .NET Passport with great enthusiasm because they generally already have their own authentication systems in place. The benefits of providing a web single login experience are greatly minimized when the web consumer may have to authenticate to other sites that they patronize. Without wide acceptance of the use of .NET Passport by web sites using it as an authentication system, the web single login system will not benefit the web consumer.

Establishing .NET Passport Service

Before you can use the .NET Passport service, you need to prepare your site for the service. Following is a review of the steps required for establishing a .NET Passport server setup:

Register the web site through the .NET Passport service. Go to the following URL to begin the process: http://www.microsoft.com/net/services/passport/ developer.asp. Here, you'll fill out a comprehensive series of forms and complete a .NET Passport Wizard with information about yourself and your web site. Table 7-1 summarizes the information required to perform this step.
On successful registration, your site is assigned an ID and registered with a pending status. Microsoft will attempt to replicate the site on its server and approve your site.
Build the site. Microsoft provides a .NET Passport software development kit (SDK) that offers aid and support in your effort to build a .NET Passport web site. The SDK is available free for download from Microsoft's web site at http://msdn.microsoft.com/library/default.asp?url=/downloads/list/websrvpass.asp.
Petition .NET Passport services for a compliance review of the site. If your site meets the standards, you will be required to enter into a contractual agreement with .NET Passport services.

Launch the site. Obtain the encryption keys for the production site and roll in the production code required to support the .NET Passport integration.

Table 7-1: .NET Passport Registration Information
Item	Description
Your general contact information	Name, phone, address, e-mail, and so on
Name of the site	Required-Name used to identify the site in the Passport portal
Type of .NET Passport service	Required-Choose one or more of the following: Kids Passport, .NET Passport Single Sign-In, .NET Passport Express Purchase
Web Site Title	Required-Title for the web site
Domain Name	Required-The top most domain name for the site; no subdomains should be included in the name
Default Return URL	Required-The URL where customers will be redirected from the Passport server in an error event
Customer Support Phone Number	Telephone number presented to customers if they need help or support
Customer Support E-mail	E-mail address presented to customers if they need help or support
Customer Support URL	URL presented to customers if they need help or support
Privacy Policy URL	Required-URL presented to customers for your privacy policy
Cobrand URL	URL for the cobranding file that contains the JavaScript cobranding variables
Cobrand CSS URL	URL for the cascading style sheet (.css) file that will be used by the .NET Passport pages to make them appear cobranded
Cobrand Image URL	Required-URL for the site's logo, which should be 468 × 60 pixels
Cobrand Image2 URL	Required-URL for the site's logo, which must be 2 × 80 pixels, and a .gif
Cobrand Image HREF	Link for the logo image
Cobrand Instruction Text	Required-Instructions that will appear at the top of the .NET Passport Credential dialog box
Registration Return URL	URL of the file that users will be redirected to after login by default
Terms of Use URL	URL for the terms of use
Edit URL	URL to the page on the web devoted to editing user's data on your site
Disable Copyright	Checkbox that will disable the Microsoft copyright link presented in each .NET Passport module
Disable Help Text	Checkbox that will disable the Microsoft help file link presented in each .NET Passport module
Disable Member Services	Checkbox that will disable the Microsoft Member Services file link presented in each .NET Passport module
Disable Privacy Policy	Checkbox that will disable the Microsoft privacy policy file link presented in each .NET Passport module
Disable Terms of Use	Checkbox that will disable the Microsoft Terms of Use file link presented in each .NET Passport module
Expire Cookie URL	Required-URL for a file that deletes the .NET Passport cookies; this URL is called when the user performs a logout function
Logout URL	URL for a file that the passport system will send customers when they sign out of .NET Passport by clicking the .NET Passport Sign Out button

The registration process identified in step 1 is rather comprehensive. You will also be presented with the .NET Passport Wizard, and you will be expected to establish a .NET Passport. After the wizard completes, you will see a series of web pages prompting you for information-some of which is mandatory to complete the process. The information requested during the registration processes is summarized in Table 7-1.

Setting Up the Site for .NET Passport

If you set up a web site or a web virtual directory to authenticate users via .NET Passport, the users will be presented with a .NET Passport login prompt when they request a file for the first time from the web site. The circumstances under which the user will be prompted for their credentials may vary, depending on the site application's use of the .NET Passport service. After the user enters a valid login and password, they are allowed to access the requested file.

To set up IIS to provide .NET Passport authentication, follow these steps:

Open the IIS MMC snap-in and expand the Web Sites node in the left panel.
Right-click the respective web site or virtual directory that should authenticate using .NET Passport. Select Properties.
In the Properties window, select the Directory Security tab.
Click the Edit button under the Authentication And Access Control section. The Authentication Methods window will open.
Under the Authenticated Access section, check the .NET Passport Authentication checkbox. All other authentication methods will be disabled, since using .NET Passport authentication is a mutually exclusive option. Anonymous access can still be selected, however.
If you want, type a domain name in the Default Domain text box. This is the domain to which usernames will be assumed to belong on the host server after the .NET Passport server authenticates them. Realm may be used to identify the organization or domain to which users should be assumed to belong if the server participates in a non-Microsoft system.
Click the OK button to close the Authentication Methods window, and click the OK button to close the Properties window.

If the .NET Passport service is set properly, users will be presented with a .NET Passport prompt that looks like the window shown in Figure 7-2, except the configurations described in Table 7-1 will exist in place of the default values shown in Figure 7-2.

click to expand
Figure 7-2: .NET Passport login prompt with the default configurations