HOW TO: Secure an ASP.NET Application by Using Microsoft Passport (315734)


The information in this article applies to:

  • Microsoft Passport 2.5
This article was previously published under Q315734
IMPORTANT: This article contains information about modifying the registry. Before you modify the registry, make sure to back it up and make sure that you understand how to restore the registry if a problem occurs. For information about how to back up, restore, and edit the registry, click the following article number to view the article in the Microsoft Knowledge Base:

256986 Description of the Microsoft Windows Registry

IN THIS TASK

SUMMARY

This step-by-step article describes how to set up and use Passport in test mode. Microsoft .NET Passport provides Web-based authentication with Single Sign-In service, Kids Passport service, and Wallet service. Microsoft Passport provides Single Sign-in authentication service to secure Web applications. In a Passport-enabled site, you can sign in by using your Passport account. Your Passport account may also be used to sign in to thousands of other Web sites.

Back to the top

Requirements

To set up and use Passport in test mode, Microsoft recommends the following hardware, software, network infrastructure, skills, knowledge, and service packs:
  • Use a computer that is running Microsoft Windows 2000 Server with Service Pack 2 (SP2) or Microsoft Windows 2003 Server.

    You can use Microsoft Windows XP Professional for testing.
  • Use Internet Information Services (IIS) version 5.0.
  • Use Internet Explorer 6.0.
  • Use Microsoft Visual Studio .NET Beta 2.0 or Release Candidate.
  • Be connected to the Internet.
  • Have prior knowledge about Microsoft Visual Basic .NET or Microsoft Visual C#. NET.
Back to the top

Install Passport 2.5 Software Development Kit (SDK)

To install the Passport 2.5 SDK, follow these steps:
  1. Visit the following Microsoft uniform resource locator (URL):

    http://download.microsoft.com/download/e/8/1/e8197a24-dd81-48c3-9db2-be5fed8bed84/ppm_sdk_v2_5.exe
  2. Click to select Save this program to disk, and then click OK.
  3. Save the setup file to your hard disk.
  4. When the download completes, double-click ppm_sdk_v2_5.exe to start the installation procedure.
  5. On the Welcome page, click Next.
  6. On the License Agreement page, click Yes.
  7. On the Destination Path page, specify the path for the Passport SDK files, and then click Next.
  8. On the Setup Type page, click to select Development/Test, and then click Next.
  9. On the Select Folder page, specify the program folder that displays the Passport SDK icons, and then click Next.
  10. On the Select Web Site page, click to select Default Web Site, and then click Next.

    Setup stops IIS, installs Passport SDK, and then restarts IIS. Next, Internet Explorer launches and tries to open the local PassportTest Web site.

    Click Refresh on the Internet Explorer toolbar if you receive the following error message:
    "This page cannot be displayed"
  11. When the network map is updated, read the page that appears. Passport is installed in test mode. Your site is not registered on the Passport servers, and the total functionality is not available. However, you can use Passport to build sites that authenticate users.
Back to the top

Configure Windows XP Client for Pre-Production Mode

WARNING: If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk. A Windows XP client can associate a Passport account with each user. If you use a Windows XP client, follow these steps to make sure you use the Passport database in pre-production mode instead of production mode.
  1. Start Registry Editor (Regedit.exe), and then delete the contents of the following two registry keys:
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Passport

    -and-

    • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Passport\DAMap
  2. Download the pre-production mode registry script from the following Microsoft Web site:

    Microsoft .NET Passport
    http://www.passport.com/downloads/blaze-default.reg
  3. Double-click the blaze-default.reg registry script to add the pre-production mode Passport information to the registry.
Back to the top

Create a Pre-Production Mode Passport Account

To test your Passport functionality, create one or more pre-production mode Passport accounts. To use Windows 2000 while you create a pre-production mode Passport account, follow these steps:
  1. Visit the following URL by using Internet Explorer:

    http://localhost/PassportTest
  2. Click Sign In to redirect to the Passport logon server.
  3. Click Get one now to create a pre-production environment Passport account. Complete the form by using the e-mail address of your choice.

    Note You cannot use any of your existing Passport accounts when you install Passport in pre-production mode. Pre-production environments use a user database that is separate from production sites.
  4. When you register your new Passport, verify that you are redirected back to the URL from step 1.

    Notice the default account details that are used when Passport is installed in test mode. The details you type in the form are ignored until you register your site.
  5. Close Internet Explorer.
To use Windows XP, follow these steps:
  1. From Control Panel, start the user accounts application. View the properties of your user account.
  2. If your Passport account is already associated with your Windows XP user account, click Change my .NET Passport, and then click to select Use a Different Passport.

    If your Passport account is not already associated with your Windows XP user account, click Set up my account to use a .NET Passport, and then click Next on the first page of the wizard. Use the wizard to create a Passport account and associate it with your Windows XP user account. The pre-production mode account is created because of the registry editing that permits you to use Passport in pre-production mode.

    You can also create pre-production accounts by visiting the following Web site:

    Microsoft .NET Passport
    www.passport-ppe.com
Back to the top

Create an ASP.NET Site that Uses Passport Authentication

  1. Start Visual Studio .NET.
  2. Create a new ASP.NET Web Application project by using Visual Basic .NET or Visual C# .NET.
  3. Name the project PassportSite.
  4. In Solution Explorer, double-click Web.config.
  5. Change the mode attribute value of the authentication element to Passport, as follows:
       <authentication mode="Passport" />
  6. Right-click WebForm1.aspx, and then click View Code.
  7. Add the following code to the class declaration:

    Visual Basic .NET
    Imports System.Web.Security
    Visual C# .NET
    using System.Web.Security;
  8. Add the following code to the Page_Load event:

    Visual Basic .NET
    Dim pi As New PassportIdentity()
' Display the Passport Sign-in / Sign-out logo
Response.Write(pi.LogoTag2(Request.Url.ToString, 60, False, Nothing, -1,False, Nothing, -1,False))
'Check user authentication and display the Passport ID of logged in users
If pi.IsAuthenticated Then
  Response.Write ("<BR> Your Passport ID is " & pi.Name)
Else
  Response.Write ("<BR> Please log in by clicking the Passport logo above")
End If
    Visual C# .NET
    PassportIdentity pi = new PassportIdentity();
// Display the Passport Sign-in / Sign-out logo
Response.Write(pi.LogoTag2(Request.Url.ToString(), 60, false, "", -1, false, "", -1, false));
//Check user authentication and display the Passport ID of logged in users
if(pi.IsAuthenticated)
{
  Response.Write("<BR> Your Passport ID is "+ pi.Name);
}
else
{
  Response.Write("<BR> Please log in by clicking the Passport logo above");
}
  9. Build and then save the project.
Back to the top

Passport Sign In

  1. Start PassportSite.

    By default, WebForm1.aspx is displayed.
  2. Click Sign In.
  3. Sign in to Passport by using the pre-production mode that you previously registered.

    When you sign-in, you are returned to the WebForm1.aspx page. This page displays a Sign Out logo and your Passport ID.
Back to the top

Troubleshoot

When you experiment with Passport authentication in ASP.NET applications, you can use the authorization element to deny anonymous access to some or all pages in the site. This causes a default sign-in page to be displayed.

When you use Visual Studio .NET Beta 2.0, modify the Machine.config file in the <WindowsDirectory>\Microsoft.NET\Framework\<version>\CONFIG folder. This modification is required because of a bug in Visual Studio .NET Beta 2.0. This bug is resolved in later versions of Visual Studio .NET.

To create the modification, open Machine.config in Visual Studio, and then use the Find and Replace tool with the Match Case option enabled to replace <passport redirectUrl="Internal" /> with <passport redirectUrl="internal" />. You can then save Machine.config and restart IIS by using the IISRESET.exe command line tool.

Back to the top

REFERENCES

For information about how to implement .NET Passport Single Sign-In service for live Web sites, visit the following Microsoft Web site:

Licensing .NET Passport
http://www.microsoft.com/net/services/passport/default.asp

For information about how to use Passport authentication for the PassportIdentity class in ASP.NET, visit the following Microsoft Web site:

PassportIdentity Class
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpref/html/frlrfSystemWebSecurityPassportIdentityClassTopic.aspBack to the top
Modification Type:MinorLast Reviewed:8/5/2004
Keywords:kbdownload kbRegistry kbDownload kbsetup kbWebForms kbHOWTOmaster KB315734 kbAudDeveloper
©2004 Microsoft Corporation. All rights reserved.