Re: Complicated Fallback ASP.NET Security
From: Joe Kaplan (MVP - ADSI) (joseph.e.kaplan_at_removethis.accenture.com)
Date: 01/16/04
- Next message: Joe Kaplan (MVP - ADSI): "Re: caspol & local intranet security"
- Previous message: gerry: "Re: Could aspnet_wp.exe recycle be due to hackers?"
- In reply to: Shawn Wheatley: "Re: Complicated Fallback ASP.NET Security"
- Next in thread: Shawn Wheatley: "Re: Complicated Fallback ASP.NET Security"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 16 Jan 2004 11:32:47 -0600
I think the main problem is that you really can't do Windows authentication
against ADAM for ADAM users. You can't create a Windows login token for an
ADAM user. Thus ADAM users can't have a WindowsPrincipal object.
Thus you need a way to ask for credentials.
Now, you could try to do something fancy such as passing back a
WWW-Authenticate header in the response with Basic realm="xxx" in it. That
would cause the browser to throw up the Basic authentication dialog. Then
you would need to crack open the received HTTP Authorization header to
extract out the username and password and try doing a bind to ADAM with those
credentials. From there you could build out an IPrincipal object. You
could probably build all that with an HttpModule so that your main code
wouldn't need to see it.
The thing is, you will still have two different kinds of IPrincipal objects.
WindowsPrincipal for Windows users and FormPrincipal (or your own custom
type) for ADAM users. They could probably be used interchangeably in your
code, but I don't really know.
I also don't know if tricking out the headers like that will cause IIS to do
weird things as it gets first crack at them.
Once again, I hope this is helpful and isn't causing more additional
confusion.
Joe K.
"Shawn Wheatley" <swheatley22@yahoo.com> wrote in message
news:50b4861f.0401160541.1f56bc88@posting.google.com...
> Thanks for the response. I'm trying to stay away from Forms
> Authentication if possible. With the release of Mozilla 1.6, even
> those clients not on Windows can use NTLM authentication, so I would
> prefer to do that if possible. The question remains how to implement
> an AD structure such that all application users outside the local
> intranet would also be able to authenticate via AD or AD/AM.
>
> I began reading through "Authentication in ASP.NET: .NET Security
> Guidance" from the MS website:
>
> http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnbda/html/authaspdotnet.asp
>
> They briefly discuss Custom Authentication, which seems like it would
> be the way to go, but they don't go much into detail on how it works.
> My ideal custom authentication would:
>
> 1) Use NTLM to authenticate the user
> 2) If the user cannot be authenticated, the system would then prompt
> them for username and password, just like any other NTLM-authenticated
> site
> 3) (The tricky bit) Check against local AD (maybe they're on a dial-up
> connection, but have a local account); if not, check against AD/AM or
> any other credential store.
>
> I fear this is impossible though, as there don't seem to be any hooks
> into Windows authentication.
>
> Right now, I'm using a "WindowsAuthentication_OnAuthenticate" method,
> which I found on Bill Hickman's weblog:
>
> http://weblogs.asp.net/bhickman/archive/2003/02/07.aspx
>
> This helped me because I never had the AD groups listed in the roles
> array of my HttpContext.User object. I use this method to get roles
> from a SQL Server database instead. Ideally, these roles would come
> from and be managed in Active Directory instead. Unfortunately, I
> haven't found a similar method to the one above which lets me at the
> credentials *before or during* authentication occurs. I think this
> would allow the scenario I described above.
>
> Shawn
>
> "Joe Kaplan (MVP - ADSI)" <joseph.e.kaplan@removethis.accenture.com>
> wrote in message news:<eHYKy##2DHA.632@TK2MSFTNGP12.phx.gbl>...
>
> > I'm pretty sure you would need to authenticate the ADAM users via LDAP and
> > some kind of Forms authentication as they aren't Windows users and can't be
> > authenticated via the normal SSPI stuff. You could also authenticate your
> > Windows users against ADAM using its proxy authentication stuff, but then
> > you won't have WindowsPrincipals for your web users.
> >
> > From there you could get clever and do something like calling LogonUser for
> > the Windows users to build a real Windows logon token if you needed that,
> > but there isn't any way to get a token for the ADAM users, so it might be
> > best to treat them uniformly.
> >
> > Hopefully that gave you some good ideas and didn't confuse you. I haven't
> > played with ADAM much yet, so this is all based on my current understanding
> > and reading a lot of newsgroup posts about it. But I am pretty sure this
> > info is accurate.
> >
> > Joe K.
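The challenge-and-bind flow Joe sketches in his reply (send a Basic challenge, crack open the Authorization header, bind to ADAM with the supplied credentials, then build an IPrincipal inside an HttpModule), written out as an added example. This is not code from the thread or from either poster. It assumes IIS is configured for anonymous access on the application so that the module, and not IIS, sees the Authorization header; it uses placeholder values for the ADAM LDAP path and the realm name; and it assumes the site is served over HTTPS, because Basic authentication carries the password base64-encoded rather than encrypted. The names AdamBasicAuthModule, TryParseBasicHeader and BindToAdam are mine.

```csharp
// Added example, not from the original thread: an ASP.NET HttpModule that
// authenticates non-Windows users against ADAM with HTTP Basic + LDAP bind.
// Assumptions: IIS anonymous access is enabled for this application (so the
// module sees the Authorization header), AdamPath and Realm are placeholders,
// and the site runs over HTTPS (Basic only base64-encodes the password).
using System;
using System.DirectoryServices;
using System.Security.Principal;
using System.Text;
using System.Web;

public class AdamBasicAuthModule : IHttpModule
{
    // Placeholder: LDAP path of the ADAM partition the bind is performed against.
    const string AdamPath = "LDAP://adamhost:389/OU=Users,O=ExampleApp";
    const string Realm = "ExampleApp";

    public void Init(HttpApplication app)
    {
        app.AuthenticateRequest += new EventHandler(OnAuthenticateRequest);
    }

    public void Dispose() { }

    void OnAuthenticateRequest(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;

        // A user IIS already authenticated (WindowsPrincipal) is left alone.
        if (ctx.User != null && ctx.User.Identity.IsAuthenticated)
            return;

        string user, password;
        if (!TryParseBasicHeader(ctx.Request.Headers["Authorization"], out user, out password)
            || !BindToAdam(user, password))
        {
            Challenge(ctx);   // no or bad credentials: re-issue the Basic challenge
            return;
        }

        // Assumption: roles are not resolved here; a real module would read group
        // membership from ADAM (or, as Shawn does, from a database) into this array.
        GenericIdentity id = new GenericIdentity(user, "Basic");
        ctx.User = new GenericPrincipal(id, new string[0]);
    }

    static void Challenge(HttpContext ctx)
    {
        ctx.Response.StatusCode = 401;
        ctx.Response.AppendHeader("WWW-Authenticate", "Basic realm=\"" + Realm + "\"");
        ctx.ApplicationInstance.CompleteRequest();   // skip the rest of the pipeline
    }

    // Parses "Basic base64(user:password)". Returns false for any other header,
    // for undecodable base64, for a missing ':' and for an empty user name.
    public static bool TryParseBasicHeader(string header, out string user, out string password)
    {
        user = null;
        password = null;
        if (header == null || header.Length <= 6
            || string.Compare(header, 0, "Basic ", 0, 6, true) != 0)
            return false;

        string decoded;
        try
        {
            decoded = Encoding.UTF8.GetString(Convert.FromBase64String(header.Substring(6).Trim()));
        }
        catch (FormatException)
        {
            return false;
        }

        int colon = decoded.IndexOf(':');
        if (colon <= 0)
            return false;
        user = decoded.Substring(0, colon);
        password = decoded.Substring(colon + 1);   // password itself may contain ':'
        return true;
    }

    // Simple LDAP bind to ADAM: success means ADAM accepted the credentials.
    // A simple bind sends the password in the clear unless the LDAP session is
    // protected; AuthenticationTypes.SecureSocketsLayer enables LDAPS for that.
    static bool BindToAdam(string user, string password)
    {
        try
        {
            // Assumption: ADAM accepts this naming attribute for the bind;
            // many deployments require the user's full DN instead.
            using (DirectoryEntry entry = new DirectoryEntry(AdamPath, user, password, AuthenticationTypes.None))
            {
                object native = entry.NativeObject;   // forces the bind to happen
                return native != null;
            }
        }
        catch (DirectoryServicesCOMException) { return false; }
        catch (System.Runtime.InteropServices.COMException) { return false; }
    }
}
```

The module is registered under `<httpModules>` in web.config. It answers Joe's worry about IIS getting first crack at the headers: with Integrated Windows authentication turned on, IIS consumes the WWW-Authenticate/Authorization exchange itself and the module never sees a Basic header, which is why the example assumes anonymous access at the IIS level and leaves Windows users to a separate, IIS-authenticated path. The result is exactly the split Joe describes, a WindowsPrincipal for domain users and a GenericPrincipal for ADAM users, so code that only relies on IPrincipal.Identity.Name and IsInRole works for both.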