Re: Authentication via AD
From: Joe Kaplan (MVP - ADSI) (joseph.e.kaplan_at_removethis.accenture.com)
Date: 05/19/05
Date: Thu, 19 May 2005 15:14:15 -0500
As long as the web server is a member of the domain you want to authenticate
against, you should be able to use IIS to authenticate those members. It
should work if the domain is NT4 or AD. The key is that the IIS box is a
member server.
Whether you use digest, basic or IWA is up to you. There are good and bad
points about each one. I'm not really familiar with Digest, so I'm not sure
how to advise you on the proper use of the realm parameter.
Joe K.
"VK" <VK@discussions.microsoft.com> wrote in message
news:9D0A7A81-FA6E-4E13-8C59-9D05B9EF1431@microsoft.com...
> Thanks for the help buddy. I am assuming that it will automatically
> authenticate via the AD now. I have checked: "Digest authentication..." and
> "Integrated Windows Authentication". Furthermore I disabled "Anonymous
> access". Do I have to enter the domain in the "realm" field?
>
> Anyhow my administrator told me that we are not completely on AD yet, we are
> in kind of mixed mode with NT4 and therefore I am not sure if that all will
> work or not. We are switching next week completely to AD and then I will have
> to test this more. I will let you know next week how the test went. I would
> like to thank you for all the help.
>
> Regards
>
> "Joe Kaplan (MVP - ADSI)" wrote:
>
>> Ok, so you don't want to do any programmatic authentication at all. Just
>> let Windows, IIS and the browser take care of it for you.
>>
>> If you configure ASP.NET for Windows authentication in web.config and
>> configure IIS for Windows auth (uncheck anonymous, check basic/digest or
>> IWA, depending on what you want), you should be good to go.
>>
>> To do role-based authorization in your application, just use the
>> Context.User object. This contains an IPrincipal object that will be a
>> WindowsPrincipal. Use its IsInRole method to check the user's group
>> membership for your security decisions. You can also use the <allow/> and
>> <deny/> tags in web.config to configure access to specific pages
>> declaratively.
>>
>> HTH,
>>
>> Joe K.
>>
>> "VK" <VK@discussions.microsoft.com> wrote in message
>> news:13AE88A4-3BFF-473A-B3F6-2BE28D1FC7B3@microsoft.com...
>> > Forgot to mention. I already can see the popup which asks for the user and
>> > pw, but the title of the window says:
>> >
>> > "Connect to SystemName"
>> >
>> > Shouldn't it say: "Connect to domainName" ?
>> >
>> > I am testing all this locally right now. I don't want to put something on
>> > the server that doesn't work.
>> >
>> > Thanks again
>> >
>> > "Joe Kaplan (MVP - ADSI)" wrote:
>> >
>> >> It really depends on what your application is. You haven't explained at
>> >> all what you are building. Is it a normal web application or something
>> >> else? Can it use IIS/Windows for authentication or does it need to be
>> >> forms authentication?
>> >>
>> >> Joe K.
>> >>
>> >> "VK" <VK@discussions.microsoft.com> wrote in message
>> >> news:34E8EFE5-9C6C-4C4F-B64F-F89EB8736827@microsoft.com...
>> >> > Thanks Joe for the reply. Can you point me to some URLs which show how
>> >> > to authenticate with AD? Also what do you mean with:
>> >> >
>> >> >> Another good option is to let Windows authenticate for you. Depending
>> >> >> on your application architecture (you don't specify), this may or may
>> >> >> not be possible.
>> >> >
>> >> > I am kind of new in authentication. Thanks for any suggestions.
>> >> >
>> >> > "Joe Kaplan (MVP - ADSI)" wrote:
>> >> >
>> >> >> The preferred method of authenticating against AD is to use the SSPI
>> >> >> API with the negotiate protocol. This is easy to do in .NET 2.0 with
>> >> >> the NegotiateStream class, but requires some significant p/invoke in
>> >> >> .NET 1.x. There are samples online though.
>> >> >>
>> >> >> Another good option is to let Windows authenticate for you. Depending
>> >> >> on your application architecture (you don't specify), this may or may
>> >> >> not be possible.
>> >> >>
>> >> >> LDAP should be possible if you have AD as it supports LDAP natively.
>> >> >> However, I'd recommend avoiding LDAP authentication unless you have to
>> >> >> use it.
>> >> >>
>> >> >> Joe K.
>> >> >>
>> >> >> "VK" <VK@discussions.microsoft.com> wrote in message
>> >> >> news:0525D57E-3385-44AC-B588-C44526AB808E@microsoft.com...
>> >> >> > Hello,
>> >> >> >
>> >> >> > I want to authenticate my users against the Active Directory. Do I
>> >> >> > have to go through the LDAP to do that? We are not using LDAP. I
>> >> >> > have googled and found several examples - however they all use LDAP.
>> >> >> >
>> >> >> > Any suggestions?
>> >> >> > Thanks
>> >> >>
>> >> >>
>> >> >>
>> >>
>> >>
>> >>
>>
>>
>>
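
Added example, not part of the original thread: a web.config for the setup described in the quoted advice (ASP.NET Windows authentication with declarative <allow/> and <deny/> rules). The `Admin` path and the `EXAMPLE\WebAdmins` group are placeholder names assumed for illustration.

```xml
<?xml version="1.0"?>
<!-- Added example. IIS must also have anonymous access unchecked and
     basic/digest or IWA checked, as described in the thread. -->
<configuration>
  <system.web>
    <!-- ASP.NET takes the identity IIS authenticated; Context.User is then
         a WindowsPrincipal whose IsInRole method checks group membership. -->
    <authentication mode="Windows" />
    <authorization>
      <!-- "?" means anonymous users. Rejecting them here keeps the
           application closed even if anonymous access is later re-enabled
           in IIS by mistake. -->
      <deny users="?" />
    </authorization>
  </system.web>

  <!-- Per-path rule: only members of one group may reach /Admin.
       "Admin" and "EXAMPLE\WebAdmins" are placeholders (assumptions). -->
  <location path="Admin">
    <system.web>
      <authorization>
        <!-- Rules are evaluated top to bottom and the first match wins,
             so the allow must come before the catch-all deny. -->
        <allow roles="EXAMPLE\WebAdmins" />
        <!-- Without this line the inherited default (allow everyone)
             would let any authenticated user through. -->
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

Role names for Windows groups are written as DOMAIN\GroupName, the same form the IsInRole method takes in code.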