Re: Authentication via AD
From: VK (VK_at_discussions.microsoft.com)
Date: 05/19/05
- Next message: Joe Kaplan (MVP - ADSI): "Re: Authentication via AD"
- Previous message: Joe Kaplan (MVP - ADSI): "Re: Authentication via AD"
- In reply to: Joe Kaplan (MVP - ADSI): "Re: Authentication via AD"
- Next in thread: Joe Kaplan (MVP - ADSI): "Re: Authentication via AD"
- Reply: Joe Kaplan (MVP - ADSI): "Re: Authentication via AD"
Date: Thu, 19 May 2005 14:04:02 -0700
I understand. Well, I will wait till we have AD running and then see from there.
Can I also force the user to log in only when he requests ONLY page x.aspx?
"Joe Kaplan (MVP - ADSI)" wrote:
> That's a different problem entirely. :)
>
> Once you actually have AD up and running, you would typically do this kind
> of stuff via LDAP. LDAP IS the normal query mechanism for AD.
>
> Essentially, you need to find the user in the directory given whatever name
> they used for login and query whatever attributes you need. The normal
> issues here are what account you want to use to query AD. Do you want to
> use the user's security context in a delegation scenario or do you want to
> use a fixed service account? There are many many threads on this exact
> topic in microsoft.public.adsi.general that you can google for.
>
> Joe K.
>
> "VK" <VK@discussions.microsoft.com> wrote in message
> news:5252024C-C76A-4B03-A41E-CA60ACA5D4E1@microsoft.com...
> > Well that seems to work. Many many thanks buddy! I have another additional
> > question.
> >
> > Can I now get access to the user's data from the AD - like Fullname, email,
> > phone etc?
> >
> > Regards
> >
> > "Joe Kaplan (MVP - ADSI)" wrote:
> >
> >> As long as the web server is a member of the domain you want to
> >> authenticate against, you should be able to use IIS to authenticate those
> >> members. It should work if the domain is NT4 or AD. The key is that the
> >> IIS box is a member server.
> >>
> >> Whether you use digest, basic or IWA is up to you. There are good and bad
> >> points about each one. I'm not really familiar with Digest, so I'm not
> >> sure how to advise you on the proper use of the realm parameter.
> >>
> >> Joe K.
> >>
> >> "VK" <VK@discussions.microsoft.com> wrote in message
> >> news:9D0A7A81-FA6E-4E13-8C59-9D05B9EF1431@microsoft.com...
> >> > Thanks for the help buddy. I am assuming that it will automatically
> >> > authenticate via the AD now. I have checked: "Digest authentication..."
> >> > and "Integrated Windows Authentication". Furthermore I disabled
> >> > "Anonymous access". Do I have to enter the domain in the "realm" field?
> >> >
> >> > Anyhow my administrator told me that we are not completely on AD yet, we
> >> > are in kind of mixed mode with NT4 and therefore I am not sure if that
> >> > all will work or not. We are switching next week completely to AD and
> >> > then I will have to test this more. I will let you know next week how the
> >> > test went. I would like to thank you for all the help.
> >> >
> >> > Regards
> >> >
> >> > "Joe Kaplan (MVP - ADSI)" wrote:
> >> >
> >> >> Ok, so you don't want to do any programmatic authentication at all. Just
> >> >> let Windows, IIS and the browser take care of it for you.
> >> >>
> >> >> If you configure ASP.NET for Windows authentication in web.config and
> >> >> configure IIS for Windows auth (uncheck anonymous, check basic/digest or
> >> >> IWA, depending on what you want), you should be good to go.
> >> >>
> >> >> To do role-based authorization in your application, just use the
> >> >> Context.User object. This contains an IPrincipal object that will be a
> >> >> WindowsPrincipal. Use its IsInRole method to check the user's group
> >> >> membership for your security decisions. You can also use the <allow/> and
> >> >> <deny/> tags in web.config to configure access to specific pages
> >> >> declaratively.
> >> >>
> >> >> HTH,
> >> >>
> >> >> Joe K.
> >> >>
> >> >> "VK" <VK@discussions.microsoft.com> wrote in message
> >> >> news:13AE88A4-3BFF-473A-B3F6-2BE28D1FC7B3@microsoft.com...
> >> >> > Forgot to mention. I already can see the popup which asks for the user
> >> >> > and pw, but the title of the window says:
> >> >> >
> >> >> > "Connect to SystemName"
> >> >> >
> >> >> > Shouldn't it say: "Connect to domainName"?
> >> >> >
> >> >> > I am testing all this locally right now. I don't want to put something
> >> >> > on the server that doesn't work.
> >> >> >
> >> >> > Thanks again
> >> >> >
> >> >> > "Joe Kaplan (MVP - ADSI)" wrote:
> >> >> >
> >> >> >> It really depends on what your application is. You haven't explained
> >> >> >> at all what you are building. Is it a normal web application or
> >> >> >> something else? Can it use IIS/Windows for authentication or does it
> >> >> >> need to be forms authentication?
> >> >> >>
> >> >> >> Joe K.
> >> >> >>
> >> >> >> "VK" <VK@discussions.microsoft.com> wrote in message
> >> >> >> news:34E8EFE5-9C6C-4C4F-B64F-F89EB8736827@microsoft.com...
> >> >> >> > Thanks Joe for the reply. Can you point me to some URLs which show
> >> >> >> > how to authenticate with AD? Also what do you mean with:
> >> >> >> >
> >> >> >> >> Another good option is to let Windows authenticate for you.
> >> >> >> >> Depending on your application architecture (you don't specify),
> >> >> >> >> this may or may not be possible.
> >> >> >> >
> >> >> >> > I am kind of new in authentication. Thanks for any suggestions.
> >> >> >> >
> >> >> >> > "Joe Kaplan (MVP - ADSI)" wrote:
> >> >> >> >
> >> >> >> >> The preferred method of authenticating against AD is to use the
> >> >> >> >> SSPI API with the negotiate protocol. This is easy to do in .NET
> >> >> >> >> 2.0 with the NegotiateStream class, but requires some significant
> >> >> >> >> p/invoke in .NET 1.x. There are samples online though.
> >> >> >> >>
> >> >> >> >> Another good option is to let Windows authenticate for you.
> >> >> >> >> Depending on your application architecture (you don't specify),
> >> >> >> >> this may or may not be possible.
> >> >> >> >>
> >> >> >> >> LDAP should be possible if you have AD as it supports LDAP natively.
> >> >> >> >> However, I'd recommend avoiding LDAP authentication unless you have
> >> >> >> >> to use it.
> >> >> >> >>
> >> >> >> >> Joe K.
> >> >> >> >>
> >> >> >> >> "VK" <VK@discussions.microsoft.com> wrote in message
> >> >> >> >> news:0525D57E-3385-44AC-B588-C44526AB808E@microsoft.com...
> >> >> >> >> > Hello,
> >> >> >> >> >
> >> >> >> >> > I want to authenticate my users against the Active Directory. Do I
> >> >> >> >> > have to go through the LDAP to do that? We are not using LDAP. I
> >> >> >> >> > have googled and found several examples - however they all use
> >> >> >> >> > LDAP.
> >> >> >> >> >
> >> >> >> >> > Any suggestions?
> >> >> >> >> > Thanks
> >> >> >> >>
> >> >> >> >>
> >> >> >> >>
> >> >> >>
> >> >> >>
> >> >> >>
> >> >>
> >> >>
> >> >>
> >>
> >>
> >>
>
>
>
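The directory lookup described in the quoted reply (find the user by the name they logged in with, then read the attributes you need), as an added example that is not part of the original thread. It assumes .NET 2.0 or later with a reference to System.DirectoryServices; the class name, method names and the LDAP path passed in are hypothetical.

```csharp
// Added example, not code from the thread. AdUserLookup, EscapeFilterValue and
// FindUser are hypothetical names; the caller supplies the LDAP path.
using System.Collections.Generic;
using System.DirectoryServices;
using System.Text;
public static class AdUserLookup
{
    // Escape a value for an LDAP search filter (RFC 4515) so that a login name
    // containing \ * ( ) or NUL cannot alter the filter.
    public static string EscapeFilterValue(string value)
    {
        StringBuilder sb = new StringBuilder(value.Length);
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append(@"\5c"); break;
                case '*':  sb.Append(@"\2a"); break;
                case '(':  sb.Append(@"\28"); break;
                case ')':  sb.Append(@"\29"); break;
                case '\0': sb.Append(@"\00"); break;
                default:   sb.Append(c); break;
            }
        }
        return sb.ToString();
    }
    // loginName is what Windows authentication reports (Context.User.Identity.Name,
    // in the form DOMAIN\user). Returns null when no matching user exists.
    // Binds as the identity the code runs under; the DirectoryEntry(path, username,
    // password) constructor is the fixed-service-account variant.
    public static Dictionary<string, string> FindUser(string ldapPath, string loginName)
    {
        string account = loginName.Substring(loginName.LastIndexOf('\\') + 1);
        string[] wanted = { "displayName", "mail", "telephoneNumber" };
        using (DirectoryEntry root = new DirectoryEntry(ldapPath))
        using (DirectorySearcher searcher = new DirectorySearcher(root))
        {
            searcher.Filter = "(&(objectCategory=person)(objectClass=user)"
                + "(sAMAccountName=" + EscapeFilterValue(account) + "))";
            searcher.PropertiesToLoad.AddRange(wanted);
            SearchResult hit = searcher.FindOne();
            if (hit == null) return null;
            Dictionary<string, string> attrs = new Dictionary<string, string>();
            foreach (string name in wanted)
                if (hit.Properties.Contains(name) && hit.Properties[name].Count > 0)
                    attrs[name] = hit.Properties[name][0].ToString();
            return attrs;
        }
    }
}
```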