Re: Authentication via AD

From: Joe Kaplan \(MVP - ADSI\) (joseph.e.kaplan_at_removethis.accenture.com)
Date: 05/19/05

  • Next message: Tim Reynolds: "System.Security.SecurityException: Requested registry access is no"
    Date: Thu, 19 May 2005 16:36:12 -0500
    
    

    Well, Windows authentication is configured at the IIS level, so you would
    need to enabled the settings for that in the IIS metabase first. For
    example, different virtual directories in your app can have different IIS
    security settings.

    It is probably easier just to authenticate the entire application though.

    Joe K.
    "VK" <VK@discussions.microsoft.com> wrote in message
    news:70DCFE2F-3BEB-49E7-846C-BBDBB9D791B5@microsoft.com...
    >I understand. Well, I will wait till we AD running and then see from there.
    > Can I also force the user to login only when he requests ONLY page x.aspx
    > ?
    >
    > "Joe Kaplan (MVP - ADSI)" wrote:
    >
    >> That's a different problem entirely. :)
    >>
    >> Once you actually have AD up and running, you would typically do this
    >> kind
    >> of stuff via LDAP. LDAP IS the normal query mechanism for AD.
    >>
    >> Essentially, you need to find the user in the directory given whatever
    >> name
    >> they used for login and query whatever attributes you need. The normal
    >> issues here are what account you want to use to query AD. Do you want to
    >> use the user's security context in a delegation scenario or do you want
    >> to
    >> use a fixed service account? There are many many threads on this exact
    >> topic in microsoft.public.adsi.general that you can google for.
    >>
    >> Joe K.
    >>
    >> "VK" <VK@discussions.microsoft.com> wrote in message
    >> news:5252024C-C76A-4B03-A41E-CA60ACA5D4E1@microsoft.com...
    >> > Well that seems to work. Many many thanks buddy! I have another
    >> > additional
    >> > question.
    >> >
    >> > Can I now get access to the users data from the AD - like Fullname,
    >> > email
    >> > phone etc?
    >> >
    >> > Regards
    >> >
    >> > "Joe Kaplan (MVP - ADSI)" wrote:
    >> >
    >> >> As long as the web server is a member of the domain you want to
    >> >> authenticate
    >> >> against, you should be able to use IIS to authenticate those members.
    >> >> It
    >> >> should work if the domain is NT4 or AD. The key is that the IIS box
    >> >> is a
    >> >> member server.
    >> >>
    >> >> Whether you use digest, basic or IWA is up to you. There are good and
    >> >> bad
    >> >> points about each one. I'm not really familiar with Digest, so I'm
    >> >> not
    >> >> sure
    >> >> how to advise you on the proper use of the realm parameter.
    >> >>
    >> >> Joe K.
    >> >>
    >> >> "VK" <VK@discussions.microsoft.com> wrote in message
    >> >> news:9D0A7A81-FA6E-4E13-8C59-9D05B9EF1431@microsoft.com...
    >> >> > Thanks for the help buddy. I am assuming that it will automatically
    >> >> > authenticate via the AD now. I have checked: "Digest
    >> >> > authentication..."
    >> >> > and
    >> >> > "Integrated Windows Authentication". Furtheremore I disabled
    >> >> > "Anonymous
    >> >> > access". Do I have to enter the domain in the "realm" field?
    >> >> >
    >> >> > Anyhow my administrator told me that we are not completely on AD
    >> >> > yet,
    >> >> > we
    >> >> > are
    >> >> > in kind of mixed mode with NT4 and therefore I am not sure if that
    >> >> > all
    >> >> > will
    >> >> > work or not. We are switching next week completely to AD and then I
    >> >> > will
    >> >> > have
    >> >> > to test this more. I will let you know next week how the test went.
    >> >> > I
    >> >> > would
    >> >> > like to thank you for all the help.
    >> >> >
    >> >> > Regards
    >> >> >
    >> >> > "Joe Kaplan (MVP - ADSI)" wrote:
    >> >> >
    >> >> >> Ok, so you don't want to do any programmatic authentication at all.
    >> >> >> Just
    >> >> >> let Windows, IIS and the browser take care of it for you.
    >> >> >>
    >> >> >> If you configure ASP.NET for Windows authentication in web.config
    >> >> >> and
    >> >> >> configure IIS for Windows auth (uncheck anonymous, check
    >> >> >> basic/digest
    >> >> >> or
    >> >> >> IWA, depending on what you want), and you should be good to go.
    >> >> >>
    >> >> >> To do role-based authorization in your application, just use the
    >> >> >> Context.User object. This contains an IPrincipal object that will
    >> >> >> be
    >> >> >> a
    >> >> >> WindowsPrincipal. Use it's IsInRole method to check the user's
    >> >> >> group
    >> >> >> membership for your security decisions. You can also use the
    >> >> >> <allow/>
    >> >> >> and
    >> >> >> <deny/> tags in web.config to configure access to specific pages
    >> >> >> declaratively.
    >> >> >>
    >> >> >> HTH,
    >> >> >>
    >> >> >> Joe K.
    >> >> >>
    >> >> >> "VK" <VK@discussions.microsoft.com> wrote in message
    >> >> >> news:13AE88A4-3BFF-473A-B3F6-2BE28D1FC7B3@microsoft.com...
    >> >> >> > Forgot to mention. I already can see the popup which asks for the
    >> >> >> > user
    >> >> >> > and
    >> >> >> > pw, but the title of the window says:
    >> >> >> >
    >> >> >> > "Connect to SystemName"
    >> >> >> >
    >> >> >> > Shouldnt it say: "Connect to domainName" ?
    >> >> >> >
    >> >> >> > I am testing all this locally right now. I dont want to put
    >> >> >> > something
    >> >> >> > on
    >> >> >> > the
    >> >> >> > server that doesnt work.
    >> >> >> >
    >> >> >> > Thanks again
    >> >> >> >
    >> >> >> > "Joe Kaplan (MVP - ADSI)" wrote:
    >> >> >> >
    >> >> >> >> It really depends on what your application is. You haven't
    >> >> >> >> explained
    >> >> >> >> at
    >> >> >> >> all
    >> >> >> >> what you are building. Is it a normal web application or
    >> >> >> >> something
    >> >> >> >> else?
    >> >> >> >> Can it use IIS/Windows for authentication or does it need to be
    >> >> >> >> forms
    >> >> >> >> authentication?
    >> >> >> >>
    >> >> >> >> Joe K.
    >> >> >> >>
    >> >> >> >> "VK" <VK@discussions.microsoft.com> wrote in message
    >> >> >> >> news:34E8EFE5-9C6C-4C4F-B64F-F89EB8736827@microsoft.com...
    >> >> >> >> > Thanks Joe for the reply. Can you point me to some URLs which
    >> >> >> >> > shows
    >> >> >> >> > how
    >> >> >> >> > to
    >> >> >> >> > use authenticate with AD? Also what do you mean wit:
    >> >> >> >> >
    >> >> >> >> >> Another good option is to let Windows authenticate for you.
    >> >> >> >> >> Depending
    >> >> >> >> >> on
    >> >> >> >> >> your application architecture (you don't specify), this may
    >> >> >> >> >> or
    >> >> >> >> >> may
    >> >> >> >> >> not
    >> >> >> >> >> be
    >> >> >> >> >> possible.
    >> >> >> >> >
    >> >> >> >> > I am kind of new in authentication. Thanks for any
    >> >> >> >> > suggestions.
    >> >> >> >> >
    >> >> >> >> > "Joe Kaplan (MVP - ADSI)" wrote:
    >> >> >> >> >
    >> >> >> >> >> The preferred method of authenticating against AD is to us
    >> >> >> >> >> the
    >> >> >> >> >> SSPI
    >> >> >> >> >> API
    >> >> >> >> >> with
    >> >> >> >> >> the negotiate protocol. This is easy to do in .NET 2.0 with
    >> >> >> >> >> the
    >> >> >> >> >> NegotiateStream class, but requires some significant p/invoke
    >> >> >> >> >> in
    >> >> >> >> >> .NET
    >> >> >> >> >> 1.x.
    >> >> >> >> >> There are samples online though.
    >> >> >> >> >>
    >> >> >> >> >> Another good option is to let Windows authenticate for you.
    >> >> >> >> >> Depending
    >> >> >> >> >> on
    >> >> >> >> >> your application architecture (you don't specify), this may
    >> >> >> >> >> or
    >> >> >> >> >> may
    >> >> >> >> >> not
    >> >> >> >> >> be
    >> >> >> >> >> possible.
    >> >> >> >> >>
    >> >> >> >> >> LDAP should be possible if you have AD as it supports LDAP
    >> >> >> >> >> natively.
    >> >> >> >> >> However, I'd recommend avoiding LDAP authentication unless
    >> >> >> >> >> you
    >> >> >> >> >> have
    >> >> >> >> >> to
    >> >> >> >> >> use
    >> >> >> >> >> it.
    >> >> >> >> >>
    >> >> >> >> >> Joe K.
    >> >> >> >> >>
    >> >> >> >> >> "VK" <VK@discussions.microsoft.com> wrote in message
    >> >> >> >> >> news:0525D57E-3385-44AC-B588-C44526AB808E@microsoft.com...
    >> >> >> >> >> > Hello,
    >> >> >> >> >> >
    >> >> >> >> >> > I want to authenitcate my users against the Active
    >> >> >> >> >> > Directory.
    >> >> >> >> >> > Do
    >> >> >> >> >> > I
    >> >> >> >> >> > have
    >> >> >> >> >> > to
    >> >> >> >> >> > go through the LDAP to do that? We are not using LDAP. I
    >> >> >> >> >> > have
    >> >> >> >> >> > googled
    >> >> >> >> >> > and
    >> >> >> >> >> > found several examples - however they all use LDAP.
    >> >> >> >> >> >
    >> >> >> >> >> > Any suggestions?
    >> >> >> >> >> > Thanks
    >> >> >> >> >>
    >> >> >> >> >>
    >> >> >> >> >>
    >> >> >> >>
    >> >> >> >>
    >> >> >> >>
    >> >> >>
    >> >> >>
    >> >> >>
    >> >>
    >> >>
    >> >>
    >>
    >>
    >>


  • Next message: Tim Reynolds: "System.Security.SecurityException: Requested registry access is no"

    Relevant Pages

    • Re: HTTP Error 403.6 - Forbidden: IP Address Rejected
      ... it was the proxy settings on the ... > You can also try to change the security settings for the Remote Web ... Open the IIS console ...
      (microsoft.public.windows.server.sbs)
    • Re: Using IIS w/ASP .NET 2.0 Web Application Projects
      ... I believe that selecting both allows IIS to have the benefits of both. ... not set the ASP .NET setting to Windows authentication. ... Integrated Windows Authentication overrides the Anonymous authentication ... account on the server which is hosting it. ...
      (microsoft.public.dotnet.framework.aspnet)
    • IIS Setting prevents AD Query from working?
      ... does NOT work when IIS is set to only use Integrated Windows ... only delegatable when Integrated Windows Authentication is used if Kereberos ... Windows 2003 Server ...
      (microsoft.public.sharepoint.portalserver.development)
    • IIS Setting prevents AD Query from working?
      ... does NOT work when IIS is set to only use Integrated Windows ... only delegatable when Integrated Windows Authentication is used if Kereberos ... Windows 2003 Server ...
      (microsoft.public.inetserver.iis)
    • Re: Configuring Windows-based Authentication and UrlAuthorization
      ... In IIS, I had set the bindings for the site to http://SERVER. ... you can add web.config file with Windows Authentication ... Is it possible to disable anonymous access just for the Admin ...
      (microsoft.public.dotnet.framework.aspnet.security)