Re: Authentication via AD

From: bradbury9 (ray.bradbury9_at_gmail.com)
Date: 05/20/05


Date: 20 May 2005 04:53:25 -0700

You can choose the way to access AD. Check the link below:

http://www.c-sharpcorner.com/DirectoryServices.asp

As said in another post, the best way is to configure IIS authentication to
check for roles. To gather info from the AD you can use
System.DirectoryServices or LDAP API calling.

IMHO I would use the .NET wrapper, (System.DirectoryServices). Seems
easier to me.

"Requirements. System.DirectoryServices is supported on Windows Server
2003. System.DirectoryServices can be redistributed on Windows 98,
Windows 98 SE and Windows NT 4.0, as long as the DS Client is
installed on client machines. It can also be redistributed on Windows
2000 Windows XP."

"Joe Kaplan (MVP - ADSI)" <joseph.e.kaplan@removethis.accenture.com> wrote in message news:<upKvIrLXFHA.828@TK2MSFTNGP10.phx.gbl>...
> Well, Windows authentication is configured at the IIS level, so you would
> need to enable the settings for that in the IIS metabase first. For
> example, different virtual directories in your app can have different IIS
> security settings.
>
> It is probably easier just to authenticate the entire application though.
>
> Joe K.
> "VK" <VK@discussions.microsoft.com> wrote in message
> news:70DCFE2F-3BEB-49E7-846C-BBDBB9D791B5@microsoft.com...
> > I understand. Well, I will wait till we have AD running and then see from there.
> > Can I also force the user to log in only when he requests ONLY page x.aspx?
> >
> > "Joe Kaplan (MVP - ADSI)" wrote:
> >
> >> That's a different problem entirely. :)
> >>
> >> Once you actually have AD up and running, you would typically do this kind
> >> of stuff via LDAP. LDAP IS the normal query mechanism for AD.
> >>
> >> Essentially, you need to find the user in the directory given whatever name
> >> they used for login and query whatever attributes you need. The normal
> >> issues here are what account you want to use to query AD. Do you want to
> >> use the user's security context in a delegation scenario or do you want to
> >> use a fixed service account? There are many many threads on this exact
> >> topic in microsoft.public.adsi.general that you can google for.
> >>
> >> Joe K.
> >>
> >> "VK" <VK@discussions.microsoft.com> wrote in message
> >> news:5252024C-C76A-4B03-A41E-CA60ACA5D4E1@microsoft.com...
> >> > Well that seems to work. Many many thanks buddy! I have another additional
> >> > question.
> >> >
> >> > Can I now get access to the user's data from the AD - like Fullname, email,
> >> > phone etc?
> >> >
> >> > Regards
> >> >
> >> > "Joe Kaplan (MVP - ADSI)" wrote:
> >> >
> >> >> As long as the web server is a member of the domain you want to authenticate
> >> >> against, you should be able to use IIS to authenticate those members. It
> >> >> should work if the domain is NT4 or AD. The key is that the IIS box is a
> >> >> member server.
> >> >>
> >> >> Whether you use digest, basic or IWA is up to you. There are good and bad
> >> >> points about each one. I'm not really familiar with Digest, so I'm not sure
> >> >> how to advise you on the proper use of the realm parameter.
> >> >>
> >> >> Joe K.
> >> >>
> >> >> "VK" <VK@discussions.microsoft.com> wrote in message
> >> >> news:9D0A7A81-FA6E-4E13-8C59-9D05B9EF1431@microsoft.com...
> >> >> > Thanks for the help buddy. I am assuming that it will automatically
> >> >> > authenticate via the AD now. I have checked: "Digest authentication..." and
> >> >> > "Integrated Windows Authentication". Furthermore I disabled "Anonymous
> >> >> > access". Do I have to enter the domain in the "realm" field?
> >> >> >
> >> >> > Anyhow my administrator told me that we are not completely on AD yet, we are
> >> >> > in kind of mixed mode with NT4 and therefore I am not sure if that all will
> >> >> > work or not. We are switching next week completely to AD and then I will have
> >> >> > to test this more. I will let you know next week how the test went. I would
> >> >> > like to thank you for all the help.
> >> >> >
> >> >> > Regards
> >> >> >
> >> >> > "Joe Kaplan (MVP - ADSI)" wrote:
> >> >> >
> >> >> >> Ok, so you don't want to do any programmatic authentication at all. Just
> >> >> >> let Windows, IIS and the browser take care of it for you.
> >> >> >>
> >> >> >> If you configure ASP.NET for Windows authentication in web.config and
> >> >> >> configure IIS for Windows auth (uncheck anonymous, check basic/digest or
> >> >> >> IWA, depending on what you want), you should be good to go.
> >> >> >>
> >> >> >> To do role-based authorization in your application, just use the
> >> >> >> Context.User object. This contains an IPrincipal object that will be a
> >> >> >> WindowsPrincipal. Use its IsInRole method to check the user's group
> >> >> >> membership for your security decisions. You can also use the <allow/> and
> >> >> >> <deny/> tags in web.config to configure access to specific pages
> >> >> >> declaratively.
> >> >> >>
> >> >> >> HTH,
> >> >> >>
> >> >> >> Joe K.
> >> >> >>
> >> >> >> "VK" <VK@discussions.microsoft.com> wrote in message
> >> >> >> news:13AE88A4-3BFF-473A-B3F6-2BE28D1FC7B3@microsoft.com...
> >> >> >> > Forgot to mention. I already can see the popup which asks for the user and
> >> >> >> > pw, but the title of the window says:
> >> >> >> >
> >> >> >> > "Connect to SystemName"
> >> >> >> >
> >> >> >> > Shouldn't it say: "Connect to domainName" ?
> >> >> >> >
> >> >> >> > I am testing all this locally right now. I don't want to put something on the
> >> >> >> > server that doesn't work.
> >> >> >> >
> >> >> >> > Thanks again
> >> >> >> >
> >> >> >> > "Joe Kaplan (MVP - ADSI)" wrote:
> >> >> >> >
> >> >> >> >> It really depends on what your application is. You haven't explained at all
> >> >> >> >> what you are building. Is it a normal web application or something else?
> >> >> >> >> Can it use IIS/Windows for authentication or does it need to be forms
> >> >> >> >> authentication?
> >> >> >> >>
> >> >> >> >> Joe K.
> >> >> >> >>
> >> >> >> >> "VK" <VK@discussions.microsoft.com> wrote in message
> >> >> >> >> news:34E8EFE5-9C6C-4C4F-B64F-F89EB8736827@microsoft.com...
> >> >> >> >> > Thanks Joe for the reply. Can you point me to some URLs which show how to
> >> >> >> >> > authenticate with AD? Also what do you mean with:
> >> >> >> >> >
> >> >> >> >> >> Another good option is to let Windows authenticate for you. Depending on
> >> >> >> >> >> your application architecture (you don't specify), this may or may not be
> >> >> >> >> >> possible.
> >> >> >> >> >
> >> >> >> >> > I am kind of new in authentication. Thanks for any suggestions.
> >> >> >> >> >
> >> >> >> >> > "Joe Kaplan (MVP - ADSI)" wrote:
> >> >> >> >> >
> >> >> >> >> >> The preferred method of authenticating against AD is to use the SSPI API with
> >> >> >> >> >> the negotiate protocol. This is easy to do in .NET 2.0 with the
> >> >> >> >> >> NegotiateStream class, but requires some significant p/invoke in .NET 1.x.
> >> >> >> >> >> There are samples online though.
> >> >> >> >> >>
> >> >> >> >> >> Another good option is to let Windows authenticate for you. Depending on
> >> >> >> >> >> your application architecture (you don't specify), this may or may not be
> >> >> >> >> >> possible.
> >> >> >> >> >>
> >> >> >> >> >> LDAP should be possible if you have AD as it supports LDAP natively.
> >> >> >> >> >> However, I'd recommend avoiding LDAP authentication unless you have to use
> >> >> >> >> >> it.
> >> >> >> >> >>
> >> >> >> >> >> Joe K.
> >> >> >> >> >>
> >> >> >> >> >> "VK" <VK@discussions.microsoft.com> wrote in message
> >> >> >> >> >> news:0525D57E-3385-44AC-B588-C44526AB808E@microsoft.com...
> >> >> >> >> >> > Hello,
> >> >> >> >> >> >
> >> >> >> >> >> > I want to authenticate my users against the Active Directory. Do I have to
> >> >> >> >> >> > go through the LDAP to do that? We are not using LDAP. I have googled and
> >> >> >> >> >> > found several examples - however they all use LDAP.
> >> >> >> >> >> >
> >> >> >> >> >> > Any suggestions?
> >> >> >> >> >> > Thanks
> >>
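
The lookup discussed in this thread (find the user by login name, then read full name, e-mail and phone), as an added example that is not code from any poster. It assumes the web server is a domain member, that the bind uses the calling thread's security context, and that the attributes wanted are displayName, mail and telephoneNumber; the class and method names are hypothetical.

```csharp
using System.DirectoryServices;
using System.Text;
public static class AdUserLookup   // hypothetical helper, not from the thread
{
    // Escape a value for use inside an LDAP search filter (RFC 4515), so a
    // login name containing *, ( or ) cannot change the filter's meaning.
    public static string EscapeFilterValue(string value)
    {
        StringBuilder sb = new StringBuilder(value.Length);
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append(@"\5c"); break;
                case '*':  sb.Append(@"\2a"); break;
                case '(':  sb.Append(@"\28"); break;
                case ')':  sb.Append(@"\29"); break;
                case '\0': sb.Append(@"\00"); break;
                default:   sb.Append(c); break;
            }
        }
        return sb.ToString();
    }

    // identityName is Context.User.Identity.Name, e.g. "DOMAIN\jsmith" (constructed).
    // Returns { displayName, mail, telephoneNumber }, or null if no user matched.
    // No credentials are passed, so the bind runs as the calling thread's identity;
    // RootDSE gives a serverless bind to the machine's own domain.
    public static string[] GetUserInfo(string identityName)
    {
        string sam = identityName.Substring(identityName.IndexOf('\\') + 1);
        using (DirectoryEntry rootDse = new DirectoryEntry("LDAP://RootDSE"))
        using (DirectoryEntry root = new DirectoryEntry(
            "LDAP://" + rootDse.Properties["defaultNamingContext"].Value))
        using (DirectorySearcher ds = new DirectorySearcher(root))
        {
            ds.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName="
                        + EscapeFilterValue(sam) + "))";
            string[] attrs = { "displayName", "mail", "telephoneNumber" };
            ds.PropertiesToLoad.AddRange(attrs);   // fetch only what is needed
            SearchResult r = ds.FindOne();
            if (r == null) return null;
            string[] values = new string[attrs.Length];
            for (int i = 0; i < attrs.Length; i++)  // attribute may be unset in AD
                values[i] = r.Properties[attrs[i]].Count > 0
                    ? r.Properties[attrs[i]][0].ToString() : null;
            return values;
        }
    }
}
```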


