Re: Windows Authentication (asp.net 1.1 C#)



Hi,

I wouldn't recommend using your internal AD for customer accounts. FormsAuthentication is as secure as IIS integrated auth - and you need SSL for both anyway.

There is no easy way to get a forms based login for IIS integrated auth - this would require crafting the authentication headers on the client - maybe easy for basic auth - but beyond.

I would go for FormsAuth + SSL

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

I'm creating a site which will allow our clients to place orders. Because of different price lists and sensitive merchandise we sell (Medical Supplies), I'm concerned about security. I thought that either I have to do a Windows Authentication or Form Authentication. If I use Windows authentication, I can validate with my domain and I wouldn't have a problem with that, unless that would cause a problem with my internal security. The second option is Form Authentication.

My questions are:

1) If I use Windows Authentication, can I bypass the browser dialog box and use a form with textboxes to do the sign in? I have seen that Microsoft Exchange Web Outlook 2003 can do this. Is this possible? Someone told me at the asp group that it was not, but since it was asp and not asp.net, I wanted to ask.

2) Can I run into internal security problems if I give them a restricted Windows account? I guess the answer is yes... (Did I just answer myself?)

3) Can you point me at another method of secure login, like forms but with encryption, that can allow me to not have to validate with my domain?

Thank you
Francisco O.
IBLUES
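
Added example, not part of either post: a web.config for ASP.NET 1.1 that matches the "FormsAuth + SSL" recommendation in the reply, with customer accounts kept outside the internal domain. The cookie name `.ORDERSAUTH` and the page name `Login.aspx` are assumed names chosen for illustration.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>

    <!-- Forms authentication: credentials are checked by the application
         against its own customer store, not against the internal AD.
         Login.aspx is an assumed page name. -->
    <authentication mode="Forms">
      <forms name=".ORDERSAUTH"
             loginUrl="Login.aspx"
             protection="All"
             requireSSL="true"
             timeout="20"
             slidingExpiration="false"
             path="/" />
      <!-- protection="All"  : the ticket is both encrypted and validated
                               (MAC), so it cannot be read or altered.
           requireSSL="true" : the auth cookie is marked Secure and is only
                               sent over HTTPS. The default is "false",
                               which lets the ticket travel over plain HTTP
                               even when the login form itself used SSL.
           timeout / slidingExpiration : a fixed 20 minute ticket lifetime
                               limits how long a captured ticket is usable. -->
    </authentication>

    <!-- Deny anonymous users ("?") everywhere. The forms module still
         lets unauthenticated users reach the loginUrl page. -->
    <authorization>
      <deny users="?" />
    </authorization>

  </system.web>
</configuration>
```

With `requireSSL="true"` the whole site, not only the login page, has to be served over HTTPS, since the browser will not send the ticket on a plain HTTP request.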