Re: Windows Authentication (asp.net 1.1 C#)
- From: Dominick Baier [DevelopMentor] <dbaier@xxxxxxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Fri, 20 Jan 2006 21:12:43 +0000 (UTC)
I wouldn't recommend using your internal AD for customer accounts. FormsAuthentication is as secure as IIS integrated auth - and you need SSL for both anyway.
There is no easy way to get a forms-based login for IIS integrated auth - this would require crafting the authentication headers on the client - may be easy for basic auth - but beyond.
I would go for FormsAuth + SSL
---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com
I'm creating a site which will allow our clients to place orders. Because of the different price lists and the sensitive merchandise we sell (medical supplies), I'm concerned about security. I thought that I have to do either Windows Authentication or Form Authentication. If I use Windows authentication, I can validate with my domain and I wouldn't have a problem with that, unless that would cause a problem with my internal security. The second option is Form Authentication.

My questions are:

1) If I use Windows Authentication, can I bypass the browser dialog box and use a form with textboxes to do the sign in? I have seen that Microsoft Exchange Web Outlook 2003 can do this. Is this possible? Someone told me at the asp group that it was not, but since it was asp and not asp.net, I wanted to ask.

2) Can I run into internal security problems if I give them a restricted Windows account? I guess the answer is yes... (Did I just answer myself?)

3) Can you point me at another method of secure login, like forms but with encryption, that can allow me to not have to validate with my domain?

Thank you
Francisco O.
IBLUES