Re: Single Sign On - from anywhere



Hi;

Thanks for your answer. What I want is the browser talks to my ASP.NET app
and my app gets the request, calls the business logic layer that then accesses
the database as the user on the browser.

I want to do this (rather than a single connection for all users to the
database) so that database access is limited to what that user has rights to.
It removes my program from all the authorization issues and uses the
authorizations already in existence for the user, their group memberships,
and their rights in the database.

In terms of identifying the user, I prefer to not make them log in since
they already logged in to Windows. I think what you are saying is this is
only possible for IE.

When they do have to log in, I'd prefer that it is done in a way where my
app never sees the password. Is that possible? Or do I need to do a form
login and use the username/password to get their credentials?

Finally, what is the best way to handle repeated logins by someone who is
not running IE from a system on the same domain? I could use a cookie to
identify that they are back (if they select that option) and store their
domain username/password in my DB - but that strikes me as a big security
vulnerability as that data holds people's username/password.

I could make them log in for each session, but that could honk people off as
they are used to not having to re-enter each time.

??? - thanks - dave


"Dominick Baier [DevelopMentor]" wrote:

> Hi,
>
> what do you mean by access files, db etc - you mean via the browser interface?
> Are these resources local or remote to the web server?
>
> 1) IE is the only browser that supports kerberos directly. There are NTLM
> plugins for Firefox and Mozilla, but AFAIK they don't provide seamless login
> (without providing credentials)
> 2) this could be done with NTLM or some other HTTP auth mechanism
>
> some points:
>
> - for delegation to work you need kerberos end to end. Only IE supports Kerberos.
> IIS6 (in a W2k3 functionality level domain) supports transitioning between
> non-delegatable protocols like NTLM to Kerberos
> - you need SSL - regardless of the authentication technique
>
>
> ---------------------------------------
> Dominick Baier - DevelopMentor
> http://www.leastprivilege.com
>
> > Hi;
> >
> > I think this can be done. I want to be able to do the following:
> > 1) User hits my ASP.NET app from a browser running on Windows XP, and
> > there
> > is a trust relationship between the domain they are logged in as on
> > their
> > workstation and the domain of the server I am running on -> I get
> > their
> > credentials with their not having to enter a username/password and I
> > can then
> > open files and access a database as them. Using any browser, not just
> > IE.
> > 2) They are on a workgroup (not domain) or on a system without a trust
> > relationship, or on a non-Windows O/S, they are then prompted for
> > their username/password on the domain my server is running on and once
> > they enter it, I get their credentials, and I never see or touch their
> > password. And again, I can then open files & access the database as
> > them.
> >
> > Can this be done? And if so, any urls to a simple example?
> >
>
>
>
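
An added example (C#, .NET Framework), not from the thread and not code posted by Dave or Dominick, showing the two paths discussed above. Path 1: IIS Windows authentication (Negotiate/Kerberos or NTLM) hands the app an already-authenticated WindowsIdentity, and the app impersonates it while opening the database connection with Integrated Security, so SQL Server applies that user's own grants and group memberships and the app never sees a password. Path 2: Kerberos protocol transition (S4U2Self, what Dominick refers to as IIS6/W2k3 transitioning NTLM to Kerberos) via the WindowsIdentity(upn) constructor, which asks the KDC for a token for a named user without any password at all. The server name sql01.corp.example, database Sales, the SPN MSSQLSvc/sql01.corp.example:1433 and the handler class name are assumptions for illustration.

```csharp
using System;
using System.Data.SqlClient;
using System.Security.Principal;
using System.Web;

// Added example (not from the thread). Assumes the ASP.NET app runs on IIS with
// Windows authentication enabled, anonymous access disabled, SSL required, and
// <authentication mode="Windows" /> in web.config. Names are hypothetical.
public class WhoAmIHandler : IHttpHandler
{
    // SQL Server the app connects to. For the Kerberos hop to work, the SPN
    // MSSQLSvc/sql01.corp.example:1433 must be registered on the SQL service account.
    const string ConnString =
        "Data Source=sql01.corp.example;Initial Catalog=Sales;Integrated Security=SSPI";

    public void ProcessRequest(HttpContext ctx)
    {
        // Path 1: IIS already authenticated the browser (Negotiate/Kerberos or NTLM).
        // No password ever reaches this code; we only get the authenticated identity.
        WindowsIdentity caller = ctx.User.Identity as WindowsIdentity;
        if (caller == null || !caller.IsAuthenticated)
        {
            ctx.Response.StatusCode = 401;
            return;
        }

        // Only a Delegation-level token can be forwarded to the database server.
        // NTLM, and Kerberos without delegation configured, yield an Impersonation
        // level token: fine for local files, but the hop to SQL Server will fail.
        ctx.Response.Write("Token level: " + caller.ImpersonationLevel + "\n");

        string dbUser = QueryAsUser(caller);
        ctx.Response.Write("SQL Server sees you as: " + dbUser + "\n");
    }

    // Path 2: the caller was not Kerberos-authenticated (e.g. NTLM from Firefox,
    // or a separate login elsewhere), but the app knows who they are. Protocol
    // transition (S4U2Self) asks the KDC for a token for that UPN with no password.
    // That token is usable against sql01 only if this web server's account is
    // configured in AD for constrained delegation to MSSQLSvc/sql01.corp.example:1433
    // with "use any authentication protocol" (Windows Server 2003 domain functional
    // level or later). Otherwise S4U2Self returns an Identification-level token and
    // conn.Open() fails, rather than silently running as the app pool account.
    public static string QueryViaProtocolTransition(string upn)
    {
        WindowsIdentity s4u = new WindowsIdentity(upn);   // e.g. "dave@corp.example"
        return QueryAsUser(s4u);
    }

    // Impersonate the given identity for the duration of the DB call, so SQL Server
    // authorizes the query with that user's own grants and group memberships.
    static string QueryAsUser(WindowsIdentity who)
    {
        using (WindowsImpersonationContext wic = who.Impersonate())
        using (SqlConnection conn = new SqlConnection(ConnString))
        using (SqlCommand cmd = new SqlCommand(
            "SELECT SUSER_SNAME(), auth_scheme FROM sys.dm_exec_connections " +
            "WHERE session_id = @@SPID", conn))
        {
            conn.Open();
            using (SqlDataReader r = cmd.ExecuteReader())
            {
                r.Read();
                // auth_scheme is KERBEROS when the hop succeeded end to end. NTLM here
                // means the web server authenticated to SQL as some account; check
                // that SUSER_SNAME() is really the browser user and not the app pool.
                return r.GetString(0) + " via " + r.GetString(1);
            }
        }
    }

    public bool IsReusable { get { return true; } }
}
```

The SUSER_SNAME()/auth_scheme query is the practical check for the "single connection for all users" mistake Dave wants to avoid: if it reports the web server's own account over NTLM, the per-user authorization in the database is not being applied, however the browser logged in.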


