RE: Best way to provide security when need a WindowsIdentity

Hi;

I'm on vacation next week and because of you're guys feedback I'm taking the
..NET 2.0 security book. I don't know if I should thank you or ... <g>.

--
thanks - dave
david_at_windward_dot_net
http://www.windwardreports.com



"Dominick Baier [DevelopMentor]" wrote:

even better would be to use protocol transition - this doesn't require to
store/cache any credentials at all.

but works only on w2k3 in w2k3 domains.

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

Hi,

session will not work very well - WindowsPrincipal/Identity is not
serializable - which is not a big problem when session is in-proc -
but when you want to switch at some point to StateServer or SqlServer
- this will not work.

Cache will work - just sync the expiration time to your formsauth
timeout settings.

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com
Ok, for choice (3) it's store credentials in memory on the server
(encrypted) and create a WindowsPrincipal as needed.

Question - can I create a WindowsPrincipal, attach it to the session,
throw away the username/password, and use that principal from then on
in the session?

For choice (2) we're going to ask our customers. I don't even know if
anyone will fall into this category.

"David Thielen" wrote:

Hi;

Suggestions please. This is for a portal that we will ship to
multiple customers so we need to make security as painless as
possible while still protecting them. This portal does reporting and
therefore needs to read files (xml) and databases (select only).

I see it falling into 3 categories:

1) All users are in the domain and all use IE as a browser. We can
then use windows authentication and all access of files and SSPI
database queries is done under the WindowsIdentity of the user.
SingleSignOn and uses the existing domain permissions - life is
good.

2) Not all users are in ActiveDirectory - they may not even be on a
domain. In this case we use the asp.net user database and sign-on is
via forms. For reading a file (we only read) we give them the option
of: a) anything the server can read, b) they must enter a
username/password each time and we create that Windows user and then
read, c) They store a username/password with the filename as a
datasource in our database and we use that to create a user to read.
For DB access we do the same thing using %user% and %pass% in the
connection string. This is by definition a less secure world but I
don't see what else we can do.

3) All users are in active directory but some do not use IE and
therefore we can't require windows authentication. I believe we can
allow both windows and forms authentication so we are still in group
(1) for those using IE. But for the rest, it seems to me we have two
approaches when reading files/databases. a) We store the username &
password in memory (do not save anywhere!!!) and create a
WindowsIdentity to read. b) we run like item (2) above where we are
saving and/or prompting for a username/password for accessing data.
It seems to me the safer of these two is (a) because we are storing
the password in memory only. But choice (b) can be user/pass that
have very limited permissions so in that case, while they could be
saved in our database, they are not a user's credentials.

???

--
thanks - dave
david_at_windward_dot_net
http://www.windwardreports.com



.

Relevant Pages

  • RE: Best way to provide security when need a WindowsIdentity
    ... serializable - which is not a big problem when session is in-proc - ... throw away the username/password, and use that principal from then on ... then use windows authentication and all access of files and SSPI ... database queries is done under the WindowsIdentity of the user. ...
    (microsoft.public.dotnet.framework.aspnet.security)
  • Re: Theoretical Question OracleService
    ... Have a fairly good understanding of the OS where your Oracle software ... On Windows, you need a service to run a process in the background i.e. ... the other threads eventually end up in i.e. database, ... Open up another DOS session and start ...
    (comp.databases.oracle.server)
  • Re: Detecting local user before stealing his machine
    ... Kenneth Porter wrote: ... steal a session if someone is using the machine there. ... If you are using a common logon username/password - you aren't REALLY ... logging anyone out (in Windows XP).. ...
    (microsoft.public.windowsxp.work_remotely)
  • RE: Best way to provide security when need a WindowsIdentity
    ... session will not work very well - WindowsPrincipal/Identity is not serializable - which is not a big problem when session is in-proc - but when you want to switch at some point to StateServer or SqlServer - this will not work. ... throw away the username/password, and use that principal from then on ... then use windows authentication and all access of files and SSPI ... database queries is done under the WindowsIdentity of the user. ...
    (microsoft.public.dotnet.framework.aspnet.security)
  • Re: Best way to provide security when need a WindowsIdentity
    ... For them to use the sharepoint functionality we need to impersonate a ... This sets the request context to the correct windows user, ... throw away the username/password, and use that principal from then on ... database queries is done under the WindowsIdentity of the user. ...
    (microsoft.public.dotnet.framework.aspnet.security)