Re: Mixed Mode Authentication in .net 2.0



Basic auth should be used with SSL. Basic authentication is an HTTP defined
protocol; MS can't change it. They just support it in their browsers and
servers and allow it to interop with Windows logins. If you want
encryption, just use SSL. Any serious application that requires
authentication should use SSL anyway, as forms-based authentication is
subject to the user's cookie being stolen in transit which is just as bad.
Some security experts suggest that NTLM without SSL is more vulnerable than
Basic auth with SSL.

There is a nice set of links on ADFS here on the MSDN Identity portal:
http://msdn.microsoft.com/security/identityaccess/default.aspx
ADFS also requires SSL, FWIW.

ADFS is generally intended to be used for federation, which is a
standards-based technology intended to allow multiple different
organizations to access each other's web applications using their own
credentials. An example might be using your company's AD credentials to
sign in to your 401K provider's website.

It may take a little digging to see how you could actually use ADFS to
implement your application, as your scenario isn't one of the key ones they
tend to map out in the example guides. It would certainly work though.

Basic auth with SSL is your path of least resistance too.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
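An added example, not from this thread nor from either poster, of the forms-authentication-against-AD setup discussed above: the weak setting (no SSL requirement, so the forms ticket cookie travels in the clear and can be stolen in transit) is shown commented out beside the corrected one. The LDAP connection string, cookie name and domain are assumed placeholders.

```xml
<configuration>
  <connectionStrings>
    <!-- Placeholder: point this at your own domain controller / naming context -->
    <add name="ADConnection"
         connectionString="LDAP://dc.example.com/DC=example,DC=com" />
  </connectionStrings>
  <system.web>
    <!-- Weak: requireSSL="false" lets the .ASPXAUTH-style ticket cookie go out over plain HTTP
    <authentication mode="Forms">
      <forms loginUrl="Login.aspx" requireSSL="false" />
    </authentication>
    -->
    <!-- Corrected: cookie only sent over HTTPS, encrypted and signed, short absolute lifetime -->
    <authentication mode="Forms">
      <forms name=".ADAUTH"
             loginUrl="Login.aspx"
             requireSSL="true"
             protection="All"
             cookieless="UseCookies"
             slidingExpiration="false"
             timeout="30" />
    </authentication>
    <!-- Deny anonymous users; everyone must log in through the forms page -->
    <authorization>
      <deny users="?" />
    </authorization>
    <!-- Validate the submitted credentials against Active Directory over a protected LDAP channel -->
    <membership defaultProvider="ADMembership">
      <providers>
        <add name="ADMembership"
             type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
             connectionStringName="ADConnection"
             connectionProtection="Secure"
             attributeMapUsername="sAMAccountName" />
      </providers>
    </membership>
  </system.web>
</configuration>
```

With requireSSL="true" the runtime also refuses to issue the ticket on a non-HTTPS request, so a login page accidentally served over HTTP fails closed instead of leaking the cookie.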
--
"Graham Lloyd" <gilly1409@xxxxxxxxxxx> wrote in message
news:%23lKg53YxGHA.4700@xxxxxxxxxxxxxxxxxxxxxxx
Thanks for the info. I've not come across ADFS before. Can you point out
any good links?

I will do some research into this.

Also, do you know if MS is intending to update its Basic Authentication
method to encrypt the users' credentials in a more secure way for future
releases of IIS/ASP.net? It seems to be quite a problem for websites with
local/remote access while still requiring the required username. Or is
ADFS the MS recommended solution?

many thanks for your help

Graham




"Joe Kaplan (MVP - ADSI)" <joseph.e.kaplan@xxxxxxxxxxxxxxxxxxxxxxxx> wrote
in message news:eIuWnzUxGHA.2120@xxxxxxxxxxxxxxxxxxxxxxx
If I were doing this, I would implement it with ADFS, as it gives you
nice integration with both integrated auth and forms authentication,
while still allowing the web application to make use of Windows security
tokens for security purposes. Their solution is really clean and does
exactly what you want.

However, ADFS is a big thing to set up if you aren't trying to implement
identity federation or SSO otherwise.

One thing you might do is use split DNS or something like that so that
one version of your app is available on the public internet and the
integrated auth version is available internally. There isn't a good way
to make the integrated prompts go away for some users if you still want
integrated auth.

Another option is to enable Basic auth with SSL and make everyone supply
credentials. Some users won't like it, but it is very simple and will
just work.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services
Programming"
http://www.directoryprogramming.net
--
"Graham Lloyd" <gilly1409@xxxxxxxxxxx> wrote in message
news:%23UgWNcMxGHA.2352@xxxxxxxxxxxxxxxxxxxxxxx
Hi there

Our web site requires Integrated Security switched on and anonymous
disabled so each user's credentials are valid when accessing a database
on the server. This is all working fine but now I want to allow remote
users, eg at an airport or internet cafe, remote access.

Currently they are prompted via IIS for their credentials but we want to
direct them to our own login page then authenticate them using Forms
security with Active Directory.

I've read this paper on MSDN
(http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnaspp/html/mixedsecurity.asp)
and also a few others but our remote users are always prompted by the
IIS login box.

Can anyone point me in the right direction?

Cheers
