Re: Windows Authentication, Single sign on and Active Directory

Thanks Joe,

I changed the IIS setting to not allow anonymous access and in the Proxy, I
added a line like this :
this.Credentials = System.Net.CredentialCache.DefaultNetworkCredentials;

and it seems to be doing the main thing correctly.

One obvious difference I noticed was, quite a few of the images do not
appear now. I think this might be because the images are accessible only to
ASPNET user whereas with the changes I made, these physical files are being
accessed by me (SP user) and may not have access to them. Is my thinking
correct? Is this where I'll have to use impersonation? or is there a simpler
way out?

I guess its a new topic for discussion.

--SP


"Joe Kaplan" <joseph.e.kaplan@xxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:O7gp6b4THHA.192@xxxxxxxxxxxxxxxxxxxxxxx
AD is primarily behind the scenes. At the web server, the machine is able
to authenticate incoming domain members as a result of being a domain
member and being able to communicate with AD using its Kerberos or NTLM
features. Same goes for the clients. The client can authenticate with the
domain controller's KDC and get a service ticket to access the web server
if Kerberos is being used or will negotiate down to NTLM otherwise.

If there is no AD, your web server is probably a workgroup mode machine.
In that case, the web server can only authenticate IDs defined on the
local machine. I wouldn't suggest you use this architecture if AD is not
in the mix.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services
Programming"
http://www.directoryprogramming.net
--
"SP" <spspsp@xxxxxxxxxxxx> wrote in message
news:ukuA231THHA.2212@xxxxxxxxxxxxxxxxxxxxxxx
Joe,

this does make sense, I'll try and proceed in this direction and see
where and how it goes. One thing I am not sure about is where and how
active directory is getting involved in here? Does it all happen behind
the scene / under the hood for me? What will happen if there is something
else in place of AD?

I think by now it must be obvious to you that I am a complete novice to
this whole thing.

--SP

"Joe Kaplan" <joseph.e.kaplan@xxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:ub4EaEtTHHA.5068@xxxxxxxxxxxxxxxxxxxxxxx
The best thing to do would be to catch the appropriate exception if the
web service proxy client fails to connect due to authentication failure
and then prompt the user for credentials. You can then create a
NetworkCredentials object that contains the plain text credentials and
use that instead of the DefaultCredentials. This gives you SSO for
users logged in to the desktop but gives you a mechanism to handle
situations where it doesn't work. This is actually how the browser
tends to work as well.

I can't remember the exact exception, but I'm sure you can figure it out
quickly through a little testing.

If you were working in an internet scenario instead of intranet, you
might also want to consider the possibility of using Basic
authentication with SSL. That will require you to always prompt for
credentials, but is the most flexible. Note that you should almost
certainly be using SSL with the web services anyway, as it is generally
important to protect any authenticated web traffic at the transport
level, no matter what authentication protocol you are using.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services
Programming"
http://www.directoryprogramming.net
--
"SP" <spspsp@xxxxxxxxxxxx> wrote in message
news:OhJUezsTHHA.3440@xxxxxxxxxxxxxxxxxxxxxxx
Thanks for the input Joe,

I do not want to implement my own protocol and anything readymade is
definitely the best option for me. I just got carried away reading lots
of different articles on internet but could not get anywhere in
practice. I think I was looking to replace the existing mechanism on a
like for like substitute.

One of the problems is, I need to keep the login dialog as well, in
case if a user logs in to the client machine outside the domain, then
he should be able to key in his credentials. The server is always in
the domain. for example, I am a domain usee as MyDomain\SP. On a client
machine, if I am logged in as one, then I want the application to not
show me a login dialog. If I am not logged on to the domain, I would
like for the application to show me a login dialog where I may enter
MyDomain\SP as user and my password to start using the application

As I had previously said, I don't know how to do it so can you please
point me to some examples if possible?

TIA,

--SP

"Joe Kaplan" <joseph.e.kaplan@xxxxxxxxxxxxxxxxxxxxxxxx> wrote in
message news:%23CmLAXsTHHA.3996@xxxxxxxxxxxxxxxxxxxxxxx
The more straightforward way to do this is to enable integrated
Windows authentication on the web services. If the user is logged
into the domain when running the client app, all you need to do is set
the Credentials property on your web service proxy classes to use
DefaultCredentials and the user will log in automatically (assuming
the web server is also a member of the domain).

Your web services can then determine the identity of the authenticated
user with Context.User.Identity.Name.

The other alternatively to consider would be to use WCF or WSE3 or
something to implement some sort of message level security.

I would recommend that you NOT try to implement your own
authentication protocol. It is not easy to get right.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services
Programming"
http://www.directoryprogramming.net
--
"SP" <spspsp@xxxxxxxxxxxx> wrote in message
news:elcz2irTHHA.496@xxxxxxxxxxxxxxxxxxxxxxx
Hello All,

First of all, let me make it very clear that I do not have any idea
about implementing the windows authentication, so all inputs would be
appreciated.

The scenario :
I have a client - server application. At the moment, the passwords
for the users are stored in a password storage (encrypted). The
client app shows a login dialog, gets the username and password and
sends it to the server where the server verifies it against the
password store. I would like to move to a position where the user
does not need to enter the username and password, If they are logged
on to the domain, they should go straight in. The application is
written in C# (client app) accessing the ASP.NET web services. All of
it is done in .NET framework 2.0

The way I have figured out so far is as follows :
On the client side,
1) Get the user's identity
2) Send this to the server
On the server side :
3) Validate the user's identity against the active directory
4) If the user is valid, the normal process of using the application
continues.

In the process of trying this, I have done the following:
1) Get the user's identity
System.Security.Principal.WindowsIdentity.GetCurrent().User.Value
2) send it to server (the value returned from the above call is
string) so I send it as it is.

On the server side
3) I try and create the SecurityIdentifier object as follows :
System.Security.Principal.SecurityIdentifier sid = new
SecurityIdentifier(sddlIdentity);
this call is okay. From here I don't know where to go and how to
validate this agains the active directory. I had a look at AD objects
and it seems the SID should be available in some tokengroups but this
is where I have got completely lost. (On a sidenote :Another thing
is, If I try and use AD searching, I get an error possibly because
the call is run as ASPNET user which does not have access to AD)

Kindly help me in achieving this or if this method is not the correct
way of achieving my goal, advise me accordingly.

TIA,

SP













.

Relevant Pages

  • Re: Windows Authentication, Single sign on and Active Directory
    ... web service proxy client fails to connect due to authentication failure ... the web services anyway, as it is generally important to protect any ... web server is also a member of the domain). ...
    (microsoft.public.dotnet.framework.aspnet.security)
  • Re: Windows Authentication, Single sign on and Active Directory
    ... At the web server, the machine is able ... The client can authenticate with the domain ... Co-author of "The .NET Developer's Guide to Directory Services Programming" ... might also want to consider the possibility of using Basic authentication ...
    (microsoft.public.dotnet.framework.aspnet.security)
  • Re: Windows Authentication, Single sign on and Active Directory
    ... Co-author of "The .NET Developer's Guide to Directory Services Programming" ... your web server is probably a workgroup mode machine. ... web service proxy client fails to connect due to authentication failure ... Windows authentication on the web services. ...
    (microsoft.public.dotnet.framework.aspnet.security)
  • Re: using xp credentials for ldap authentication
    ... Joe Kaplan-MS MVP Directory Services Programming ... Co-author of "The .NET Developer's Guide to Directory Services Programming" ... password into this method and have the server use that data to ... You return the authentication ...
    (microsoft.public.windows.server.security)
  • Re: Windows Authentication, Single sign on and Active Directory
    ... when running the client app, all you need to do is set the Credentials ... Your web services can then determine the identity of the authenticated user ... I would recommend that you NOT try to implement your own authentication ... I have a client - server application. ...
    (microsoft.public.dotnet.framework.aspnet.security)