Re: WCF Security Question



Hi,

I have no clue about eDirectory - but Kerberos will allow you to propagate the credentials over exactly 2 hops:

Client
|
Service
|
Database

That means you need a Domain and Kerberos/Delegation configured correctly.

-----
Dominick Baier (http://www.leastprivilege.com)

Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp)

We have the following structure:

Windows (probably vista)
WPF
Service Layer
WCF in IIS
Service Layer
Business Objects
Domain Model
Database
We need to use the WindowsIdentity from the user logged on to the
windows machine all the way through to the database. We'd like to
make sure that they have single sign-on (i.e. they log onto windows
and that's it). With Windows Authentication, I think that's going to
be pretty easy to do, since WCF and IIS support it natively.

However, we have to also support Novell NDS (EDirectory).

1. Can we use WindowsIdentity for this?
2. Does anything in IIS and WCF help us here?
3. Are we going to have to do an LDAP query and is the user going to have to supply username and password credentials when the app opens for non-AD security providers?

Any help here would be greatly appreciated.

Robert
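The Client -> Service -> Database flow from the reply above, sketched in WCF as an added example that is not part of the original thread. The contract, host names, SPN and connection string are hypothetical, and it assumes the service account has been trusted for delegation in Active Directory.

```csharp
using System;
using System.Data.SqlClient;
using System.Security.Principal;
using System.ServiceModel;

[ServiceContract]
public interface IOrderService            // hypothetical contract
{
    [OperationContract]
    string WhoAmI();
}

public class OrderService : IOrderService
{
    // Hop 2 (Service -> Database): run the operation under the caller's
    // Windows token so the SQL connection authenticates as the end user.
    [OperationBehavior(Impersonation = ImpersonationOption.Required)]
    public string WhoAmI()
    {
        string atService = WindowsIdentity.GetCurrent().Name;
        // Integrated security hands the impersonated identity to SQL Server.
        // If delegation is not set up, Open() typically fails with a login
        // error for an anonymous account instead of the end user.
        using (var conn = new SqlConnection(
            "Server=db01.example.test;Database=Orders;Integrated Security=SSPI"))
        using (var cmd = new SqlCommand("SELECT SUSER_SNAME()", conn))
        {
            conn.Open();
            string atDatabase = (string)cmd.ExecuteScalar();
            return "service=" + atService + "; database=" + atDatabase;
        }
    }
}

public static class Client
{
    public static void Main()
    {
        // Hop 1 (Client -> Service): name the service's SPN so Kerberos is
        // used, and allow the service to delegate the logged-on user's token.
        var address = new EndpointAddress(
            new Uri("http://app01.example.test/OrderService.svc"),
            EndpointIdentity.CreateSpnIdentity("HTTP/app01.example.test"));
        var factory = new ChannelFactory<IOrderService>(new WSHttpBinding(), address);
        factory.Credentials.Windows.AllowedImpersonationLevel =
            TokenImpersonationLevel.Delegation;
        Console.WriteLine(factory.CreateChannel().WhoAmI());
        factory.Close();
    }
}
```

When both hops work, the two names returned by `WhoAmI()` match the user logged on at the client, which is a quick way to confirm the delegation setup before building on it.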


