Re: Lightweight logon? Impersonation? - shared workstation problem
- From: "Joe Kaplan" <joseph.e.kaplan@xxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Thu, 12 Jun 2008 22:30:52 -0500
Can you disable automatic integrated authentication in IE for the machines
in question so that the users will simply be prompted to enter credentials
when they access the app? Then, have them close the browser when they are
done.
If you have smart cards, you could also just use SSL with client cert auth.
The user would need to enter their smart card and PIN to log in.
Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"THG" <THG@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:64150E52-C8CE-4EBD-8A03-6617B102800C@xxxxxxxxxxxxxxxx
We have an Intranet ASP.NET application that is relying on AD security. We have a business requirement to run our application on shared workstations. An additional requirement is that users are under time constraints and use the system on and off during their shift. Up to 4-5 users can share the same machine during the same shift at the facility. There is no physical space to install dedicated machines; mobile devices cannot be used due to security considerations and the complexity of the application screens.

User identity is a critical part of this application and we cannot allow users to share the identity. We also cannot require the users to log on and log out after each data entry session, which can be 15 minutes at a time, as logon takes time under our standard security profiles.

We are looking at all the possible ways to meet the requirements and I am soliciting ideas; a couple of thoughts so far:
1. Impersonate the current user on top of a generic login (I was told that impersonation "does not stick" under the Windows authentication model - can somebody confirm or prove this statement wrong?)
2. Make use of the terminal services server and authenticate users based on the smart card that they would insert into a reader; that user ID would be passed onto the session on the remote server (seems like an overcomplicated solution to me).
Any thoughts and pointers to possible technologies would be appreciated.
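Joe's first suggestion, making the browser prompt instead of silently sending the logged-on (generic) account's Windows credentials, is a per-zone IE "Logon" setting. The snippet below is an added example, not code from the thread; it assumes the documented registry layout for the Local intranet zone (Zones\1, value 1A00) and writes to the current user's hive, so on a fleet the managed route is the equivalent Intranet Zone "Logon options" Group Policy.

```powershell
# Added example (not from the thread): make IE prompt for credentials in the
# Local intranet zone rather than auto-logon with the desktop user's token.
# Assumed layout: Zones\1 = Local intranet, DWORD 1A00 = "Logon" option.
$ZoneKey    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1'
$LogonValue = '1A00'

# Documented meanings of the 1A00 value
$LogonModes = @{
    0x00000000 = 'Automatic logon with current user name and password'
    0x00010000 = 'Prompt for user name and password'
    0x00020000 = 'Automatic logon only in Intranet zone'
    0x00030000 = 'Anonymous logon'
}

function Get-IntranetLogonMode {
    # Returns the raw DWORD and its meaning; missing value = IE default (auto in intranet)
    $raw = (Get-ItemProperty -Path $ZoneKey -Name $LogonValue -ErrorAction SilentlyContinue).$LogonValue
    if ($null -eq $raw) { $raw = 0x00020000 }
    [pscustomobject]@{ Raw = ('0x{0:X8}' -f [int]$raw); Mode = $LogonModes[[int]$raw] }
}

function Set-IntranetLogonPrompt {
    # 0x10000 = prompt: the shared workstation's generic session token is no
    # longer reused, so each user authenticates to the app as themselves.
    # Prompted credentials are cached for the browser process, which is why
    # the user must close the browser when done (as the reply says).
    Set-ItemProperty -Path $ZoneKey -Name $LogonValue -Value 0x00010000 -Type DWord
}

'Before: {0} ({1})' -f (Get-IntranetLogonMode).Mode, (Get-IntranetLogonMode).Raw
Set-IntranetLogonPrompt
'After:  {0} ({1})' -f (Get-IntranetLogonMode).Mode, (Get-IntranetLogonMode).Raw
```

Verify afterwards that the app's own web.config still requires Windows authentication with anonymous access denied; the prompt only helps if the server rejects unauthenticated requests.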