Re: Newbie: Authentication approach, Kerberos
From: Joe Kaplan (MVP - ADSI) (joseph.e.kaplan_at_removethis.accenture.com)
Date: 05/11/04
Date: Tue, 11 May 2004 10:57:06 -0500
Are you sure you need to delegate the user's security credentials to other
machines on the network? Most of the time when people do this, they really
should be using a standard account to access SQL in order to take
advantage of connection pooling instead of using the user's credentials.
If you don't need to delegate, then you can use simple LDAP authentication
against AD. There are some ok samples here:
http://support.microsoft.com/default.aspx?scid=kb;en-us;326340
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/sds/sds/active_directory_authentication_from_asp__net.asp?frame=true
If you do need to delegate but insist on using forms authentication, then
you must call the LogonUser API in order to validate the user's credentials
and use the token handle returned to build a WindowsIdentity object that you
can impersonate.
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpref/html/frlrfSystemSecurityPrincipalWindowsImpersonationContextClassTopic.asp?frame=true
If you don't need forms authentication, then you can use Windows
authentication instead and get around having to do impersonation. However,
you will still need to learn some stuff about delegation.
This topic comes up a lot here and in the ASP.NET security newsgroup.
You'll find lots of additional help via a Google search.
HTH,
Joe K.
"MattC" <m@m.com> wrote in message
news:etVB%2370NEHA.3668@TK2MSFTNGP11.phx.gbl...
> Hi,
>
> With reference to the following MSDN flowchart
> (http://msdn.microsoft.com/library/en-us/dnbda/html/AuthASPdotNET03.gif) I
> have the following dilemma.
>
> I wish to implement an ASP.NET web application that uses Form based
> authentication but where my users' information is stored in Windows
> accounts.
> My users will log on by typing in their Windows username and password;
> this will then be authenticated against their Windows account.
> The application will only run via the company intranet which comprises LAN
> both local and VPN and a dial up VPN. My users will also be accessing
> datasources such as databases, so that means context delegation.
>
> Following the flow chart I am presented with the solution of implementing
> a layer in my application that handles "Custom Credential Mapping Basic
> Kerberos".
>
> My initial response is: ¿que?
>
> I would greatly appreciate any experience or advice regarding this
> problem.
>
> Thanks
>
> MattC
>
>
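The LogonUser route described in the reply above, sketched in C# as an added example (not code from this thread or from the linked MSDN pages). The class name `FormsLogonHelper`, the `RunAs` method, the `Work` delegate and the choice of logon type 8 are assumptions made for illustration.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Security.Principal;

public static class FormsLogonHelper   // hypothetical helper, not a framework class
{
    // Assumption: logon type 8 (LOGON32_LOGON_NETWORK_CLEARTEXT) is chosen because it
    // keeps the credentials in the logon session, so the impersonated thread can
    // authenticate to a second machine such as a SQL Server. Type 3
    // (LOGON32_LOGON_NETWORK) validates the password but yields a token that
    // carries no credentials for a further network hop.
    private const int LOGON32_LOGON_NETWORK_CLEARTEXT = 8;
    private const int LOGON32_PROVIDER_DEFAULT = 0;
    private const int ERROR_LOGON_FAILURE = 1326;

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    private static extern bool LogonUser(string user, string domain, string password,
        int logonType, int logonProvider, out IntPtr token);

    [DllImport("kernel32.dll", SetLastError = true)]
    private static extern bool CloseHandle(IntPtr handle);

    public delegate void Work();

    // Validates the credentials taken from the login form. Returns false for a bad
    // user name or password, throws for any other failure (locked account, expired
    // password, ...), and on success runs 'work' while impersonating the user.
    public static bool RunAs(string domain, string user, string password, Work work)
    {
        IntPtr token;
        if (!LogonUser(user, domain, password, LOGON32_LOGON_NETWORK_CLEARTEXT,
                       LOGON32_PROVIDER_DEFAULT, out token))
        {
            int err = Marshal.GetLastWin32Error();
            if (err == ERROR_LOGON_FAILURE) return false;
            throw new Win32Exception(err);
        }
        try
        {
            // WindowsIdentity duplicates the token, so the raw handle is closed below.
            WindowsIdentity identity = new WindowsIdentity(token);
            WindowsImpersonationContext ctx = identity.Impersonate();
            try { work(); }          // e.g. open the database connection here
            finally { ctx.Undo(); }  // always revert, or the pooled thread stays impersonated
        }
        finally { CloseHandle(token); }
        return true;
    }
}
```

The password is passed to the API only and never logged or stored; the forms-authentication ticket should carry the user name, not the password.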