Re: System.Security.Principal.IdentityReference



I think I kind of get it, although I would obviously need more details to
understand it deeply. It seems like you might have a legitimate enhancement
request for the next version of the framework. You could try the product
feedback center (if it is still there) to post it.

The other thing I was wondering was whether you might consider creating a
custom SID to use for this. If you use an identifier authority other than 1
or 5, Windows shouldn't get confused by it. ADAM uses something like this
for its SID and it fits into the whole SID concept pretty well. You
obviously wouldn't be able to translate to NTAccount and such, but perhaps
it would suit your needs? I know AzMan supports custom SIDs as well.

Best of luck with whatever you end up with.

Joe K.

"Michael Primeaux" <mjprimeaux@xxxxxxxxxxxxxx> wrote in message
news:%23Y2NvWJIGHA.2912@xxxxxxxxxxxxxxxxxxxxxxx
> We are writing a distributed application framework. As with most
> applications, we separate into two distinct categories: extranet and
> intranet. Regardless of which camp an application resides, we offer two
> options with respect to authentication: (1) native authentication and (2)
> custom authentication. Regardless of the chosen scenario, we augment the
> principal with security profile information (business "stuff"). To keep
> the link between our principal, identity, and security profile we use
> identity references.
>
> Therefore, there are four scenarios:
>
> 1. Intranet application, native authentication. For this [widely used]
> case, we use the native WindowsIdentity "wrapped" with a custom principal.
>
> 2. Intranet application, custom authentication. For this case, we use a
> custom identity "wrapped" with a custom principal.
>
> 3. Extranet application, native authentication. For this case, we use the
> native WindowsIdentity "wrapped" with a custom principal. We use protocol
> transition and obtain the Kerberos credentials without knowing the user's
> password; nice feature.
>
> 4. Extranet application, custom authentication. For this case, we use a
> custom identity "wrapped" with a custom principal.
>
> For native authentication, we map the identity to a security profile using
> one of three options: (1) use the NTAccount class or the (2)
> SecurityIdentifier class, or (3) the objectId associated to the user
> within AD. However, for custom authentication we do not have an option and
> wanted to define our own CustomIdentityReference so we can keep our
> security profile security API consistent: For example...
>
> ISecurityProfile Get(IdentityReference identityReference);
>
> I'm over-simplifying the issue as we have other APIs that would certainly
> benefit from a custom identity reference. However, since the
> IdentityReference class defines an internal ctor we are forced to break
> apart our API into something less elegant. Why allow for custom IIdentity
> implementations but without allowing for custom identity references?
>
> Let me know if you need more clarification.
>
> Kindest Regards,
> Michael
>
>
>
> "Joe Kaplan (MVP - ADSI)" <joseph.e.kaplan@xxxxxxxxxxxxxxxxxxxxxxxx> wrote
> in message news:O7$DMx7HGHA.1388@xxxxxxxxxxxxxxxxxxxxxxx
>>I think it is only supposed to be used with the SecurityIdentifier or
>>NTAccount derived classes, but I'm not from MS, so I can't say for sure.
>>
>> Can you say more about your scenario?
>>
>> Joe K.
>>
>> "Michael Primeaux" <mjprimeaux@xxxxxxxxxxxxxx> wrote in message
>> news:eIdRcJ7HGHA.596@xxxxxxxxxxxxxxxxxxxxxxx
>>>
>>> Would someone from Microsoft please explain what scenario required the
>>> IdentityReference class in .NET 2.0 to be declared with an internal
>>> constructor. I have several use cases that would benefit extensively
>>> from a custom identity reference. However, that's not currently possible
>>> as the Identity reference class can not be inherited.
>>>
>>> Kindest Regards,
>>> Michael Primeaux
>>>
>>
>>
>
>
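
The custom-SID idea from the reply above, as an added example (not code from either poster or from Microsoft): a SecurityIdentifier is built under a private identifier authority so that a custom-authenticated user can be passed to an API that takes IdentityReference. The authority value 99, the SHA-256 derivation of the sub-authorities, the case folding and the sample user key are assumptions made for illustration.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Principal;
using System.Text;

static class CustomSidExample
{
    // Assumption: 99 is a made-up private identifier authority
    // (anything other than 1 or 5, as the reply suggests).
    const long PrivateAuthority = 99;

    // Builds S-1-99-<a>-<b>-<c>-<d> for a custom-authentication user key.
    public static SecurityIdentifier FromCustomUser(string userKey)
    {
        byte[] hash;
        using (SHA256 sha = SHA256.Create())
            hash = sha.ComputeHash(Encoding.UTF8.GetBytes(userKey.ToUpperInvariant()));

        const int subAuthorityCount = 4;
        byte[] sid = new byte[8 + 4 * subAuthorityCount];
        sid[0] = 1;                      // SID revision
        sid[1] = subAuthorityCount;      // number of 32-bit sub-authorities
        for (int i = 0; i < 6; i++)      // 48-bit identifier authority, big-endian
            sid[2 + i] = (byte)(PrivateAuthority >> (8 * (5 - i)));
        // Sub-authorities are stored little-endian; the first 16 hash bytes
        // are copied in unchanged and read back as four 32-bit values.
        Buffer.BlockCopy(hash, 0, sid, 8, 4 * subAuthorityCount);
        return new SecurityIdentifier(sid, 0);
    }

    static void Main()
    {
        // Constructed sample key; usable wherever an IdentityReference is accepted.
        IdentityReference id = FromCustomUser("extranet\\jdoe");
        Console.WriteLine(id.Value);
        Console.WriteLine(id.Equals(FromCustomUser("EXTRANET\\JDOE")));

        // There is no account behind this SID, so translation is not possible.
        try { id.Translate(typeof(NTAccount)); }
        catch (IdentityNotMappedException) { Console.WriteLine("no NTAccount mapping"); }
    }
}
```

The same user key always yields the same SID, so it can serve as a stable lookup key for the security profile; it does not authenticate anything by itself.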

