Re: Kerberos authentication NOT in AD



I'm not sure where the piece of code is that gives you a high level Kerberos
wrapper that runs on Windows. I'm pretty sure all of the APIs are there in
Windows to do it yourself, but I'm not an expert at this.

If the code exists on the Unix side, then a web service wrapper hosted on
Apache on the Unix side would probably be pretty easy to put together as
well.

Maybe someone else here will post on the thread and provide some ideas. You
might also try asking how to do non-AD Kerberos auth in Windows without .NET
in the microsoft.public.platformsdk.security newsgroup and see what they
say. If a native solution can be created easily, it probably would not be
hard to p/invoke that from .NET to get your integration.

Best of luck,

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Gary" <Gary@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:EE7D0FDA-F14F-4712-8C85-CF79017254D0@xxxxxxxxxxxxxxxx
You're right -- I haven't been able to find that piece of code anywhere.
All the code there seems to be more building block-type examples that I
don't need. I'm not concerned about port access, but I don't have a lot of
help from the folks that manage the Kerberos realm, as they're all UNIX
guys. This is a new app, so I'm not doing any authentication as of yet
(I've done straight AD/Windows authentication and SQL Server/Forms
authentication in the past). I'm just trying to not have
usernames/passwords stored in multiple data sources.

If you've got a lead as to where such a piece of code might be I'd greatly
appreciate it.

"Joe Kaplan" wrote:

If you want to do forms auth and use plaintext credentials (instead of
trying to make this work with integrated Windows auth), then this should
be something that is pretty doable.

The trick is to find a piece of code running somewhere that can take a
username and password and authenticate it against your Kerb realm. Then,
you just need an appropriate wrapper around that which can be used to
call it remotely from your ASP.NET app.

The web service approach makes a lot of sense for your remoting wrapper,
but there are other ways to do that. If you can get some Windows code that
can do the authentication for you, I would think you could do this as an
in-process call directly from ASP.NET in the forms authentication event
handler. This would require having appropriate port 88 access to the
kerb realm from the web server, obviously.

How are you able to authenticate programmatically now?

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Gary" <Gary@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:9B8F838D-62D5-4B4F-A3D0-357183419ACE@xxxxxxxxxxxxxxxx
I'm looking for the second one. This is a UNIX realm, and I just can't
find anything. I did find IISPassword
<http://www.troxo.com/products/iispassword/>, but that only does basic
authentication, and I also took a look at MADAM
<http://msdn2.microsoft.com/en-us/library/aa479391.aspx>, but that
doesn't seem to work either. What would be nice to do would be to use
forms authentication to pass the user credentials to a web service that
could authenticate against the Kerberos realm, but all the SOAP examples
out there are really confusing.

Thanks!

"Joe Kaplan" wrote:

I don't have a lot of experience with doing this, but I'm curious if
you want this integration to work at the Windows level such that you can
log in to Windows with an external Kerb realm (possible) and thus get that
support from IIS, or if you want to find a Kerberos stack for .NET that
you can integrate at the app level?

I imagine that either approach could work, but you'd be skinning the
cat two totally different ways.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Gary" <Gary@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:03F78D62-DB86-43EE-BB25-E392A6826C73@xxxxxxxxxxxxxxxx
I'm trying to authenticate against a non-Active Directory Kerberos realm
for an ASP.NET application. I've seen so much stuff out there it's not
even funny -- is there a halfway easy solution?

Thanks.
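
The Unix-side check discussed in this thread (code that takes a username and password and authenticates them against the Kerberos realm, to sit behind a web service wrapper), as an added Python example that is not from any poster. It assumes MIT `kinit` on the host, which reads the password from standard input when no terminal is attached; the realm `EXAMPLE.ORG` and all function names are hypothetical.

```python
import os
import re
import subprocess
import tempfile

REALM = "EXAMPLE.ORG"  # placeholder realm (assumption, not from the thread)
# Allow-list for the user part: no '@', '/', whitespace, or leading '-'.
_USER_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}")


def build_principal(username, realm=REALM):
    """Return user@REALM, or raise ValueError for anything off the allow-list.

    Rejecting '@' and '/' stops a caller from picking another realm or an
    instance such as user/admin; rejecting a leading '-' keeps the value
    from being parsed by kinit as an option.
    """
    if not isinstance(username, str) or not _USER_RE.fullmatch(username):
        raise ValueError("invalid username")
    return f"{username}@{realm}"


def kinit_command(principal, ccache):
    # The password is never placed on argv, where other users could read it.
    return ["kinit", "-c", f"FILE:{ccache}", principal]


def verify_password(username, password, realm=REALM, timeout=10):
    """True if the KDC issues a TGT for username/password, else False."""
    try:
        principal = build_principal(username, realm)
    except ValueError:
        return False
    if not password or "\n" in password:
        return False
    # Throwaway credential cache: the TGT is deleted as soon as we return.
    with tempfile.TemporaryDirectory() as tmp:
        cmd = kinit_command(principal, os.path.join(tmp, "cc"))
        try:
            proc = subprocess.run(
                cmd, input=password + "\n", text=True, capture_output=True,
                timeout=timeout, env={"PATH": "/usr/bin:/bin", "LC_ALL": "C"},
            )
        except (OSError, subprocess.TimeoutExpired):
            return False  # fail closed if kinit is missing or the KDC hangs
    return proc.returncode == 0
```

A TGT obtained this way proves the password only if the KDC's reply can be trusted; MIT's `krb5_verify_init_creds` closes that gap by checking the ticket against a key in a local keytab. The wrapper that exposes this function should accept credentials only over TLS and rate-limit failed attempts.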







