Re: Kerberos authentication NOT in AD
- From: Dave Mowers <david.mowers@xxxxxxxxxxxxxxxxxxxx>
- Date: Mon, 15 Jan 2007 18:02:00 -0800
Windows supports Unix Kerberos realms natively. You should be able to set up
an external trust with the Kerberos realm (a good starting point is
http://www.washington.edu/computing/support/windows/UWdomains/crossRealm.html)
and then you can p/invoke LogonUser with the username and password. You'll
also need to set up an account in your local AD to represent the foreign
realm user, but it's pretty easy to script such a thing or get fancy and use
something like MIIS to keep the account objects in sync.
Hope this helps.
Dave
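The LogonUser p/invoke Dave describes, as an added C# example that is not code from this thread or from any of its posters; it assumes the realm trust is already in place and uses EXAMPLE.EDU as a placeholder for the real realm name:

```csharp
using System;
using System.Diagnostics;
using System.Runtime.InteropServices;

// Thin wrapper around advapi32!LogonUser for a forms-authentication handler.
// With a realm trust set up, the LSA routes user@REALM through the trust and
// maps it to the local AD account that represents the foreign realm user.
public static class KerberosRealmLogon
{
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    private static extern bool LogonUser(
        string lpszUsername, string lpszDomain, string lpszPassword,
        int dwLogonType, int dwLogonProvider, out IntPtr phToken);

    [DllImport("kernel32.dll", SetLastError = true)]
    private static extern bool CloseHandle(IntPtr hObject);

    // Network logon validates the password without an interactive session, so
    // the web server's app pool identity does not need "log on locally".
    private const int LOGON32_LOGON_NETWORK = 3;
    private const int LOGON32_PROVIDER_DEFAULT = 0;

    // True only if the trusted realm's KDC accepted the password. The token is
    // closed immediately: we want a yes/no answer, not impersonation, and the
    // password is neither stored nor logged.
    public static bool Validate(string user, string realm, string password)
    {
        if (string.IsNullOrEmpty(user) || string.IsNullOrEmpty(password))
            return false;

        IntPtr token = IntPtr.Zero;
        try
        {
            // UPN form (user@REALM) requires a null domain argument; that is
            // what lets the request go to the trusted realm, not the local domain.
            bool ok = LogonUser(user + "@" + realm.ToUpperInvariant(), null,
                                password, LOGON32_LOGON_NETWORK,
                                LOGON32_PROVIDER_DEFAULT, out token);
            if (!ok)
            {
                // Keep the Win32 error (1326 = bad user name or password) for
                // server-side diagnostics only; never echo it to the browser.
                Trace.TraceWarning("LogonUser failed: {0}", Marshal.GetLastWin32Error());
                return false;
            }
            return true;
        }
        finally { if (token != IntPtr.Zero) CloseHandle(token); }
    }
    // In the Login control's Authenticate event (hypothetical page):
    // e.Authenticated = KerberosRealmLogon.Validate(Login1.UserName, "EXAMPLE.EDU", Login1.Password);
}
```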
"Joe Kaplan" wrote:
I'm not sure where the piece of code is that gives you a high level Kerberos wrapper that runs on Windows. I'm pretty sure all of the APIs are there in Windows to do it yourself, but I'm not an expert at this.
If the code exists on the Unix side, then a web service wrapper hosted on Apache on the Unix side would probably be pretty easy to put together as well.
Maybe someone else here will post on the thread and provide some ideas. You
might also try asking how to do non-AD Kerberos auth in Windows without .NET
in the microsoft.public.platformsdk.security newsgroup and see what they
say. If a native solution can be created easily, it probably would not be
hard to p/invoke that from .NET to get your integration.
Best of luck,
Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Gary" <Gary@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:EE7D0FDA-F14F-4712-8C85-CF79017254D0@xxxxxxxxxxxxxxxx
You're right -- I haven't been able to find that piece of code anywhere. All the code there seems to be more building block-type examples that I don't need. I'm not concerned about port access, but I don't have a lot of help from the folks that manage the Kerberos realm, as they're all UNIX guys.
This is a new app, so I'm not doing any authentication as of yet (I've done straight AD/Windows authentication and SQL Server/Forms authentication in the past). I'm just trying to not have usernames/passwords stored in multiple data sources.
If you've got a lead as to where such a piece of code might be I'd greatly appreciate it.
"Joe Kaplan" wrote:
If you want to do forms auth and use plaintext credentials (instead of trying to make this work with integrated Windows auth), then this should be something that is pretty doable.
The trick is to find a piece of code running somewhere that can take a username and password and authenticate it against your Kerb realm. Then, you just need an appropriate wrapper around that which can be used to call it remotely from your ASP.NET app.
The web service approach makes a lot of sense for your remoting wrapper, but there are other ways to do that. If you can get some Windows code that can do the authentication for you, I would think you could do this as an in-process call directly from ASP.NET in the forms authentication event handler. This would require having appropriate port 88 access to the kerb realm from the web server, obviously.
How are you able to authenticate programmatically now?
Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Gary" <Gary@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:9B8F838D-62D5-4B4F-A3D0-357183419ACE@xxxxxxxxxxxxxxxx
I'm looking for the second one. This is a UNIX realm, and I just can't find anything. I did find IISPassword <http://www.troxo.com/products/iispassword/>, but that only does basic authentication, and I also took a look at MADAM <http://msdn2.microsoft.com/en-us/library/aa479391.aspx>, but that doesn't seem to work either. What would be nice to do would be to use forms authentication to pass the user credentials to a web service that could authenticate against the Kerberos realm, but all the SOAP examples out there are really confusing.
Thanks!
"Joe Kaplan" wrote:
I don't have a lot of experience with doing this, but I'm curious if you want this integration to work at the Windows level such that you can log in to Windows with an external Kerb realm (possible) and thus get that support from IIS, or if you want to find a Kerberos stack for .NET that you can integrate at the app level?
I imagine that either approach could work, but you'd be skinning the cat two totally different ways.
Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Gary" <Gary@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:03F78D62-DB86-43EE-BB25-E392A6826C73@xxxxxxxxxxxxxxxx
I'm trying to authenticate against a non-Active Directory Kerberos realm for an ASP.NET application. I've seen so much stuff out there it's not even funny -- is there a halfway easy solution?
Thanks.