Re: Confusion on standard security methodologies.

From: Karl Levinson [x y] mvp (levinson_k@excite.com)
Date: 01/14/03


From: "Karl Levinson [x y] mvp" <levinson_k@excite.com>
Date: Tue, 14 Jan 2003 16:55:39 -0500


"Pete Grazaitis" <pjgratz@yahoo.com> wrote in message
news:20f7835.0301141254.483e1927@posting.google.com...

> -How do remote clients authenticate to the domain? I would like to
> use Integrated Authentication with Kerberos, seems to be the standard
> - but may not be the best. I could do delegation with Basic Auth and
> Active directory. Or X.509 Certs mapped to accounts?

Integrated authentication in IIS is not really standard or advisable over
the internet, as it requires Windows, Internet Explorer and does not work
through proxy servers or firewalls [supposedly]. Other clients are out of
luck. You could have the clients use VPN to connect to the internal network
and access the server from there... however, their home computers would
probably not reliably be able to always authenticate to the domain,
especially if they have a domain controller they already log into.

Another solution, possibly better, would be to use Basic authentication with
HTTPS / certificate on the web server for encryption, and have the web
server authenticate with the domain controller. However, that would require
the domain controller be reachable from your web server, so that if a hacker
cracked your web server, they would potentially have easy access to your
domain account database and possibly more.

Or, you can set up a user table within the SQL database and authenticate the
users to that table, though passwords would not automatically sync with the
domain password without some extra coding on your part.

> -Some of these users do not have NT accounts, and really don't need to
> have it. I would like to keep this server off of my domain. Would I
> still need to create an active directory account for kerberos and then
> institute a domain trust?

Kerberos is based on time being correct between the authentication server
and the client, so I'm not sure it's a good choice for web authentication
from PCs not under your control. I also don't think it's the norm. SSL /
HTTPS encryption to and from the server or VPN is I think more typical for
encrypting the authentication, and client certificates if you feel you need
stronger authentication of clients.

I do believe you need a Windows 2000 domain controller [e.g. active
directory] to do Windows 2000 kerberos, since kerberos is built around a
central KDC server that already has the user's credentials stored
beforehand. You could try implementing a third party kerberos solution, I
suppose, but don't know if that would be possible or desirable, and you'd
still need a central KDC server.

> -Is it possible to use SQL mixed mode and for those that happen to
> have an NT account authenticate this way for others use a hash based
> authentication scheme?

Well, yes, but AFAIK the Integrated Windows authentication again requires
NetBIOS which is not desirable across the internet or through a firewall,
unless you are using something like VPN. For internet web apps, I think it
is more typical for the web server to use a single shared logon to access
the SQL data via, say, SQL authentication, have the user authenticate with a
unique login ID to the web server, and then use a user table within SQL to
determine what rights the unique user login ID should have.

www.sqlsecurity.com should have some information on this.
http://securityadmin.info/ may have some links to articles on writing web
application code securely.

As far as the network architecture, for a serious web site, you'd want a
typical DMZ, either a tri-homed host or two firewalls with a DMZ in between
them. You'd want the web server in the DMZ and as little permissions as
possible for the web server to talk to the internal network. There is
probably some leeway for placement of the SQL server and domain controller.
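As an added worked example of the design Karl suggests above (the web server holds one shared application login to SQL, each user authenticates with a unique login ID against a user table, and a rights table decides what that user may do), this is not code from the thread; SQLite stands in for SQL Server, the PBKDF2 work factor is an assumption, and all users, passwords and rights are constructed sample data:

```python
"""Added example: per-user authentication and authorisation from a user table
reached through a single shared application login (SQLite in place of SQL
Server; all users, passwords and rights below are constructed sample data)."""
import hashlib
import hmac
import os
import sqlite3

PBKDF2_ROUNDS = 200_000  # assumed work factor; tune for your own hardware


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 so the table never holds a reusable secret."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def open_app_db() -> sqlite3.Connection:
    """The web server's one shared connection (SQL authentication in the
    thread's terms).  Sample users are inserted here as constructed data."""
    db = sqlite3.connect(":memory:")
    db.executescript(
        "CREATE TABLE web_user (login TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB);"
        "CREATE TABLE user_priv (login TEXT, priv TEXT, PRIMARY KEY (login, priv));"
    )
    for login, pw, privs in [("alice", "correct horse", ["read", "report"]),
                             ("bob", "battery staple", ["read"])]:
        salt = os.urandom(16)
        db.execute("INSERT INTO web_user VALUES (?, ?, ?)",
                   (login, salt, hash_password(pw, salt)))
        db.executemany("INSERT INTO user_priv VALUES (?, ?)", [(login, p) for p in privs])
    return db


def authenticate(db: sqlite3.Connection, login: str, password: str) -> bool:
    """Verify the password against the stored salted hash.  Parameterised query
    (no string building) and a constant-time compare of the derived key."""
    row = db.execute("SELECT salt, pw_hash FROM web_user WHERE login = ?",
                     (login,)).fetchone()
    if row is None:
        hash_password(password, b"\0" * 16)  # same cost for unknown logins
        return False
    salt, stored = row
    return hmac.compare_digest(hash_password(password, salt), stored)


def rights_for(db: sqlite3.Connection, login: str) -> set:
    """Authorisation comes from the user's own row, not from the shared SQL login."""
    return {p for (p,) in db.execute("SELECT priv FROM user_priv WHERE login = ?", (login,))}
```

The shared SQL login needs only the rights this application itself requires; everything user-specific is decided from the tables, so compromising one web user never grants the application's database privileges to that user.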


