Re: Client/server application and Windows Integrated Auth

From: Joe Kaplan (MVP - ADSI) (joseph.e.kaplan_at_removethis.accenture.com)
Date: 02/02/05


Date: Tue, 1 Feb 2005 23:03:05 -0600

Why not let the datastore authenticate the user and do the authorization
then? Like some others have pointed out on this thread, doing authorization
on the client might be potentially dangerous. If the user is an admin and
can attach a debugger, they can do whatever they want to your code. They
can't do this to the server though.

Hacking the kernel mode security stuff on the workstation is actually fairly
hard to do (overcoming file ACLs and stuff that is protected by kernel
objects), but all bets are still off if the local user is an admin.

It really depends on how important it is that your security can't be hacked
(what is the real threat) and what your deployment environment is like, but
remember that people put security on the server and try to keep others from
running debuggers on it for a reason.

Joe K.

>
> The setup I described does not involve a server component - i.e. there is
> no webserver. There is only a client application (i.e. WinForms) that
> connects directly to the datastore, i.e. the client application does the
> authentication.
>
> So my thinking is that since the application's execution environment
> cannot be controlled you cannot merely rely on the fact that a
> "DOMAIN\username" is authenticated since the application can be put in a
> domain with the same name and run by a user with the same username.
>
> Does this make more sense?
>
> Cheers
> Joubert
>
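Joe's suggestion (let the datastore authenticate the connection and make the authorization decision itself) in concrete form, as an added example that is not from the thread. It is T-SQL for SQL Server, which the thread does not name but is the usual datastore behind a WinForms client using Windows Integrated Authentication; the domain CORP, the groups AppUsers and AppAdmins, the database AppDb, the server name sql01 and the Orders table are hypothetical. The point it shows is that none of the checks below run on the client, so a local admin with a debugger attached to the WinForms process gains nothing, and a workstation in a look-alike "CORP" domain never maps to the CORP logins because the server, not the client, performs the Windows authentication.

```sql
-- Added example, not from the thread. Assumes SQL Server as the datastore and a
-- WinForms client connecting with "Integrated Security=SSPI" (Windows auth).
-- CORP, AppUsers, AppAdmins, AppDb and dbo.Orders are hypothetical names.

-- 1. Logins for Windows groups in the real domain. The server authenticates the
--    connection itself (Kerberos/NTLM against CORP's domain controllers), so a
--    workstation joined to a look-alike "CORP" domain with no trust relationship
--    cannot map to these logins, whatever DOMAIN\username it claims to be.
CREATE LOGIN [CORP\AppUsers]  FROM WINDOWS;
CREATE LOGIN [CORP\AppAdmins] FROM WINDOWS;
GO

USE AppDb;
GO
CREATE USER [CORP\AppUsers]  FOR LOGIN [CORP\AppUsers];
CREATE USER [CORP\AppAdmins] FOR LOGIN [CORP\AppAdmins];
GO

-- Minimal table so the script runs on its own. Owned by dbo, like the
-- procedures below, so ownership chaining lets the procedures read and write it
-- without any table permission ever being granted to the client's roles.
CREATE TABLE dbo.Orders (
    OrderId int         NOT NULL PRIMARY KEY,
    Owner   sysname     NOT NULL,   -- DOMAIN\username of the order's owner
    Status  varchar(16) NOT NULL
);
GO

-- 2. Authorization logic runs on the server against the identity the server
--    authenticated. SUSER_SNAME() and IS_MEMBER() read the login token of the
--    connection; neither is a value the client passes in, so patching the
--    client cannot change them.
CREATE PROCEDURE dbo.GetOrders
AS
BEGIN
    SET NOCOUNT ON;
    -- IS_MEMBER returns NULL for an unknown group; ISNULL keeps that on the
    -- restricted path instead of letting it slip past a <> comparison.
    IF ISNULL(IS_MEMBER('CORP\AppAdmins'), 0) = 1
        SELECT OrderId, Owner, Status FROM dbo.Orders;
    ELSE
        SELECT OrderId, Owner, Status FROM dbo.Orders
        WHERE Owner = SUSER_SNAME();
END
GO

CREATE PROCEDURE dbo.CancelOrder @OrderId int
AS
BEGIN
    SET NOCOUNT ON;
    -- Defence in depth: EXECUTE is only granted to admins below, but the
    -- procedure re-checks so a later GRANT mistake does not silently widen access.
    IF ISNULL(IS_MEMBER('CORP\AppAdmins'), 0) <> 1
    BEGIN
        RAISERROR('Not authorized to cancel orders.', 16, 1);
        RETURN;
    END
    UPDATE dbo.Orders SET Status = 'Cancelled' WHERE OrderId = @OrderId;
END
GO

-- 3. Database roles carry the permissions; Windows group membership decides who
--    gets them. (On SQL Server 2005/2008 use EXEC sp_addrolemember instead of
--    ALTER ROLE ... ADD MEMBER.)
CREATE ROLE app_reader;
CREATE ROLE app_admin;
ALTER ROLE app_reader ADD MEMBER [CORP\AppUsers];
ALTER ROLE app_admin  ADD MEMBER [CORP\AppAdmins];

-- 4. The client gets EXECUTE on procedures only and no permission on the table.
--    Whatever a user does to the WinForms process, the connection still arrives
--    as the same Windows principal and can still only call these procedures.
GRANT EXECUTE ON dbo.GetOrders   TO app_reader;
GRANT EXECUTE ON dbo.GetOrders   TO app_admin;
GRANT EXECUTE ON dbo.CancelOrder TO app_admin;
GO
```

The client then connects with a string such as `Server=sql01;Database=AppDb;Integrated Security=SSPI` and carries no credential of its own. In Joubert's scenario (same DOMAIN\username, but on a machine joined to a different domain that happens to be called CORP), the server's own authentication of the connection fails because no trust exists with that domain; SQL Server reports error 18452, "Login failed. The login is from an untrusted domain and cannot be used with Windows authentication", and the roles above are never reached. The caveat a practitioner should keep in mind is that this only holds while the server accepts Windows authentication alone: a mixed-mode SQL login whose password ships inside the client binary would give a debugger-equipped user a second door with whatever rights that login has, so either leave mixed mode off or hold any SQL login to the same EXECUTE-only grants.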


