Non-AD Kerberos authentication



I've been posting back and forth with Joe Kaplan (his most recent post is
directly below) in microsoft.public.dotnet.security and he suggested I post
here. Basically, what I'm trying to do is set up an ASP.NET application to
authenticate users through a Kerberos implementation on a Unix system. I
don't have any access to do anything on the Unix system, so I need to do
something Windows-side.

The implementation doesn't have to be .NET -- I can probably take anything
and convert it to what I need, but I just don't know how to specify the
Kerberos realm, etc. when doing the authentication. I would think this would
be something simple.

Thanks!!

--------------------------------------------------------------------------------------

I'm not sure where the piece of code is that gives you a high level Kerberos
wrapper that runs on Windows. I'm pretty sure all of the APIs are there in
Windows to do it yourself, but I'm not an expert at this.

If the code exists on the Unix side, then a web service wrapper hosted on
Apache on the Unix side would probably be pretty easy to put together as
well.

Maybe someone else here will post on the thread and provide some ideas. You
might also try asking how to do non-AD Kerberos auth in Windows without .NET
in the microsoft.public.platformsdk.security newsgroup and see what they
say. If a native solution can be created easily, it probably would not be
hard to p/invoke that from .NET to get your integration.

Best of luck,

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Gary" <Gary@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:EE7D0FDA-F14F-4712-8C85-CF79017254D0@xxxxxxxxxxxxxxxx
You're right -- I haven't been able to find that piece of code anywhere. All
the code there seems to be more building block-type examples that I don't
need. I'm not concerned about port access, but I don't have a lot of help
from the folks that manage the Kerberos realm, as they're all UNIX guys.
This is a new app, so I'm not doing any authentication as of yet (I've done
straight AD/Windows authentication and SQL Server/Forms authentication in
the past). I'm just trying to not have usernames/passwords stored in
multiple data sources.

If you've got a lead as to where such a piece of code might be I'd greatly
appreciate it.

"Joe Kaplan" wrote:

If you want to do forms auth and use plaintext credentials (instead of
trying to make this work with integrated Windows auth), then this should be
something that is pretty doable.

The trick is to find a piece of code running somewhere that can take a
username and password and authenticate it against your Kerb realm. Then,
you just need an appropriate wrapper around that which can be used to call
it remotely from your ASP.NET app.

The web service approach makes a lot of sense for your remoting wrapper, but
there are other ways to do that. If you can get some Windows code that can
do the authentication for you, I would think you could do this as an
in-process call directly from ASP.NET in the forms authentication event
handler. This would require having appropriate port 88 access to the kerb
realm from the web server, obviously.

How are you able to authenticate programmatically now?

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Gary" <Gary@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:9B8F838D-62D5-4B4F-A3D0-357183419ACE@xxxxxxxxxxxxxxxx
I'm looking for the second one. This is a UNIX realm, and I just can't find
anything. I did find IISPassword
<http://www.troxo.com/products/iispassword/>, but that only does basic
authentication, and I also took a look at MADAM
<http://msdn2.microsoft.com/en-us/library/aa479391.aspx>, but that doesn't
seem to work either. What would be nice to do would be to use forms
authentication to pass the user credentials to a web service that could
authenticate against the Kerberos realm, but all the SOAP examples out there
are really confusing.

Thanks!

"Joe Kaplan" wrote:

I don't have a lot of experience with doing this, but I'm curious if you
want this integration to work at the Windows level such that you can log in
to Windows with an external Kerb realm (possible) and thus get that support
from IIS, or if you want to find a Kerberos stack for .NET that you can
integrate at the app level?

I imagine that either approach could work, but you'd be skinning the cat two
totally different ways.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Gary" <Gary@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:03F78D62-DB86-43EE-BB25-E392A6826C73@xxxxxxxxxxxxxxxx
I'm trying to authenticate against a non-Active Directory Kerberos realm for
an ASP.NET application. I've seen so much stuff out there it's not even
funny -- is there a halfway easy solution?

Thanks.