Re: Smartcard authentication in a multi-tier application



On Apr 15, 3:56 am, DaveMo <david.mow...@xxxxxxxxx> wrote:
On Apr 14, 6:31 am, mj1977 <manu.ja...@xxxxxxx> wrote:





Hi,

We have a multi-tier intranet application. The users of this
application are windows users. We have a login screen on the client
side where the user enters the username and password and on the server
we use the function LogOnUser() to authenticate this user. We get the
SID of this user and the SID plays a major part in the business
context of the application.

We are planning to allow the user to use the smart card as well in the
new version. I was just wondering how to go about with the
implementation as we need the domain username and password of the PIN-
authenticated smartcard user.

Generally what is the best design to use smartcard in a multi-tier
application which needs to be authenticated on the server side?

Any suggestion on implementing this would be of great help.

Thanks

Why do you have the user enter their user name and password? Do the
users log on to their desktop/laptop computers with Active Directory
credentials? If so, then the user can authenticate to the server with
the credentials associated with the logon session.

If you are going the smartcard route then this works equally as well
since SC authentication on the Windows client results in a Kerberos
ticket which can then be used to authenticate to the server.

Unless there is some mitigating circumstance, having users type a
username/password on a Windows client that is part of an Active
Directory domain is just plain wrong and probably evil :)

HTH,
Dave

Dave,

Thanks for the reply. We have two options on the login dialog.

Option 1

A checkbox is provided to use the Windows logged-in user's credentials;
and in this case the user need not provide the username and password.

Option 2

Allow any domain users to log on to our application apart from the
user logged on to the operating system. In this case the user is
authenticated on the server. I was just wondering how to go about with
this case if the user wants to use a smart card.
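
The approach in Dave's quoted reply, where the server authenticates the caller from the Windows logon session instead of calling LogOnUser() with a typed password, shown as an added example that is not part of the original thread. It uses .NET's NegotiateStream on Windows; the port number and the SPN string are hypothetical, and client and server share one process only to keep the example self-contained.

```csharp
using System;
using System.Net;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Principal;
using System.Threading.Tasks;

class LogonSessionAuthDemo
{
    const int Port = 5055;                      // hypothetical port
    const string ServerSpn = "HOST/localhost";  // hypothetical SPN of the server tier

    // Server tier: run the Negotiate handshake and read the caller's SID from
    // the authenticated identity. No username or password reaches this code.
    static SecurityIdentifier AuthenticateCaller(TcpListener listener)
    {
        using (TcpClient conn = listener.AcceptTcpClient())
        using (var auth = new NegotiateStream(conn.GetStream(), false))
        {
            auth.AuthenticateAsServer(
                CredentialCache.DefaultNetworkCredentials,
                ProtectionLevel.EncryptAndSign,
                TokenImpersonationLevel.Identification);
            var caller = (WindowsIdentity)auth.RemoteIdentity;
            Console.WriteLine("Authenticated caller: " + caller.Name);
            return caller.User;  // the SID the business logic keys on
        }
    }

    static void Main()
    {
        var listener = new TcpListener(IPAddress.Loopback, Port);
        listener.Start();
        Task<SecurityIdentifier> server = Task.Run(() => AuthenticateCaller(listener));

        // Client tier: DefaultNetworkCredentials means "the current logon session",
        // whether that session was opened with a password or a smart card and PIN.
        // Negotiate uses Kerberos when a ticket for the SPN is available, else NTLM.
        using (var client = new TcpClient())
        {
            client.Connect(IPAddress.Loopback, Port);
            using (var auth = new NegotiateStream(client.GetStream(), false))
                auth.AuthenticateAsClient(CredentialCache.DefaultNetworkCredentials,
                    ServerSpn, ProtectionLevel.EncryptAndSign,
                    TokenImpersonationLevel.Identification);
        }
        Console.WriteLine("Caller SID: " + server.Result);
        listener.Stop();
    }
}
```

This covers Option 1 in the post above (the logged-on user's credentials); it does not address Option 2.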
