Re: Smartcard authentication in a multi-tier application
- From: DaveMo <david.mowers@xxxxxxxxx>
- Date: Tue, 15 Apr 2008 08:43:35 -0700 (PDT)
On Apr 14, 10:10 pm, mj1977 <manu.ja...@xxxxxxx> wrote:
On Apr 15, 3:56 am, DaveMo <david.mow...@xxxxxxxxx> wrote:
On Apr 14, 6:31 am, mj1977 <manu.ja...@xxxxxxx> wrote:
Hi,
We have a multi-tier intranet application. The users of this
application are windows users. We have a login screen on the client
side where the user enters the username and password and on the server
we use the function LogOnUser() to authenticte this user. We get the
SID of this user and the SID plays a major part in the businees
context of the application.
We are planning to allow the user to use the smart card as well in the
new version. I was just wondering how to go about with the
implementation as we need the domain username and password of the PIN-
authenticated smartcard user.
Generally what is the best design to use smartcard in a multi-tier
application which needs to be authentiacted on the server side?
Any suggestion on implementing this would be of great help.
Thanks
Why do you have the user enter their user name and password? Do the
users log on to their desktop/laptop computers with Active Directory
credentials? If so, then the user can authenticate to the server with
the credentials associated with the logon session.
If you are going the smartcard route then this works equally as well
since SC authentication on the Windows client results in a Kerberos
ticket which can then be used to authenticate to the server.
Unless there is some mitigating circumstance, having users type a
username/password on a Windows client that is part of an Active
Directory domain is just plain wrong and probably evil :)
HTH,
Dave- Hide quoted text -
- Show quoted text -
Dave,
Thanks for the reply. We have two options on the login dialog.
Option 1
A checkbox is provided to use the windows logged in users credentials;
and in this case user need not provide the username and password.
Option 2
Allow any domain users to log on to our application apart from the
user logged on to the operating system. In this case the user is
authenticated on the server. I was just wondering how to go about with
this case if the user wants to use a smart card.- Hide quoted text -
- Show quoted text -
What is the breakdown of logons that happen with other then their
"logged on to the desktop" credentials? From there, what number of the
users who use some other credentials need to use their smartcard
credentials?
Here are the issues/points as I see them:
- Anyone can use their smartcard to logon to the desktop
- If the user logs on to their desktop w/ smartcard, then you have
bootstrapped a secure authentication mechanism using Kerb and PKInit
and you don't necessarily need to worry about doing an actual SC logon
on the server.
- If the Kerberos approach doesn't work for you, SSL/TLS supports
client certificate authentication. You can configure IIS to use client
certs if they are provided (in this case from a SC). The cert will be
mapped back to an AD account.
Dave
.
- References:
- Smartcard authentication in a multi-tier application
- From: mj1977
- Re: Smartcard authentication in a multi-tier application
- From: DaveMo
- Re: Smartcard authentication in a multi-tier application
- From: mj1977
- Smartcard authentication in a multi-tier application
- Prev by Date: Re: SHFileOperation Problem
- Next by Date: RE: C_Initialize frozen into the called CardAcquireContext function
- Previous by thread: Re: Smartcard authentication in a multi-tier application
- Next by thread: SHFileOperation Problem
- Index(es):
Relevant Pages
|
|
