Implementing Kerberos Authentication

Hi

I am developing an ASP.Net (Internet) application. I am using Active Directory for storing and authenticating users. I want to use Forms Authentication.

Can I implement Kerberos authentication?
Can I simulate the Windows login from ASP.net code?
Is this achievable?

Any ideas????

Hello bkj,
there are at least two ways

a) use LDAP to authenticate against AD
b) call LogonUser in your application

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

The big question here is "why" though? There is already a built in
mechanism to support Kerberos authentication through the browser and Windows auth in IIS and ASP.NET. I never understand why people want to kill themselves trying to get the same stuff to work well with Forms auth. It is so much extra work.

Joe K.

Hello Joe,
you are right - that's the other question - I started answering the first one :)

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

Hi Guys,
Thanks for the replies.

I am using LDAP to authenticate the user against Active Directory. It is working fine.
If I use the LogonUserA method, will it log the user in to the domain and create Kerberos tickets?

I understand it is so much extra work. The user does not like the Windows login screen appearing when they go to the website. They need pretty forms instead. That is why I am using forms authentication.

Are there any major security threats in doing so?

Thanks and Regards
Biju

The major issue from my standpoint is that you need to call LogonUser on
every single request that comes through the pipeline in order to have a token for each request. Doing that means you need the user's plain text password, so you need to store that securely somewhere. You basically need to use session state or a cookie and just try to make that secure. Alternately, you could try to cache the user's token somehow and reuse that in between requests.

LogonUser will use the Negotiate protocol to log the user in on the local machine, so that should use Kerberos if possible, although it may fall back to NTLM.

Why is it that you need Kerberos tickets, out of curiosity?

Joe K.

Hi Joe,
Thanks for the reply.

The scenario is users will be accessing my web application and at some point they need to go to a document library set up in SharePoint Portal Server 03. Users don't want to be challenged for security here again as they have logged in already. We need to apply user-level security in SharePoint as well to control what each of them has access to.

I was led to believe that if we generate Kerberos tickets then I can impersonate that onto the ASP.NET worker process, so each request made thereafter will be under the logged-in user's credentials. Is this the case?

Basically, I need the requests to the application and SharePoint to be under the logged-in user's credentials.

Is this achievable??

If I follow this model, what are the security risks I am facing?

Thanks and regards
Biju

If you use the LogonUser API and use an option that provides network
credentials, then you should be able to impersonate the resulting token and use that to access SharePoint via a web service call or HttpWebRequest. Also, if you have their plain text password, you don't even need to impersonate. Just create an appropriate NetworkCredentials object and associate it with the web request.

You should only need Kerberos delegation if you are using Windows authentication on your application with IWA and want to access SharePoint via impersonation.

Joe K.
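
The two options from the last reply, sketched in C# as an added example (not code posted by anyone in the thread). The class and method names are hypothetical; it assumes the caller holds the user's password only for the duration of the call and that the target URL is a SharePoint endpoint using Windows authentication.

```csharp
using System;
using System.ComponentModel;
using System.IO;
using System.Net;
using System.Runtime.InteropServices;
using System.Security.Principal;

static class SharePointFetch {            // hypothetical helper, not from the thread
    const int LOGON32_LOGON_NETWORK_CLEARTEXT = 8; // token retains network credentials
    const int LOGON32_PROVIDER_DEFAULT = 0;

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string user, string domain, string password,
        int logonType, int logonProvider, out IntPtr token);
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr handle);

    static string Read(HttpWebRequest req) {
        using (WebResponse resp = req.GetResponse())
        using (StreamReader r = new StreamReader(resp.GetResponseStream()))
            return r.ReadToEnd();
    }

    // Option 1: no impersonation; the credential is attached to this one request.
    public static string WithCredential(string url, string user, string pwd, string domain) {
        HttpWebRequest req = (HttpWebRequest)WebRequest.Create(url);
        req.Credentials = new NetworkCredential(user, pwd, domain);
        return Read(req);
    }

    // Option 2: LogonUser, impersonate on this thread, send the thread identity.
    public static string Impersonated(string url, string user, string pwd, string domain) {
        IntPtr token;
        if (!LogonUser(user, domain, pwd, LOGON32_LOGON_NETWORK_CLEARTEXT,
                       LOGON32_PROVIDER_DEFAULT, out token))
            throw new Win32Exception(Marshal.GetLastWin32Error());
        WindowsImpersonationContext ctx = null;
        try {
            // WindowsIdentity duplicates the token, so ours is closed below.
            ctx = new WindowsIdentity(token).Impersonate();
            HttpWebRequest req = (HttpWebRequest)WebRequest.Create(url);
            req.Credentials = CredentialCache.DefaultCredentials;
            return Read(req);
        } finally {
            if (ctx != null) ctx.Undo();  // revert to the worker-process identity
            CloseHandle(token);           // release the logon token on every path
        }
    }
}
```

Both paths need the plain text password at call time, which is the storage problem raised earlier in the thread; the `finally` block matters because a thread left impersonating would serve the next request under the wrong identity.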