Using SSPI with Custom Authentication

I'm currently working on a system that is made up of multiple Databases. The first database contains all of the user information; such as UserName, password (stored as a hash) etc... The other databases are used to provide different services, for example one of the databases may be used to store a user's auto insurance information, the other may be used to store the user's stocks. Obviously the User database is intended for authenticating the user, while the other databases provide different services; allowing users to only have one user name and password for all of our services. The issue I'm running into is this: only the User Database has enough information to perform authentication, and users need to be authenticated before accessing services on the other databases. Since the other service databases can be separated from the User Database by an internet connection they cannot ask the User database for authentication every time. So my question is this: Is there a way that I can use SSPI to create authentication credentials, but allow me to verify the user name and password myself?

It boils down to moving the security perimeter away from the server.

One way to do this is to use COM+ security. Users are authenticated outside of the server using Windows authentication, which moves the security infrastructure outside of the server. Another benefit is connection pooling--thousands of users could be supported on a single connection to the server. COM+ security can be configured with method-level granularity where you'd map methods in your classes to specific stored procedures which do all the work on the server. If you need to track users at the server level you'd need to pass that information along in your method calls to be processed as input parameters in your sprocs. On the server, security would be configured with least privilege for the designated connection, which has execute permissions only on stored procedures in each database and is denied access to all underlying data and objects. It's a lot of work, but would get you where I think you want to go.

--Mary

On Tue, 28 Mar 2006 15:46:02 -0800, anonymous <anonym***@discussions.microsoft.com> wrote:

> I'm currently working on a system that is made up of multiple Databases. The
> first database contains all of the user information; such as UserName,
> password (stored as a hash) etc... The other databases are used to provide
> different services, for example one of the databases may be used to store a
> user's auto insurance information, the other may be used to store the user's
> stocks. Obviously the User database is intended for authenticating the user,
> while the other databases provide different services; allowing users to only
> have one user name and password for all of our services. The issue I'm
> running into is this: only the User Database has enough information to
> perform authentication, and users need to be authenticated before accessing
> services on the other databases. Since the other service databases can be
> separated from the User Database by an internet connection they cannot ask
> the User database for authentication every time. So my question is this: Is
> there a way that I can use SSPI to create authentication credentials, but
> allow me to verify the user name and password myself?
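As an added example that is not part of the original thread, the serviced component below sketches the arrangement Mary describes: COM+ authenticates the Windows caller before the call reaches the component, declarative roles gate each method, every method maps to one stored procedure, all SQL connections run under the single COM+ application identity (so they share one pool), and the original caller's account name is passed to the stored procedure as an input parameter for server-side tracking. The application name, role names, stored procedure names, connection string and the server-side grants mentioned in the comments are all assumptions made for the illustration, not anything stated in the posts.

```csharp
// Added example (not from the original thread). Assumed names: COM+ application
// "InsuranceServices", roles "PolicyReaders"/"PolicyWriters", stored procedures
// dbo.usp_GetPolicy and dbo.usp_UpdatePremium, and the connection string below.
// Build as a strong-named assembly referencing System.EnterpriseServices and
// register with regsvcs.exe; then populate the roles with Windows users/groups
// in Component Services. The component never handles a password itself.
using System;
using System.Data;
using System.Data.SqlClient;
using System.EnterpriseServices;
using System.Runtime.InteropServices;
using System.Security;

[assembly: ApplicationName("InsuranceServices")]
[assembly: ApplicationActivation(ActivationOption.Server)]
// ApplicationComponent enables component- and method-level role checks.
// Privacy signs and encrypts each call; Identify lets the server learn who
// called without impersonating them, so the DB connection stays the app's own.
[assembly: ApplicationAccessControl(true,
    AccessChecksLevel = AccessChecksLevelOption.ApplicationComponent,
    Authentication = AuthenticationOption.Privacy,
    ImpersonationLevel = ImpersonationLevelOption.Identify)]
[assembly: SecurityRole("PolicyReaders")]
[assembly: SecurityRole("PolicyWriters")]

namespace InsuranceServices
{
    // Method-level security requires the secured methods to be on an interface.
    [ComVisible(true)]
    public interface IPolicyService
    {
        DataTable GetPolicy(int policyId);
        void UpdatePremium(int policyId, decimal premium);
    }

    [ComVisible(true)]
    [ComponentAccessControl(true)]
    [SecureMethod]
    public class PolicyService : ServicedComponent, IPolicyService
    {
        // One fixed identity (the COM+ application's process account) owns every
        // connection, so all callers share one pool. Assumed server-side setup
        // for that login, per the reply: GRANT EXECUTE on the two procedures,
        // no permissions on any table or view.
        private const string ConnectionString =
            "Data Source=DBSRV01;Initial Catalog=Insurance;Integrated Security=SSPI;";

        // The Windows account COM+ authenticated at the edge; forwarded to the
        // stored procedure so the server can audit per user without doing its
        // own authentication.
        private static string OriginalCaller()
        {
            if (!ContextUtil.IsSecurityEnabled)
                throw new SecurityException("COM+ role-based security is not enabled");
            return SecurityCallContext.CurrentCall.OriginalCaller.AccountName;
        }

        [SecurityRole("PolicyReaders")]
        public DataTable GetPolicy(int policyId)
        {
            // The declarative role already applies; the explicit check makes the
            // requirement visible in code and fails closed if configuration drifts.
            if (!ContextUtil.IsCallerInRole("PolicyReaders"))
                throw new UnauthorizedAccessException("PolicyReaders role required");

            using (SqlConnection conn = new SqlConnection(ConnectionString))
            using (SqlCommand cmd = new SqlCommand("dbo.usp_GetPolicy", conn))
            {
                cmd.CommandType = CommandType.StoredProcedure;
                cmd.Parameters.Add("@PolicyId", SqlDbType.Int).Value = policyId;
                cmd.Parameters.Add("@Caller", SqlDbType.NVarChar, 256).Value = OriginalCaller();
                DataTable result = new DataTable();
                conn.Open();
                using (SqlDataReader reader = cmd.ExecuteReader())
                    result.Load(reader);
                return result;
            }
        }

        [SecurityRole("PolicyWriters")]
        public void UpdatePremium(int policyId, decimal premium)
        {
            if (!ContextUtil.IsCallerInRole("PolicyWriters"))
                throw new UnauthorizedAccessException("PolicyWriters role required");

            using (SqlConnection conn = new SqlConnection(ConnectionString))
            using (SqlCommand cmd = new SqlCommand("dbo.usp_UpdatePremium", conn))
            {
                cmd.CommandType = CommandType.StoredProcedure;
                cmd.Parameters.Add("@PolicyId", SqlDbType.Int).Value = policyId;
                cmd.Parameters.Add("@Premium", SqlDbType.Money).Value = premium;
                cmd.Parameters.Add("@Caller", SqlDbType.NVarChar, 256).Value = OriginalCaller();
                conn.Open();
                cmd.ExecuteNonQuery();
            }
        }
    }
}
```

Two points a practitioner should check before relying on this: the `@Caller` value is only as trustworthy as the COM+ authentication level (with `AuthenticationOption.Privacy` the call is signed and encrypted end to end), and the server-side login must really be restricted to EXECUTE on the listed procedures, otherwise a compromised component host has full access to the data and the "perimeter" has moved nowhere.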