Intranet app via remote location (Internet)
Intranet app via remote location (Internet) Troy S.
4/10/2008 11:14:00 AM
Hello all. I am developing a 2.0 web site whereby the client wants to give
access to everyone in their company's domain (I assume that means Active
Directory). The site will be accessed from the Internet (outside the
company's intranet). Once logged in, I will grab the authenticated user's
identity and search SQL tables for their app-specific rights. I have
wrestled with the proper settings to enable this functionality but have yet
to stumble upon the correct solution.

I would think Allow Anonymous Access would be turned off via IIS and
web.config would have something similar to the following in it:

<authentication mode="Windows"/>
<identity impersonate="true"/>
<authorization>
<allow roles="app-specific-role-name" />
<deny users="*" />
</authorization>

I'd greatly appreciate any insight you have or even links to proper
resources. Take care.

Re: Intranet app via remote location (Internet) Joe Kaplan
4/10/2008 3:03:34 PM
How do you want the auth to be done? Your basic options are Windows auth or
Forms auth. Making Windows auth work outside the firewall can be a
challenge as Kerberos requires access to a domain controller and NTLM can be
hard to get working well across firewalls and load balancers (although it
can work). Basic auth actually works fine but requires SSL for security and
won't provide SSO (although maybe you aren't expecting that for the
internet-based users).

All of those options assume the server is domain joined so that it can
authenticate these users.

To use forms auth, you would probably want to use the Active Directory
membership provider. Perhaps since you have custom roles in SQL you would
want to implement a custom SQL-based role provider. You might want to do
that regardless of whether you use Windows auth or Forms auth.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--

Re: Intranet app via remote location (Internet) Troy S.
4/10/2008 4:03:00 PM
Joe, thanks for your time and informative reply.


I've always used Forms authentication in conjunction with my own SQL tables
(Users, Roles, etc) so I'm not sure how to answer your question. I've never
tried to utilize Active Directory for an internet application but I've had to
maintain a few apps that do (code is ugly and monstrous, using third-party
components).

I've not yet seen an elegant way to make Windows prompt the user for their
Windows un & pw and then allow them access to the site, which is the
functionality I need (just like RDPing to my work machine from home--fill in
my un & pw and I can then access all the network resources I normally have
access to).

I'm not sure about the domain controller. All I know at the moment is the
client has an intranet with many machines connected to it and wants to host
this new site on one of their machines, using existing Windows accounts for
authentication.

I will research the Active Directory membership provider and see where that
leads me. Hopefully I find the veritable pot of gold.

Take care.

Troy

Re: Intranet app via remote location (Internet) Joe Kaplan
4/10/2008 9:24:30 PM
I find it strange that you've had such bad experiences with Windows auth as
you usually don't have to do anything to make it work. Just enable Windows
auth in IIS, disable anonymous and set ASP.NET to Windows auth mode. It
just works. If the IIS box is domain-joined, it will authenticate against
AD. There is no code to write.

The question is still whether you want to use Windows auth or forms auth.
If you choose to go with forms auth, the AD membership provider is the
easiest solution.

Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
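The forms-auth route Joe describes above (AD membership provider for login, a SQL role provider for the app-specific rights), written out as a web.config fragment. This is an added example, not code from either poster; the connection strings, service account, database and role names are placeholders you would substitute for the client's own.

```xml
<configuration>
  <connectionStrings>
    <!-- Placeholder DC and naming context; a DC=... container is required when
         attributeMapUsername is sAMAccountName. -->
    <add name="ADConnectionString"
         connectionString="LDAP://dc01.corp.example.com/DC=corp,DC=example,DC=com" />
    <!-- Placeholder database holding the app-specific Users/Roles tables. -->
    <add name="AppRolesDb"
         connectionString="Server=sqlhost;Database=AppSecurity;Integrated Security=SSPI" />
  </connectionStrings>
  <system.web>
    <!-- Forms auth: credentials travel in the POST body, so requireSSL keeps the
         cookie off plain HTTP, and protection="All" encrypts and signs the ticket. -->
    <authentication mode="Forms">
      <forms name=".ADAuthCookie" loginUrl="Login.aspx" timeout="30"
             requireSSL="true" slidingExpiration="false" protection="All" />
    </authentication>
    <!-- Deny anonymous users site-wide; page- or folder-level rules refine this. -->
    <authorization>
      <deny users="?" />
    </authorization>
    <membership defaultProvider="ADMembershipProvider">
      <providers>
        <clear />
        <!-- connectionProtection="Secure" forces SSL or signed/sealed LDAP to the DC.
             The bind account is optional on a domain-joined box (the app pool identity
             is used instead); if set, encrypt this section with aspnet_regiis -pe. -->
        <add name="ADMembershipProvider"
             type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
             connectionStringName="ADConnectionString"
             connectionUsername="CORP\svc-webauth"
             connectionPassword="PLACEHOLDER-encrypt-with-aspnet_regiis"
             connectionProtection="Secure"
             attributeMapUsername="sAMAccountName"
             enableSearchMethods="false" />
      </providers>
    </membership>
    <!-- Roles come from SQL, not AD, so the same roleManager block works unchanged
         if the site is later switched to Windows auth. -->
    <roleManager enabled="true" defaultProvider="SqlRoleProvider">
      <providers>
        <clear />
        <add name="SqlRoleProvider" type="System.Web.Security.SqlRoleProvider"
             connectionStringName="AppRolesDb" applicationName="/IntranetApp" />
      </providers>
    </roleManager>
  </system.web>
  <!-- Example of the role-based rule from the original post, scoped to one folder. -->
  <location path="Admin">
    <system.web>
      <authorization>
        <allow roles="app-specific-role-name" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

The SqlRoleProvider expects the schema created by aspnet_regsql; mapping to existing custom Users/Roles tables instead means writing a RoleProvider subclass, which is the custom provider Joe mentions.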

Re: Intranet app via remote location (Internet) Troy S.
4/11/2008 7:09:02 AM

Those are specific instructions that even I understand. I will give that a
go and see if it passes the client's muster.


I wish I knew. From what little I understand, using Windows auth from
outside the Internet firewall is inviting headaches but that's just based on
random postings I've reviewed. I've looked at the AD m.p. and it doesn't
seem too complicated (still not a plug-n-play kind of option--I love
programming but hate the security-related quicksand). If the above option is
shot down then I'll tackle the AD MP option.

Thanks again for your time and effort.
