| Groups | Blog | Home |
asp.net security : Lightweight logon? Impersonation? - shared workstation problem
We have a business requirement to run our application on shared workstations. Additional requirement is that users are under time constraints and use the system on and off during their shift. Up to 4-5 users can share same machine during the same shift at the facility. There is no physical space to install dedicated machines, mobile devices can not be used due to security considerations and complexity of the application screens. User identity is a critical part of this application and we can not allow users share the identity. We also can not require the users to log on and log out after each data entry session that can be 15 minutes at a time, as log on takes time under our standard security profiles. We are looking at all the possible ways to meet the requirements and I am soliciting ideas, couple thoughts so far: 1. Impersonate current user on top of a generic login (I was told that impersonation "does not stick" under the Windows authentication model - can somebody confirm or prove this statement wrong?) 2. Make use of the terminal services server and autenticate users based on the smart card that they would insert into a reader and that user ID would be passed onto the session on the remote server (seems like overcomplicated solution to me) Any thoughts and pointers to possible technologies would be appreciated.
Can you disable automatic integrated authentication in IE for the machines
in question so that the users will simply be prompted to enter credentials when they access the app? Then, have them close the browser when they are done. If you have smart cards, you could also just use SSL with client cert auth. The user would need to enter their smart card and PIN to log in. Joe K. -- Joe Kaplan-MS MVP Directory Services Programming Co-author of "The .NET Developer's Guide to Directory Services Programming" http://www.directoryprogramming.net -- [quoted text, click to view] "THG" <THG@discussions.microsoft.com> wrote in message news:64150E52-C8CE-4EBD-8A03-6617B102800C@microsoft.com... > We have an Intranet ASP.NET application that is relying on AD security. > > We have a business requirement to run our application on shared > workstations. Additional requirement is that users are under time > constraints > and use the system on and off during their shift. Up to 4-5 users can > share > same machine during the same shift at the facility. There is no physical > space to install dedicated machines, mobile devices can not be used due to > security considerations and complexity of the application screens. > > User identity is a critical part of this application and we can not allow > users share the identity. We also can not require the users to log on and > log > out after each data entry session that can be 15 minutes at a time, as log > on > takes time under our standard security profiles. > > We are looking at all the possible ways to meet the requirements and I am > soliciting ideas, couple thoughts so far: > > 1. Impersonate current user on top of a generic login (I was told that > impersonation "does not stick" under the Windows authentication model - > can > somebody confirm or prove this statement wrong?) > 2. Make use of the terminal services server and autenticate users based on > the smart card that they would insert into a reader and that user ID would > be > passed onto the session on the remote server (seems like overcomplicated > solution to me) > > Any thoughts and pointers to possible technologies would be appreciated. > > > >
Joe,
Thank you for replying. Would disabling automatic integrated authentication mean that users will not have to go through a complete logon and workstation can be logged on a basic generic account? Our problem is that users might not have enough discipline to close the browser when they are done with the session, so we might have to look into closing the browser window for them at a certain time in the transaction. As for smart cards, we don't have them and the proposed solution above seems to be overly complicated, so I would use it as a last resort. Could any kind of impersonation/delegation be used on the application level on the server? [quoted text, click to view] "Joe Kaplan" wrote:
> Can you disable automatic integrated authentication in IE for the machines > in question so that the users will simply be prompted to enter credentials > when they access the app? Then, have them close the browser when they are > done. > > If you have smart cards, you could also just use SSL with client cert auth. > The user would need to enter their smart card and PIN to log in. > > Joe K. > -- > Joe Kaplan-MS MVP Directory Services Programming > Co-author of "The .NET Developer's Guide to Directory Services Programming" > http://www.directoryprogramming.net > --
Joe,
The trick here is that login takes time and therefore your proposed approach seems to result in a lengthy logon. I am looking at the ways of allowing user access to a very limited set of resources on the network, primarily on the web server for a single application, under their Windows identity, on top of a generic user account that logs the workstation on. For that, I would not want them to go through all the logon scripts and all the Windows updates that might be part of the logon process. I want them to switch context while they are in the application in a couple seconds, upon entering their login ID and password. For that, impersonation seems to be a better tool. I hope I am I explaining my problem clearly. Tamara [quoted text, click to view] "Joe Kaplan" wrote:
> Basically, if you disable automatic login with Windows Integrated Auth in > the browser, the web app will just challenge the user for credentials and > force them to log in. The login they provide to the server will then not be > coupled to the identity of the login on the workstation itself. > > You don't need any impersonation or delegation to make this work, but you > could definitely impersonate the end user in the app if you wanted to and > could delegate if you wanted to as well. > > You do need to do something to make sure the browser window is not reused by > something else. Closing it is ideal. :) > > Joe K. > -- > Joe Kaplan-MS MVP Directory Services Programming > Co-author of "The .NET Developer's Guide to Directory Services Programming" > http://www.directoryprogramming.net > -- > "THG" <THG@discussions.microsoft.com> wrote in message > news:8E838D97-2143-48A5-BDB6-63679E773FFC@microsoft.com... > > Joe, > > > > Thank you for replying. Would disabling automatic integrated > > authentication > > mean that users will not have to go through a complete logon and > > workstation > > can be logged on a basic generic account? Our problem is that users might > > not have enough discipline to close the browser when they are done with > > the > > session, so we might have to look into closing the browser window for them > > at > > a certain time in the transaction. > > > > As for smart cards, we don't have them and the proposed solution above > > seems > > to be overly complicated, so I would use it as a last resort. > > > > Could any kind of impersonation/delegation be used on the application > > level > > on the server? > > > > > > "Joe Kaplan" wrote: > > > >> Can you disable automatic integrated authentication in IE for the > >> machines > >> in question so that the users will simply be prompted to enter > >> credentials > >> when they access the app? Then, have them close the browser when they > >> are > >> done. > >> > >> If you have smart cards, you could also just use SSL with client cert > >> auth. > >> The user would need to enter their smart card and PIN to log in. > >> > >> Joe K. > >> -- > >> Joe Kaplan-MS MVP Directory Services Programming > >> Co-author of "The .NET Developer's Guide to Directory Services > >> Programming" > >> http://www.directoryprogramming.net > >> -- > > > >
Basically, if you disable automatic login with Windows Integrated Auth in
the browser, the web app will just challenge the user for credentials and force them to log in. The login they provide to the server will then not be coupled to the identity of the login on the workstation itself. You don't need any impersonation or delegation to make this work, but you could definitely impersonate the end user in the app if you wanted to and could delegate if you wanted to as well. You do need to do something to make sure the browser window is not reused by something else. Closing it is ideal. :) Joe K. -- Joe Kaplan-MS MVP Directory Services Programming Co-author of "The .NET Developer's Guide to Directory Services Programming" http://www.directoryprogramming.net -- [quoted text, click to view] "THG" <THG@discussions.microsoft.com> wrote in message news:8E838D97-2143-48A5-BDB6-63679E773FFC@microsoft.com... > Joe, > > Thank you for replying. Would disabling automatic integrated > authentication > mean that users will not have to go through a complete logon and > workstation > can be logged on a basic generic account? Our problem is that users might > not have enough discipline to close the browser when they are done with > the > session, so we might have to look into closing the browser window for them > at > a certain time in the transaction. > > As for smart cards, we don't have them and the proposed solution above > seems > to be overly complicated, so I would use it as a last resort. > > Could any kind of impersonation/delegation be used on the application > level > on the server? > > > "Joe Kaplan" wrote: > >> Can you disable automatic integrated authentication in IE for the >> machines >> in question so that the users will simply be prompted to enter >> credentials >> when they access the app? Then, have them close the browser when they >> are >> done. >> >> If you have smart cards, you could also just use SSL with client cert >> auth. >> The user would need to enter their smart card and PIN to log in. >> >> Joe K. >> -- >> Joe Kaplan-MS MVP Directory Services Programming >> Co-author of "The .NET Developer's Guide to Directory Services >> Programming" >> http://www.directoryprogramming.net >> -- >
I guess I still don't understand. If you are trying to access a website,
the login to IIS is a network login which is processed nearly instantaneously. There are no login scripts executed. Is this a web app or a local app you want to access? Joe K. -- Joe Kaplan-MS MVP Directory Services Programming Co-author of "The .NET Developer's Guide to Directory Services Programming" http://www.directoryprogramming.net -- [quoted text, click to view] "THG" <THG@discussions.microsoft.com> wrote in message news:47A89A0D-DD8E-48C4-9BE9-004593550CCF@microsoft.com... > Joe, > > The trick here is that login takes time and therefore your proposed > approach > seems to result in a lengthy logon. I am looking at the ways of allowing > user > access to a very limited set of resources on the network, primarily on the > web server for a single application, under their Windows identity, on top > of > a generic user account that logs the workstation on. For that, I would not > want them to go through all the logon scripts and all the Windows updates > that might be part of the logon process. I want them to switch context > while > they are in the application in a couple seconds, upon entering their login > ID > and password. For that, impersonation seems to be a better tool. I hope I > am > I explaining my problem clearly. > > Tamara > > "Joe Kaplan" wrote: > >> Basically, if you disable automatic login with Windows Integrated Auth in >> the browser, the web app will just challenge the user for credentials and >> force them to log in. The login they provide to the server will then not >> be >> coupled to the identity of the login on the workstation itself. >> >> You don't need any impersonation or delegation to make this work, but you >> could definitely impersonate the end user in the app if you wanted to and >> could delegate if you wanted to as well. >> >> You do need to do something to make sure the browser window is not reused >> by >> something else. Closing it is ideal. :) >> >> Joe K. >> -- >> Joe Kaplan-MS MVP Directory Services Programming >> Co-author of "The .NET Developer's Guide to Directory Services >> Programming" >> http://www.directoryprogramming.net >> -- >> "THG" <THG@discussions.microsoft.com> wrote in message >> news:8E838D97-2143-48A5-BDB6-63679E773FFC@microsoft.com... >> > Joe, >> > >> > Thank you for replying. Would disabling automatic integrated >> > authentication >> > mean that users will not have to go through a complete logon and >> > workstation >> > can be logged on a basic generic account? Our problem is that users >> > might >> > not have enough discipline to close the browser when they are done with >> > the >> > session, so we might have to look into closing the browser window for >> > them >> > at >> > a certain time in the transaction. >> > >> > As for smart cards, we don't have them and the proposed solution above >> > seems >> > to be overly complicated, so I would use it as a last resort. >> > >> > Could any kind of impersonation/delegation be used on the application >> > level >> > on the server? >> > >> > >> > "Joe Kaplan" wrote: >> > >> >> Can you disable automatic integrated authentication in IE for the >> >> machines >> >> in question so that the users will simply be prompted to enter >> >> credentials >> >> when they access the app? Then, have them close the browser when they >> >> are >> >> done. >> >> >> >> If you have smart cards, you could also just use SSL with client cert >> >> auth. >> >> The user would need to enter their smart card and PIN to log in. >> >> >> >> Joe K. >> >> -- >> >> Joe Kaplan-MS MVP Directory Services Programming >> >> Co-author of "The .NET Developer's Guide to Directory Services >> >> Programming" >> >> http://www.directoryprogramming.net >> >> -- >> > >> >> >>
Don't see what you're looking for? Try a search.
|
July 2003
August 2003
September 2003
October 2003
November 2003
December 2003
January 2004
February 2004
March 2004
April 2004
May 2004
June 2004
July 2004
August 2004
September 2004
October 2004
November 2004
December 2004
January 2005
February 2005
March 2005
April 2005
May 2005
June 2005
July 2005
August 2005
September 2005
October 2005
November 2005
December 2005
January 2006
February 2006
March 2006
April 2006
May 2006
June 2006
July 2006
August 2006
September 2006
October 2006
November 2006
December 2006
January 2007
February 2007
March 2007
April 2007
May 2007
June 2007
July 2007
August 2007
September 2007
October 2007
November 2007
December 2007
January 2008
February 2008
March 2008
April 2008
May 2008
June 2008
| home · blog · groups | Questions? Comments? Contact the dn |