|
|
You're in the
dotnet security
group:Implementing Kerberos Authentication
dotnet security:
I am developing ASP.Net(Internet) application. I am using Active directory for storing and authenticating users. I want to use Forms Authentication Can I implement Kerberos authentication ? Can I simulate the windows login from ASP.net code? Is this Achievable? Any Ideas????
Hello bkj,
there are at least two ways a) use LDAP to authenticate against AD b) call LogonUser in your application --------------------------------------- Dominick Baier - DevelopMentor http://www.leastprivilege.com [quoted text, click to view] > Hi > > I am developing ASP.Net(Internet) application. I am using Active > directory for storing and authenticating users. I want to use Forms > Authentication > > Can I implement Kerberos authentication ? > Can I simulate the windows login from ASP.net code? > Is this Achievable? > > Any Ideas???? >
The big question here is "why" though? There is already a built in
mechanism to support Kerberos authentication through the browser and Windows auth in IIS and ASP.NET. I never understand why people want to kill themselves trying to get the same stuff to work well with Forms auth. It is so much extra work. Joe K. "Dominick Baier [DevelopMentor]" <dbaier@pleasepleasenospamdevelop.com> [quoted text, click to view] wrote in message news:794906632605986596362688@news.microsoft.com... > Hello bkj, > > there are at least two ways > > a) use LDAP to authenticate against AD > b) call LogonUser in your application > > --------------------------------------- > Dominick Baier - DevelopMentor > http://www.leastprivilege.com > >> Hi >> >> I am developing ASP.Net(Internet) application. I am using Active >> directory for storing and authenticating users. I want to use Forms >> Authentication >> >> Can I implement Kerberos authentication ? >> Can I simulate the windows login from ASP.net code? >> Is this Achievable? >> >> Any Ideas???? >> > > >
Hello Joe,
you are right - thats the other questions - i started answering the first one :) --------------------------------------- Dominick Baier - DevelopMentor http://www.leastprivilege.com [quoted text, click to view] > The big question here is "why" though? There is already a built in > mechanism to support Kerberos authentication through the browser and > Windows auth in IIS and ASP.NET. I never understand why people want > to kill themselves trying to get the same stuff to work well with > Forms auth. It is so much extra work. > > Joe K. > > "Dominick Baier [DevelopMentor]" > <dbaier@pleasepleasenospamdevelop.com> wrote in message > news:794906632605986596362688@news.microsoft.com... > >> Hello bkj, >> >> there are at least two ways >> >> a) use LDAP to authenticate against AD >> b) call LogonUser in your application >> --------------------------------------- >> Dominick Baier - DevelopMentor >> http://www.leastprivilege.com >>> Hi >>> >>> I am developing ASP.Net(Internet) application. I am using Active >>> directory for storing and authenticating users. I want to use Forms >>> Authentication >>> >>> Can I implement Kerberos authentication ? >>> Can I simulate the windows login from ASP.net code? >>> Is this Achievable? >>> Any Ideas???? >>>
Hi Guys,
Thanks for the replies I am using LDAP to authenticate user against the active directory. It is working fine. If I use LogonUserA method will it login user to the domain and create kerberos tickets. I understand it is so much extra work.The user does not like use windows login screen appearing when they go the website. They need pretty forms insted. That is why i am using forms authentication. Is there any major security threats in doing so? Thanks and Regards Biju
Hi Joe,
Thanks for the reply. The scenario is users will be accessing my web application and at some point they need to go to a document library setup in sharepoint portal server03. users dont want to be challenged for security here again as they have logged in already.we need apply user level security in sharepoint as well to control what each of them has access to. I was lead to belive that if we generate Kerberos tickets then i can Impersonate that onto ASP.NET worker process, so each request made there after will be under the logged in users credentials. Is this the case? Basically, I need the requests to the application and sharepoint to be under the logged in users credential. Is this acheivable?? If I follow this model what are security risks I am facing? Thanks and regards Biju
The major issue from my standpoint is that you need to call LogonUser on
every single request that comes through the pipeline in order to have a token for each request. Doing that means you need the user's plain text password, so you need to store that securely somewhere. You basically need to use session state or a cookie and just try to make that secure. Alternately, you could try to cache the user's token somehow and reuse that in between requests. LogonUser will use the Negotiate protocol to the log the user in the local machine, so that should use Kerberos if possible although it may fall back to NTLM. Why is it that you need Kerberos tickets out of curiosity? Joe K. [quoted text, click to view] "bkj" <biju.jacob@echarris.com> wrote in message news:1125045018.911443.220680@o13g2000cwo.googlegroups.com... > Hi Guys, > > Thanks for the replies > > I am using LDAP to authenticate user against the active directory. It > is working fine. > If I use LogonUserA method will it login user to the domain and create > kerberos tickets. > > I understand it is so much extra work.The user does not like use > windows login screen appearing when they go the website. They need > pretty forms insted. That is why i am using forms authentication. > > Is there any major security threats in doing so? > > Thanks and Regards > Biju >
If you use the LogonUser API and use an option that provides network
credentials, then you should be able to impersonate the resulting token and use that to access SharePoint via a web service call or HttpWebRequest. Also, if you have their plain text password, you don't even need to impersonate. Just create an appropriate NetworkCredentials object and associate it with the web request. You should only need Kerberos delegation if you are using Windows authentication on your application with IWA and want to access SharePoint via impersonation. Joe K. [quoted text, click to view] "bkj" <biju.jacob@echarris.com> wrote in message news:1125066674.965845.123080@g47g2000cwa.googlegroups.com... > Hi Joe, > > Thanks for the reply. > > The scenario is users will be accessing my web application and at some > point they need to go to a document library setup in sharepoint portal > server03. users dont want to be challenged for security here again as > they have logged in already.we need apply user level security in > sharepoint as well to control what each of them has access to. > > I was lead to belive that if we generate Kerberos tickets then i can > Impersonate that onto ASP.NET worker process, so each request made > there after will be under the logged in users credentials. Is this the > case? > > Basically, I need the requests to the application and sharepoint to be > under the logged in users credential. > > Is this acheivable?? > > If I follow this model what are security risks I am facing? > > Thanks and regards > Biju >
Don't see what you're looking for? Try a search.
|
June 2004
July 2004
August 2004
September 2004
October 2004
November 2004
December 2004
January 2005
February 2005
March 2005
April 2005
May 2005
June 2005
July 2005
August 2005
September 2005
October 2005
November 2005
December 2005
January 2006
February 2006
March 2006
April 2006
May 2006
June 2006
July 2006
August 2006
September 2006
October 2006
November 2006
December 2006
January 2007
February 2007
March 2007
April 2007
May 2007
June 2007
July 2007
August 2007
September 2007
October 2007
November 2007
| home · blog · groups | Questions? Comments? Contact the dn |