|
Home > Archive > IIS Server Security > October 2004 > Authentication question
You are viewing an archived Text-only version of the thread.
To view this thread in it's original format and/or if you want to reply to
this thread please [click here]
| Author |
Authentication question
|
|
| Nikolay Petrov 2004-10-22, 2:47 am |
| Can I authenticate users of my ASP .NET apps, using their windows
credentials, but using a SQL db.
Let me explain a little more.
I have an Windows XP station where i run my ASP .NET apps. I wish users to
authenticate them using their current windows usernames and passwords.
I have stored my users login names and passwords in SQL database, because I
don't wish store an account for every user in my network at my XP machine.
So is it posible to pass windows credential for verification against SQL
database? Or maybe the right question is, can I extract the username and
password as clear text from the passed credentials.
I am not quite shure are there any possibilities.
TIA
| |
| Ken Tucker [MVP] 2004-10-22, 7:49 am |
| Hi,
You can get the user name from the windowsidentity class.
http://msdn.microsoft.com/library/d...ssnametopic.asp
http://msdn.microsoft.com/library/d...ionprovider.asp
Ken
-----------------------
"Nikolay Petrov" <johntup2@mail.bg> wrote in message
news:uZKa1FAuEHA.2876@TK2MSFTNGP14.phx.gbl...
Can I authenticate users of my ASP .NET apps, using their windows
credentials, but using a SQL db.
Let me explain a little more.
I have an Windows XP station where i run my ASP .NET apps. I wish users to
authenticate them using their current windows usernames and passwords.
I have stored my users login names and passwords in SQL database, because I
don't wish store an account for every user in my network at my XP machine.
So is it posible to pass windows credential for verification against SQL
database? Or maybe the right question is, can I extract the username and
password as clear text from the passed credentials.
I am not quite shure are there any possibilities.
TIA
| |
| David Wang [Msft] 2004-10-22, 8:47 pm |
| > I have an Windows XP station where i run my ASP .NET apps. I wish users
> to authenticate them using their current windows usernames and passwords.
> I have stored my users login names and passwords in SQL database, because
> I don't wish store an account for every user in my network at my XP
machine.
Turn on Integrated Windows Authentication on the web server running ASP.NET
applications. Users will automatically authenticate using their current
windows usernames/passwords, and your ASP.NET application will run with that
credential.
I do not know why you store user login names/passwords in a separate SQL
database that can be out-of-sync with the actual remote user's
name/password.
If you want to use custom authentication where you store username/password
in your own user database, then that has nothing to with windows
username/password because the browser won't understand your custom
authentication scheme. You will have to cook up your own mechanism (why not
use ASP.NET Forms Authentication ??? ).
--
//David
IIS
This posting is provided "AS IS" with no warranties, and confers no rights.
//
"Nikolay Petrov" <johntup2@mail.bg> wrote in message
news:uZKa1FAuEHA.2876@TK2MSFTNGP14.phx.gbl...
Can I authenticate users of my ASP .NET apps, using their windows
credentials, but using a SQL db.
Let me explain a little more.
I have an Windows XP station where i run my ASP .NET apps. I wish users to
authenticate them using their current windows usernames and passwords.
I have stored my users login names and passwords in SQL database, because I
don't wish store an account for every user in my network at my XP machine.
So is it posible to pass windows credential for verification against SQL
database? Or maybe the right question is, can I extract the username and
password as clear text from the passed credentials.
I am not quite shure are there any possibilities.
TIA
| |
| richlm 2004-10-25, 5:52 pm |
| Need more information about your infrastructure to provide a sensible
answer. Here are some 'leading' questions to make sure we're on the same
track:
- are you looking for single-sign-on?
- when you are talking windows credentials does that imply AD & domain user
accounts - or is this network a workgroup with just local machine accounts?
Also a couple of pointers/ideas:
- Generally you don't store passwords - you only ever store a hash of the
password. After the hash of the password is verified, the password itself is
discarded.
If you do store passwords this is a BIG security risk.
- Have you considerd ADAM (Active Directory Application Mode) as a possible
alternative to SQL server?
see
http://www.microsoft.com/downloads/...&displaylang=en
| |
|
| Thank you,
We have no intention of using a single logon to our application. We are
aiming at domain accounts, AD.
So far I can prompt the user to enter a user id, domain name and
password. The I validate these using LogonUser and then
I start our application using the user's information, the application is
started under the user's identity.... like runas will do.
This works fine, but now we have 2 clients, one that uses smart-cards
and the other one that uses a fingerprint reader to authenticate the users
at logon. Is there a standard API I can use? or will I have to write a
custom module for each client?
Thank you!
"richlm" <rich_lm@h0tmai1.com> wrote in message
news:eOXBVesuEHA.2096@tk2msftngp13.phx.gbl...
> Need more information about your infrastructure to provide a sensible
> answer. Here are some 'leading' questions to make sure we're on the same
> track:
> - are you looking for single-sign-on?
> - when you are talking windows credentials does that imply AD & domain
> user accounts - or is this network a workgroup with just local machine
> accounts?
>
> Also a couple of pointers/ideas:
> - Generally you don't store passwords - you only ever store a hash of the
> password. After the hash of the password is verified, the password itself
> is discarded.
> If you do store passwords this is a BIG security risk.
> - Have you considerd ADAM (Active Directory Application Mode) as a
> possible alternative to SQL server?
> see
> http://www.microsoft.com/downloads/...&displaylang=en
>
>
|
|
|
|
|