Fabio Gouw #1
ASP.NET Authentication and Windows Authentication
Hello,
I'm developing a web application that will run on an Intranet. I'll use
Windows Authentication, so users can access the application without the need
of filling out a login page.
According to which user is using the web app, he/she'll have a dynamic menu,
built with the pages he/she can access. This information is stored in a SQL
Server DB, where each user has his/her permissions.
My question is how can I bind the information on Users table with the user
who is accessing the web app, and how to make it secure.
First I thought to use User.Identity.Name property, so I can put an
"domain\login" column on Users table, but it doesn't sound secure... (Am I
right?)
Does anyone have a suggestion?
Thanks
Fabio Gouw Guest
-
Ken Schaefer #2
Re: ASP.NET Authentication and Windows Authentication
What do you mean by "isn't secure"? Secure against what?
Sounds like a decent idea to me. Whilst hiding usernames is probably a good
idea, authentication relies on "something I know" (password) or "something I
have" (smart card) (or combinations - multifactor authentication). So, the
trick is keeping the password secure - because that's the "secret" rather
than the username.
Cheers
Ken
"Fabio Gouw" <FabioGouw@discussions.microsoft.com> wrote in message
news:ECE6DA57-7438-475A-879C-B7BE26592ADF@microsoft.com...
> Hello,
>
> I'm developing a web application that will run on an Intranet. I'll use
> Windows Authentication, so users can access the application without the
> need of filling out a login page.
>
> According to which user is using the web app, he/she'll have a dynamic menu,
> built with the pages he/she can access. This information is stored in a
> SQL Server DB, where each user has his/her permissions.
>
> My question is how can I bind the information on Users table with the user
> who is accessing the web app, and how to make it secure.
>
> First I thought to use User.Identity.Name property, so I can put an
> "domain\login" column on Users table, but it doesn't sound secure... (Am I
> right?)
Ken Schaefer Guest
-
Ken Schaefer #3
Re: ASP.NET Authentication and Windows Authentication
As an addendum, if you don't want to store the usernames in cleartext in the
database, you could use a one-way hashing function (MD5?) to generate a hash
of the username. Do the same in your code to the username presented by the
client, and compare that with what's in the database. That way, anyone who
does get access to the database cannot determine which username is which
(except perhaps through deduction by looking at which users have which
permissions).
Cheers
Ken
"Ken Schaefer" <kenREMOVE@THISadopenstatic.com> wrote in message
news:up4BNq9yEHA.1204@TK2MSFTNGP10.phx.gbl...
> What do you mean by "isn't secure"? Secure against what?
>
> Sounds like a decent idea to me. Whilst hiding usernames is probably a
> good idea, authentication relies on "something I know" (password) or
> "something I have" (smart card) (or combinations - multifactor
> authentication). So, the trick is keeping the password secure - because
> that's the "secret" rather than the username.
>
> Cheers
> Ken
>
> "Fabio Gouw" <FabioGouw@discussions.microsoft.com> wrote in message
> news:ECE6DA57-7438-475A-879C-B7BE26592ADF@microsoft.com...
>> Hello,
>>
>> I'm developing a web application that will run on an Intranet. I'll use
>> Windows Authentication, so users can access the application without the
>> need of filling out a login page.
>>
>> According to which user is using the web app, he/she'll have a dynamic menu,
>> built with the pages he/she can access. This information is stored in a
>> SQL Server DB, where each user has his/her permissions.
>>
>> My question is how can I bind the information on Users table with the
>> user who is accessing the web app, and how to make it secure.
>>
>> First I thought to use User.Identity.Name property, so I can put an
>> "domain\login" column on Users table, but it doesn't sound secure... (Am
>> I right?)
Ken Schaefer Guest
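
The lookup discussed in this thread, as an added example that is not part of any poster's message: it binds the Windows-authenticated `User.Identity.Name` to rows in the permissions database with a parameterized query, storing a keyed hash of the account name as in the addendum above, and checks the same permission set on each page request as well as when the menu is built. The `Users` and `UserPages` tables, their columns, the class and method names, and the use of HMAC-SHA256 in place of MD5 are assumptions of this example.

```csharp
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;
using System.Security.Cryptography;
using System.Security.Principal;
using System.Text;

// Added example. Table, column, class and method names are hypothetical.
public static class MenuPermissions
{
    // Keyed hash of the normalised "DOMAIN\login" string. HMAC-SHA256 with a
    // server-side secret is this example's choice, not the MD5 named in the thread.
    public static byte[] LoginKey(string domainLogin, byte[] secret)
    {
        // Windows account names are case-insensitive, so normalise before hashing.
        string normalised = domainLogin.Trim().ToUpperInvariant();
        using (var hmac = new HMACSHA256(secret))
            return hmac.ComputeHash(Encoding.UTF8.GetBytes(normalised));
    }

    // Returns the page paths the authenticated caller may open.
    public static HashSet<string> PagesFor(IPrincipal user, string connStr, byte[] secret)
    {
        if (user == null || user.Identity == null || !user.Identity.IsAuthenticated)
            throw new UnauthorizedAccessException("No authenticated Windows identity.");

        var pages = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
        const string sql =
            "SELECT p.PagePath FROM UserPages p " +
            "JOIN Users u ON u.UserId = p.UserId " +
            "WHERE u.LoginHash = @loginHash";

        using (var conn = new SqlConnection(connStr))
        using (var cmd = new SqlCommand(sql, conn))
        {
            // The identity value is passed as a parameter, never concatenated into SQL.
            cmd.Parameters.Add("@loginHash", SqlDbType.VarBinary, 32).Value =
                LoginKey(user.Identity.Name, secret);
            conn.Open();
            using (var reader = cmd.ExecuteReader())
                while (reader.Read())
                    pages.Add(reader.GetString(0));
        }
        return pages;
    }

    // Used both to build the menu and to authorise each page request.
    public static bool MayOpen(IPrincipal user, string pagePath, string connStr, byte[] secret)
    {
        return PagesFor(user, connStr, secret).Contains(pagePath);
    }
}
```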