authentication/login scheme

[Kevin]

I am a developer, not an administrator and want to ask
you guys for advice on designing a login/authentication
scheme for a new .Net C# product.

-The product will run on customers' intranets. (The
website may be accessed remotely but we are not ruling
out forcing them to go through a VPN.)
-The logins will come from a database not from Windows
accounts.
-We would rather not pay to subscribe to a third party
service (this is my assumption about Passport and some of
the certificate methods).
-We would rather not force the user to deploy a
certificate on each client machine that might try to
access the web site. (We are looking for a highly
automated install that will require as little from the
customer as possible.)
- The authentication scheme used should affect this web
site only and not all of our customers' sites.
- We need to keep the information secure including the
login credentials that are compared against the database.

I know that I have various methods at my disposal: Forms
Authentication, various IIS Windows Authentication
methods and ISAPI filter DLLs. Although I have a general
understanding of each option, I don't yet know enough to
make thorough comparisons between the methods based on
our requirements. Any advice you guys could give will be
appreciated.

[G. Gnana Arun Ganesh]

Hai Kevin,

Intranet Web application : Windows authentication

Private corporate Web application: Windows authentication

Commercial Web application: Forms authentication

Multiple commercial Web applications: Passport
authentication.

Better option: windows authentication + Active Directory
Windows authentication using Kerberos, an authentication
protocol that is an integral component of Windows Active
Directory. Kerberos is designed to provide authentication
using secret key cryptography.

You may also forms authentication with storing encrypted
ids in the database.

Warm regards,
Arun Ganesh.
Microsoft .NET MVP.

>-----Original Message-----
>I am a developer, not an administrator and want to ask
>you guys for advice on designing a login/authentication
>scheme for a new .Net C# product.
>
>-The product will run on customers' intranets. (The
>website may be accessed remotely but we are not ruling
>out forcing them to go through a VPN.)
>-The logins will come from a database not from Windows
>accounts.
>-We would rather not pay to subscribe to a third party
>service (this is my assumption about Passport and some

of

>the certificate methods).
>-We would rather not force the user to deploy a
>certificate on each client machine that might try to
>access the web site. (We are looking for a highly
>automated install that will require as little from the
>customer as possible.)
>- The authentication scheme used should affect this web
>site only and not all of our customers' sites.
>- We need to keep the information secure including the
>login credentials that are compared against the database.
>
>I know that I have various methods at my disposal: Forms
>Authentication, various IIS Windows Authentication
>methods and ISAPI filter DLLs. Although I have a

general

>understanding of each option, I don't yet know enough to
>make thorough comparisons between the methods based on
>our requirements. Any advice you guys could give will

be

>appreciated.
>.
>