Authentication Question


  1. #1

    Authentication question

    Hi,

    I'm developing an Internet site that is going to be
    password protected. I have one windows 2000 domain on the
    Internet side of things, and another on an Intranet side.
    Is there any way to authenticate a user that hits my
    Internet pages against the Intranet user database?

    ......I just want users from the Intranet to automatically
    be able to access the Internet pages without having to
    create a separate user on the Internet-side domain.

    Allan Guest

  3. #2

    Re: Authentication question

    "Allan" <allanr00@hotmail.com> wrote in message
    news:148801c3880a$c445dff0$a401280a@phx.gbl...
    > Hi,
    >
    > I'm developing an Internet site that is going to be
    > password protected. I have one windows 2000 domain on the
    > Internet side of things, and another on an Intranet side.
    > Is there any way to authenticate a user that hits my
    > Internet pages against the Intranet user database?
    >
    > .....I just want users from the Intranet to automatically
    > be able to access the Internet pages without having to
    > create a separate user on the Internet-side domain.

    There would have to be a trust established between the two domains, and then
    you could add your intranet users to the ACLs on your content.

    --
    Tom Kaminski IIS MVP
    [url]http://www.iistoolshed.com/[/url] - tools, scripts, and utilities for running IIS
    [url]http://mvp.support.microsoft.com/[/url]
    [url]http://www.microsoft.com/windowsserver2003/community/centers/iis/[/url]



    Tom Kaminski [MVP] Guest

  4. #3

    Re: Authentication question

    Thanks Tom. Do you know where I could look to get started
    finding out how to do this?

    >-----Original Message-----
    >"Allan" <allanr00@hotmail.com> wrote in message
    >news:148801c3880a$c445dff0$a401280a@phx.gbl...
    >> Hi,
    >>
    >> I'm developing an Internet site that is going to be
    >> password protected. I have one windows 2000 domain on the
    >> Internet side of things, and another on an Intranet side.
    >> Is there any way to authenticate a user that hits my
    >> Internet pages against the Intranet user database?
    >>
    >> .....I just want users from the Intranet to automatically
    >> be able to access the Internet pages without having to
    >> create a separate user on the Internet-side domain.
    >
    >There would have to be a trust established between the two domains, and then
    >you could add your intranet users to the ACLs on your content.
    >
    >--
    >Tom Kaminski IIS MVP
    >[url]http://www.iistoolshed.com/[/url] - tools, scripts, and utilities for running IIS
    >[url]http://mvp.support.microsoft.com/[/url]
    >[url]http://www.microsoft.com/windowsserver2003/community/centers/iis/[/url]
    Allan Guest

  5. #4

    Re: Authentication question

    I imagine there's documentation on TechNet in the windows server areas.

    "Allan" <allanr00@hotmail.com> wrote in message
    news:072901c38909$3d3e4d30$a101280a@phx.gbl...
    > Thanks Tom. Do you know where I could look to get started
    > finding out how to do this?
    >
    > >-----Original Message-----
    > >"Allan" <allanr00@hotmail.com> wrote in message
    > >news:148801c3880a$c445dff0$a401280a@phx.gbl...
    > >> Hi,
    > >>
    > >> I'm developing an Internet site that is going to be
    > >> password protected. I have one windows 2000 domain on the
    > >> Internet side of things, and another on an Intranet side.
    > >> Is there any way to authenticate a user that hits my
    > >> Internet pages against the Intranet user database?
    > >>
    > >> .....I just want users from the Intranet to automatically
    > >> be able to access the Internet pages without having to
    > >> create a separate user on the Internet-side domain.
    > >
    > >There would have to be a trust established between the two domains, and then
    > >you could add your intranet users to the ACLs on your content.
    > >
    > >--
    > >Tom Kaminski IIS MVP
    > >[url]http://www.iistoolshed.com/[/url] - tools, scripts, and utilities for running IIS
    > >[url]http://mvp.support.microsoft.com/[/url]
    > >[url]http://www.microsoft.com/windowsserver2003/community/centers/iis/[/url]

    Tom Kaminski [MVP] Guest

  6. #5

    Authentication Question

    Hello. I'm new to .NET and I have a question regarding authentication and authorization.
    I am using forms authentication (because user names and passwords are stored in an Oracle db) to provide logon functionality, then I'm using a session User object (custom-made) to which I set a isAuthenticated flag. On "members-only" pages I check the isAuthenticated flag to determine if the user is authenticated or not before displaying the page.
    If requirements impose a restriction on using cookies, is this considered a bad design or not? If yes, then why so?
    What other options do I have for cookieless authentication?
    I would appreciate any kind of help.
    Thanks
    Jenna
    Jenna Simmer Guest

  7. #6

    Re: Authentication Question

    Forms authentication works on cookie authentication. If you do not want to
    use cookies, go for windows authentication which would not make sense on
    internet.

    Av.

    "Jenna Simmer" <anonymous@discussions.microsoft.com> wrote in message
    news:7075962D-E1B7-4CE1-A735-3DA193220427@microsoft.com...
    > Hello. I'm new to .NET and I have a question regarding authentication and
    > authorization.
    > I am using forms authentication (because user names and passwords are
    > stored in an Oracle db) to provide logon functionality, then I'm using a
    > session User object (custom-made) to which I set a isAuthenticated flag.
    > On "members-only" pages I check the isAuthenticated flag to determine if
    > the user is authenticated or not before displaying the page.
    > If requirements impose a restriction on using cookies, is this considered
    > a bad design or not? If yes, then why so?
    > What other options do I have for cookieless authentication?
    > I would appreciate any kind of help.
    > Thanks
    > Jenna

    avnrao Guest

  8. #7

    Re: Authentication Question

    Thanks for the reply, but I'm confused: should I use forms/cookies or windows authentication?
    I'm starting to become very concerned. Everything that I read on the Internet about authentication involves some forms/cookies implementation, and that I cannot use. I don't think I can use windows authentication since the member's data is stored in an Oracle database.
    I always thought that custom authentication (without cookies) should be a somewhat common practice; I haven't found anything like this yet and I'm worried about my design: maybe there is a simple way of breaking my application that I haven't even thought of.
    I would appreciate any comments from anyone on this topic.
    Thank you
    J
    Jenna Simmer Guest

  9. #8

    Re: Authentication Question

    I think you're safe storing the authentication status in session state. This
    should work fine. I use it in the admin section of an e-commerce web site.

    "Jenna Simmer" <anonymous@discussions.microsoft.com> wrote in message
    news:7075962D-E1B7-4CE1-A735-3DA193220427@microsoft.com...
    > Hello. I'm new to .NET and I have a question regarding authentication and
    > authorization.
    > I am using forms authentication (because user names and passwords are
    > stored in an Oracle db) to provide logon functionality, then I'm using a
    > session User object (custom-made) to which I set a isAuthenticated flag. On
    > "members-only" pages I check the isAuthenticated flag to determine if the
    > user is authenticated or not before displaying the page.
    > If requirements impose a restriction on using cookies, is this considered
    > a bad design or not? If yes, then why so?
    > What other options do I have for cookieless authentication?
    > I would appreciate any kind of help.
    > Thanks
    > Jenna

    Rick Spiewak Guest

  10. #9

    Re: Authentication Question

    Hello,
    A custom-made user passport-like object in a session should do the required job and there isn't any security problem with it. I am also using a similar technique in a banking application.
    regards
    Hammad.Rajjoub

    ----- Jenna Simmer wrote: ----

    Thanks for the reply, but I'm confused: should I use forms/cookies or windows authentication?
    I'm starting to become very concerned. Everything that I read on the Internet about authentication involves some forms/cookies implementation, and that I cannot use. I don't think I can use windows authentication since the member's data is stored in an Oracle database.
    I always thought that custom authentication (without cookies) should be a somewhat common practice; I haven't found anything like this yet and I'm worried about my design: maybe there is a simple way of breaking my application that I haven't even thought of.
    I would appreciate any comments from anyone on this topic.
    Thank you
    J
    Hammad Rajjoub Guest

  11. #10

    RE: Authentication Question

    Thanks to everyone for their answers.
    J
    Jenna Simmer Guest

  12. #11

    Authentication question

    Can I authenticate users of my ASP .NET apps, using their windows
    credentials, but using a SQL db?
    Let me explain a little more.
    I have a Windows XP station where I run my ASP .NET apps. I wish users to
    authenticate them using their current windows usernames and passwords.
    I have stored my users' login names and passwords in SQL database, because I
    don't wish to store an account for every user in my network at my XP machine.
    So is it possible to pass windows credential for verification against SQL
    database? Or maybe the right question is, can I extract the username and
    password as clear text from the passed credentials?
    I am not quite sure if there are any possibilities.

    TIA


    Nikolay Petrov Guest

  13. #12

    Re: Authentication question

    Hi,

    You can get the user name from the WindowsIdentity class.
    [url]http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpref/html/frlrfsystemsecurityprincipalwindowsidentityclassnametopic.asp[/url]

    [url]http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpguide/html/cpconthewindowsauthenticationprovider.asp[/url]

    Ken
    -----------------------
    "Nikolay Petrov" <johntup2@mail.bg> wrote in message
    news:uZKa1FAuEHA.2876@TK2MSFTNGP14.phx.gbl...
    Can I authenticate users of my ASP .NET apps, using their windows
    credentials, but using a SQL db?
    Let me explain a little more.
    I have a Windows XP station where I run my ASP .NET apps. I wish users to
    authenticate them using their current windows usernames and passwords.
    I have stored my users' login names and passwords in SQL database, because I
    don't wish to store an account for every user in my network at my XP machine.
    So is it possible to pass windows credential for verification against SQL
    database? Or maybe the right question is, can I extract the username and
    password as clear text from the passed credentials?
    I am not quite sure if there are any possibilities.

    TIA



    Ken Tucker [MVP] Guest

  14. #13

    Re: Authentication question

    Need more information about your infrastructure to provide a sensible
    answer. Here are some 'leading' questions to make sure we're on the same
    track:
    - are you looking for single-sign-on?
    - when you are talking windows credentials does that imply AD & domain user
    accounts - or is this network a workgroup with just local machine accounts?

    Also a couple of pointers/ideas:
    - Generally you don't store passwords - you only ever store a hash of the
    password. After the hash of the password is verified, the password itself is
    discarded.
    If you do store passwords this is a BIG security risk.
    - Have you considered ADAM (Active Directory Application Mode) as a possible
    alternative to SQL server?
    see
    [url]http://www.microsoft.com/downloads/details.aspx?FamilyId=9688F8B9-1034-4EF6-A3E5-2A2A57B5C8E4&displaylang=en[/url]


    richlm Guest

  15. #14

    Re: Authentication question

    Thank you,
    We have no intention of using a single logon to our application. We are
    aiming at domain accounts, AD.

    So far I can prompt the user to enter a user id, domain name and
    password. Then I validate these using LogonUser and then
    I start our application using the user's information, the application is
    started under the user's identity.... like runas will do.

    This works fine, but now we have 2 clients, one that uses smart-cards
    and the other one that uses a fingerprint reader to authenticate the users
    at logon. Is there a standard API I can use? or will I have to write a
    custom module for each client?

    Thank you!

    "richlm" <rich_lm@h0tmai1.com> wrote in message
    news:eOXBVesuEHA.2096@tk2msftngp13.phx.gbl...
    > Need more information about your infrastructure to provide a sensible
    > answer. Here are some 'leading' questions to make sure we're on the same
    > track:
    > - are you looking for single-sign-on?
    > - when you are talking windows credentials does that imply AD & domain
    > user accounts - or is this network a workgroup with just local machine
    > accounts?
    >
    > Also a couple of pointers/ideas:
    > - Generally you don't store passwords - you only ever store a hash of the
    > password. After the hash of the password is verified, the password itself
    > is discarded.
    > If you do store passwords this is a BIG security risk.
    > - Have you considered ADAM (Active Directory Application Mode) as a
    > possible alternative to SQL server?
    > see
    > [url]http://www.microsoft.com/downloads/details.aspx?FamilyId=9688F8B9-1034-4EF6-A3E5-2A2A57B5C8E4&displaylang=en[/url]
    >
    >

    MP Guest
