STom #1
Really confused about authorization/authentication methods in ASP.Net
I have been reading and reading the Microsoft best practices, articles on
and on but still I can't figure out which method to choose to get started.
Basically, we are using Active directory where all of the users should be
authorized against before accessing the web site. Here are some of my
questions:
1. If I set the virtual directory security property to Integrated Windows
Authentication and I am using active directory (the web server is in the
Active Directory domain) won't IIS/ASP.Net automatically authenticate
against active directory even if I set the web.config file authentication
mode to 'Windows'?
2. If it does automatically authenticate and then I want to get the user or
the user object so I can tell what groups the person belongs in, would I
code that within the page load of the first page?
3. Where do I store the user information so I don't have to authenticate
against active directory for each page?
4. I have seen many examples on MSDN regarding Forms authentication and
active directory. I have 'heard' that you should avoid Forms authentication
but I don't know why. Is there a reason to avoid this way of doing it?
Thanks for any pointers.
STom
STom Guest
-
Michal A. Valasek #2
Re: Really confused about authorization/authentication methods in ASP.Net
Some answers:
| 3. Where do I store the user information so I don't have to authenticate
| against active directory for each page?
You don't. It's a problem of IIS/ASP.NET, not yours.
| 4. I have seen many examples on MSDN regarding Forms authentication and
| active directory. I have 'heard' that you should avoid Forms authentication
| but I don't know why. Is there a reason to avoid this way of doing it?
It depends on your environment. Problem with Forms Authentication is that
you must write authentication scripts and store authentication data
somewhere. If you already have the users in AD and your infrastructure
allows it, use Windows authentication, because it integrates seamlessly with
AD. If you can't / don't want to use AD, store users in SQL / XML / anywhere
and use FormsAuthentication.
Best of all: When changing Forms/Windows authentication, you must not
rewrite your application.
--
Michal A. Valasek, Altair Communications, http://www.altaircom.net
Please do not reply to this e-mail, for contact see http://www.rider.cz
Michal A. Valasek Guest
-
Tom #3
Re: Really confused about authorization/authentication methods in ASP.Net
> 1. If I set the virtual directory security property to Integrated Windows
> Authentication and I am using active directory (the web server is in the
> Active Directory domain) won't IIS/ASP.Net automatically authenticate
> against active directory even if I set the web.config file authentication
> mode to 'Windows'?
It depends on the web client used. When you use IE 2.0 and higher you have
granted NTLM authentication in context of current user. For
negotiate/kerberos there is need of win 2000 on both sides and IE 6.0
client (you have to enable Integrated authen. in options menu and set one
key in registry to make negotiate default one)
> 2. If it does automatically authenticate and then I want to get the user or
> the user object so I can tell what groups the person belongs in, would I
> code that within the page load of the first page?
You can do it where you want to, the information is easy to access.
> 3. Where do I store the user information so I don't have to authenticate
> against active directory for each page?
Bad question, you will not be able to authenticate using IE 6.0 else than
using current logged user credentials for integrated authentication. So you
will never type any user and pwd using this authentication scenario,
browsing will be transparent. When you change authentication for basic one,
IIS will request user and pwd on first user access and will hold the opened
connection. This is the thing between client (in your case IE) and browser.
> 4. I have seen many examples on MSDN regarding Forms authentication and
> active directory. I have 'heard' that you should avoid Forms authentication
> but I don't know why. Is there a reason to avoid this way of doing it?
I think form authentication is the classical way where the user and password
are given via simple
web form and are sent from client as clear text in request made as login.
It's the same problem like with basic authentication without SSL, pwd and
user name are easy to be sniffed.
Tom
Tom Guest
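An added example (not from any poster in this thread) for questions 2 and 3: a group check written against `IPrincipal`, the type of `Context.User` in ASP.NET, so the same code serves Windows and Forms authentication. The group names and sample principals are constructed, and `GenericPrincipal` stands in for the principal ASP.NET supplies on each request.

```csharp
using System;
using System.Security.Principal;

// Added example. In an ASP.NET page the principal is Context.User:
// a WindowsPrincipal under <authentication mode="Windows" />, or a
// principal whose roles the application fills in under mode="Forms".
public static class AccessCheck
{
    // Hypothetical group names; replace with real AD groups.
    public const string AdminGroup = @"EXAMPLE\SiteAdmins";
    public const string UserGroup  = @"EXAMPLE\SiteUsers";

    public enum Access { Denied, User, Admin }

    // Depends on IPrincipal only, so it does not care which
    // authentication mode produced the principal.
    public static Access Evaluate(IPrincipal user)
    {
        // Fail closed: a missing or anonymous principal gets nothing.
        if (user == null || user.Identity == null || !user.Identity.IsAuthenticated)
            return Access.Denied;
        if (user.IsInRole(AdminGroup)) return Access.Admin;
        if (user.IsInRole(UserGroup))  return Access.User;
        return Access.Denied; // authenticated, but in no permitted group
    }

    public static void Main()
    {
        // Constructed principals standing in for Context.User.
        IPrincipal admin = new GenericPrincipal(
            new GenericIdentity(@"EXAMPLE\alice", "Negotiate"),
            new[] { AdminGroup, UserGroup });
        IPrincipal noGroup = new GenericPrincipal(
            new GenericIdentity(@"EXAMPLE\bob", "Forms"), new string[0]);
        // An empty name makes GenericIdentity report IsAuthenticated == false.
        IPrincipal anonymous = new GenericPrincipal(
            new GenericIdentity(""), new string[0]);

        Console.WriteLine(Evaluate(admin));     // member of both groups
        Console.WriteLine(Evaluate(noGroup));   // authenticated, no group
        Console.WriteLine(Evaluate(anonymous)); // not authenticated
        Console.WriteLine(Evaluate(null));      // no principal at all
    }
}
```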




