
Really confused about authorization/authentication methods in ASP.Net

 
 
STom
08-07-2003
I have been reading and reading the Microsoft best practices, articles on
and on but still I can't figure out which method to choose to get started.

Basically, we are using Active directory where all of the users should be
authorized against before accessing the web site. Here are some of my
questions:

1. If I set the virtual directory security property to Integrated Windows
Authentication and I am using active directory (the web server is in the
Active Directory domain) won't IIS/ASP.Net automatically authenticate
against active directory even if I set the web.config file authentication
mode to 'Windows'?

2. If it does automatically authenticate and then I want to get the user or
the user object so I can tell what groups the person belongs in, would I
code that within the page load of the first page?

3. Where do I store the user information so I don't have to authenticate
against active directory for each page?

4. I have seen many examples on MSDN regarding Forms authentication and
active directory. I have 'heard' that you should avoid Forms authentication
but I don't know why. Is there a reason to avoid this way of doing it?

Thanks for any pointers.

STom


 
Michal A. Valasek
08-07-2003
Some answers:

| 3. Where do I store the user information so I don't have to authenticate
| against active directory for each page?

You don't. It's a problem of IIS/ASP.NET, not yours.

| 4. I have seen many examples on MSDN regarding Forms authentication and
| active directory. I have 'heard' that you should avoid Forms authentication
| but I don't know why. Is there a reason to avoid this way of doing it?

It depends on your environment. The problem with Forms Authentication is that
you must write authentication scripts and store authentication data
somewhere. If you already have the users in AD and your infrastructure
allows it, use Windows authentication, because it integrates seamlessly with
AD. If you can't / don't want to use AD, store users in SQL / XML / anywhere
and use FormsAuthentication.

Best of all: When changing Forms/Windows authentication, you must not
rewrite your application.

--
Michal A. Valasek, Altair Communications, http://www.altaircom.net
Please do not reply to this e-mail, for contact see http://www.rider.cz


 
Tom
08-07-2003
> 1. If I set the virtual directory security property to Integrated Windows
> Authentication and I am using active directory (the web server is in the
> Active Directory domain) won't IIS/ASP.Net automatically authenticate
> against active directory even if I set the web.config file authentication
> mode to 'Windows'?

It depends on the web client used. When you use IE 2.0 and higher you have
granted NTLM authentication in context of current user. For
negotiate/kerberos there is a need for win 2000 on both sides and an IE 6.0
client (you have to enable Integrated authen. in the options menu and set one
key in the registry to make negotiate the default one).


> 2. If it does automatically authenticate and then I want to get the user or
> the user object so I can tell what groups the person belongs in, would I
> code that within the page load of the first page?

You can do it where you want to, the information is easy to access.


> 3. Where do I store the user information so I don't have to authenticate
> against active directory for each page?

Bad question, you will not be able to authenticate using IE 6.0 other than by
using the currently logged-in user's credentials for integrated authentication.
So you will never type any user and pwd using this authentication scenario,
browsing will be transparent. When you change authentication to the basic one,
IIS will request user and pwd on first user access and will hold the opened
connection. This is the thing between client (in your case IE) and browser.

> 4. I have seen many examples on MSDN regarding Forms authentication and
> active directory. I have 'heard' that you should avoid Forms authentication
> but I don't know why. Is there a reason to avoid this way of doing it?

I think form authentication is the classical way where the user and password
are given via a simple web form and are sent from the client as clear text in
the request made as login. It's the same problem as with basic authentication
without SSL, pwd and user name are easy to be sniffed.

Tom
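
An added example, not part of any post in this thread: with `<authentication mode="Windows" />` in web.config and anonymous access disabled in IIS, a page can read the authenticated user and its groups from `Context.User` in `Page_Load`. The class name `WhoAmI` and the group `EXAMPLE\WebAppUsers` are hypothetical.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Principal;
using System.Web.UI;

// Code-behind for a hypothetical page; assumes Windows authentication is
// enabled in web.config and anonymous access is disabled in IIS.
public partial class WhoAmI : Page
{
    // Hypothetical AD group that is allowed to view the page.
    private const string RequiredGroup = @"EXAMPLE\WebAppUsers";

    protected void Page_Load(object sender, EventArgs e)
    {
        // Context.User is populated on every request, so the application
        // does not have to store the user between pages.
        IPrincipal user = Context.User;
        if (user == null || !user.Identity.IsAuthenticated)
        {
            Response.StatusCode = 401;
            Response.End();
            return;
        }
        // IsInRole is declared on IPrincipal, so the same call is used under
        // Windows or Forms authentication (under Forms the application must
        // populate the roles itself).
        if (!user.IsInRole(RequiredGroup))
        {
            Response.StatusCode = 403;
            Response.End();
            return;
        }
        Response.Write("User: " + Server.HtmlEncode(user.Identity.Name) + "<br/>");
        foreach (string group in GroupNames(user.Identity as WindowsIdentity))
            Response.Write(Server.HtmlEncode(group) + "<br/>");
    }

    // Lists group names for a Windows identity; yields nothing for other identity types.
    private static IEnumerable<string> GroupNames(WindowsIdentity identity)
    {
        if (identity == null || identity.Groups == null) yield break;
        foreach (IdentityReference sid in identity.Groups)
        {
            string name;
            try { name = sid.Translate(typeof(NTAccount)).Value; }
            catch (IdentityNotMappedException) { name = sid.Value; } // SID with no resolvable name
            yield return name;
        }
    }
}
```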


 