ASP.NET Authentication and Windows Authentication

 
 
Fabio Gouw
11-15-2004
Hello,

I'm developing a web application that will run on an Intranet. I'll use
Windows Authentication, so users can access the application without the need
of filling out a login page.

According to which user is using the web app, he/she'll have a dynamic menu,
built with the pages he/she can access. This information is stored in a SQL
Server DB, where each user has his/her permissions.

My question is how can I bind the information on Users table with the user
who is accessing the web app, and how to make it secure.

First I thought to use User.Identity.Name property, so I can put an
"domain\login" column on Users table, but it doesn't sound secure... (Am I
right?)

Does anyone have a suggestion?

Thanks
 
Ken Schaefer
11-16-2004
What do you mean by "isn't secure"? Secure against what?

Sounds like a decent idea to me. Whilst hiding usernames is probably a good
idea, authentication relies on "something I know" (password) or "something I
have" (smart card) (or combinations - multifactor authentication). So, the
trick is keeping the password secure - because that's the "secret" rather
than the username.

Cheers
Ken
Ken Schaefer
11-16-2004
As an addendum, if you don't want to store the usernames in cleartext in the
database, you could use a one-way hashing function (MD5?) to generate a hash
of the username. Do the same in your code to the username presented by the
client, and compare that with what's in the database. That way, anyone who
does get access to the database cannot determine which username is which
(except perhaps through deduction by looking at which users have which
permissions).

Cheers
Ken
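
Added example, not part of the original posts: one way to do the lookup discussed in this thread, keying the Users table on a hash of `User.Identity.Name`. It uses HMAC-SHA256 with a server-held key in place of the MD5 mentioned above, because account names are guessable and an unkeyed hash of them can be matched by hashing candidate names. The class and method names, the key, the account names and the page lists are constructed, and a dictionary stands in for the SQL Server table.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

// Added illustration; all names and sample data here are hypothetical.
static class UserKeyLookup
{
    // Windows account names are case-insensitive, so canonicalize before
    // hashing: "CORP\alice" and "corp\ALICE" must map to the same row.
    static string Normalize(string identityName)
    {
        return identityName.Trim().ToUpperInvariant();
    }

    // Assumption: HMAC-SHA256 replaces the MD5 suggested in the thread.
    // Without the key, a copy of the table cannot be matched against a
    // list of known or guessed account names.
    public static string LookupKey(byte[] key, string identityName)
    {
        using (var hmac = new HMACSHA256(key))
        {
            byte[] data = Encoding.UTF8.GetBytes(Normalize(identityName));
            return Convert.ToBase64String(hmac.ComputeHash(data));
        }
    }

    static void Main()
    {
        // Constructed key for the demo. In a deployment it would come from
        // protected configuration, never from the database it protects.
        byte[] key = Encoding.UTF8.GetBytes("constructed-demo-key-do-not-reuse");

        // Stand-in for the Users table: lookup key -> pages the user may open.
        var users = new Dictionary<string, string[]>
        {
            { LookupKey(key, @"CORP\alice"), new[] { "Orders.aspx", "Reports.aspx" } },
            { LookupKey(key, @"CORP\bob"), new[] { "Admin.aspx" } }
        };

        // In a page, the name would be User.Identity.Name after Windows auth.
        foreach (string name in new[] { @"corp\Alice", @"CORP\mallory" })
        {
            string[] pages;
            if (users.TryGetValue(LookupKey(key, name), out pages))
                Console.WriteLine("{0}: {1}", name, string.Join(", ", pages));
            else
                Console.WriteLine("{0}: no row, empty menu (deny by default)", name);
        }
    }
}
```

The menu only controls what is shown; each page still has to check the same permission row when it is requested.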