Authentication question

Discussion in 'ASP .Net Security' started by Nikolay Petrov, Oct 22, 2004.

  1. Can I authenticate users of my ASP .NET apps using their Windows
    credentials, but using a SQL db?
    Let me explain a little more.
    I have a Windows XP station where I run my ASP .NET apps. I wish users to
    authenticate themselves using their current Windows usernames and passwords.
    I have stored my users' login names and passwords in a SQL database, because I
    don't wish to store an account for every user in my network on my XP machine.
    So is it possible to pass Windows credentials for verification against a SQL
    database? Or maybe the right question is, can I extract the username and
    password as clear text from the passed credentials?
    I am not quite sure whether there are any possibilities.

    TIA
    Nikolay Petrov, Oct 22, 2004
    #1

  2. Hi,

    You can get the user name from the windowsidentity class.
    http://msdn.microsoft.com/library/d...ityprincipalwindowsidentityclassnametopic.asp

    http://msdn.microsoft.com/library/d...tml/cpconthewindowsauthenticationprovider.asp

    Ken
    -----------------------
    "Nikolay Petrov" <> wrote in message
    news:...
    Can I authenticate users of my ASP .NET apps using their Windows
    credentials, but using a SQL db?
    Let me explain a little more.
    I have a Windows XP station where I run my ASP .NET apps. I wish users to
    authenticate themselves using their current Windows usernames and passwords.
    I have stored my users' login names and passwords in a SQL database, because I
    don't wish to store an account for every user in my network on my XP machine.
    So is it possible to pass Windows credentials for verification against a SQL
    database? Or maybe the right question is, can I extract the username and
    password as clear text from the passed credentials?
    I am not quite sure whether there are any possibilities.

    TIA
    Ken Tucker [MVP], Oct 22, 2004
    #2
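
Added example, not part of the thread or any poster's code: with Windows authentication the application only receives an identity that Windows has already verified (the name Ken points to) and never the password, so the SQL database can hold application data keyed by that name instead of passwords. The `AppUsers` table, the `CORP\...` accounts and the in-memory stand-in for the SQL query are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Principal;

static class WindowsUserLookup
{
    // Stand-in for a SQL table such as AppUsers(LoginName, Role) (hypothetical schema).
    // In a real app this is a parameterized SELECT ... WHERE LoginName = @login.
    static readonly Dictionary<string, string> AppUsers =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            { @"CORP\npetrov", "Editor" },   // constructed sample rows
            { @"CORP\ktucker", "Admin" },
        };

    // Returns the application role for an identity that Windows/IIS has already
    // authenticated, or null when access should be denied.
    public static string ResolveRole(IIdentity identity)
    {
        // Anonymous requests arrive with IsAuthenticated == false and an empty name.
        if (identity == null || !identity.IsAuthenticated)
            return null;

        // identity.Name is "DOMAIN\user". The identity carries no password:
        // the credential check was done by Windows before the request got here.
        string role;
        return AppUsers.TryGetValue(identity.Name, out role) ? role : null;
    }

    static void Main()
    {
        // In ASP.NET with <authentication mode="Windows" /> the identity would be
        // HttpContext.Current.User.Identity; GenericIdentity lets this run anywhere.
        IIdentity known = new GenericIdentity(@"CORP\npetrov", "Negotiate");
        IIdentity unknown = new GenericIdentity(@"CORP\guest1", "Negotiate");
        IIdentity anonymous = new GenericIdentity("");

        Console.WriteLine(ResolveRole(known) ?? "denied");
        Console.WriteLine(ResolveRole(unknown) ?? "denied");
        Console.WriteLine(ResolveRole(anonymous) ?? "denied");
    }
}
```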

  3. richlm Guest

    Need more information about your infrastructure to provide a sensible
    answer. Here are some 'leading' questions to make sure we're on the same
    track:
    - are you looking for single-sign-on?
    - when you are talking windows credentials does that imply AD & domain user
    accounts - or is this network a workgroup with just local machine accounts?

    Also a couple of pointers/ideas:
    - Generally you don't store passwords - you only ever store a hash of the
    password. After the hash of the password is verified, the password itself is
    discarded.
    If you do store passwords this is a BIG security risk.
    - Have you considered ADAM (Active Directory Application Mode) as a possible
    alternative to SQL server?
    see
    http://www.microsoft.com/downloads/...B9-1034-4EF6-A3E5-2A2A57B5C8E4&displaylang=en
    richlm, Oct 25, 2004
    #3
  4. MP Guest

    Thank you,
    We have no intention of using a single logon to our application. We are
    aiming at domain accounts, AD.

    So far I can prompt the user to enter a user id, domain name and
    password. Then I validate these using LogonUser and then
    I start our application using the user's information, the application is
    started under the user's identity.... like runas will do.

    This works fine, but now we have 2 clients, one that uses smart-cards
    and the other one that uses a fingerprint reader to authenticate the users
    at logon. Is there a standard API I can use? Or will I have to write a
    custom module for each client?

    Thank you!

    "richlm" <> wrote in message
    news:...
    > Need more information about your infrastructure to provide a sensible
    > answer. Here are some 'leading' questions to make sure we're on the same
    > track:
    > - are you looking for single-sign-on?
    > - when you are talking windows credentials does that imply AD & domain
    > user accounts - or is this network a workgroup with just local machine
    > accounts?
    >
    > Also a couple of pointers/ideas:
    > - Generally you don't store passwords - you only ever store a hash of the
    > password. After the hash of the password is verified, the password itself
    > is discarded.
    > If you do store passwords this is a BIG security risk.
    > - Have you considered ADAM (Active Directory Application Mode) as a
    > possible alternative to SQL server?
    > see
    > http://www.microsoft.com/downloads/...B9-1034-4EF6-A3E5-2A2A57B5C8E4&displaylang=en
    >
    >
    MP, Oct 26, 2004
    #4