Intranet app via remote location (Internet)

Discussion in 'ASP .Net Security' started by Troy S., Apr 10, 2008.

  1. Troy S.

    Troy S. Guest

    Hello all. I am developing a 2.0 web site whereby the client wants to give
    access to everyone in their company's domain (I assume that means Active
    Directory). The site will be accessed from the Internet (outside the
    company's intranet). Once logged in, I will grab the authenticated user's
    identity and search SQL tables for their app-specific rights. I have
    wrestled with the proper settings to enable this functionality but have yet
    to stumble upon the correct solution.

    I would think Allow Anonymous Access would be turned off via IIS and
    web.config would have something similar to the following in it:

    <authentication mode="Windows"/>
    <identity impersonate="true"/>
    <authorization>
      <allow roles="app-specific-role-name" />
      <deny users="*" />
    </authorization>

    I'd greatly appreciate any insight you have or even links to proper
    resources. Take care.

    Troy
     
    Troy S., Apr 10, 2008
    #1

  2. Troy S.

    Joe Kaplan Guest

    How do you want the auth to be done? Your basic options are Windows auth or
    Forms auth. Making Windows auth work outside the firewall can be a
    challenge as Kerberos requires access to a domain controller and NTLM can be
    hard to get working well across firewalls and load balancers (although it
    can work). Basic auth actually works fine but requires SSL for security and
    won't provide SSO (although maybe you aren't expecting that for the
    internet-based users).

    All of those options assume the server is domain joined so that it can
    authenticate these users.

    To use forms auth, you would probably want to use the Active Directory
    membership provider. Perhaps since you have custom roles in SQL you would
    want to implement a custom SQL-based role provider. You might want to do
    that regardless of whether you use Windows auth or Forms auth.

    Joe K.

    --
    Joe Kaplan-MS MVP Directory Services Programming
    Co-author of "The .NET Developer's Guide to Directory Services Programming"
    http://www.directoryprogramming.net
    --
    "Troy S." <Troy > wrote in message
    news:...
    > Hello all. I am developing a 2.0 web site whereby the client wants to give
    > access to everyone in their company's domain (I assume that means Active
    > Directory). The site will be accessed from the Internet (outside the
    > company's intranet). Once logged in, I will grab the authenticated user's
    > identity and search SQL tables for their app-specific rights. I have
    > wrestled with the proper settings to enable this functionality but have yet
    > to stumble upon the correct solution.
    >
    > I would think Allow Anonymous Access would be turned off via IIS and
    > web.config would have something similar to the following in it:
    >
    > <authentication mode="Windows"/>
    > <identity impersonate="true"/>
    > <authorization>
    >   <allow roles="app-specific-role-name" />
    >   <deny users="*" />
    > </authorization>
    >
    > I'd greatly appreciate any insight you have or even links to proper
    > resources. Take care.
    >
    > Troy
     
    Joe Kaplan, Apr 10, 2008
    #2

  3. Troy S.

    Troy S. Guest

    Joe, thanks for your time and informative reply.

    > How do you want the auth to be done?


    I've always used Forms authentication in conjunction with my own SQL tables
    (Users, Roles, etc) so I'm not sure how to answer your question. I've never
    tried to utilize Active Directory for an internet application but I've had to
    maintain a few apps that do (code is ugly and monstrous, using third-party
    components).

    I've not yet seen an elegant way to make Windows prompt the user for their
    Windows un & pw and then allow them access to the site, which is the
    functionality I need (just like RDPing to my work machine from home--fill in
    my un & pw and I can then access all the network resources I normally have
    access to).

    I'm not sure about the domain controller. All I know at the moment is the
    client has an intranet with many machines connected to it and wants to host
    this new site on one of their machines, using existing Windows accounts for
    authentication.

    I will research the Active Directory membership provider and see where that
    leads me. Hopefully I find the veritable pot of gold.

    Take care.

    Troy
     
    Troy S., Apr 11, 2008
    #3
  4. Troy S.

    Joe Kaplan Guest

    I find it strange that you've had such bad experiences with Windows auth as
    you usually don't have to do anything to make it work. Just enable Windows
    auth in IIS, disable anonymous and set ASP.NET to Windows auth mode. It
    just works. If the IIS box is domain-joined, it will authenticate against
    AD. There is no code to write.

    The question is still whether you want to use Windows auth or forms auth.
    If you choose to go with forms auth, the AD membership provider is the
    easiest solution.

    Joe K.
    --
    Joe Kaplan-MS MVP Directory Services Programming
    Co-author of "The .NET Developer's Guide to Directory Services Programming"
    http://www.directoryprogramming.net
    --
    "Troy S." <> wrote in message
    news:...
    > Joe, thanks for your time and informative reply.
    >
    >> How do you want the auth to be done?

    >
    > I've always used Forms authentication in conjunction with my own SQL tables
    > (Users, Roles, etc) so I'm not sure how to answer your question. I've never
    > tried to utilize Active Directory for an internet application but I've had to
    > maintain a few apps that do (code is ugly and monstrous, using third-party
    > components).
    >
    > I've not yet seen an elegant way to make Windows prompt the user for their
    > Windows un & pw and then allow them access to the site, which is the
    > functionality I need (just like RDPing to my work machine from home--fill in
    > my un & pw and I can then access all the network resources I normally have
    > access to).
    >
    > I'm not sure about the domain controller. All I know at the moment is the
    > client has an intranet with many machines connected to it and wants to host
    > this new site on one of their machines, using existing Windows accounts for
    > authentication.
    >
    > I will research the Active Directory membership provider and see where that
    > leads me. Hopefully I find the veritable pot of gold.
    >
    > Take care.
    >
    > Troy
    >
     
    Joe Kaplan, Apr 11, 2008
    #4
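
The forms-auth route described in posts #2 and #4 (Active Directory membership provider for credentials, a custom SQL-based role provider for app-specific rights), sketched as a web.config. This is an added example, not configuration posted by anyone in the thread; the LDAP path, SQL connection string, login page name and the `MyApp.Security.SqlAppRoleProvider` type are placeholders, and that role provider class would still have to be written.

```xml
<configuration>
  <connectionStrings>
    <!-- Placeholder directory path: point this at the client's own domain -->
    <add name="ADConnection"
         connectionString="LDAP://dc.example.local/DC=example,DC=local" />
    <!-- Placeholder database holding the app-specific rights tables -->
    <add name="AppRolesDb"
         connectionString="Data Source=SQLHOST;Initial Catalog=AppRights;Integrated Security=SSPI" />
  </connectionStrings>

  <system.web>
    <!-- Forms auth: the login page posts a domain password, so the ticket
         cookie is restricted to SSL and the site must be served over HTTPS -->
    <authentication mode="Forms">
      <forms loginUrl="~/Login.aspx" requireSSL="true" protection="All"
             timeout="20" slidingExpiration="false" />
    </authentication>

    <!-- Validates the submitted username/password against Active Directory -->
    <membership defaultProvider="ADMembership">
      <providers>
        <add name="ADMembership"
             type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
             connectionStringName="ADConnection"
             connectionProtection="Secure"
             attributeMapUsername="sAMAccountName" />
      </providers>
    </membership>

    <!-- Hypothetical custom provider: a class deriving from
         System.Web.Security.RoleProvider that reads roles from SQL -->
    <roleManager enabled="true" defaultProvider="SqlAppRoles"
                 cacheRolesInCookie="false">
      <providers>
        <add name="SqlAppRoles" type="MyApp.Security.SqlAppRoleProvider"
             connectionStringName="AppRolesDb" />
      </providers>
    </roleManager>

    <!-- Same rule as the original snippet, with anonymous users
         rejected first so they are sent to the login page -->
    <authorization>
      <deny users="?" />
      <allow roles="app-specific-role-name" />
      <deny users="*" />
    </authorization>
  </system.web>
</configuration>
```

With `connectionProtection="Secure"` the provider refuses to talk to the directory over an unprotected connection, and `<identity impersonate="true"/>` is left out because forms auth does not produce a Windows token for the logged-in user.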
  5. Troy S.

    Troy S. Guest

    > ... Just enable Windows
    > auth in IIS, disable anonymous and set ASP.NET to Windows auth mode. It
    > just works. If the IIS box is domain-joined, it will authenticate against
    > AD. There is no code to write.


    Those are specific instructions that even I understand. I will give that a
    go and see if it passes the client's muster.

    > The question is still whether you want to use Windows auth or forms auth.
    > If you choose to go with forms auth, the AD membership provider is the
    > easiest solution.


    I wish I knew. From what little I understand, using Windows auth from
    outside the Internet firewall is inviting headaches but that's just based on
    random postings I've reviewed. I've looked at the AD m.p. and it doesn't
    seem too complicated (still not a plug-n-play kind of option--I love
    programming but hate the security-related quicksand). If the above option is
    shot down then I'll tackle the AD MP option.

    Thanks again for your time and effort.

    Troy S.
     
    Troy S., Apr 11, 2008
    #5