Lightweight logon? Impersonation? - shared workstation problem

Discussion in 'ASP .Net Security' started by THG, Jun 13, 2008.

  1. THG

    THG Guest

    We have an Intranet ASP.NET application that is relying on AD security.

    We have a business requirement to run our application on shared
    workstations. An additional requirement is that users are under time
    constraints and use the system on and off during their shift. Up to 4-5
    users can share the same machine during the same shift at the facility.
    There is no physical space to install dedicated machines, and mobile devices
    cannot be used due to security considerations and the complexity of the
    application screens.

    User identity is a critical part of this application and we cannot allow
    users to share an identity. We also cannot require the users to log on and
    log out after each data entry session, which can be 15 minutes at a time, as
    logon takes time under our standard security profiles.

    We are looking at all the possible ways to meet the requirements and I am
    soliciting ideas; a couple of thoughts so far:

    1. Impersonate the current user on top of a generic login (I was told that
    impersonation "does not stick" under the Windows authentication model - can
    somebody confirm or prove this statement wrong?)
    2. Make use of the terminal services server and authenticate users based on
    the smart card that they would insert into a reader, so that the user ID would
    be passed on to the session on the remote server (seems like an
    overcomplicated solution to me)

    Any thoughts and pointers to possible technologies would be appreciated.
    THG, Jun 13, 2008
    #1

  2. Joe Kaplan

    Joe Kaplan Guest

    Can you disable automatic integrated authentication in IE for the machines
    in question so that the users will simply be prompted to enter credentials
    when they access the app? Then, have them close the browser when they are
    done.

    If you have smart cards, you could also just use SSL with client cert auth.
    The user would need to enter their smart card and PIN to log in.

    Joe K.
    --
    Joe Kaplan-MS MVP Directory Services Programming
    Co-author of "The .NET Developer's Guide to Directory Services Programming"
    http://www.directoryprogramming.net
    --
    Joe Kaplan, Jun 13, 2008
    #2
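The Internet Explorer setting Joe suggests, as an added example that is not code from the thread: a small C# helper that writes the Local Intranet zone's Logon option to "Prompt for user name and password" and reads it back. The zone number (1 = Local Intranet), the value name (1A00) and the meaning of the DWORD values are the Internet Explorer registry layout for security zones; the assumption is that the shared workstations use per-user zone settings under HKEY_CURRENT_USER (if the machines are locked to machine-wide zone settings, the same value lives under HKEY_LOCAL_MACHINE and the hive passed in changes accordingly).

```csharp
// Added example, not code from the thread. Sets the Internet Explorer "Logon"
// option of the Local Intranet zone (zone 1) so that IE prompts for a user name
// and password instead of silently sending the workstation's logon token.
// Value name "1A00" (Logon) takes one of:
//   0x00000  Automatic logon with current user name and password
//   0x10000  Prompt for user name and password
//   0x20000  Automatic logon only in Intranet zone   (IE default for zone 1)
//   0x30000  Anonymous logon
// Assumption: zone settings are per-user (HKEY_CURRENT_USER). If the machines
// are locked to machine-wide zones, pass Registry.LocalMachine instead.
using System;
using Microsoft.Win32;

static class IntranetZoneLogon
{
    const string ZoneKey = @"Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1";
    const string LogonValue = "1A00";
    const int PromptForCredentials = 0x10000;

    // Writes the setting and returns the previous value, or null if it was unset.
    public static int? SetPrompt(RegistryKey hive)
    {
        using (RegistryKey key = hive.CreateSubKey(ZoneKey))
        {
            int? previous = key.GetValue(LogonValue) as int?;
            key.SetValue(LogonValue, PromptForCredentials, RegistryValueKind.DWord);
            return previous;
        }
    }

    // Reads the setting back; run this on each shared workstation before
    // relying on the prompt to keep users apart.
    public static bool IsPromptEnforced(RegistryKey hive)
    {
        using (RegistryKey key = hive.OpenSubKey(ZoneKey))
        {
            if (key == null) return false;
            object value = key.GetValue(LogonValue);
            return value is int && (int)value == PromptForCredentials;
        }
    }

    static void Main()
    {
        int? previous = SetPrompt(Registry.CurrentUser);
        Console.WriteLine("Previous Logon value: " +
            (previous.HasValue ? "0x" + previous.Value.ToString("X") : "(not set)"));
        Console.WriteLine("Prompt enforced: " + IsPromptEnforced(Registry.CurrentUser));
    }
}
```

In practice the value is pushed by Group Policy; the helper is useful for checking that a given shared machine really has it. Two checks worth doing: confirm which zone IE assigns the application's URL to (the Logon option is per zone, so a site in Trusted Sites needs the same value under Zones\2), and remember that once a user has answered the prompt, IE keeps those credentials for the life of the browser process and reuses them silently for that site, so the next person at the keyboard inherits the first person's server-side identity until the browser is closed, which is why Joe's "close the browser" step is not optional.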

  3. Joe Kaplan

    Joe Kaplan Guest

    Basically, if you disable automatic login with Windows Integrated Auth in
    the browser, the web app will just challenge the user for credentials and
    force them to log in. The login they provide to the server will then not be
    coupled to the identity of the login on the workstation itself.

    You don't need any impersonation or delegation to make this work, but you
    could definitely impersonate the end user in the app if you wanted to and
    could delegate if you wanted to as well.

    You do need to do something to make sure the browser window is not reused by
    something else. Closing it is ideal. :)

    Joe K.
    --
    Joe Kaplan-MS MVP Directory Services Programming
    Co-author of "The .NET Developer's Guide to Directory Services Programming"
    http://www.directoryprogramming.net
    --
    "THG" <> wrote in message
    news:...
    > Joe,
    >
    > Thank you for replying. Would disabling automatic integrated authentication
    > mean that users will not have to go through a complete logon and the
    > workstation can be logged on with a basic generic account? Our problem is
    > that users might not have enough discipline to close the browser when they
    > are done with the session, so we might have to look into closing the
    > browser window for them at a certain time in the transaction.
    >
    > As for smart cards, we don't have them and the proposed solution above
    > seems to be overly complicated, so I would use it as a last resort.
    >
    > Could any kind of impersonation/delegation be used on the application
    > level on the server?
    >
    Joe Kaplan, Jun 13, 2008
    #3
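Server side, an added example (not code from the thread) of what "no impersonation needed, but possible" looks like in an ASP.NET 2.0/3.5 application configured with `<authentication mode="Windows" />`, `<identity impersonate="false" />` and `<authorization><deny users="?" /></authorization>`: an HttpModule that takes the identity of record from the credentials the person typed at the browser prompt (HttpContext.User), not from the worker process and not from the workstation's generic logon, writes it to an audit log, keeps authenticated pages out of the browser cache, and shows impersonation scoped to a single resource access. The module name and the audit log path are placeholders.

```csharp
// Added example, not code from the thread. Assumes web.config has
//   <authentication mode="Windows" />
//   <identity impersonate="false" />
//   <authorization><deny users="?" /></authorization>
// and that IIS has anonymous access disabled for the application, so every
// request arrives with the Windows identity the user supplied at the prompt.
using System;
using System.IO;
using System.Security.Principal;
using System.Web;

public class IdentityOfRecordModule : IHttpModule
{
    // Placeholder path; replace with the real audit log location.
    const string AuditLog = @"C:\inetpub\logs\identity-audit.log";

    public void Init(HttpApplication app)
    {
        // AuthorizeRequest runs after WindowsAuthenticationModule has set ctx.User.
        app.AuthorizeRequest += OnAuthorizeRequest;
    }

    public void Dispose() { }

    void OnAuthorizeRequest(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        WindowsIdentity caller = ctx.User == null ? null : ctx.User.Identity as WindowsIdentity;

        // Defence in depth: if the challenge was not completed, refuse rather than
        // let the request run as the application pool account.
        if (caller == null || !caller.IsAuthenticated || caller.IsAnonymous)
        {
            ctx.Response.StatusCode = 401;
            ctx.Response.End();
            return;
        }

        // caller.Name is DOMAIN\user from the credentials typed into the browser
        // prompt. WindowsIdentity.GetCurrent() is still the worker process account
        // because impersonate="false"; logging both makes the distinction auditable.
        string processAccount = WindowsIdentity.GetCurrent().Name;
        File.AppendAllText(AuditLog, string.Format("{0:o} user={1} process={2} path={3}{4}",
            DateTime.UtcNow, caller.Name, processAccount, ctx.Request.Path, Environment.NewLine));

        // Keep authenticated pages out of the browser cache so the next person at
        // the workstation cannot use Back to view the previous person's data.
        ctx.Response.Cache.SetCacheability(HttpCacheability.NoCache);
        ctx.Response.Cache.SetNoStore();
    }

    // Scoped impersonation: the current thread runs as the caller only inside the
    // using block and reverts to the process account when the context is disposed.
    // Reading a file on another machine (a UNC share) under an NTLM token fails
    // with access denied unless Kerberos delegation is configured for the web
    // server; resources local to the web server work with either NTLM or Kerberos.
    public static string ReadAsCaller(WindowsIdentity caller, string path)
    {
        using (WindowsImpersonationContext impersonation = caller.Impersonate())
        {
            return File.ReadAllText(path);
        }
    }
}
```

The module is registered under `<system.web><httpModules>` in web.config. The impersonation in ReadAsCaller is deliberately narrow: it applies to the executing thread for the duration of the block and nothing else, so code that needs the caller's token must call it explicitly rather than expecting a request-wide switch, and the rest of the request keeps running as the worker process account.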
  4. THG

    THG Guest

    Joe,

    The trick here is that login takes time, and therefore your proposed approach
    seems to result in a lengthy logon. I am looking at ways of allowing users
    access to a very limited set of resources on the network, primarily on the
    web server for a single application, under their Windows identity, on top of
    a generic user account that logs the workstation on. For that, I would not
    want them to go through all the logon scripts and all the Windows updates
    that might be part of the logon process. I want them to switch context while
    they are in the application in a couple of seconds, upon entering their login
    ID and password. For that, impersonation seems to be a better tool. I hope I
    am explaining my problem clearly.

    Tamara

    THG, Jun 13, 2008
    #4
  5. Joe Kaplan

    Joe Kaplan Guest

    I guess I still don't understand. If you are trying to access a website,
    the login to IIS is a network login which is processed nearly
    instantaneously. There are no login scripts executed.

    Is this a web app or a local app you want to access?

    Joe K.
    --
    Joe Kaplan-MS MVP Directory Services Programming
    Co-author of "The .NET Developer's Guide to Directory Services Programming"
    http://www.directoryprogramming.net
    --
    Joe Kaplan, Jun 14, 2008
    #5
