THG
We have an Intranet ASP.NET application that is relying on AD security.
We have a business requirement to run our application on shared
workstations. An additional requirement is that users are under time constraints
and use the system on and off during their shift. Up to 4-5 users can share
the same machine during the same shift at the facility. There is no physical
space to install dedicated machines, and mobile devices cannot be used due to
security considerations and the complexity of the application screens.
User identity is a critical part of this application and we cannot allow
users to share the identity. We also cannot require the users to log on and log
out after each data entry session that can be 15 minutes at a time, as log on
takes time under our standard security profiles.
We are looking at all the possible ways to meet the requirements and I am
soliciting ideas; a couple of thoughts so far:
1. Impersonate current user on top of a generic login (I was told that
impersonation "does not stick" under the Windows authentication model - can
somebody confirm or prove this statement wrong?)
2. Make use of the terminal services server and authenticate users based on
the smart card that they would insert into a reader and that user ID would be
passed onto the session on the remote server (seems like an overcomplicated
solution to me)
Any thoughts and pointers to possible technologies would be appreciated.