Lightweight logon? Impersonation? - shared workstation problem

THG

We have an Intranet ASP.NET application that is relying on AD security.

We have a business requirement to run our application on shared
workstations. An additional requirement is that users are under time constraints
and use the system on and off during their shift. Up to 4-5 users can share the
same machine during the same shift at the facility. There is no physical
space to install dedicated machines, and mobile devices cannot be used due to
security considerations and the complexity of the application screens.

User identity is a critical part of this application and we cannot allow
users to share an identity. We also cannot require the users to log on and log
out after each data entry session, which can be 15 minutes at a time, as logon
takes time under our standard security profiles.

We are looking at all the possible ways to meet the requirements and I am
soliciting ideas; a couple of thoughts so far:

1. Impersonate the current user on top of a generic login (I was told that
impersonation "does not stick" under the Windows authentication model - can
somebody confirm or prove this statement wrong?)
2. Make use of a terminal services server and authenticate users based on
the smart card that they would insert into a reader, so that the user ID would be
passed on to the session on the remote server (seems like an overcomplicated
solution to me)

Any thoughts and pointers to possible technologies would be appreciated.
 
Joe Kaplan

Can you disable automatic integrated authentication in IE for the machines
in question so that the users will simply be prompted to enter credentials
when they access the app? Then, have them close the browser when they are
done.

If you have smart cards, you could also just use SSL with client cert auth.
The user would need to enter their smart card and PIN to log in.

Joe K.
 
Joe Kaplan

Basically, if you disable automatic login with Windows Integrated Auth in
the browser, the web app will just challenge the user for credentials and
force them to log in. The login they provide to the server will then not be
coupled to the identity of the login on the workstation itself.

You don't need any impersonation or delegation to make this work, but you
could definitely impersonate the end user in the app if you wanted to and
could delegate if you wanted to as well.

You do need to do something to make sure the browser window is not reused by
something else. Closing it is ideal. :)

Joe K.
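To make the two points in Joe's replies concrete, here is an added example (not code from the thread or from either poster) of how an ASP.NET application sees the identity the browser authenticated with and, if it wants to, impersonates that user for a single resource access. It assumes IIS Windows authentication is enabled with anonymous access disabled for the application, and the `\\fileserver\reports` share and the `name` query parameter are hypothetical placeholders. When the browser's automatic logon is switched off, `User.Identity` is the account the user typed into the credential prompt, not the generic account that logged the workstation on. Impersonation via `WindowsIdentity.Impersonate()` is scoped to the current thread and is reverted when the context is disposed, so it never carries over to the next request, which is the behaviour behind the "does not stick" remark in the original question.

```csharp
// Added example, not part of the original thread. Requires System.Web (classic ASP.NET).
using System;
using System.IO;
using System.Security.Principal;
using System.Web;

public class ReportHandler : IHttpHandler
{
    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        // With IIS Windows authentication, User.Identity is the Windows account
        // the browser authenticated as. If the browser was told not to log on
        // automatically, this is whatever the user entered at the prompt.
        WindowsIdentity caller = context.User.Identity as WindowsIdentity;
        if (caller == null || !caller.IsAuthenticated)
        {
            // No usable Windows token: respond 401 so the browser challenges for credentials.
            context.Response.StatusCode = 401;
            return;
        }

        // Record who actually made the request, independent of the workstation logon.
        context.Trace.Write("auth", "Request by " + caller.Name
            + " (" + caller.AuthenticationType + ")");

        // Hypothetical report location; GetFileName strips any directory components
        // from the user-supplied name so only files directly in the share are reachable.
        string requested = context.Request.QueryString["name"] ?? "";
        string reportPath = Path.Combine(@"\\fileserver\reports", Path.GetFileName(requested));

        // Impersonation is per-thread and lasts only for this using block. It does
        // not persist across requests, so every request that needs it re-impersonates.
        using (WindowsImpersonationContext ctx = caller.Impersonate())
        {
            // Inside the block, the file share's ACLs are evaluated against the
            // caller's account rather than the application pool identity.
            context.Response.ContentType = "text/plain";
            context.Response.Write(File.ReadAllText(reportPath));
        } // Dispose() reverts the thread to the application pool identity
    }
}
```

Register the handler in web.config under `<httpHandlers>` (or `<system.webServer><handlers>` in integrated mode) together with `<authentication mode="Windows" />` and anonymous access disabled in IIS. Nothing in the block depends on the workstation's own logon: closing the browser discards the authenticated session, which is the step Joe stresses.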
 
THG

Joe,

The trick here is that login takes time and therefore your proposed approach
seems to result in a lengthy logon. I am looking at ways of allowing users
access to a very limited set of resources on the network, primarily on the
web server for a single application, under their Windows identity, on top of
a generic user account that logs the workstation on. For that, I would not
want them to go through all the logon scripts and all the Windows updates
that might be part of the logon process. I want them to switch context while
they are in the application in a couple of seconds, upon entering their login ID
and password. For that, impersonation seems to be a better tool. I hope I am
explaining my problem clearly.

Tamara
 
Joe Kaplan

I guess I still don't understand. If you are trying to access a website,
the login to IIS is a network login which is processed nearly
instantaneously. There are no login scripts executed.

Is this a web app or a local app you want to access?

Joe K.