Multiple App Authentication

GaryDean

I have a client with a need for multiple app authentication. The apps are
all asp.net apps but may be on different servers. The user just wants a
single logon and then be free to use five or six different asp.net
applications.

Is this feasible?
 
Guest

You can do this using Forms Authentication against a database provided:
1) The database is accessible from all the servers.
2) The web sites all have the same machine key (not "autogenerate")
3) The site ID in IIS metabase is the same for each site (e.g. W3Svc/"1" )

There may be a couple other items I forgot, but that's the basics.
Peter
 
GaryDean

All of the searches I do for "Forms Authentications against a database" only
yield discussions of using a database to store UID and PWD. Is there
someplace this capability you speak of is discussed?
 
Andy

Suggest you read up on Active Directory and Kerberos security.

Assuming this is on an office windows network, it's likely that the
users have active directory windows accounts and that there is a
network domain already setup, where all the various servers that the
apps run on belong to a common domain.

If this is so, you can use windows credentials in your apps to
authenticate users. Credentials are established by the user when they
log onto windows and are maintained in the form of tokens.

If your apps run in IIS, you can set the security for the app's
website to require windows authenticated integration on its advanced
directory security tab from the properties menu entry when you right
click a website. Users will have to provide their windows login ID
and password if they are accessing the site externally before it will
run. Otherwise, if they are already logged into the network domain,
IIS will not prompt for credentials and will instead use the
authorization token given to them to identify them.

You can also have programs perform the login on behalf of the user to
a particular app by something similar to:

App.Credentials = System.Net.CredentialCache.DefaultCredentials

Active Directory only verifies the identity of the user; it's still the
responsibility of your app to decide what to do with the user once
they are verified to be who they claim to be. Active directory users
are usually assigned to arbitrary active directory groups you create.
Your app can check if an identified user belongs to a particular group
of active directory users to determine what permissions the user has.

The advantage of using active directory opposed to building your own
security system is that security is centralized - you can add or
remove a user to the network, your apps, Microsoft applications, and
the internet in a single place with a single command, all at the same
time. The active directory API is not complex, and requires far less
code to use than building and maintaining a separate custom security
database.
 
GaryDean

I guess I'm not very good at making myself understood. Let me try again.

I have 5 asp.net applications each doing their own Forms authentication
(maybe by using the same database table but that doesn't matter). So, users
that use several of the applications have to log onto each one separately.
They want a single place to log on to all of the applications - a central
application that will authenticate them for all 5 asp.net applications.
Database is not the issue.
 
GaryDean

No, these are web app users and they are not part of any domain nor do we
want them to use Windows Authentication. We want to use Forms
authentication - or at least authentication by UID/PWD.
 
Walter Wang [MSFT]

Hi Gary,

To share authentication cookies across multiple ASP.NET web sites, you
simply ensure that you use the same machineKey in your web.config files.

1) To test this, use the following tool to create a machineKey and put it
in your web site's web.config files:

http://www.eggheadcafe.com/articles/GenerateMachineKey/GenerateMachineKey.aspx

2) When you have logged in to one web site, navigating to the second web site
in the same browser session should identify you as logged in. Put an
asp:LoginName control and you will see the user name.


If you need to share authentication cookies across ASP.NET 1.1 and 2.0, you
need to check the following article too:

#How To Share Authentication Cookies across ASP.NET V1.1 and ASP.NET V2.0
Applications - ScottGu's Blog
http://weblogs.asp.net/scottgu/archive/2005/12/10/432851.aspx


Hope this helps.


Regards,
Walter Wang ([email protected], remove 'online.')
Microsoft Online Community Support

==================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
==================================================

This posting is provided "AS IS" with no warranties, and confers no rights.
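
The shared-cookie setup described in this thread, as an added web.config sketch that is not part of any poster's message: the same fragment goes into every application that should accept the single login. The key values are placeholders to be filled with locally generated random hex, and the cookie name, the `example.com` domain and the login URL are constructed for illustration.

```xml
<!-- Added example, not from the thread. Use identical values in the
     web.config of every application that should honour the shared login. -->
<configuration>
  <system.web>
    <!-- Explicit keys instead of the default AutoGenerate, so each server can
         validate and decrypt a ticket issued by any of the others.
         Placeholders: fill with your own random values and treat them as secrets.
         validationKey: 128 hex characters; decryptionKey: 64 hex characters (AES-256).
         On ASP.NET 4.0 and later, validation="HMACSHA256" is also available. -->
    <machineKey
        validationKey="REPLACE_WITH_128_HEX_CHARACTERS"
        decryptionKey="REPLACE_WITH_64_HEX_CHARACTERS"
        validation="SHA1"
        decryption="AES" />

    <authentication mode="Forms">
      <!-- name, path and protection must match in every application.
           domain (constructed value) makes the browser send the cookie to
           app1.example.com, app2.example.com and so on; hosts without a
           common parent domain cannot share a cookie this way.
           loginUrl (hypothetical) sends unauthenticated users to one central
           login page; returning them to the originating app is not shown. -->
      <forms
          name=".SHAREDAUTH"
          loginUrl="https://login.example.com/Login.aspx"
          protection="All"
          path="/"
          domain="example.com"
          requireSSL="true"
          timeout="30"
          slidingExpiration="true" />
    </authentication>

    <authorization>
      <!-- Reject anonymous users so a missing or invalid ticket forces a login. -->
      <deny users="?" />
    </authorization>
  </system.web>
</configuration>
```

Anyone who obtains these keys can forge a valid authentication ticket for all of the applications, so restrict access to the web.config files accordingly.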
 
