Multiple App Authentication

Discussion in 'ASP .Net' started by GaryDean, May 30, 2007.

  1. GaryDean

    GaryDean Guest

    I have a client with a need for multiple app authentication. The apps are
    all asp.net apps but may be on different servers. The user just wants a
    single logon and them be free to use five or six different asp.net
    applications.

    Is this feasible?

    --
    Regards,
    Gary Blakely
     
    GaryDean, May 30, 2007
    #1
    1. Advertising

  2. You can do this using Forms Authentication against a database provided:
    1) The database is acccessible from all the servers.
    2) the web sites all have the same machine key (not "autogenerate")
    3) The site ID in IIS metabase is the same for each site (e.g. W3Svc/"1" )

    There may be a couple other items I forgot, but that's the basics.
    Peter


    --
    Site: http://www.eggheadcafe.com
    UnBlog: http://petesbloggerama.blogspot.com
    Short urls & more: http://ittyurl.net




    "GaryDean" wrote:

    > I have a client with a need for multiple app authentication. The apps are
    > all asp.net apps but may be on different servers. The user just wants a
    > single logon and them be free to use five or six different asp.net
    > applications.
    >
    > Is this feasible?
    >
    > --
    > Regards,
    > Gary Blakely
    >
    >
    >
     
    =?Utf-8?B?UGV0ZXIgQnJvbWJlcmcgW0MjIE1WUF0=?=, May 30, 2007
    #2
    1. Advertising

  3. GaryDean

    GaryDean Guest

    All of the searches I do for "Forms Authentications against a database" only
    yield discussions of using a data base to store UID and PWD. Is there
    someplace this capability you speak of is discussed?

    --
    Regards,
    Gary Blakely
    "Peter Bromberg [C# MVP]" <> wrote in
    message news:...
    > You can do this using Forms Authentication against a database provided:
    > 1) The database is acccessible from all the servers.
    > 2) the web sites all have the same machine key (not "autogenerate")
    > 3) The site ID in IIS metabase is the same for each site (e.g. W3Svc/"1" )
    >
    > There may be a couple other items I forgot, but that's the basics.
    > Peter
    >
    >
    > --
    > Site: http://www.eggheadcafe.com
    > UnBlog: http://petesbloggerama.blogspot.com
    > Short urls & more: http://ittyurl.net
    >
    >
    >
    >
    > "GaryDean" wrote:
    >
    >> I have a client with a need for multiple app authentication. The apps
    >> are
    >> all asp.net apps but may be on different servers. The user just wants a
    >> single logon and them be free to use five or six different asp.net
    >> applications.
    >>
    >> Is this feasible?
    >>
    >> --
    >> Regards,
    >> Gary Blakely
    >>
    >>
    >>
     
    GaryDean, May 30, 2007
    #3
  4. That's correct, meaning that the Authenticate method is done using a database
    lookup of the user/password (or hashed password) in the database. Are you
    looking for sample code to do this? Here's a very old article, but it's
    still valid:
    http://www.eggheadcafe.com/articles/20020906.asp

    -- Peter
    Site: http://www.eggheadcafe.com
    UnBlog: http://petesbloggerama.blogspot.com
    Short urls & more: http://ittyurl.net




    "GaryDean" wrote:

    > I have a client with a need for multiple app authentication. The apps are
    > all asp.net apps but may be on different servers. The user just wants a
    > single logon and them be free to use five or six different asp.net
    > applications.
    >
    > Is this feasible?
    >
    > --
    > Regards,
    > Gary Blakely
    >
    >
    >
     
    =?Utf-8?B?UGV0ZXIgQnJvbWJlcmcgW0MjIE1WUF0=?=, May 30, 2007
    #4
  5. GaryDean

    Andy Guest

    Suggest you read up on Active Directory and Kerberos security.

    Assuming this is on an office windows network, its likely that the
    users have active directory windows accounts and that there is a
    network domain already setup, where all the various servers that the
    apps run on belong to a common domain.

    If this is so, you can use windows credentials in your apps to
    authenticate users. Credentials are established by the user when they
    log onto windows and are maintained in the form of tokens.

    If your apps run in IIS, you can set the security for the app's
    website to require windows authenticated integration on its advanced
    directory security tab from the properties menu entry when you right
    click a website. Users will have to provide their windows login ID
    and password if they are accessing the site externally before it will
    run. Otherwise, if they are already logged into the network domain,
    IIS will not prompt for credentials and will instead use the
    authorization token given to them to identify them.

    You can also have programs perform the login on behalf of the user to
    a particular app by something similar to:

    App.Credentials = System.Net.CredentialCache.DefaultCredentials

    Active Directory only verifies the identity of the user; its still the
    responsability of your app to decide what to do with the user once
    they are verified to be who they claim to be. Active directory users
    are usually assigned to arbitrary active directory groups you create.
    Your app can check if an identified user belongs to a particular group
    of active directory users to determine what permissions the user has.

    The advantage of using active directory opposed to building your own
    security system is that security is centralized - you can add or
    remove a user to the network, your apps, Microsoft applications, and
    the internet in a single place with a single command, all at the same
    time. The active directory API is not complex, and requires far less
    code to use then building and maintaining a seperate custom security
    database.
     
    Andy, May 30, 2007
    #5
  6. GaryDean

    GaryDean Guest

    I guess I'm not very good at making myself understood. let me try again.

    I have 5 asp.net applications each doing their own Forms authentication
    (maybe by using the same database table but that doesn't matter). So, users
    that use several of the applications have to log onto each one separately.
    They want a single place to log on to all of the applications - a central
    application that will authenticate them for all 5 asp.net applications.
    Database is not the issue.

    --
    Regards,
    Gary Blakely
    "Peter Bromberg [C# MVP]" <> wrote in
    message news:...
    > That's correct, meaning that the Authenticate method is done using a
    > database
    > lookup of the user/password (or hashed password) in the database. Are
    > you
    > looking for sample code to do this? Here's a very old article, but it's
    > still valid:
    > http://www.eggheadcafe.com/articles/20020906.asp
    >
    > -- Peter
    > Site: http://www.eggheadcafe.com
    > UnBlog: http://petesbloggerama.blogspot.com
    > Short urls & more: http://ittyurl.net
    >
    >
    >
    >
    > "GaryDean" wrote:
    >
    >> I have a client with a need for multiple app authentication. The apps
    >> are
    >> all asp.net apps but may be on different servers. The user just wants a
    >> single logon and them be free to use five or six different asp.net
    >> applications.
    >>
    >> Is this feasible?
    >>
    >> --
    >> Regards,
    >> Gary Blakely
    >>
    >>
    >>
     
    GaryDean, May 30, 2007
    #6
  7. GaryDean

    GaryDean Guest

    No, these are web app users and they are not part of any domain nor do we
    want them to use Windows Authentication. We want to use Forms
    authentication - or at least authentication by UID/PWD.

    --
    Regards,
    Gary Blakely
    "Andy" <> wrote in message
    news:...
    > Suggest you read up on Active Directory and Kerberos security.
    >
    > Assuming this is on an office windows network, its likely that the
    > users have active directory windows accounts and that there is a
    > network domain already setup, where all the various servers that the
    > apps run on belong to a common domain.
    >
    > If this is so, you can use windows credentials in your apps to
    > authenticate users. Credentials are established by the user when they
    > log onto windows and are maintained in the form of tokens.
    >
    > If your apps run in IIS, you can set the security for the app's
    > website to require windows authenticated integration on its advanced
    > directory security tab from the properties menu entry when you right
    > click a website. Users will have to provide their windows login ID
    > and password if they are accessing the site externally before it will
    > run. Otherwise, if they are already logged into the network domain,
    > IIS will not prompt for credentials and will instead use the
    > authorization token given to them to identify them.
    >
    > You can also have programs perform the login on behalf of the user to
    > a particular app by something similar to:
    >
    > App.Credentials = System.Net.CredentialCache.DefaultCredentials
    >
    > Active Directory only verifies the identity of the user; its still the
    > responsability of your app to decide what to do with the user once
    > they are verified to be who they claim to be. Active directory users
    > are usually assigned to arbitrary active directory groups you create.
    > Your app can check if an identified user belongs to a particular group
    > of active directory users to determine what permissions the user has.
    >
    > The advantage of using active directory opposed to building your own
    > security system is that security is centralized - you can add or
    > remove a user to the network, your apps, Microsoft applications, and
    > the internet in a single place with a single command, all at the same
    > time. The active directory API is not complex, and requires far less
    > code to use then building and maintaining a seperate custom security
    > database.
    >
    >
    >
    >
    >
     
    GaryDean, May 30, 2007
    #7
  8. Hi Gary,

    To share authentication cookies across multiple ASP.NET web sites, you
    simply ensure use the same machineKey in your web.config files.

    1) To test this, you use following tool to create a machineKey and put it
    in your web site's web.config files:

    http://www.eggheadcafe.com/articles/GenerateMachineKey/GenerateMachineKey.as
    px

    2) When you have logged in to one web site, navigate to second web site in
    the same browser session should identify you as logged. Put a asp:LoginName
    control and you will see the user name.


    If you need to share authentication cookies across ASP.NET 1.1 and 2.0, you
    need to check following article too:

    #How To Share Authentication Cookies across ASP.NET V1.1 and ASP.NET V2.0
    Applications - ScottGu's Blog
    http://weblogs.asp.net/scottgu/archive/2005/12/10/432851.aspx


    Hope this helps.


    Regards,
    Walter Wang (, remove 'online.')
    Microsoft Online Community Support

    ==================================================
    When responding to posts, please "Reply to Group" via your newsreader so
    that others may learn and benefit from your issue.
    ==================================================

    This posting is provided "AS IS" with no warranties, and confers no rights.
     
    Walter Wang [MSFT], May 31, 2007
    #8
  9. GaryDean

    GaryDean Guest

    Walter,
    WOW. it worked!

    thanks,
    Gary Blakely

    "Walter Wang [MSFT]" <> wrote in message
    news:...
    > Hi Gary,
    >
    > To share authentication cookies across multiple ASP.NET web sites, you
    > simply ensure use the same machineKey in your web.config files.
    >
    > 1) To test this, you use following tool to create a machineKey and put it
    > in your web site's web.config files:
    >
    > http://www.eggheadcafe.com/articles/GenerateMachineKey/GenerateMachineKey.as
    > px
    >
    > 2) When you have logged in to one web site, navigate to second web site in
    > the same browser session should identify you as logged. Put a
    > asp:LoginName
    > control and you will see the user name.
    >
    >
    > If you need to share authentication cookies across ASP.NET 1.1 and 2.0,
    > you
    > need to check following article too:
    >
    > #How To Share Authentication Cookies across ASP.NET V1.1 and ASP.NET V2.0
    > Applications - ScottGu's Blog
    > http://weblogs.asp.net/scottgu/archive/2005/12/10/432851.aspx
    >
    >
    > Hope this helps.
    >
    >
    > Regards,
    > Walter Wang (, remove 'online.')
    > Microsoft Online Community Support
    >
    > ==================================================
    > When responding to posts, please "Reply to Group" via your newsreader so
    > that others may learn and benefit from your issue.
    > ==================================================
    >
    > This posting is provided "AS IS" with no warranties, and confers no
    > rights.
    >
     
    GaryDean, Jun 1, 2007
    #9
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. tom
    Replies:
    4
    Views:
    14,280
    jpowers5882
    Oct 24, 2008
  2. NGM
    Replies:
    0
    Views:
    2,362
  3. mimi

    win app and web app

    mimi, Jul 28, 2004, in forum: ASP .Net
    Replies:
    1
    Views:
    350
    Lucas Tam
    Jul 29, 2004
  4. fooooo
    Replies:
    5
    Views:
    957
    Paul Rubin
    May 3, 2005
  5. Jp Calderone
    Replies:
    1
    Views:
    1,379
    Paul Rubin
    May 24, 2005
Loading...

Share This Page