NTLM Authentication with multi-tiered application

Discussion in 'ASP .Net' started by Andy Fish, Jan 9, 2006.

  1. Andy Fish

    Andy Fish Guest

    Hi,

    I have an asp.net application in several tiers and I would like to enable it
    for NTLM.

    Say the web front end is running on server X and the business logic is
    running on server Y. In the non-NTLM case, the user types his password into
    the web front end and server X passes it to Y in order to authenticate him.

    In the NTLM case, the user is already authenticated to X but since X does
    not have the password, how can it convince Y that it knows the user is who
    he says he is? It seems that I need to add a new Login() method to server Y
    which does not require a password (i.e. a security loophole).

    Ideally I would like the NTLM authentication to generate some kind of token
    that X can get hold of and pass to Y which in turn can pass it to windows
    which will say "yes, that is the correct user". Is there any kind of
    mechanism like this in place?

    I desperately don't want to have to enable asp.net impersonation throughout
    the whole application because I know this will give me heaps of other
    problems to deal with (file permissions etc.).

    Andy
    Andy Fish, Jan 9, 2006
    #1

  2. Jim Cheshire

    Jim Cheshire Guest

    Andy Fish wrote:
    > Hi,
    >
    > I have an asp.net application in several tiers and I would like to
    > enable it for NTLM.
    >
    > Ideally I would like the NTLM authentication to generate some kind of
    > token that X can get hold of and pass to Y which in turn can pass it
    > to windows which will say "yes, that is the correct user". is there
    > any kind of mechanism like this in place?
    >


    Hi Andy,

    In fact, NTLM already does that. The problem is that NTLM is explicitly
    designed to not allow delegation of credentials, so you'll see a failure in
    this scenario. The solution is to use Kerberos authentication and enable
    delegation. If you do a KB search for "delegation scenario asp.net", you'll
    hit an article that tells you how to configure it.

    --
    Jim Cheshire
    ================================
    Blog: http://blogs.msdn.com/jamesche

    Latest entry:
    Getting the PID and TID of a COM Call

    Describes how to get the PID of the
    dllhost process a COM call is executing
    in and how to locate the thread as well.
    Jim Cheshire, Jan 9, 2006
    #2
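    The token hand-off Jim describes, shown as an added example that is not code from either poster: tier X impersonates the Kerberos-authenticated caller only around its call to tier Y, and refuses to proceed when the token is not delegation-capable (which is what an NTLM logon produces). It assumes IIS on X is set to Windows (Negotiate) authentication, X's account is trusted for constrained delegation to Y's HTTP service principal, and the tier-Y URL below is a placeholder.

```csharp
// Added example (not from the thread): front-end tier X forwards the caller's
// Kerberos-delegated identity to business tier Y for one call only, instead
// of enabling impersonation for the whole application.
// Assumes: Windows (Negotiate/Kerberos) authentication on X, X trusted for
// constrained delegation to Y's HTTP SPN, and an HTTPS endpoint on Y
// (the URL below is a placeholder).
using System;
using System.IO;
using System.Net;
using System.Security.Principal;
using System.Web;

public static class TierYClient
{
    private const string TierYUrl = "https://tier-y.example.internal/Login"; // placeholder

    public static string CallAsCaller(HttpContext ctx)
    {
        WindowsIdentity caller = ctx.User.Identity as WindowsIdentity;
        if (caller == null || !caller.IsAuthenticated)
            throw new UnauthorizedAccessException("Caller is not Windows-authenticated.");

        // NTLM (or Kerberos without delegation configured) yields an
        // Impersonation-level token: usable on X, but not forwardable to Y.
        // Only a Delegation-level token can be presented to a second hop.
        if (caller.ImpersonationLevel != TokenImpersonationLevel.Delegation)
            throw new InvalidOperationException(
                "Token level is " + caller.ImpersonationLevel +
                "; Kerberos delegation is not in effect, so Y cannot verify the caller.");

        // Impersonate only around the remote call; file access elsewhere in X
        // keeps running as the application pool account.
        using (WindowsImpersonationContext impersonation = caller.Impersonate())
        {
            HttpWebRequest request = (HttpWebRequest)WebRequest.Create(TierYUrl);
            // DefaultCredentials uses the impersonated caller's token, so Y
            // authenticates the real user rather than X's service account.
            request.Credentials = CredentialCache.DefaultCredentials;
            using (WebResponse response = request.GetResponse())
            using (StreamReader reader = new StreamReader(response.GetResponseStream()))
            {
                return reader.ReadToEnd();
            }
        }
    }
}
```

With this in place, Windows authentication on Y sees the delegated user directly, so no password-less Login() method is needed on Y.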
