NTLM Authentication with multi-tiered application


Andy Fish

Hi,

I have an asp.net application in several tiers and I would like to enable it
for NTLM.

Say the web front end is running on server X and the business logic is
running on server Y. In the non-NTLM case, the user types his password into
the web front end and server X passes it to Y in order to authenticate him.

In the NTLM case, the user is already authenticated to X but since X does
not have the password, how can it convince Y that it knows the user is who
he says he is? It seems that I need to add a new Login() method to server Y
which does not require a password (i.e. a security loophole).

Ideally I would like the NTLM authentication to generate some kind of token
that X can get hold of and pass to Y which in turn can pass it to Windows
which will say "yes, that is the correct user". Is there any kind of
mechanism like this in place?

I desperately don't want to have to enable asp.net impersonation throughout
the whole application because I know this will give me heaps of other
problems to deal with (file permissions etc)

Andy
 

Jim Cheshire

Andy said:
Hi,

I have an asp.net application in several tiers and I would like to
enable it for NTLM.

Ideally I would like the NTLM authentication to generate some kind of
token that X can get hold of and pass to Y which in turn can pass it
to windows which will say "yes, that is the correct user". is there
any kind of mechanism like this in place?

Hi Andy,

In fact, NTLM already does that. The problem is that NTLM is explicitly
designed to not allow delegation of credentials, so you'll see a failure in
this scenario. The solution is to use Kerberos authentication and enable
delegation. If you do a KB search for "delegation scenario asp.net", you'll
hit an article that tells you how to configure it.

--
Jim Cheshire
================================
Blog: http://blogs.msdn.com/jamesche

Latest entry:
Getting the PID and TID of a COM Call

Describes how to get the PID of the
dllhost process a COM call is executing
in and how to locate the thread as well.
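As an added illustration of Jim's point (this is example code, not from either poster or from the KB article he refers to): on the front-end server X, the token IIS hands to ASP.NET already identifies the user, but whether it can be used for the second hop to Y depends on its impersonation level, and an NTLM token never reaches the Delegation level. The helper below assumes an ASP.NET application running under IIS with `<authentication mode="Windows" />` and the Kerberos-plus-delegation setup Jim describes; it inspects the caller's `WindowsIdentity`, reports why a call to Y would fail before it does, and impersonates the user only for the duration of that one call rather than application-wide. The class and method names are my own.

```csharp
using System;
using System.Security.Principal;

// Added diagnostic helper for the double-hop scenario (hypothetical, not the
// thread's code). Assumes Windows authentication is enabled in IIS/ASP.NET.
public static class DelegationDiagnostics
{
    public sealed class Result
    {
        public string UserName;
        public string AuthenticationType;   // typically "NTLM", "Kerberos" or "Negotiate"
        public TokenImpersonationLevel Level;
        public bool CanReachSecondHop;      // true only for a Delegation-level token
    }

    // Inspect the token the front end (server X) received for this request.
    public static Result Inspect(IPrincipal principal)
    {
        var identity = principal != null ? principal.Identity as WindowsIdentity : null;
        if (identity == null || !identity.IsAuthenticated)
            throw new InvalidOperationException(
                "Request was not authenticated with Windows authentication.");

        return new Result
        {
            UserName = identity.Name,
            AuthenticationType = identity.AuthenticationType,
            Level = identity.ImpersonationLevel,
            // Only a Delegation-level token lets X authenticate to Y as the user;
            // Impersonation-level tokens are valid on X alone.
            CanReachSecondHop = identity.ImpersonationLevel == TokenImpersonationLevel.Delegation
        };
    }

    // Explain the outcome an operator would otherwise only see as an
    // "anonymous logon" or access-denied error on server Y.
    public static string Explain(Result r)
    {
        if (r.CanReachSecondHop)
            return string.Format(
                "{0} authenticated via {1}; the token is delegable, so the call to Y can authenticate as the user.",
                r.UserName, r.AuthenticationType);

        if (r.AuthenticationType == "NTLM")
            return string.Format(
                "{0} authenticated via NTLM; NTLM tokens cannot be delegated, so the hop to Y will not carry the user. " +
                "Use Kerberos and enable delegation for X's service account.",
                r.UserName);

        return string.Format(
            "{0} authenticated via {1} but the token level is {2}; X's service account is not trusted for delegation to Y.",
            r.UserName, r.AuthenticationType, r.Level);
    }

    // Impersonate the caller only around the single call to the business tier,
    // so file access and everything else on X keeps running as the app pool
    // account (addresses Andy's objection to application-wide impersonation).
    public static T CallBackendAsUser<T>(IPrincipal principal, Func<T> callToServerY)
    {
        var identity = (WindowsIdentity)principal.Identity;
        using (identity.Impersonate())
        {
            // Any authenticated channel opened here (WCF, remoting, HTTP with
            // Windows auth) presents the user's Kerberos ticket to Y.
            return callToServerY();
        }
    }
}
```

Call `DelegationDiagnostics.Inspect(HttpContext.Current.User)` from a page or controller and log `Explain(...)` once at startup or in a health check; if the level is not `Delegation`, the fix is on the Kerberos side (SPNs and delegation settings for X's service account), not in application code. Prefer constrained delegation to Y's specific service over unconstrained delegation, since the latter lets X's account act as the user against any service.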