Andy Fish
Hi,
I have an ASP.NET application in several tiers and I would like to enable it
for NTLM.
Say the web front end is running on server X and the business logic is
running on server Y. In the non-NTLM case, the user types his password into
the web front end and server X passes it to Y in order to authenticate him.
In the NTLM case, the user is already authenticated to X but since X does
not have the password, how can it convince Y that it knows the user is who
he says he is? It seems that I need to add a new Login() method to server Y
which does not require a password (i.e. a security loophole).
Ideally I would like the NTLM authentication to generate some kind of token
that X can get hold of and pass to Y which in turn can pass it to Windows
which will say "yes, that is the correct user". Is there any kind of
mechanism like this in place?
I desperately don't want to have to enable ASP.NET impersonation throughout
the whole application because I know this will give me heaps of other
problems to deal with (file permissions etc.).
Andy