Really confused about authorization/authentication methods in ASP.Net

Discussion in 'ASP .Net Security' started by STom, Aug 7, 2003.

  1. STom

    STom Guest

    I have been reading and reading the Microsoft best practices, articles on
    and on, but still I can't figure out which method to choose to get started.

    Basically, we are using Active directory where all of the users should be
    authorized against before accessing the web site. Here are some of my
    questions:

    1. If I set the virtual directory security property to Integrated Windows
    Authentication and I am using active directory (the web server is in the
    Active Directory domain) won't IIS/ASP.Net automatically authenticate
    against active directory even if I set the web.config file authentication
    mode to 'Windows'?

    2. If it does automatically authenticate and then I want to get the user or
    the user object so I can tell what groups the person belongs in, would I
    code that within the page load of the first page?

    3. Where do I store the user information so I don't have to authenticate
    against active directory for each page?

    4. I have seen many examples on MSDN regarding Forms authentication and
    active directory. I have 'heard' that you should avoid Forms authentication
    but I don't know why. Is there a reason to avoid this way of doing it?

    Thanks for any pointers.

    STom
    STom, Aug 7, 2003
    #1

  2. Some answers:

    | 3. Where do I store the user information so I don't have to authenticate
    | against active directory for each page?

    You don't. That's a problem for IIS/ASP.NET, not for you.

    | 4. I have seen many examples on MSDN regarding Forms authentication and
    | active directory. I have 'heard' that you should avoid Forms authentication
    | but I don't know why. Is there a reason to avoid this way of doing it?

    It depends on your environment. The problem with Forms Authentication is that
    you must write authentication scripts and store authentication data
    somewhere. If you already have the users in AD and your infrastructure
    allows it, use Windows authentication, because it integrates seamlessly with
    AD. If you can't / don't want to use AD, store users in SQL / XML / anywhere
    and use FormsAuthentication.

    Best of all: when changing between Forms and Windows authentication, you
    don't have to rewrite your application.

    --
    Michal A. Valasek, Altair Communications, http://www.altaircom.net
    Please do not reply to this e-mail, for contact see http://www.rider.cz
    Michal A. Valasek, Aug 7, 2003
    #2
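Worked example for the "you don't have to rewrite your application" point (added here; it is not Michal's code and not from the thread): a page that only talks to the IPrincipal ASP.NET attaches to the request, so it runs the same whether the web.config says Windows or Forms. The web.config fragment, the CORP domain and the group names are assumptions.

```csharp
// Added example, not code from the thread. An ASP.NET Web Forms page that
// works unchanged under Windows or Forms authentication because it only
// talks to the IPrincipal ASP.NET attaches to the request.
//
// Assumed web.config for the Windows case (the IIS virtual directory has
// Integrated Windows Authentication on and Anonymous access off):
//
//   <configuration>
//     <system.web>
//       <authentication mode="Windows" />
//       <authorization>
//         <deny users="?" />                    <!-- reject anonymous -->
//         <allow roles="CORP\WebApp-Users" />   <!-- assumed AD group -->
//         <deny users="*" />
//       </authorization>
//     </system.web>
//   </configuration>
//
// Moving to Forms changes the <authentication> element and adds a login
// page that issues the ticket; this page stays as it is.
using System;
using System.Collections.Generic;
using System.Security.Principal;
using System.Web.UI;

public partial class Default : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // Under Windows auth ASP.NET has already built a WindowsPrincipal from
        // the token IIS negotiated; under Forms it is a GenericPrincipal with a
        // FormsIdentity. Identity.Name and IsInRole exist on both.
        IPrincipal user = User;
        if (user == null || !user.Identity.IsAuthenticated)
        {
            // <deny users="?"/> should make this unreachable; fail closed anyway.
            Response.StatusCode = 401;
            Response.End();
            return;
        }

        string userName = user.Identity.Name;                 // e.g. CORP\jdoe (assumed)
        bool isAdmin = user.IsInRole(@"CORP\WebApp-Admins");  // assumed AD group

        // Nothing is cached by the application: with a WindowsPrincipal the
        // role check reads the group SIDs in the logon token, which the domain
        // controller filled in when the token was created, so asking "what
        // groups is this person in?" on every page costs no AD round trip.
        IList<string> groups = GroupNames(user.Identity);
        // ... render userName, isAdmin and groups as needed
    }

    // Translate the token's group SIDs to DOMAIN\Group names (.NET 2.0+).
    // Returns an empty list for non-Windows identities (e.g. FormsIdentity).
    internal static IList<string> GroupNames(IIdentity identity)
    {
        List<string> names = new List<string>();
        WindowsIdentity win = identity as WindowsIdentity;
        if (win == null || win.Groups == null)
            return names;

        foreach (IdentityReference sid in win.Groups)
        {
            try
            {
                names.Add(sid.Translate(typeof(NTAccount)).Value);
            }
            catch (IdentityNotMappedException)
            {
                names.Add(sid.Value); // SID of a deleted group; keep the raw S-1-... form
            }
        }
        return names;
    }
}
```

The authorization section in web.config does the per-request gate; the page code only consumes User.Identity and IsInRole, which is why switching the authentication mode does not touch it.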

  3. STom

    Tom Guest

    > 1. If I set the virtual directory security property to Integrated Windows
    > Authentication and I am using active directory (the web server is in the
    > Active Directory domain) won't IIS/ASP.Net automatically authenticate
    > against active directory even if I set the web.config file authentication
    > mode to 'Windows'?

    It depends on the web client used. When you use IE 2.0 or higher you get
    NTLM authentication in the context of the current user. For
    Negotiate/Kerberos you need Windows 2000 on both sides and an IE 6.0
    client (you have to enable Integrated authentication in the options menu
    and set one key in the registry to make Negotiate the default one).


    > 2. If it does automatically authenticate and then I want to get the user or
    > the user object so I can tell what groups the person belongs in, would I
    > code that within the page load of the first page?

    You can do it wherever you want to; the information is easy to access.


    > 3. Where do I store the user information so I don't have to authenticate
    > against active directory for each page?

    Bad question: you will not be able to authenticate with IE 6.0 other than
    with the currently logged-on user's credentials when using integrated
    authentication. So you will never type any user name and password in this
    authentication scenario; browsing will be transparent. When you change the
    authentication to Basic, IIS will request the user name and password on the
    user's first access and will hold the opened connection. This is a matter
    between the client (in your case IE) and the browser.

    > 4. I have seen many examples on MSDN regarding Forms authentication and
    > active directory. I have 'heard' that you should avoid Forms authentication
    > but I don't know why. Is there a reason to avoid this way of doing it?

    I think Forms authentication is the classical way where the user name and
    password are given via a simple web form and are sent from the client as
    clear text in the login request. It's the same problem as with Basic
    authentication without SSL: the password and user name are easy to sniff.

    Tom
    Tom, Aug 7, 2003
    #3
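Worked example for the Forms-plus-AD case and the clear-text objection above (added here; it is not Tom's code and not from the thread): a Forms login page that validates the submitted credentials against Active Directory and refuses to run over plain HTTP, with the ticket cookie forced onto TLS. It assumes .NET 3.5 or later (System.DirectoryServices.AccountManagement), a domain named corp.example, and an .aspx with the control names shown; all of those are assumptions.

```csharp
// Added example, not code from the thread. A Forms-authentication login page
// that checks the submitted user name and password against Active Directory
// and closes the clear-text hole described above by refusing to run over
// plain HTTP and by requiring TLS for the ticket cookie.
//
// Assumptions: .NET 3.5 or later (System.DirectoryServices.AccountManagement),
// a domain called corp.example, and an .aspx with txtUser, txtPassword,
// lblError and a btnLogin button wired to btnLogin_Click.
//
// Assumed web.config fragment:
//
//   <system.web>
//     <authentication mode="Forms">
//       <forms loginUrl="~/Login.aspx" requireSSL="true" protection="All"
//              cookieless="UseCookies" timeout="20" slidingExpiration="true" />
//     </authentication>
//     <authorization>
//       <deny users="?" />
//     </authorization>
//     <httpCookies httpOnlyCookies="true" requireSSL="true" />
//   </system.web>
using System;
using System.DirectoryServices.AccountManagement;
using System.Web.Security;
using System.Web.UI;

public partial class Login : Page
{
    const string Domain = "corp.example";          // assumed domain name
    const ContextOptions SecureBind =
        ContextOptions.Negotiate | ContextOptions.Sealing | ContextOptions.Signing;

    protected void btnLogin_Click(object sender, EventArgs e)
    {
        // The clear-text objection: never accept a password over an
        // unencrypted connection, even if the HTTPS redirect was skipped.
        if (!Request.IsSecureConnection)
        {
            Response.StatusCode = 403;
            Response.End();
            return;
        }

        string user = (txtUser.Text ?? string.Empty).Trim();
        string password = txtPassword.Text ?? string.Empty;

        if (user.Length == 0 || password.Length == 0 || !ValidateAgainstAd(user, password))
        {
            // One message for unknown user and wrong password: no user enumeration.
            lblError.Text = "Invalid user name or password.";
            return;
        }

        // AD is consulted once, here. From now on the encrypted and signed ticket
        // cookie (protection="All") carries the identity; with requireSSL="true"
        // ASP.NET marks it Secure, and httpOnlyCookies keeps script away from it.
        FormsAuthentication.SetAuthCookie(user, false /* no persistent cookie */);

        string returnUrl = Request.QueryString["ReturnUrl"];
        Response.Redirect(IsLocalUrl(returnUrl) ? returnUrl : "~/", false);
    }

    // Bind to the domain as the caller. Negotiate with sealing and signing keeps
    // the web-server-to-DC exchange off the wire in clear text as well.
    internal static bool ValidateAgainstAd(string user, string password)
    {
        try
        {
            using (PrincipalContext ctx = new PrincipalContext(ContextType.Domain, Domain, null, SecureBind))
            {
                return ctx.ValidateCredentials(user, password, SecureBind);
            }
        }
        catch (PrincipalServerDownException)
        {
            return false;   // fail closed when no domain controller answers
        }
    }

    // Only app-local paths may be used as the post-login redirect target, so the
    // login page cannot be turned into an open redirect ("//host" and "/\host" included).
    internal static bool IsLocalUrl(string url)
    {
        if (string.IsNullOrEmpty(url) || url[0] != '/') return false;
        if (url.Length > 1 && (url[1] == '/' || url[1] == '\\')) return false;
        return true;
    }
}
```

ValidateCredentials performs a bind as the submitted user and discards the password; the application stores nothing about the user beyond the ticket, which is the Forms-mode counterpart of the "you don't store it" answer earlier in the thread.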
