jp
Hi, I'm having a hard time deciding (figuring out) how to implement
security in my ASP.NET application.

Requirements:
- Use Active Directory as the database of users to authenticate against
- Have a login screen
- IIS and the SQL Server database are on different servers (delegation and
Kerberos needed) to make trustedconnection=yes in the connection string
work (no username and password in the connection string).

If I use Windows Authentication in IIS and web.config, everything
works fine, except there is no login screen, so someone can access an
internal application by sitting at someone else's computer if they
are already logged in.

If I use Forms Authentication in .NET and anonymous authentication in
IIS (using a user from the domain) and impersonate=true (so the
anonymous user can access Active Directory for authentication), the
user being impersonated is used to access SQL Server, when I need
the authenticated user to be the one that accesses SQL Server.

The only way I can figure to make the second situation work would be to
have the authenticated user then assume impersonation, and that seems
like it's not a good idea.

Any thoughts or ideas are more than welcome!
Thanks.
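A diagnostic that helps pin down the double-hop problem described above, added here as an example and not code from the original post. It reports the identity ASP.NET authenticated, the Windows identity the worker thread is actually running as (which is what impersonate=true changes), the login SQL Server really sees, and whether the connection used Kerberos or fell back to NTLM; the server and database names are placeholders.

```csharp
using System;
using System.Data.SqlClient;
using System.Security.Principal;
using System.Web;

// Added diagnostic (not from the original post). Call Describe(HttpContext.Current)
// from a page and log or display the result while testing each IIS/web.config setup.
public static class IdentityDiagnostics
{
    // Placeholder server/database names. Integrated Security keeps credentials
    // out of the connection string, which is the poster's requirement.
    private const string ConnString =
        "Data Source=SQLSERVER01;Initial Catalog=AppDb;Integrated Security=SSPI;";

    public static string Describe(HttpContext ctx)
    {
        // Who ASP.NET thinks the request is from. With Windows auth this is the
        // browser user; with Forms auth it is the name in the forms ticket, which
        // is NOT backed by a Windows token and therefore cannot be delegated.
        string requestUser = ctx?.User?.Identity?.Name ?? "(anonymous)";

        // Who the worker thread is executing as. With <identity impersonate="true"/>
        // this is the impersonated account (the anonymous domain user in the
        // poster's second setup), otherwise the application pool identity.
        string threadUser = WindowsIdentity.GetCurrent().Name;

        string sqlLogin, authScheme;
        using (var conn = new SqlConnection(ConnString))
        {
            conn.Open();
            // SUSER_SNAME(): the login SQL Server authenticated this connection as.
            // auth_scheme: KERBEROS is required for the IIS -> SQL Server hop to
            // carry the user's identity; NTLM means delegation is not in place
            // (missing SPN or the IIS computer/account is not trusted for delegation).
            const string sql =
                "SELECT SUSER_SNAME(), auth_scheme " +
                "FROM sys.dm_exec_connections WHERE session_id = @@SPID";
            using (var cmd = new SqlCommand(sql, conn))
            using (var reader = cmd.ExecuteReader())
            {
                reader.Read();
                sqlLogin = reader.GetString(0);
                authScheme = reader.GetString(1);
            }
        }

        // If threadUser and sqlLogin differ from requestUser, you are seeing the
        // poster's symptom: the impersonated account, not the end user, reaches SQL Server.
        return $"request user={requestUser}; thread identity={threadUser}; " +
               $"sql login={sqlLogin}; auth scheme={authScheme}";
    }
}
```

Run it under both configurations described in the post: under Windows Authentication with delegation working, all three names match and the scheme is KERBEROS; under Forms Authentication with impersonate=true, the thread identity and SQL login are the anonymous domain account regardless of who logged in.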