login control blues

[ChandrikaHarathi]

I am cross posting from another group hoping to get a feed back:

I need to build a simple web apps with login control authenticating
with AD. Looking from security point:
1. web.config : connection strings etc.
OR
2. build my own onAuthenticate method calling ... a pre-compiled dll.
The dll will be a class file that uses directoryservices to validate
user.
This is asp.net 2.0 on win2k+3

 

[Joe Kaplan]

If you are using the .NET 2.0 and absolutely must to do forms auth with AD,
you should use the ActiveDirectoryMembershipProvider. It does the right
stuff and eliminates most of the questions.

Whatever you do, you really don't want to use S.DS for authentication. It
scales very poorly in this scenario. The AD membership provider uses
S.DS.Protocols to work around the limitations in the underlying ADSI model
for bind authentication.

Joe K

 

[ChandrikaHarathi]

Thanks Joe,
Could you expand on the ActivedirectoryMembershipProvider. I am new
to .net 2.0. I have to validate uid-pwd combination and this will not
be an intranet site, so I think form authentication is the solution
here. The requirements other parts of the web-site are straight but
need this AD validation to be strong.
Thanks,

 

[Joe Kaplan]

The AD membership provider fits into the ASP.NET 2.0 membership provider
framework which allows for flexibility with the underlying user store
mechanism. There are other membership providers as well for stores like
SQL.

There is a nice article on using the AD membership provider from the
patterns and practices team:

http://msdn2.microsoft.com/en-us/library/ms998360.aspx

Joe K.

 

[ChandrikaHarathi]

Hello Joe,
I used the article you mentioned to initially create a test site:
I do not need pwdreset/unlock acct etc not remember pwd or create
acct.

Having account Lockout on default number of failed attempts should
work -- did not test this.

My above "template" works only if I use my domain credentials on the
providers connectionUsername and ConenctionPassword. I was given a
service account that does not work, it returns the login-control
error message. I will check with infrastructure gp about the service
acct.

How to secure the web.config?? I did see an encrypt procedure on msdn,
Is that the best way ?

As always: your advice is the best.
thanks,

 

[Joe Kaplan]

I'm not an expert on encrypting the web.config, but the built in stuff in
ASP.NET 2.0 should be the way to go. You would need to read up on that or
ask someone else.

Ideally, you would be able to configure the provider to use the App Pool
identity in IIS for doing the queries to AD. If the server is domain joined
(it might not be), then the machine account for the server should have the
necessary permissions to execute the required LDAP queries.

If the machine is not domain joined, then you'll need plaintext creds and
will need to secure them somehow. I would think you would be able to use a
fixed service account instead of needing to use your personal domain creds.

Joe K.