Single Sign On - from anywhere

David Thielen

Hi;

I think this can be done. I want to be able to do the following:
1) User hits my ASP.NET app from a browser running on Windows XP, and there
is a trust relationship between the domain they are logged in to on their
workstation and the domain of the server I am running on -> I get their
credentials without their having to enter a username/password, and I can then
open files and access a database as them. Using any browser, not just IE.

2) They are on a workgroup (not a domain), or on a system without a trust
relationship, or on a non-Windows O/S; they are then prompted for their
username/password on the domain my server is running on, and once they enter
it, I get their credentials, and I never see or touch their password. And
again, I can then open files & access the database as them.

Can this be done? And if so, any urls to a simple example?
 
L

Luke Zhang [MSFT]

Hello Dave,

Scenario 1 should be Integrated Windows authentication, and
scenario 2 sounds like forms authentication or Windows Basic authentication.
You may consider creating two web applications for the different users that
share the same backend database and business logic. Or, Windows Basic
authentication is also a workaround; all users must input a name and password
anyway.

Luke
 
D

Dominick Baier [DevelopMentor]

Hi,

What do you mean by access files, db etc. - you mean via the browser interface?
Are these resources local or remote to the web server?

1) IE is the only browser that supports kerberos directly. There are NTLM
plugins for Firefox and Mozilla, but AFAIK they don't provide seamless login
(without providing credentials)
2) this could be done with NTLM or some other HTTP auth mechanism

some points:

- for delegation to work you need Kerberos end to end. Only IE supports Kerberos.
IIS6 (in a W2k3 functional level domain) supports transitioning from
non-delegatable protocols like NTLM to Kerberos
- you need SSL - regardless of the authentication technique
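As an added illustration of the points in this reply (this is example code, not code from the thread or from either poster), here is an ASP.NET 2.0 page in C# that refuses non-SSL requests, reports which scheme the browser actually negotiated and whether the resulting Windows token is delegatable, and then tries to open a SQL Server connection as the caller. The server name, database name and class name are hypothetical; it assumes IIS has anonymous access off and Integrated Windows authentication (plus Basic, if non-Windows clients must be served) enabled for the app, and that web.config contains `<authentication mode="Windows"/>`.

```csharp
using System;
using System.Data.SqlClient;
using System.Security.Principal;
using System.Web;
using System.Web.UI;

// Added example, not code from the thread. Assumes IIS has anonymous access
// off and Integrated Windows (and optionally Basic) authentication enabled,
// and <authentication mode="Windows"/> in web.config. Impersonation is done
// explicitly around the database call only, so the app pool identity is used
// for everything else (least privilege for the rest of the request).
public class WhoAmIPage : Page
{
    // Hypothetical server/database names. "Integrated Security=SSPI" is what
    // makes SQL Server authenticate the impersonated caller, not the app pool.
    private const string ConnStr =
        "Data Source=sql01.corp.example;Initial Catalog=AppDb;Integrated Security=SSPI";

    protected override void OnLoad(EventArgs e)
    {
        base.OnLoad(e);

        // No SSL, no authentication: Basic sends the password base64-encoded
        // (effectively in the clear) and the other schemes are only as safe
        // as the channel they run over.
        if (!Request.IsSecureConnection)
        {
            Response.StatusCode = 403;
            Response.Write("HTTPS is required");
            Response.End();
        }

        WindowsIdentity caller = User.Identity as WindowsIdentity;
        if (caller == null || caller.IsAnonymous)
        {
            // Anonymous access is still on in IIS, or the mode is not Windows.
            Response.StatusCode = 401;
            Response.End();
        }

        // AuthenticationType reports what the browser negotiated:
        // "Kerberos"/"Negotiate" (IE on a domain member), "NTLM" (IE off-domain,
        // or an NTLM plug-in in another browser), or "Basic".
        // ImpersonationLevel says whether the token can hop to SQL Server:
        //   Impersonation -> usable for local files only; the hop to SQL Server
        //                    arrives as NT AUTHORITY\ANONYMOUS LOGON
        //   Delegation    -> Kerberos end to end, or protocol transition on W2k3
        // A Basic logon carries the password, so IIS can make the hop with it.
        string who = String.Format("{0} via {1}, token level {2}",
            caller.Name, caller.AuthenticationType, caller.ImpersonationLevel);

        Response.Write(who + " - SQL Server sees: " + QueryAsCaller(caller));
    }

    // Runs a query under the caller's token. The result tells you whether
    // delegation worked (SQL Server reports the same user) or the double hop
    // failed (login error), which is the quickest way to check a deployment.
    private static string QueryAsCaller(WindowsIdentity caller)
    {
        using (WindowsImpersonationContext ctx = caller.Impersonate())
        {
            try
            {
                using (SqlConnection cn = new SqlConnection(ConnStr))
                {
                    cn.Open();
                    using (SqlCommand cmd = new SqlCommand("SELECT SUSER_SNAME()", cn))
                    {
                        return (string)cmd.ExecuteScalar();
                    }
                }
            }
            catch (SqlException ex)
            {
                // Typical double-hop symptom:
                // "Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'".
                return "login failed (" + ex.Message + ") - token not delegatable to this hop";
            }
        }
    }
}
```

Two caveats for this design: connection pooling is per identity once you connect with integrated security under impersonation, so the pool no longer amortises across users; and granting database rights to Windows groups rather than individual users is what keeps the "authorization lives in the database" approach manageable.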
 
D

David Thielen

Hi;

Thanks for your answer. What I want is: the browser talks to my ASP.NET app,
my app gets the request and calls the business logic layer, which then accesses
the database as the user on the browser.

I want to do this (rather than a single connection for all users to the
database) so that database access is limited to what that user has rights to.
It removes my program from all the authorization issues and uses the
authorizations already in existence for the user, their group memberships,
and their rights in the database.

In terms of identifying the user, I prefer not to make them log in since
they already logged in to Windows. I think what you are saying is this is
only possible for IE.

When they do have to log in, I'd prefer that it is done in a way where my
app never sees the password. Is that possible? Or do I need to do a form
login and use the username/password to get their credentials?

Finally, what is the best way to handle repeated logins by someone who is
not running IE from a system on the same domain? I could use a cookie to
identify that they are back (if they select that option) and store their
domain username/password in my DB - but that strikes me as a big security
vulnerability as that data holds peoples username/password.

I could make them log in for each session, but that could honk people off as
they are used to not having to re-enter each time.

??? - thanks - dave
 
D

Dominick Baier [DevelopMentor]

Hi,

as long as there are no revolutionary new plugins for non-IE browsers - SSO
only works with IE.

That's the first important point.

The 2nd is that for the delegation of credentials scenario you describe
you need Kerberos authentication from browser to back-end server (e.g. SQL
Server).
Only IE can "speak" Kerberos, and only if the client is logged on to the domain
(= no external users). There are ways to "convert" an NTLM or Basic auth to
Kerberos; this has some prerequisites, e.g. you need Windows 2003 on your web server
AND on ALL domain controllers.

read more here (essential!): http://msdn.microsoft.com/msdnmag/issues/05/09/SecurityBriefs/default.aspx

At least one plugin I saw for FireFox allowed storing the credentials for
the website on the client (url / credential pair). I would not recommend
"simulating" your own Windows login, as you say this would involve storing
the password somehow - and since "normal" auth is done in IIS and ASP.NET
runs much later - you would also have to enable anonymous access for this
approach to work.

or in other words - if the browser does not support it - you can't support
it either.
 
D

David Thielen

Hi;

Ok, between your posts and the url you gave me I think I've got it for IE.
But for other browsers - what is the best way to do this? Should I prompt
them for their username/password at the start of each session (that way I
don't have to store it)?

--
thanks - dave