Windows Authentication, Single sign on and Active Directory

[SP]

Hello All,

First of all, let me make it very clear that I do not have any idea about
implementing the windows authentication, so all inputs would be appreciated.

The scenario :
I have a client - server application. At the moment, the passwords for the
users are stored in a password storage (encrypted). The client app shows a
login dialog, gets the username and password and sends it to the server
where the server verifies it against the password store. I would like to
move to a position where the user does not need to enter the username and
password, If they are logged on to the domain, they should go straight in.
The application is written in C# (client app) accessing the ASP.NET web
services. All of it is done in .NET framework 2.0

The way I have figured out so far is as follows :
On the client side,
1) Get the user's identity
2) Send this to the server
On the server side :
3) Validate the user's identity against the active directory
4) If the user is valid, the normal process of using the application
continues.

In the process of trying this, I have done the following:
1) Get the user's identity
System.Security.Principal.WindowsIdentity.GetCurrent().User.Value
2) send it to server (the value returned from the above call is string) so I
send it as it is.

On the server side
3) I try and create the SecurityIdentifier object as follows :
System.Security.Principal.SecurityIdentifier sid = new
SecurityIdentifier(sddlIdentity);
this call is okay. From here I don't know where to go and how to validate
this agains the active directory. I had a look at AD objects and it seems
the SID should be available in some tokengroups but this is where I have got
completely lost. (On a sidenote :Another thing is, If I try and use AD
searching, I get an error possibly because the call is run as ASPNET user
which does not have access to AD)

Kindly help me in achieving this or if this method is not the correct way of
achieving my goal, advise me accordingly.

TIA,

SP

 

[Joe Kaplan]

The more straightforward way to do this is to enable integrated Windows
authentication on the web services. If the user is logged into the domain
when running the client app, all you need to do is set the Credentials
property on your web service proxy classes to use DefaultCredentials and the
user will log in automatically (assuming the web server is also a member of
the domain).

Your web services can then determine the identity of the authenticated user
with Context.User.Identity.Name.

The other alternatively to consider would be to use WCF or WSE3 or something
to implement some sort of message level security.

I would recommend that you NOT try to implement your own authentication
protocol. It is not easy to get right.

Joe K.

 

[SP]

Thanks for the input Joe,

I do not want to implement my own protocol and anything readymade is
definitely the best option for me. I just got carried away reading lots of
different articles on internet but could not get anywhere in practice. I
think I was looking to replace the existing mechanism on a like for like
substitute.

One of the problems is, I need to keep the login dialog as well, in case if
a user logs in to the client machine outside the domain, then he should be
able to key in his credentials. The server is always in the domain. for
example, I am a domain usee as MyDomain\SP. On a client machine, if I am
logged in as one, then I want the application to not show me a login dialog.
If I am not logged on to the domain, I would like for the application to
show me a login dialog where I may enter MyDomain\SP as user and my password
to start using the application

As I had previously said, I don't know how to do it so can you please point
me to some examples if possible?

TIA,

--SP

 

[Joe Kaplan]

The best thing to do would be to catch the appropriate exception if the web
service proxy client fails to connect due to authentication failure and then
prompt the user for credentials. You can then create a NetworkCredentials
object that contains the plain text credentials and use that instead of the
DefaultCredentials. This gives you SSO for users logged in to the desktop
but gives you a mechanism to handle situations where it doesn't work. This
is actually how the browser tends to work as well.

I can't remember the exact exception, but I'm sure you can figure it out
quickly through a little testing.

If you were working in an internet scenario instead of intranet, you might
also want to consider the possibility of using Basic authentication with
SSL. That will require you to always prompt for credentials, but is the
most flexible. Note that you should almost certainly be using SSL with the
web services anyway, as it is generally important to protect any
authenticated web traffic at the transport level, no matter what
authentication protocol you are using.

Joe K.

 

[SP]

Joe,

this does make sense, I'll try and proceed in this direction and see where
and how it goes. One thing I am not sure about is where and how active
directory is getting involved in here? Does it all happen behind the scene /
under the hood for me? What will happen if there is something else in place
of AD?

I think by now it must be obvious to you that I am a complete novice to this
whole thing.

--SP

 

[Joe Kaplan]

AD is primarily behind the scenes. At the web server, the machine is able
to authenticate incoming domain members as a result of being a domain member
and being able to communicate with AD using its Kerberos or NTLM features.
Same goes for the clients. The client can authenticate with the domain
controller's KDC and get a service ticket to access the web server if
Kerberos is being used or will negotiate down to NTLM otherwise.

If there is no AD, your web server is probably a workgroup mode machine. In
that case, the web server can only authenticate IDs defined on the local
machine. I wouldn't suggest you use this architecture if AD is not in the
mix.

Joe K.

 

[SP]

Thanks Joe,

I changed the IIS setting to not allow anonymous access and in the Proxy, I
added a line like this :
this.Credentials = System.Net.CredentialCache.DefaultNetworkCredentials;

and it seems to be doing the main thing correctly.

One obvious difference I noticed was, quite a few of the images do not
appear now. I think this might be because the images are accessible only to
ASPNET user whereas with the changes I made, these physical files are being
accessed by me (SP user) and may not have access to them. Is my thinking
correct? Is this where I'll have to use impersonation? or is there a simpler
way out?

I guess its a new topic for discussion.

--SP

 

[Joe Kaplan]

This is probably an NTFS permissions problem. Make sure the authenticate
users have rights on the file system to these objects as well.

Good idea to start a new thread.

Joe K.