I would like to know the best way to store credentials in a c# application.
I am writing some administrative tools and will need to store username and
password information for a domain account with elevated privileges. While I
am sure this is not a "best practice" I have not come up with a way around
this as not all users of the app will have the permissions on their accounts.
Any advice is most appreciated.
Thanks
--
Adam S
Hi Adam,
There is a lot of discussion on the best practice for storing passwords
securely. Basically, you may use the Data Protection API, such as
CryptProtectMemory and CryptProtectData, to encapsulate the clear text
password. .NET also provides some encryption classes for this purpose. I
would recommend the articles below for you:
"How To Store Secrets On A Machine" http://pluralsight.com/wiki/default....StoreSecretsOnAMachine
"The Art & Science of Storing Passwords" http://www.codeproject.com/cs/algori...gPasswords.asp
"Secure Coding Technique: A Better C# Password Dialog Box" http://www.codeproject.com/csharp/passworddialog.asp
Additionally, MSDN contains 2 best practice articles on handling passwords
in Win32, for your information:
"Password Threat Assessment" http://msdn2.microsoft.com/en-us/library/ms717800.aspx
"Threat Mitigation Techniques" http://msdn2.microsoft.com/en-us/library/ms717803.aspx
Hope it helps.
Best regards,
Jeffrey Tan
Microsoft Online Community Support
==================================================
Get notification to my posts through email? Please refer to http://msdn.microsoft.com/subscripti...ult.aspx#notifications.
Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 1 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by contacting
Microsoft Customer Support Services (CSS) at http://msdn.microsoft.com/subscripti...t/default.aspx.
==================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
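The Data Protection API approach mentioned in the reply above, shown through the managed `ProtectedData` wrapper. This is an added example, not code from the thread or the linked articles; the class name, file name, entropy string and sample password are hypothetical.

```csharp
using System;
using System.IO;
using System.Security.Cryptography; // ProtectedData: System.Security.dll on .NET Framework,
                                    // System.Security.Cryptography.ProtectedData package on .NET Core and later
using System.Text;

static class DpapiSecretStore
{
    // Hypothetical per-application entropy. It is not a key: any code that runs
    // as the same user and knows this value can still decrypt the blob.
    static readonly byte[] Entropy = Encoding.UTF8.GetBytes("AdminTool.v1 (example)");

    // Encrypts the secret for the current Windows user and writes the blob to disk.
    public static void Save(string path, string secret)
    {
        byte[] plain = Encoding.UTF8.GetBytes(secret);
        try
        {
            byte[] blob = ProtectedData.Protect(plain, Entropy, DataProtectionScope.CurrentUser);
            File.WriteAllBytes(path, blob);
        }
        finally
        {
            Array.Clear(plain, 0, plain.Length); // best effort; the managed string copy stays until GC
        }
    }

    // Returns the secret, or null when this user cannot decrypt the blob
    // (different account, different machine, or a modified file).
    public static string Load(string path)
    {
        try
        {
            byte[] plain = ProtectedData.Unprotect(File.ReadAllBytes(path), Entropy,
                                                   DataProtectionScope.CurrentUser);
            try { return Encoding.UTF8.GetString(plain); }
            finally { Array.Clear(plain, 0, plain.Length); }
        }
        catch (CryptographicException)
        {
            return null;
        }
    }

    static void Main()
    {
        string path = Path.Combine(Path.GetTempPath(), "admintool-secret.bin");
        Save(path, "constructed-sample-password"); // constructed sample value
        Console.WriteLine(Load(path) == "constructed-sample-password"
            ? "round trip ok for this user" : "decrypt failed");
        File.Delete(path);
    }
}
```

With `DataProtectionScope.CurrentUser`, anything running as that user can call `Unprotect`, so this protects the blob from other accounts and offline copies but not from the person running the tool. `DataProtectionScope.LocalMachine` widens decryption to every account on the machine.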
Adam,
Quite simply, don't do it. You are asking for a world of hurt if you
do. Also, to be quite honest, I'm horrified that an MS employee would
advocate such a thing.
If anything, you should query for a user account/password combo and then
use the LoginUser API (or is it Logon) to log that user in, and then
impersonate that user.
--
- Nicholas Paldino [.NET/C# MVP]
- mv*@spam.guard.caspershouse.com
Hi Nicholas,
I am not advocating storing passwords in application memory. As Adam already
pointed out himself, he knows that this is not a "best practice". However,
there will be scenarios where the application really needs to store a password.
Per the request of the poster, I am providing the best practice articles on
dealing with passwords.
Thanks.
Best regards,
Jeffrey Tan
Microsoft Online Community Support
"Nicholas Paldino [.NET/C# MVP]" <mv*@spam.guard.caspershouse.com> wrote in message news:27**********************************@microsoft.com...
> Adam,
> Quite simply, don't do it. You are asking for a world of hurt if you
> do. Also, to be quite honest, I'm horrified that an MS employee would
> advocate such a thing.
> If anything, you should query for a user account/password combo and
> then use the LoginUser API (or is it Logon) to log that user in, and then
> impersonate that user.
The scenario of the OP seems to be, that the user shouldn't know the login.
from OP: "not all users of the app will have the permissions on their
accounts."
Christof
If it is a network application, could you not centralise the
"Administrative" tools in an internal web service or installed component?
Then there is no need to store the password as the centralised component
would be installed to run under the correct credentials.
Nick,
Your recommendation would be to store the username and password in a
database? I guess I am trying to figure out how that is going to help me out
in this scenario. Can you offer any additional info?
Thanks
--
Adam S
I get that, but I can't even begin to tell you what a monumentally bad
idea that is. If a user doesn't have permission to perform an action, there
is a very good reason for it, and if they need to perform an action, they
should know the credentials of an account which can perform it, or they
should be given rights to do it.
--
- Nicholas Paldino [.NET/C# MVP]
- mv*@spam.guard.caspershouse.com
No, I'm saying that you really should get your permissions set up
correctly and not embed username and password information in your app. The
fact of the matter is that if you embed this information in your app, then
the likelihood of that information being extracted and users increases.
Better that you don't give them that opportunity.
--
- Nicholas Paldino [.NET/C# MVP]
- mv*@spam.guard.caspershouse.com
"Nicholas Paldino [.NET/C# MVP]" <mv*@spam.guard.caspershouse.com> wrote in message news:8A**********************************@microsoft.com...
> I get that, but I can't even begin to tell you what a monumentally bad
> idea that is. If a user doesn't have permission to perform an action,
> there is a very good reason for it, and if they need to perform an action,
> they should know the credentials of an account which can perform it, or
> they should be given rights to do it.
But when I start a service, the service may run under a service account and
may have permissions that I don't have.
Another example would be a server application like a web application on IIS.
The web application can, on behalf of the user, do things the user
wouldn't be able to do directly.
Maybe this is a solution for the OP also: make a web service or a
Windows service and then configure it to use an account with the appropriate
permissions.
BTW, how does the Service Console store credentials?
Christof