Smart Client Authentication

Dan
Good Day All,

I am writing a Smart Client application that will be used both internally
and externally within our organization. The user will need to log on to the
application. Since I can't store the external user's information within our
Active Directory my plan is to store them in SQL Server.

My idea is that I would either extend the Generic Identity class or create
my own implementing the correct interface. During the authentication process
the object would invoke a Web Service that would perform the Authentication.
I would secure the channel so that the information is not viewable.

I would then cache the returned credential on the client machine so that if
they are offline the object can authenticate against those.

Does anyone see any issues with this approach or ways to improve it? Is this
approach totally wrong?

Thanks!
Nov 16 '05 #1
When the client is offline and authentication is still required I tend to
rely on Code Access and Windows Authentication Security for controlling
access to local resources.

If you need that additional layer, then I think caching may be your only
option, but I think it's frowned upon. If the local machine is compromised,
your network passwords could be obtained. One method of mitigating this risk
is by enforcing strong passwords or passphrases.

You've probably seen this but smart client security best practices are
outlined here:
http://msdn.microsoft.com/smartclien.../scag-ch05.asp

ok,
aq

There is also a
"Dan" <Da*@discussions.microsoft.com> wrote in message
news:F1**********************************@microsof t.com...
Good Day All,

I am writing a Smart Client application that will be used both internally
and externally within our organization. The user will need to log on to the
application. Since I can't store the external user's information within our Active Directory my plan is to store them in SQL Server.

My idea is that I would either extend the Generic Identity class or create
my own implementing the correct interface. During the authentication process the object would invoke a Web Service that would perform the Authentication. I would secure the channel so that the information is not viewable.

I would then cache the returned credential on the client machine so that if
they are offline the object can authenticate against those.

Does anyone see any issues with this approach or ways to improve it? Is this approach totally wrong?

Thanks!

Nov 16 '05 #2
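
The offline cache discussed in this thread, sketched as an added example that is not code from either poster: after the web service accepts a logon, the client stores a salted PBKDF2 verifier with an expiry time instead of the password, so a copied cache file does not hand over the credential directly. It assumes .NET 6 or later; `CachedVerifier`, `OfflineLogon`, the iteration count and the lifetime handling are hypothetical choices.

```csharp
using System;
using System.Security.Cryptography;

// Added example: offline logon against a cached verifier, not the password.
// All type and member names here are hypothetical.
public sealed class CachedVerifier
{
    public byte[] Salt { get; set; }
    public byte[] Hash { get; set; }
    public int Iterations { get; set; }
    public DateTime ExpiresUtc { get; set; }
}

public static class OfflineLogon
{
    const int SaltBytes = 16, HashBytes = 32;
    const int Iterations = 600000; // assumed work factor; tune to client hardware

    static byte[] Derive(string password, byte[] salt, int iterations) =>
        Rfc2898DeriveBytes.Pbkdf2(password, salt, iterations,
                                  HashAlgorithmName.SHA256, HashBytes);

    // Call only after the web service has accepted the password online.
    public static CachedVerifier Create(string password, TimeSpan lifetime)
    {
        byte[] salt = RandomNumberGenerator.GetBytes(SaltBytes); // fresh per user
        return new CachedVerifier
        {
            Salt = salt,
            Iterations = Iterations,
            Hash = Derive(password, salt, Iterations),
            ExpiresUtc = DateTime.UtcNow + lifetime
        };
    }

    // Offline check: reject missing or expired entries, compare in constant time.
    public static bool Verify(string password, CachedVerifier v, DateTime nowUtc)
    {
        if (v == null || nowUtc >= v.ExpiresUtc) return false;
        byte[] candidate = Derive(password, v.Salt, v.Iterations);
        return CryptographicOperations.FixedTimeEquals(candidate, v.Hash);
    }
}
```

A verifier copied from a compromised machine can still be guessed against offline, which is why the strong passwords or passphrases mentioned in the reply matter. On Windows the serialized verifier can additionally be wrapped with `ProtectedData.Protect` (DPAPI) before it is written to disk.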
