"Joe" <Jo*@discussions.microsoft.comwrote in message
news:74**********************************@microsof t.com...
Jon,
Thanks for the reply. I should have remembered that hashing is one way.
So, is there anyway to securely store a password in memory? The way
the app is written, each time an action is performed a DirectoryEntry
is created and then the actions are performed (create/delete user, modify
group membership...).
We are using Forms Authentication and do not want to use Integrated Auth.
Update actions performed on an AD require "Domain Admin" credentials, your clients,
connected over the internet, aren't (shouldn't be) Domain Admin's they shouldn't even have
access to the AD.
That means you should use different identities/credentials for the web access and the
resource access. So, first you'll have to "validate" the web client credentials against a
custom "Identity Store", and once the client is validated, you'll have to switch context to
access the directory. As "Identity Store" you can use a private LDAP, a DB store or the AD,
the choice highly depends on the number of clients and your security requirements.
Once the client is authenticated, you can access the AD using "explicit" credentials being
these of a domain admin, so you have to make sure they 1) are taken from a *safe* location,
2) they aren't kept in memory for a *long* period.
A much better option is to have your AD application code in a System.ComponentServices
derived class and registered as a "Server Type" application in the COM+ catalog. The COM+
application should run in a account having "domain admin" privileges.
Willy.