473,686 Members | 2,333 Online
Bytes | Software Development & Data Engineering Community
+ Post

Home Posts Topics Members FAQ

Combine Forms Authentication with Windows

I am working a new application...w ell actually a series of applications for
my company. They want internal users to be able to go to a site and
everything regarding security is transparent, however we will have brokers
and customers that also need to connect and will require a username and
password. In this case we were going to store their credentials in a SQL
database. Internal users will have the ability to access the same resources
as the external brokers and customers. Is there an easy way that I can
combine both methods? Internal users would go off of Active Directory
security groups for security roles, and external users would go off a
internal roles database table. I was told that nothing should be set in a
web.config file for roles and users. I have seen in ASP.NET how to
impersonate a user in code, but would that really be the best solution in
this case as it would be done quite a bit? In order for transparent security
for users I could easily use forms authentication with cookies that save. As
for SQL security if I must use strictly forms authentication and have a
general database login that works for all web applicaitons I could secure it
by allowing stored procedures only and deny everything else. How could I
then secure users from accessing procedures if there is a bug in the
application. Is there a way that I can prevent users in my users table from
calling certain procedures? Thanks for anyone's input.
Nov 4 '05 #1
3 2713
I'ts quite a story you wrote.
You do not want users to be authenticated by the database by using a
username password, because this means that every user will get it's own
connection.

So you need integraded security, this means that the users need
NT-Credentials(Ker bros/NTLM). So you will need to use integrated security and
impersonation for the authenticated users.

For the non authenticated users, you will need to use a second
connectionstrin g one that uses the creaditals given to the application
(aspnet user by default)

Give less rights to these anonimous users.

Hope I answerd the right question...

Good luck,
--
Rainier van Slingerlandt
(Freelance trainer/consultant/developer)
www.slingerlandt.com
"Nick" wrote:
I am working a new application...w ell actually a series of applications for
my company. They want internal users to be able to go to a site and
everything regarding security is transparent, however we will have brokers
and customers that also need to connect and will require a username and
password. In this case we were going to store their credentials in a SQL
database. Internal users will have the ability to access the same resources
as the external brokers and customers. Is there an easy way that I can
combine both methods? Internal users would go off of Active Directory
security groups for security roles, and external users would go off a
internal roles database table. I was told that nothing should be set in a
web.config file for roles and users. I have seen in ASP.NET how to
impersonate a user in code, but would that really be the best solution in
this case as it would be done quite a bit? In order for transparent security
for users I could easily use forms authentication with cookies that save. As
for SQL security if I must use strictly forms authentication and have a
general database login that works for all web applicaitons I could secure it
by allowing stored procedures only and deny everything else. How could I
then secure users from accessing procedures if there is a bug in the
application. Is there a way that I can prevent users in my users table from
calling certain procedures? Thanks for anyone's input.

Nov 4 '05 #2
Thanks for Rainier's inputs.

Hi Nick,

As for your scenario, I'm afraid it's quite hard to meet all your
requirement. Since you'd like to make the authenticaiton transparent to
client user, of course using FormsAuthentica tion (anonynmous access in IIS)
should be choosed. However, since those internal users need to call
protected store procedures on remote SQLserver under their windows
identity, we have to programmaticall y impersonate them (throw clear text
username /password) in code when necessary. I think this is also what you
currently thinking, yes?

Also, another means is we move the protection of those store procedures out
of the SQLSERVER's buildin role based checking, and check the caller's
account in our code. In other word, we make no protection for those store
procedures in SQLSERVER so that any upstream callers and call them. And
what we need to do is checking the clientuser in our code (in the web
application's data accessing component ... )

So far I think we have the above two approachs. Just my opinion.

Thanks,

Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)

--------------------
| Thread-Topic: Combine Forms Authentication with Windows
| thread-index: AcXhIVpRkjMtDNp STZGoEkqxs/ZYaw==
| X-WBNR-Posting-Host: 195.50.100.20
| From: "=?Utf-8?B?UmFpbmllciB bTUNUXQ==?="
<Ra********@dis cussions.micros oft.com>
| References: <96************ *************** *******@microso ft.com>
| Subject: RE: Combine Forms Authentication with Windows
| Date: Fri, 4 Nov 2005 01:23:01 -0800
| Lines: 46
| Message-ID: <20************ *************** *******@microso ft.com>
| MIME-Version: 1.0
| Content-Type: text/plain;
| charset="Utf-8"
| Content-Transfer-Encoding: 7bit
| X-Newsreader: Microsoft CDO for Windows 2000
| Content-Class: urn:content-classes:message
| Importance: normal
| Priority: normal
| X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.0
| Newsgroups: microsoft.publi c.dotnet.genera l
| NNTP-Posting-Host: TK2MSFTNGXA03.p hx.gbl 10.40.2.250
| Path: TK2MSFTNGXA01.p hx.gbl!TK2MSFTN GXA03.phx.gbl
| Xref: TK2MSFTNGXA01.p hx.gbl microsoft.publi c.dotnet.genera l:53496
| X-Tomcat-NG: microsoft.publi c.dotnet.genera l
|
| I'ts quite a story you wrote.
| You do not want users to be authenticated by the database by using a
| username password, because this means that every user will get it's own
| connection.
|
| So you need integraded security, this means that the users need
| NT-Credentials(Ker bros/NTLM). So you will need to use integrated security
and
| impersonation for the authenticated users.
|
| For the non authenticated users, you will need to use a second
| connectionstrin g one that uses the creaditals given to the application
| (aspnet user by default)
|
| Give less rights to these anonimous users.
|
| Hope I answerd the right question...
|
| Good luck,
| --
| Rainier van Slingerlandt
| (Freelance trainer/consultant/developer)
| www.slingerlandt.com
|
|
| "Nick" wrote:
|
| > I am working a new application...w ell actually a series of applications
for
| > my company. They want internal users to be able to go to a site and
| > everything regarding security is transparent, however we will have
brokers
| > and customers that also need to connect and will require a username and
| > password. In this case we were going to store their credentials in a
SQL
| > database. Internal users will have the ability to access the same
resources
| > as the external brokers and customers. Is there an easy way that I can
| > combine both methods? Internal users would go off of Active Directory
| > security groups for security roles, and external users would go off a
| > internal roles database table. I was told that nothing should be set
in a
| > web.config file for roles and users. I have seen in ASP.NET how to
| > impersonate a user in code, but would that really be the best solution
in
| > this case as it would be done quite a bit? In order for transparent
security
| > for users I could easily use forms authentication with cookies that
save. As
| > for SQL security if I must use strictly forms authentication and have a
| > general database login that works for all web applicaitons I could
secure it
| > by allowing stored procedures only and deny everything else. How could
I
| > then secure users from accessing procedures if there is a bug in the
| > application. Is there a way that I can prevent users in my users table
from
| > calling certain procedures? Thanks for anyone's input.
|

Nov 4 '05 #3
Hi Nick,

Have you got any further ideas on this question or does the things in my
last reply helps a little? If there're anything else we can help, please
feel free to post here. Thanks,

Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)
--------------------
| X-Tomcat-ID: 182654618
| References: <96************ *************** *******@microso ft.com>
<20************ *************** *******@microso ft.com>
| MIME-Version: 1.0
| Content-Type: text/plain
| Content-Transfer-Encoding: 7bit
| From: st*****@online. microsoft.com (Steven Cheng[MSFT])
| Organization: Microsoft
| Date: Fri, 04 Nov 2005 10:04:51 GMT
| Subject: RE: Combine Forms Authentication with Windows
| X-Tomcat-NG: microsoft.publi c.dotnet.genera l
| Message-ID: <Iv************ **@TK2MSFTNGXA0 1.phx.gbl>
| Newsgroups: microsoft.publi c.dotnet.genera l
| Lines: 119
| Path: TK2MSFTNGXA01.p hx.gbl
| Xref: TK2MSFTNGXA01.p hx.gbl microsoft.publi c.dotnet.genera l:53498
| NNTP-Posting-Host: tomcatimport2.p hx.gbl 10.201.218.182
|
| Thanks for Rainier's inputs.
|
| Hi Nick,
|
| As for your scenario, I'm afraid it's quite hard to meet all your
| requirement. Since you'd like to make the authenticaiton transparent to
| client user, of course using FormsAuthentica tion (anonynmous access in
IIS)
| should be choosed. However, since those internal users need to call
| protected store procedures on remote SQLserver under their windows
| identity, we have to programmaticall y impersonate them (throw clear text
| username /password) in code when necessary. I think this is also what
you
| currently thinking, yes?
|
| Also, another means is we move the protection of those store procedures
out
| of the SQLSERVER's buildin role based checking, and check the caller's
| account in our code. In other word, we make no protection for those store
| procedures in SQLSERVER so that any upstream callers and call them. And
| what we need to do is checking the clientuser in our code (in the web
| application's data accessing component ... )
|
| So far I think we have the above two approachs. Just my opinion.
|
| Thanks,
|
| Steven Cheng
| Microsoft Online Support
|
| Get Secure! www.microsoft.com/security
| (This posting is provided "AS IS", with no warranties, and confers no
| rights.)
|
|
|
| --------------------
| | Thread-Topic: Combine Forms Authentication with Windows
| | thread-index: AcXhIVpRkjMtDNp STZGoEkqxs/ZYaw==
| | X-WBNR-Posting-Host: 195.50.100.20
| | From: "=?Utf-8?B?UmFpbmllciB bTUNUXQ==?="
| <Ra********@dis cussions.micros oft.com>
| | References: <96************ *************** *******@microso ft.com>
| | Subject: RE: Combine Forms Authentication with Windows
| | Date: Fri, 4 Nov 2005 01:23:01 -0800
| | Lines: 46
| | Message-ID: <20************ *************** *******@microso ft.com>
| | MIME-Version: 1.0
| | Content-Type: text/plain;
| | charset="Utf-8"
| | Content-Transfer-Encoding: 7bit
| | X-Newsreader: Microsoft CDO for Windows 2000
| | Content-Class: urn:content-classes:message
| | Importance: normal
| | Priority: normal
| | X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.0
| | Newsgroups: microsoft.publi c.dotnet.genera l
| | NNTP-Posting-Host: TK2MSFTNGXA03.p hx.gbl 10.40.2.250
| | Path: TK2MSFTNGXA01.p hx.gbl!TK2MSFTN GXA03.phx.gbl
| | Xref: TK2MSFTNGXA01.p hx.gbl microsoft.publi c.dotnet.genera l:53496
| | X-Tomcat-NG: microsoft.publi c.dotnet.genera l
| |
| | I'ts quite a story you wrote.
| | You do not want users to be authenticated by the database by using a
| | username password, because this means that every user will get it's own
| | connection.
| |
| | So you need integraded security, this means that the users need
| | NT-Credentials(Ker bros/NTLM). So you will need to use integrated
security
| and
| | impersonation for the authenticated users.
| |
| | For the non authenticated users, you will need to use a second
| | connectionstrin g one that uses the creaditals given to the application
| | (aspnet user by default)
| |
| | Give less rights to these anonimous users.
| |
| | Hope I answerd the right question...
| |
| | Good luck,
| | --
| | Rainier van Slingerlandt
| | (Freelance trainer/consultant/developer)
| | www.slingerlandt.com
| |
| |
| | "Nick" wrote:
| |
| | > I am working a new application...w ell actually a series of
applications
| for
| | > my company. They want internal users to be able to go to a site and
| | > everything regarding security is transparent, however we will have
| brokers
| | > and customers that also need to connect and will require a username
and
| | > password. In this case we were going to store their credentials in a
| SQL
| | > database. Internal users will have the ability to access the same
| resources
| | > as the external brokers and customers. Is there an easy way that I
can
| | > combine both methods? Internal users would go off of Active
Directory
| | > security groups for security roles, and external users would go off a
| | > internal roles database table. I was told that nothing should be set
| in a
| | > web.config file for roles and users. I have seen in ASP.NET how to
| | > impersonate a user in code, but would that really be the best
solution
| in
| | > this case as it would be done quite a bit? In order for transparent
| security
| | > for users I could easily use forms authentication with cookies that
| save. As
| | > for SQL security if I must use strictly forms authentication and have
a
| | > general database login that works for all web applicaitons I could
| secure it
| | > by allowing stored procedures only and deny everything else. How
could
| I
| | > then secure users from accessing procedures if there is a bug in the
| | > application. Is there a way that I can prevent users in my users
table
| from
| | > calling certain procedures? Thanks for anyone's input.
| |
|
|

Nov 8 '05 #4

This thread has been closed and replies have been disabled. Please start a new discussion.

Similar topics

6
4828
by: Billy Jacobs | last post by:
I have a website which has both secure and non-secure pages. I want to uses forms authentication. How do I accomplish this? Originally I had my web.config file in the root with Forms Authentication set up and it worked just fine. Then I realized that I needed to have some pages unsecure. I then created 2 directories. One named Secure and the other named Public. I placed my web.config file in my
0
1652
by: Michael Brandt Lassen | last post by:
Hi gurus This problem is about calling Web services secured by Forms Authentication from Windows Forms user controls embedded in HTML. Using the object tag I’ve managed to include a Windows Forms user control in my HTML page (a .NET alternative to good old ActiveX). I’d like to use my control to call web-services instead of using behaviours (webservices.htc).
4
2740
by: Greg Burns | last post by:
I have built a web app that uses forms authentication. There isn't a "remember me" feature (i.e. the authentication cookie is not permanent). When you close the browser, and open a new one, you must log in again. This is the behavior I expected. I just discovered that if I have a browser window open (to anything) prior to opening my web app in a new browser window, it appears to share session information. I can then open and close my...
3
4866
by: Kris van der Mast | last post by:
Hi, I've created a little site for my sports club. In the root folder there are pages that are viewable by every anonymous user but at a certain subfolder my administration pages should be protected by forms authentication. When I create forms authentication at root level it works but when I move my code up to the subfolder I get this error: Server Error in '/TestProjects/FormsAuthenticationTestingArea' Application.
0
4229
by: Anonieko Ramos | last post by:
ASP.NET Forms Authentication Best Practices Dr. Dobb's Journal February 2004 Protecting user information is critical By Douglas Reilly Douglas is the author of Designing Microsoft ASP.NET Applications and owner of Access Microsystems. Doug can be reached at doug@accessmicrosystems.com. --------------------------------------------------------------------------------
5
1660
by: V. Jenks | last post by:
Using forms authentication, can I control which pages and/or directories a user would have access to or is that only available with Windows authentication? Thanks!
6
1419
by: dhnriverside | last post by:
Hi there I'm using Windows Authentication to automatically recognise users in my web app. However, I want directory to be password protected, so if they try to visit the page in there, they MUST enter their password in a Windows Login style popup (FOrms AUthentication). I think I need to out another web.config in the directory with authentication set to Forms? But how do I query the info received by forms in AD? OR do I even need to,...
3
252
by: Nick | last post by:
I am working a new application...well actually a series of applications for my company. They want internal users to be able to go to a site and everything regarding security is transparent, however we will have brokers and customers that also need to connect and will require a username and password. In this case we were going to store their credentials in a SQL database. Internal users will have the ability to access the same resources...
5
3551
by: Rory Becker | last post by:
Having now created a Custom MembershipProvider that seems to work correctly with my Logon and ChangePassword controls, I am, as they say, a happy bunny. The next stange is to move on to the creation of content which adjusts based on the user. I have several pages which require a user to be logged on and several which do not. Prior to this point in time I have used 2 different master pages. one with a control which checks a session...
0
8586
marktang
by: marktang | last post by:
ONU (Optical Network Unit) is one of the key components for providing high-speed Internet services. Its primary function is to act as an endpoint device located at the user's premises. However, people are often confused as to whether an ONU can Work As a Router. In this blog post, well explore What is ONU, What Is Router, ONU & Routers main usage, and What is the difference between ONU and Router. Lets take a closer look ! Part I. Meaning of...
0
8523
by: Hystou | last post by:
Most computers default to English, but sometimes we require a different language, especially when relocating. Forgot to request a specific language before your computer shipped? No problem! You can effortlessly switch the default language on Windows 10 without reinstalling. I'll walk you through it. First, let's disable language synchronization. With a Microsoft account, language settings sync across devices. To prevent any complications,...
0
9057
Oralloy
by: Oralloy | last post by:
Hello folks, I am unable to find appropriate documentation on the type promotion of bit-fields when using the generalised comparison operator "<=>". The problem is that using the GNU compilers, it seems that the internal comparison operator "<=>" tries to promote arguments from unsigned to signed. This is as boiled down as I can make it. Here is my compilation command: g++-12 -std=c++20 -Wnarrowing bit_field.cpp Here is the code in...
0
8942
jinu1996
by: jinu1996 | last post by:
In today's digital age, having a compelling online presence is paramount for businesses aiming to thrive in a competitive landscape. At the heart of this digital strategy lies an intricately woven tapestry of website design and digital marketing. It's not merely about having a website; it's about crafting an immersive digital experience that captivates audiences and drives business growth. The Art of Business Website Design Your website is...
1
8776
by: Hystou | last post by:
Overview: Windows 11 and 10 have less user interface control over operating system update behaviour than previous versions of Windows. In Windows 11 and 10, there is no way to turn off the Windows Update option using the Control Panel or Settings app; it automatically checks for updates and installs any it finds, whether you like it or not. For most users, this new feature is actually very convenient. If you want to control the update process,...
0
8781
tracyyun
by: tracyyun | last post by:
Dear forum friends, With the development of smart home technology, a variety of wireless communication protocols have appeared on the market, such as Zigbee, Z-Wave, Wi-Fi, Bluetooth, etc. Each protocol has its own unique characteristics and advantages, but as a user who is planning to build a smart home system, I am a bit confused by the choice of these technologies. I'm particularly interested in Zigbee because I've heard it does some...
1
6444
isladogs
by: isladogs | last post by:
The next Access Europe User Group meeting will be on Wednesday 1 May 2024 starting at 18:00 UK time (6PM UTC+1) and finishing by 19:30 (7.30PM). In this session, we are pleased to welcome a new presenter, Adolph Dupr who will be discussing some powerful techniques for using class modules. He will explain when you may want to use classes instead of User Defined Types (UDT). For example, to manage the data in unbound forms. Adolph will...
0
4537
by: adsilva | last post by:
A Windows Forms form does not have the event Unload, like VB6. What one acts like?
1
2957
by: 6302768590 | last post by:
Hai team i want code for transfer the data from one system to another through IP address by using C# our system has to for every 5mins then we have to update the data what the data is updated we have to send another system

By using Bytes.com and it's services, you agree to our Privacy Policy and Terms of Use.

To disable or enable advertisements and analytics tracking please visit the manage ads & tracking page.