Hi Nick,
Have you got any further ideas on this question, or do the things in my
last reply help a little? If there's anything else we can help with, please
feel free to post here. Thanks,
Steven Cheng
Microsoft Online Support
Get Secure!
www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)
--------------------
| From: st*****@online.microsoft.com (Steven Cheng[MSFT])
| Organization: Microsoft
| Date: Fri, 04 Nov 2005 10:04:51 GMT
| Subject: RE: Combine Forms Authentication with Windows
| Newsgroups: microsoft.public.dotnet.general
|
| Thanks for Rainier's inputs.
|
| Hi Nick,
|
| As for your scenario, I'm afraid it's quite hard to meet all your
| requirements. Since you'd like to make the authentication transparent to
| client users, of course FormsAuthentication (anonymous access in IIS)
| should be chosen. However, since those internal users need to call
| protected stored procedures on the remote SQL Server under their Windows
| identity, we have to programmatically impersonate them (through clear text
| username/password) in code when necessary. I think this is also what you
| are currently thinking, yes?
|
| Also, another means is to move the protection of those stored procedures
| out of SQL Server's built-in role based checking, and check the caller's
| account in our code. In other words, we make no protection for those stored
| procedures in SQL Server so that any upstream callers can call them. And
| what we need to do is check the client user in our code (in the web
| application's data accessing component ... )
|
| So far I think we have the above two approaches. Just my opinion.
|
| Thanks,
|
| Steven Cheng
| Microsoft Online Support
|
| Get Secure!
| www.microsoft.com/security
| (This posting is provided "AS IS", with no warranties, and confers no
| rights.)
|
|
|
| --------------------
| | From: "Rainier [MCT]" <Ra********@discussions.microsoft.com>
| | Subject: RE: Combine Forms Authentication with Windows
| | Date: Fri, 4 Nov 2005 01:23:01 -0800
| | Newsgroups: microsoft.public.dotnet.general
| |
| | It's quite a story you wrote.
| | You do not want users to be authenticated by the database by using a
| | username and password, because this means that every user will get its own
| | connection.
| |
| | So you need integrated security; this means that the users need
| | NT credentials (Kerberos/NTLM). So you will need to use integrated security
| | and impersonation for the authenticated users.
| |
| | For the non-authenticated users, you will need to use a second
| | connection string, one that uses the credentials given to the application
| | (the aspnet user by default).
| |
| | Give fewer rights to these anonymous users.
| |
| | Hope I answered the right question...
| |
| | Good luck,
| | --
| | Rainier van Slingerlandt
| | (Freelance trainer/consultant/developer)
| |
| | www.slingerlandt.com
| |
| |
| | "Nick" wrote:
| |
| | > I am working on a new application...well actually a series of applications
| | > for my company. They want internal users to be able to go to a site and
| | > everything regarding security is transparent; however, we will have brokers
| | > and customers that also need to connect and will require a username and
| | > password. In this case we were going to store their credentials in a SQL
| | > database. Internal users will have the ability to access the same resources
| | > as the external brokers and customers. Is there an easy way that I can
| | > combine both methods? Internal users would go off of Active Directory
| | > security groups for security roles, and external users would go off an
| | > internal roles database table. I was told that nothing should be set in a
| | > web.config file for roles and users. I have seen in ASP.NET how to
| | > impersonate a user in code, but would that really be the best solution in
| | > this case, as it would be done quite a bit? In order for transparent security
| | > for users I could easily use forms authentication with cookies that save. As
| | > for SQL security, if I must use strictly forms authentication and have a
| | > general database login that works for all web applications, I could secure it
| | > by allowing stored procedures only and denying everything else. How could I
| | > then secure users from accessing procedures if there is a bug in the
| | > application? Is there a way that I can prevent users in my users table from
| | > calling certain procedures? Thanks for anyone's input.
| |
|
|
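Steven's second approach above (and Nick's closing question about stopping users in the users table from calling certain procedures) as an added example, not code from either poster: a C# data-access gate that keeps the single application SQL login but checks the forms-authenticated user's roles against a per-procedure allow-list before any command is built. The class, procedure and role names are constructed for the illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;

// Data-access component that decides which stored procedures a forms-authenticated
// user may call, since the shared application login has EXECUTE on all of them.
public class ProcedureGate
{
    // Allow-list: procedure -> roles permitted to call it. Procedure and role
    // names are constructed for this example, not taken from the thread.
    private readonly Dictionary<string, HashSet<string>> acl =
        new Dictionary<string, HashSet<string>>(StringComparer.OrdinalIgnoreCase)
        {
            { "usp_GetQuote",     new HashSet<string> { "Broker", "Customer", "Staff" } },
            { "usp_ApproveClaim", new HashSet<string> { "Staff" } },
        };
    // userRoles come from AD group membership for internal users and from the
    // internal roles table for brokers and customers; the gate does not care which.
    public bool IsAllowed(string procedure, IEnumerable<string> userRoles)
    {
        HashSet<string> permitted;
        if (!acl.TryGetValue(procedure, out permitted))
            return false;                       // unlisted procedure: deny by default
        foreach (string role in userRoles)
            if (permitted.Contains(role)) return true;
        return false;
    }
    // Sole path to the database: refuse before any command exists, then call the
    // procedure by name with typed parameters rather than concatenated SQL.
    public SqlCommand Build(SqlConnection conn, string user, IEnumerable<string> roles,
                            string procedure, IDictionary<string, object> args)
    {
        if (!IsAllowed(procedure, roles))
            throw new UnauthorizedAccessException(user + " may not call " + procedure);
        var cmd = new SqlCommand(procedure, conn);
        cmd.CommandType = CommandType.StoredProcedure;
        foreach (KeyValuePair<string, object> kv in args)
            cmd.Parameters.AddWithValue("@" + kv.Key, kv.Value);
        return cmd;
    }
    public static void Main()
    {
        var gate = new ProcedureGate();
        string[] brokerRoles = { "Broker" };    // constructed: roles read from the users table
        Console.WriteLine(gate.IsAllowed("usp_GetQuote", brokerRoles));
        Console.WriteLine(gate.IsAllowed("usp_ApproveClaim", brokerRoles));
    }
}
```

Because the application login can execute every procedure, a bug elsewhere in the web application is contained only if every database call goes through Build; a second code path that opens its own SqlCommand bypasses the gate entirely.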