
Chris Clark

10/21/2004 12:33:00 AM

I'm implementing a distributed application, and wish to take advantage of the
remoting infrastructure. I need to provide custom authentication, role-based
access, auditing, and encryption, but because the system will be used outside
our organization I cannot take advantage of Windows user accounts. An ASP.NET
application and Windows Forms application will all share a common credential
cache. The SSPI solution would be exactly what I am looking for; however, like
I said, I must use my own custom credential cache. Is there some way I can
provide my own security authority to use the SSPI sample with, or some other
mechanism that is both stable, secure, and highly scalable? I've investigated
COM+ services and would like to not use it for this project, and most
security solutions for remoting that I have found in books are totally
inadequate. Thanks in advance.

Regards,
Chris Clark
2 Answers

Chris Clark

10/21/2004 4:25:00 AM

0

I have been able to modify the SSPI wrapper found in the following article:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dndotnet/html/r...

Get this: I can prompt for a user's username, password and domain, pass it to
an overloaded constructor of ClientCredential, and be authenticated. My whole
problem with the SSPI article as it was, was that I couldn't prompt for
credentials; I had to rely on the current user's interactive session. I
started the server application in the SSPI sample on a computer that was
joined to a domain, and then ran the client on a computer that was not joined
to the domain - and it worked flawlessly. However, it only works (so far) with
NTLM, and frankly, despite being able to do it, I have no clue why it works.
I'd be happy to post the code for any that could use it; I think this
addresses a serious hole in .NET functionality.

Questions:
a) why does this work?
b) does this create any security holes?

"Chris Clark" wrote:

> I'm implementing a distributed application, and wish to take advantage of the
> remoting infrastructure. I need to provide custom authentication, role-based
> access, auditing, and encryption, but because the system will be used outside
> our organization I cannot take advantage of Windows user accounts. An ASP.NET
> application and Windows Forms application will all share a common credential
> cache. The SSPI solution would be exactly what I am looking for; however, like
> I said, I must use my own custom credential cache. Is there some way I can
> provide my own security authority to use the SSPI sample with, or some other
> mechanism that is both stable, secure, and highly scalable? I've investigated
> COM+ services and would like to not use it for this project, and most
> security solutions for remoting that I have found in books are totally
> inadequate. Thanks in advance.
>
> Regards,
> Chris Clark

Lloyd Dupont

10/21/2004 4:37:00 AM

0

Just a quick post to find this thread from home.
Interesting, we'll see if I could help later...

"Chris Clark" <ChrisClark@discussions.microsoft.com> wrote in message
news:BCC01617-B424-401C-A72F-E3A4077880F0@microsoft.com...
> I have been able to modify the SSPI wrapper found in the following article:
> http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dndotnet/html/r...
>
> Get this: I can prompt for a user's username, password and domain, pass it to
> an overloaded constructor of ClientCredential, and be authenticated. My whole
> problem with the SSPI article as it was, was that I couldn't prompt for
> credentials; I had to rely on the current user's interactive session. I
> started the server application in the SSPI sample on a computer that was
> joined to a domain, and then ran the client on a computer that was not joined
> to the domain - and it worked flawlessly. However, it only works (so far) with
> NTLM, and frankly, despite being able to do it, I have no clue why it works.
> I'd be happy to post the code for any that could use it; I think this
> addresses a serious hole in .NET functionality.
>
> Questions:
> a) why does this work?
> b) does this create any security holes?
>
> "Chris Clark" wrote:
>
>> I'm implementing a distributed application, and wish to take advantage of the
>> remoting infrastructure. I need to provide custom authentication, role-based
>> access, auditing, and encryption, but because the system will be used outside
>> our organization I cannot take advantage of Windows user accounts. An ASP.NET
>> application and Windows Forms application will all share a common credential
>> cache. The SSPI solution would be exactly what I am looking for; however, like
>> I said, I must use my own custom credential cache. Is there some way I can
>> provide my own security authority to use the SSPI sample with, or some other
>> mechanism that is both stable, secure, and highly scalable? I've investigated
>> COM+ services and would like to not use it for this project, and most
>> security solutions for remoting that I have found in books are totally
>> inadequate. Thanks in advance.
>>
>> Regards,
>> Chris Clark