Re: Security model advice, please help!!
- From: DevilsChargers <DevilsChargers@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Wed, 16 Aug 2006 05:51:01 -0700
The stock usernametokenmanager does do this, yes, I know. HOWEVER, you
cannot NOT send it a password.
I had already done the walkthrough that you linked to. It doesn't cover all
my bases.
In shop floor cases I will have both a username and password to create the
usernametoken with. In the case where I'm just supposed to use the current
windows principal, I cannot obtain his password from the principal object to
create the username token, and since the point is to not bother the user with
another sign-in, I can't prompt him for it either.
What can I do to cover both scenarios?
"Pablo Cibraro [MVP]" wrote:
Hi,
You do not need to impersonate the windows account in order to get the user
groups.
WSE already authenticates the user against a windows domain and gets the
user's groups.
Take a look at this article in the MSDN,
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpag2/html/WSS_Ch3_ImpDirectAuth_WSE30.asp
Regards,
Pablo Cibraro
http://weblogs.asp.net/cibrax
"DevilsChargers" <DevilsChargers@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:C2F81604-5F55-40B2-89D4-CE6D1FA03750@xxxxxxxxxxxxxxxx
We are building a solution where a web service is called from a desktop
app.
We want to secure the calls to the webservice. For right now we are only
concerned with authentication; we do not need to encrypt the message
content, etc. yet.
Working with WSE 3.0. I'm very new to it.
We have two major scenarios that seem to be at odds with one another.
We need to be able to configure the client so that we always use their
current windows login info (we don't want to prompt them to sign in again).
The other scenario is the shop floor. There may/will be a computer on a
plant floor that is used by multiple operators throughout the day. We want
them to each sign on to the APP (no logging out of windows and logging back
in) as they use it.
We want to use roles (windows groups) to manage permissions on different
tasks.
Problem is, if I use username tokens, I can't validate the users against the
windows groups because I don't have a windows token to impersonate with.
If I go with Kerberos/Windows, I can't have users other than the user
currently logged on to the windows session.
The only thought I'm having that MIGHT work is using Kerberos all the time,
and for the users that need to log on with different credentials, use
LSALogonUser to gain a windows token for those users. Biggest roadblocks I
have here are that a) I can't find a clear example of calling LSALogonUser on
the web, and b) I've tried several examples and have not been able to get ANY
Kerberos examples to work; I always get an error that says the Security
Header is missing, or something to that effect.
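An added example, not code from any post in this thread, of how the two scenarios above can share one server-side group check in WSE 3.0: the client builds a UsernameToken when an operator signs in at the shop-floor PC and a KerberosToken for the interactively logged-on desktop user, and the service authorizes against the Windows groups carried by whichever token WSE authenticated. The proxy class ShopFloorServiceWse, the policy names, the service principal name, the service method and the group name are assumptions; the WSE 3.0 types used (UsernameToken, PasswordOption, KerberosToken, WebServicesClientProtocol.SetClientCredential/SetPolicy, RequestSoapContext.Current.IdentityToken) are taken from the Microsoft.Web.Services3 API and are not shown on the page.

```csharp
using System;
using System.Security.Principal;
using Microsoft.Web.Services3;
using Microsoft.Web.Services3.Security.Tokens;

// Added example. ShopFloorServiceWse is an assumed WSE-generated proxy
// (derives from WebServicesClientProtocol); policy names and SPN are assumed.
public static class ClientSide
{
    // Shop-floor PC: the operator typed a name and password into the app, so a
    // UsernameToken can be built. The stock UsernameTokenManager performs its
    // Windows logon from the password, so it must arrive as plain text, which
    // in turn means this token belongs on a transport-protected channel.
    public static SecurityToken ForOperator(string userName, string password)
    {
        return new UsernameToken(userName, password, PasswordOption.SendPlainText);
    }

    // Desktop: the caller is already logged on and no password is available,
    // so the interactive session's Kerberos ticket is used instead.
    public static SecurityToken ForCurrentWindowsUser(string servicePrincipalName)
    {
        return new KerberosToken(servicePrincipalName);
    }

    public static void Call(ShopFloorServiceWse proxy, string operatorName, string operatorPassword)
    {
        // Pick the credential per scenario; the service code below does not
        // care which token type arrived, only which principal WSE attached.
        if (!string.IsNullOrEmpty(operatorName))
        {
            proxy.SetPolicy("OperatorUsernamePolicy");   // assumed policy name
            proxy.SetClientCredential(ForOperator(operatorName, operatorPassword));
        }
        else
        {
            proxy.SetPolicy("DesktopKerberosPolicy");    // assumed policy name
            proxy.SetClientCredential(
                ForCurrentWindowsUser("host/app-server.example.local")); // assumed SPN
        }

        proxy.StartJob("JOB-0001");                      // assumed service method
    }
}

// Service side: by the time the method body runs, WSE has already
// authenticated the token (Windows logon for UsernameToken, Kerberos for
// KerberosToken) and exposed a WindowsPrincipal on it, so a role check
// against a Windows group is identical for both scenarios and no
// impersonation is needed just to read group membership.
public static class ServiceSide
{
    public static void RequireGroup(string groupName)
    {
        SecurityToken identity = RequestSoapContext.Current.IdentityToken;
        IPrincipal principal = identity == null ? null : identity.Principal;
        if (principal == null || !principal.IsInRole(groupName))
        {
            throw new UnauthorizedAccessException("Caller is not a member of " + groupName);
        }
    }

    // Assumed service method: authorize first, then do the work.
    public static void StartJob(string jobId)
    {
        RequireGroup(@"PLANT\ShopFloorOperators"); // assumed group name
        // ... job logic ...
    }
}
```

The client-side split is the whole of the difference between the two scenarios; the server never builds or impersonates a Windows token itself, it reads the principal WSE already attached, which is the point Pablo's reply makes.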