Re: NTLM authentication
- From: "Mark Rae" <mark@xxxxxxxxxxxxxxxxx>
- Date: Thu, 4 Jan 2007 13:40:43 -0000
"Willy Denoyette [MVP]" <willy.denoyette@xxxxxxxxxx> wrote in message
news:%23WOteNAMHHA.3944@xxxxxxxxxxxxxxxxxxxxxxx
> Also, using above (DirectoryServices aka. ActiveDirectory) to
> authenticate a windows user is bad practice, I keep saying this.

Why? What would you recommend instead...?

> Well, it depends on so many things, like the OS versions, Domain versions
> (if any), client types (windows, non windows) and the final purpose of the
> authentication act.

Makes sense.

> call Win32 LogonUser(), but while this validates a Windows user, its
> purpose is to return an access token.

Yes - I've used that before when I've needed to know more than just a simple
yes or no...

> use the SSPI set of security APIs, these can be used to authenticate
> using different protocols even for non Windows users. Unfortunately the V2
> framework classes don't expose all of their functionalities. V3 does a far
> better job, but here they relate more to the WCF, than for generic
> authentication purposes.

OK - haven't really got into V3 yet...

> On A W2K/W2K3 realm, you can use LDAP to authenticate against an AD
> domain, note here I'm talking about LDAP, that is using the
> System.DirectoryServices.Protocols classes!!! The same remark here as
> above, some network managers will not allow you to authenticate using LDAP
> against a corporate Directory.

Yes - that's what I'm currently doing via the code I offered a couple of
replies up... I take your point about network managers, though - so far, I
haven't come up against the scenario where I wasn't allowed to use AD to
authenticate a user, so maybe I've just been lucky...

> Anyway, using DirectoryServices just for authentication is not the right
> way of doing it, just watch the amount of data passed when binding to the AD
> when doing so and you will understand why (but there is more). The
> Directory is kind of a DB which can store a lot of objects, authentication
> is part of the "authorization" process, that is, before you can access the
> objects stored in the directory, you have to prove "who you are" so that
> the DirectoryService can perform authorization controls. So basically it's
> the start of a longer transaction, but if you only perform the
> authentication step, you are needlessly hitting the service.

OK - I wasn't really aware of the internal goings-on during the
authentication process, but I guess it's a trade-off...

System.DirectoryServices
- more processing overhead
- managed code
- returns a boolean, which is all I need

Win32 LogonUser()
- less processing overhead
- unmanaged code (pinvoke)
- returns an access token, which I don't need and would rather not have
  anyway

> It's funny that people never authenticate against, let's say against a SQL
> server, but find it quite usual to do it against a Directory server.

I authenticate against SQL Server for all my public websites - don't have a
choice, as I've never found a 3rd-party ISP who would permit AD access...:-)
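The two approaches the thread compares, written out as an added C# example (this is not code from either poster): a LogonUser() wrapper that asks the question as a network logon, reads the result as a plain yes/no and closes the access token it is handed straight away, beside an LDAP bind through the System.DirectoryServices.Protocols classes that stops after the bind step instead of going on to read directory objects. The domain, server and account names are placeholders; the Win32 and LDAP error codes used are the documented ones.

```csharp
// Added example, not from the original thread. Domain, server and account
// names are placeholders; replace them with values for your own environment.
using System;
using System.ComponentModel;
using System.DirectoryServices.Protocols;
using System.Net;
using System.Runtime.InteropServices;

static class CredentialCheck
{
    // --- Option 1: Win32 LogonUser() via P/Invoke ---------------------------
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string lpszUsername, string lpszDomain, string lpszPassword,
                                 int dwLogonType, int dwLogonProvider, out IntPtr phToken);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr hObject);

    const int LOGON32_LOGON_NETWORK = 3;     // credential check only; no interactive profile load
    const int LOGON32_PROVIDER_DEFAULT = 0;

    // A false return is not always "bad password"; keep these apart for your own logs
    // (do not echo them to the end user, they reveal account state).
    const int ERROR_LOGON_FAILURE = 1326;
    const int ERROR_PASSWORD_EXPIRED = 1330;
    const int ERROR_ACCOUNT_DISABLED = 1331;
    const int ERROR_PASSWORD_MUST_CHANGE = 1907;
    const int ERROR_ACCOUNT_LOCKED_OUT = 1909;

    // Returns true if the credential is valid. The access token LogonUser hands
    // back is closed in the finally block: the caller only wanted the boolean.
    public static bool ValidateWithLogonUser(string domain, string user, string password, out string reason)
    {
        IntPtr token = IntPtr.Zero;
        try
        {
            if (LogonUser(user, domain, password, LOGON32_LOGON_NETWORK, LOGON32_PROVIDER_DEFAULT, out token))
            {
                reason = "ok";
                return true;
            }
            int err = Marshal.GetLastWin32Error();
            switch (err)
            {
                case ERROR_LOGON_FAILURE:       reason = "unknown user or bad password"; break;
                case ERROR_PASSWORD_EXPIRED:    reason = "password expired"; break;
                case ERROR_ACCOUNT_DISABLED:    reason = "account disabled"; break;
                case ERROR_PASSWORD_MUST_CHANGE: reason = "password must be changed"; break;
                case ERROR_ACCOUNT_LOCKED_OUT:  reason = "account locked out"; break;
                default:                        reason = new Win32Exception(err).Message; break;
            }
            return false;
        }
        finally
        {
            if (token != IntPtr.Zero) CloseHandle(token);   // never leak the token handle
        }
    }

    // --- Option 2: LDAP bind with System.DirectoryServices.Protocols -----------
    // Negotiate uses SSPI (Kerberos or NTLM), so the password itself is not sent;
    // LDAPS on port 636 additionally protects the channel. Only the bind is
    // performed: no search, no object retrieval.
    public static bool ValidateWithLdapBind(string server, string domain, string user, string password, out string reason)
    {
        var target = new LdapDirectoryIdentifier(server, 636);
        var credential = new NetworkCredential(user, password, domain);
        try
        {
            using (var conn = new LdapConnection(target, credential, AuthType.Negotiate))
            {
                conn.SessionOptions.SecureSocketLayer = true;
                conn.SessionOptions.ProtocolVersion = 3;
                conn.Bind();
            }
            reason = "ok";
            return true;
        }
        catch (LdapException ex)
        {
            // 49 = invalidCredentials; anything else is typically an infrastructure problem
            reason = ex.ErrorCode == 49 ? "invalid credentials" : ex.Message;
            return false;
        }
    }

    static int Main(string[] args)
    {
        if (args.Length != 4)
        {
            Console.Error.WriteLine("usage: CredentialCheck <dc-host> <domain> <user> <password>");
            return 2;
        }
        string reason;
        bool viaLogonUser = ValidateWithLogonUser(args[1], args[2], args[3], out reason);
        Console.WriteLine("LogonUser : {0} ({1})", viaLogonUser, reason);
        bool viaLdap = ValidateWithLdapBind(args[0], args[1], args[2], args[3], out reason);
        Console.WriteLine("LDAP bind : {0} ({1})", viaLdap, reason);
        return (viaLogonUser || viaLdap) ? 0 : 1;
    }
}
```

Both functions return the same boolean Mark says he needs; the difference is what has to be cleaned up afterwards (a kernel handle in the first case, a connection in the second) and where the request lands (the local LSA versus a domain controller, which is the network-manager concern Willy raises).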