Re: Single Sign-On (SSO) with VB.Net 1.1 App



Kirk <kirklarsen@xxxxxxxxx> wrote in
news:1194114952.202298.87690@xxxxxxxxxxxxxxxxxxxxxxxxxxxx:

> Cor, I did not mean to insult anyone's intelligence here. I
> appreciate your help.

I think it's just Cor's writing style ... I don't think anyone took
offence :-)

> So, SSO applications generally do not query the AD or LDAP system
> directly, but instead just get user information through the Principal
> class? Am I correct in thinking that a client then would be able to
> use whatever system they want for SSO and our application would work,
> since we would only be dependent on the Principal class?

You query the principal - but how you retrieve the principal is up to
you.

Windows will provide a default principal for the current login account.

> This seems too simple. Are there any security concerns with this
> method, other than the obvious case of a user leaving their computer
> unlocked? Are there any other configuration issues or anything like
> that which may need to be considered before deployment?

Most of this security is handled by .NET's CAS (Code Access Security):

http://msdn2.microsoft.com/en-us/library/930b76w0(VS.71).aspx

CAS is multilayered and there are several sets of permissions:

Enterprise (Active Directory Permissions)
Machine (Machine level security policies)
User (User level policies)
AppDomain (Current app)

When you're querying the principal in your application, you're really
handling AppDomain-specific permissions. So say you ignore the AppDomain
security (no security at all) and attempt a "format c:\"; if the user is
restricted, one of the levels of CAS will throw a security exception.

CAS is relatively secure - provided the policies are set correctly :-)
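The approach described in the reply above (take the default Windows principal, check it, and let the runtime's permission demands refuse callers who lack a role), written out as an added VB.NET example; it is not code from the thread, and `DeleteAllRecords` is a hypothetical privileged operation. It uses only constructs available in VB.NET 2003 (.NET 1.1).

```vbnet
Imports System
Imports System.Security
Imports System.Security.Permissions
Imports System.Security.Principal
Imports System.Threading

Module SsoPrincipalDemo

    Sub Main()
        ' Ask the runtime to attach the Windows logon identity to every thread in this
        ' AppDomain. Without this call Thread.CurrentPrincipal is an unauthenticated
        ' GenericPrincipal and every role check below fails.
        AppDomain.CurrentDomain.SetPrincipalPolicy(PrincipalPolicy.WindowsPrincipal)

        Dim user As IPrincipal = Thread.CurrentPrincipal

        ' Do not trust the principal blindly: confirm it is authenticated and that it
        ' really is a WindowsIdentity (other code in the process could have assigned a
        ' GenericPrincipal carrying any name it likes to the thread).
        If user Is Nothing OrElse Not user.Identity.IsAuthenticated Then
            Console.WriteLine("No authenticated user; refusing to continue.")
            Return
        End If
        If Not TypeOf user.Identity Is WindowsIdentity Then
            Console.WriteLine("Principal is not a Windows identity: " & user.Identity.AuthenticationType)
            Return
        End If

        Dim winId As WindowsIdentity = CType(user.Identity, WindowsIdentity)
        Console.WriteLine("Logged-on user:  " & winId.Name)            ' DOMAIN\user
        Console.WriteLine("Authentication:  " & winId.AuthenticationType) ' Kerberos, NTLM, ...

        ' Role membership comes from the logon token, not from anything the app stores.
        Console.WriteLine("Local admin:     " & user.IsInRole(WindowsBuiltInRole.Administrator))

        Try
            DeleteAllRecords()
            Console.WriteLine("Privileged operation allowed.")
        Catch ex As SecurityException
            ' The declarative demand failed: the caller lacks the required role.
            Console.WriteLine("Privileged operation denied: " & ex.Message)
        End Try
    End Sub

    ' Declarative role demand: the runtime inspects Thread.CurrentPrincipal before the
    ' body runs and raises SecurityException when the role is missing. The role string
    ' is the English name of the local group; it differs on localized Windows builds.
    <PrincipalPermission(SecurityAction.Demand, Role:="BUILTIN\Administrators")> _
    Sub DeleteAllRecords()
        ' Hypothetical privileged operation; intentionally empty.
    End Sub

End Module
```

Run it once from a normal logon and once from an elevated one to see the same code path either succeed or end in the SecurityException branch without any application-side role table.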


