Re: Password encryption




"Paul Carlton" <PaulCarlton@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:DF5EE03D-CBFB-469E-BC1A-015799852CCC@xxxxxxxxxxxxxxxx
Herb

Thanks, I have source code to the database including ODBC server and
JDBC/ODBC clients. However my real goal is to avoid requiring the user to
share their password with any component of our code. Even if it is only
supported on Windows what I am really looking for is an AD client plugin
that can encrypt the password before passing it to us so we can remain
ignorant of the user's private credentials!

As I said, AD (and Windows credentials) don't work that way -- passwords
are not passed around -- authentication credentials are.

Even DCs don't "know" your password (by default.)

I'll explore the SDK route and Kerberos tickets

Or if you must hack it look to creating some "resource" a file or other
persistent resource while impersonating that user -- then when THAT user
wants access you can check by opening the persistent resource.

All the authentication would be handled by existing systems and APIs with
little work for you to do.

You would maintain a table of UserName->ResourceName (unless that
mapping is entirely predictable in which case you don't even need the map
table.)


Thanks

"Herb Martin" wrote:


"Paul Carlton" <Paul Carlton@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:F5232524-47D6-4228-8EEC-6BCB650D8DDB@xxxxxxxxxxxxxxxx
I am working on a project to integrate Active Directory with a database,
i.e. support for AD integration so that customers can log on to our
database using their AD user and password.

The problem I'm trying to overcome is that the user sends their password
as clear text, i.e. they enter it into the ODBC/JDBC client. This means
that our ODBC/JDBC client and server code has access to this password in
clear text so a rogue developer could potentially capture a user's
password, which they could use to access other company systems.

What I'd like is a client plug-in that the user could install that would
encrypt their password so the encrypted password could be passed through
our database to the AD server. The AD server would then decrypt the
password, verify it and respond to the authentication request.

Does this facility exist?

Sort of except that AD doesn't "decrypt" the password but rather compares
the encrypted version (by the client/software) with another encrypted
version that is stored on the server -- or uses those encrypted versions
for Kerberos ticket encryption (even when no passwords are transmitted.)

What you really want to do is add "Integrated Authentication" to your
database.

Is your "database" written by you or some (known) database you have
adopted?

Microsoft has or used to have an SDK freely available for doing such
things.

You could also create flag files or other objects which only the "user"
could open and then use those to prove that the AD identity had been
authenticated (but this is actually the kludgy way.)

You might also do better asking this on one of the ADSI or other
programming newsgroups.
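
Added example, not part of the original thread: a simplified challenge-response sketch in Python of the point made above that the directory compares password-derived values rather than decrypting a password, so the database code in the middle only relays a challenge and a response. The `Directory`, `DatabaseRelay` and `login` names and the PBKDF2/HMAC construction are assumptions for illustration; this is not the NTLM or Kerberos wire protocol.

```python
import hashlib, hmac, os

def derive_key(password: str, salt: bytes) -> bytes:
    # Stand-in for the password-derived key a directory stores instead of the password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def client_respond(password: str, salt: bytes, nonce: bytes) -> bytes:
    # Runs on the user's machine; only this HMAC ever leaves it.
    return hmac.new(derive_key(password, salt), nonce, hashlib.sha256).digest()

class Directory:
    """Hypothetical authentication authority (constructed; not AD's wire protocol)."""
    def __init__(self):
        self._users = {}    # user -> (salt, derived key); no password is kept
        self._pending = {}  # user -> outstanding single-use challenge

    def enroll(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self._users[user] = (salt, derive_key(password, salt))

    def challenge(self, user: str):
        salt, _ = self._users[user]
        self._pending[user] = os.urandom(32)
        return salt, self._pending[user]

    def verify(self, user: str, response: bytes) -> bool:
        nonce = self._pending.pop(user, None)  # consumed, so a replay fails
        if nonce is None:
            return False
        expected = hmac.new(self._users[user][1], nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)

class DatabaseRelay:
    """The database client/server code: forwards blobs and logs all it sees."""
    def __init__(self, directory: Directory):
        self.directory, self.seen = directory, []

    def start(self, user: str):
        salt, nonce = self.directory.challenge(user)
        self.seen += [user.encode(), salt, nonce]
        return salt, nonce

    def finish(self, user: str, response: bytes) -> bool:
        self.seen.append(response)
        return self.directory.verify(user, response)

def login(relay: DatabaseRelay, user: str, password: str) -> bool:
    salt, nonce = relay.start(user)
    return relay.finish(user, client_respond(password, salt, nonce))  # client-side driver
```

The relayed response can still be guessed against offline by whoever carries it, and the stored key is password-equivalent, which is why the platform's integrated authentication is preferable to a home-grown exchange like this one.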




