Better approach for SSO to cater windows integrated auth as well as users not on domain
This may be a duplicate (not sure), but since I am unable to quench my thirst for the right answer (0: so here it goes:

I have to provide single sign-on for my ASP.NET web application. Where:

Case 1. User is allowed to log in without credentials if the user is already on the domain (logged on to the Windows domain).

Case 2. User is allowed to log in if the user is not on the domain, by asking for/validating the user's login credentials from Active Directory.

Question 1a. I would be interested in the comments about the steps that I "am following" and "should follow" to achieve the requirement. How can I improve this? Improve meaning, is this the right way/approach of providing the above required functionality?

Question 1b. Also, currently I have hard-coded roles in my database; I am planning to move them into the Active Directory user roles, so that I could use the .IsInRole method functionality. What do you think about that?

Right now, I have implemented it in the following way.

For case 1, the application uses Windows authentication, basically like the following:

return ((WindowsIdentity)(HttpContext.Current.User.Identity)).IsAuthenticated;

The application proceeds if it's an authenticated user.

For case 2, the application: Provides a page that asks for domain name, user id, and password. Checks if the user exists in Active Directory; following is a snippet.

DirectorySearcher search = new DirectorySearcher(entry);
search.Filter = "(SAMAccountName=" + username + ")";
search.PropertiesToLoad.Add("cn");
SearchResult result = search.FindOne();

The application proceeds if it finds a record of the user.

Please note that this includes the changes recommended in the web.config file, like the following snippet:

<authentication mode="Forms">
  <forms  loginUrl="~/UI/Pages/Login.aspx" defaultUrl="Default.aspx"  name="adAuthCookie" timeout="60" path="/" />
</authentication>

<authorization>
  <deny users="?"/>
  <allow users="*"/>
</authorization>
<identity impersonate="true"/>

Seems like adding roles (admin, supervisor, guest) to Active Directory roles is much better, but then when I deploy my application, how would I go about adding those hard-coded roles in Active Directory? Well... just thinking out loud.
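
One way to do the case 2 check so that the directory itself verifies the password and the user name cannot alter the search filter (an added example, not code from the original post; `AdLogin`, its method names, and the assumptions that `domain` is the domain's DNS name and that the application's identity may read the directory are hypothetical):

```csharp
using System.DirectoryServices;
using System.DirectoryServices.AccountManagement;
using System.Text;

// Added example: class, method and parameter names are hypothetical.
public static class AdLogin
{
    // Escape the characters RFC 4515 reserves in an LDAP filter value,
    // so user input can only ever match as literal text.
    // Constructed sample: "a*(b)" becomes "a\2a\28b\29".
    public static string EscapeFilterValue(string value)
    {
        var sb = new StringBuilder(value.Length);
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append(@"\5c"); break;
                case '*':  sb.Append(@"\2a"); break;
                case '(':  sb.Append(@"\28"); break;
                case ')':  sb.Append(@"\29"); break;
                case '\0': sb.Append(@"\00"); break;
                default:   sb.Append(c);      break;
            }
        }
        return sb.ToString();
    }

    // Returns the user's cn only when the domain accepts the password;
    // returns null for a rejected password or an account that is not found.
    public static string Authenticate(string domain, string username, string password)
    {
        // Reject empty input before talking to the directory.
        if (string.IsNullOrEmpty(username) || string.IsNullOrEmpty(password))
            return null;

        using (var ctx = new PrincipalContext(ContextType.Domain, domain))
            if (!ctx.ValidateCredentials(username, password))
                return null;

        // Assumption: the application's own identity may read the directory.
        using (var entry = new DirectoryEntry("LDAP://" + domain))
        using (var search = new DirectorySearcher(entry))
        {
            search.Filter = "(sAMAccountName=" + EscapeFilterValue(username) + ")";
            search.PropertiesToLoad.Add("cn");
            SearchResult result = search.FindOne();
            return result == null ? null : (string)result.Properties["cn"][0];
        }
    }
}
```

Issue the forms authentication ticket only when `Authenticate` returns a non-null value, and return the same generic failure message for a wrong password and an unknown account.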

Answers

I had to research this a few months back, and found an excellent article on how to mix Forms and Windows Security in ASP.NET. I never got the chance to implement it, so I am unsure as to actual results. If you use any of this, please let me know how it works out for you.

Mixing Forms and Windows Security in ASP.NET




