How to authenticate to a Kerberos (Apple Open Directory) server in ASP.Net

Here at work we just implemented an Apple Open Directory server. It stores everyone's usernames and passwords and implements LDAP and Kerberos. I've been tasked with configuring all of our ASP.Net web applications to authenticate with it--so users can use their Open Directory usernames and passwords to log into our ASP.Net applications.

I need something like mod_auth_kerb, except for IIS and ASP.Net--and I'd like to use forms-based authentication.

Is this possible?

Answers

IIS only supports kerberos for NTLM authentication as far as I know. I have never seen a secondary kerberos capable library or software. (true kerberos I mean) Now you could use the LDAP libraries in .Net to communicate between the servers in a kerberos fashion, but the connection between user client and asp.net server would still be an SSL plain/text connection.

I've also never seen it done, but it should be able to be done ... if the asp.net server had a trust relationship with the Apple Open Directory server with an LDAP connection made between the two, it might be possible to enable the NTLM authentication at the IIS level, and that would (in theory) extend the kerberos connectivity to the AOD through the trust. Again, I've never even contemplated it so I don't know what the pitfalls would be of attempting it.

I have successfully used DirectoryServices to connect to other Active Directories through the LDAP protocol, but I still have not found a way to embed the kerberos connectivity between client and authentication server without NTLM.

To use Kerberos authentication in IIS, your authentication type for the protected resource should be "Windows Authentication". This will make IIS use Negotiate (SPNEGO) authentication. The server must be a member of a domain for Kerberos to work. I'd recommend using a Server 2008 or Server 2008 R2 machine for this if possible as it handles Kerberos authentication more gracefully.

I haven't gotten a chance to work with a Mac server for a while, but it's my understanding that Open Directory is capable of serving a Windows domain member. For authorization, you'll have to query the LDAP directory from ASP or use your own internal authorization mechanism.

Edit: This Microsoft KB article might be of some use to you: http://msdn.microsoft.com/en-us/library/aa480475.aspx
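The two answers above describe the same split: let IIS do the Kerberos (Negotiate) authentication, then do authorization yourself by querying the directory over LDAP with DirectoryServices. The following is an added example of that pattern; it is not code from either answer or from Apple or Microsoft. It assumes an IIS site with Windows Authentication enabled and anonymous access disabled, an Open Directory host reachable as `od.example.com`, the usual Open Directory group container `cn=groups,dc=example,dc=com` with `memberUid` group membership, and an application pool identity that holds a Kerberos ticket for the `ldap/` service on that host; all of those names are placeholders to adjust.

```csharp
// Added example, not from the original answers. Assumed web.config fragment
// under <system.web>, which makes IIS perform Negotiate (Kerberos) and hand
// the authenticated principal to the application in HttpContext.User:
//
//   <authentication mode="Windows" />
//   <authorization><deny users="?" /></authorization>
//
using System;
using System.DirectoryServices.Protocols;
using System.Web;

public static class OpenDirectoryAuthz
{
    // Placeholders: replace with the real Open Directory host and base DN.
    const string LdapHost = "od.example.com";
    const string GroupBase = "cn=groups,dc=example,dc=com";

    // Reduces "REALM\alice" or "alice@REALM" to the short name "alice",
    // which is what Open Directory stores in uid / memberUid.
    public static string ShortName(string principal)
    {
        if (string.IsNullOrEmpty(principal)) return null;
        int backslash = principal.LastIndexOf('\\');
        if (backslash >= 0) principal = principal.Substring(backslash + 1);
        int at = principal.IndexOf('@');
        if (at >= 0) principal = principal.Substring(0, at);
        return principal.Length == 0 ? null : principal;
    }

    // RFC 4515 escaping so a user- or admin-supplied value cannot change
    // the structure of the search filter.
    public static string EscapeFilterValue(string value)
    {
        var sb = new System.Text.StringBuilder(value.Length);
        foreach (char c in value)
        {
            switch (c)
            {
                case '*':  sb.Append(@"\2a"); break;
                case '(':  sb.Append(@"\28"); break;
                case ')':  sb.Append(@"\29"); break;
                case '\\': sb.Append(@"\5c"); break;
                case '\0': sb.Append(@"\00"); break;
                default:   sb.Append(c);      break;
            }
        }
        return sb.ToString();
    }

    // Authorization step: is the Kerberos-authenticated user a member of the
    // named Open Directory group? The LDAP bind itself is a SASL/GSSAPI
    // (Kerberos) bind using the application pool's own identity, so no
    // password is ever handled by the web application.
    public static bool IsMemberOf(string principal, string groupName)
    {
        string uid = ShortName(principal);
        if (uid == null) return false;

        string filter = string.Format(
            "(&(objectClass=posixGroup)(cn={0})(memberUid={1}))",
            EscapeFilterValue(groupName), EscapeFilterValue(uid));

        using (var conn = new LdapConnection(new LdapDirectoryIdentifier(LdapHost, 389)))
        {
            conn.SessionOptions.ProtocolVersion = 3;
            conn.AuthType = AuthType.Kerberos;   // GSSAPI bind, not simple bind
            conn.Bind();                          // uses the process (app pool) credentials

            var request = new SearchRequest(GroupBase, filter, SearchScope.OneLevel, "cn");
            var response = (SearchResponse)conn.SendRequest(request);
            return response.Entries.Count > 0;
        }
    }

    // Call from a page or HTTP module after IIS has authenticated the request.
    // Returns true when the request may proceed; otherwise sends 403.
    public static bool Authorize(HttpContext ctx, string requiredGroup)
    {
        var identity = ctx.User != null ? ctx.User.Identity : null;
        if (identity == null || !identity.IsAuthenticated) return false;
        if (IsMemberOf(identity.Name, requiredGroup)) return true;

        ctx.Response.StatusCode = 403;
        ctx.Response.End();
        return false;
    }
}
```

Two points worth checking before relying on this: the Kerberos bind only succeeds if the directory host has a registered `ldap/od.example.com` service principal and the application pool identity can obtain a ticket for it (otherwise `Bind()` throws and the request is denied, which is the safe failure), and the filter escaping matters even though the username came from Kerberos, because the group name is the kind of value that tends to come from configuration or a query string later on.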
