W
Willy Denoyette [MVP]
Mark Rae said:My mistake - apologies for not reading the OP closely enough...
Well, this is quite confusing, the OP should have been more explicit in it's original
posting.
Why? What would you recommend instead...?
Well, it depends on so many things, like the OS versions, Domain versions (if any) client
types (windows non windows) and the final purpose of the authentication act.
Some alternatives are :
call Win32 LogonUser(), but while this validate a Windows user, it's purpose is to return an
access token.
use the SSPI set of security API's, these can be used to authenticate using different
protocols even for non Windows users. Unfortunately the V2 framework classes don't expose
all of their functionalities. V3 does a far better job, but here they relate more to the
WCF, than for generic authentication purposes.
On A W2K/W2K3 realm, you can use LDAP to authenticate against an AD domain, note here I'm
talking about LDAP, that is using System.DirectoryServices.protocol classes!!! The same
remark here as above, some network manager will not allow you to authenticate using LDAP
against a corporate Directory.
Anyway, using DirectoryServices just for authentication is not the right way of doing, just
watch the amount of data passed when binding to the AD when doing so and you will understand
why (but there is more). The Directory is kind of a DB which can store a lot of objects,
authentication is part of the "authorization" process, that is, before you can access the
objects stored in the directory, you have to prove "who you are" so that the
DirectoryService can perform authorization controls. So basically it's the start of a longer
transaction, but if you only perform the authentication step, you are needlessly hitting the
service. It's funny that people never authenticate against, let's say against a SQL server,
but find is quite usual to do it against a Directory server.
Willy.