Single sign-on based on Active Directory


Froefel

Hi group

I am new to ASP.NET and I'm having trouble understanding how to
implement a logon mechanism based on Active Directory.
Here's what I want to achieve:
The application is an Intranet application and will be used by both
Macintosh and Windows users. The Windows users are all authenticated
against the company's Active Directory when they log on to their
computer, the Mac users aren't (still need to find out how they are
authenticated and granted access to resources). I need to support IE
and Firefox for the Windows users, and Safari for the Mac users.

When the Windows users access my Intranet application, by default
their Windows logon credentials will be used to log them into my
application and to retrieve extra information from Active Directory
(user's first and last name, and a list of groups this user belongs
to). Based on the groups a user belongs to, the application will
behave differently. Also, I would like to give them the ability to log
on to my application as someone else. In that case, a logon dialog
will ask them for credentials, which I need to verify against Active
Directory. So in the latter case, a user could be logged on to Windows
as User1 and logged on to my application as User2. As far as my
application is concerned, all I care about after the logon is User2.

Finally, each page must be aware of the login credentials and must
have access to the user details (logon, first name, last name,
groups).

So far I have experimented a bit with Windows Authentication. Placing
a Login control on a page automatically gives me DOMAIN\User1 (which
is my Windows login). But that's without doing any programming at
all...

Can someone give me some good pointers on how to approach this?

One thought crossed my mind: in order to support the Mac users, should
I create a users table in my own SQL DB to authenticate them against
and set them up with permissions? Windows users could bypass that
table and get all their info straight from Active Directory.

Any recommendations and help are greatly appreciated.

-- Hans
 

bruce barker

You can configure IIS for Windows, Kerberos, or Basic authentication, so all browsers
are supported. Basic should only be used over SSL.

With this setup no Login control is needed because IIS and the browser
handle it. Your code uses the current identity to look up additional info
in Active Directory if needed. You can also use roles.

Note: Safari supports all three; not sure about Firefox on Mac.


-- bruce (sqlwork.com)
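As an added example (not from the original thread, and not Hans's or Bruce's code), here is what the setup Bruce describes looks like in ASP.NET C#: IIS and the browser do the logon, the page code reads the resulting WindowsIdentity and looks up first name, last name and group membership in Active Directory, and the "log on as someone else" case from the question is covered by validating the typed credentials against the domain before looking that account up. The class names AdDirectory and AdUserInfo, the CORP domain and the web.config fragment in the comment are assumptions made for the example; the System.DirectoryServices.AccountManagement calls are the real .NET API.

```csharp
// Added example, not code from the thread. Assumes a System.Web intranet app on IIS
// with anonymous access disabled and Integrated Windows (Kerberos/NTLM) or
// Basic-over-SSL authentication enabled, e.g. in web.config (assumed fragment):
//
//   <system.web>
//     <authentication mode="Windows" />
//     <authorization>
//       <deny users="?" />   <!-- reject anonymous requests -->
//     </authorization>
//   </system.web>
//
// With that in place no Login control is needed and Context.User is a WindowsPrincipal.
using System;
using System.Collections.Generic;
using System.DirectoryServices.AccountManagement;
using System.Linq;
using System.Security.Principal;
using System.Web;

// Hypothetical DTO for the details every page needs.
public sealed class AdUserInfo
{
    public string Logon { get; set; }       // DOMAIN\sAMAccountName
    public string FirstName { get; set; }
    public string LastName { get; set; }
    public List<string> Groups { get; set; } // sAMAccountNames of all (nested) groups
}

public static class AdDirectory
{
    private const string Domain = "CORP";    // assumed domain name

    // Default case: the account IIS already authenticated (Hans's User1).
    public static AdUserInfo CurrentUser(HttpContext ctx)
    {
        var identity = ctx.User.Identity as WindowsIdentity;
        if (identity == null || !identity.IsAuthenticated)
            throw new InvalidOperationException("Request is not Windows-authenticated; check IIS and web.config.");

        // identity.Name is "DOMAIN\user"; strip the domain for the AD lookup.
        string sam = identity.Name.Contains("\\") ? identity.Name.Split('\\')[1] : identity.Name;
        return Lookup(sam);
    }

    // "Log on as someone else" (User2): bind to AD with the supplied credentials and
    // only on success return that account's details. The password is never stored.
    public static AdUserInfo LogOnAs(string userName, string password)
    {
        if (string.IsNullOrEmpty(userName) || string.IsNullOrEmpty(password))
            return null;
        using (var ctx = new PrincipalContext(ContextType.Domain, Domain))
        {
            // False for a wrong password, unknown user, or a disabled/locked account.
            if (!ctx.ValidateCredentials(userName, password))
                return null;
        }
        return Lookup(userName);
    }

    private static AdUserInfo Lookup(string samAccountName)
    {
        using (var ctx = new PrincipalContext(ContextType.Domain, Domain))
        using (var user = UserPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, samAccountName))
        {
            if (user == null) return null;
            // GetAuthorizationGroups() includes nested membership, which is what
            // access decisions should be based on (GetGroups() only returns direct ones).
            var groups = user.GetAuthorizationGroups()
                             .OfType<GroupPrincipal>()
                             .Select(g => g.SamAccountName)
                             .Where(n => n != null)
                             .OrderBy(n => n)
                             .ToList();
            return new AdUserInfo
            {
                Logon = Domain + "\\" + user.SamAccountName,
                FirstName = user.GivenName,
                LastName = user.Surname,
                Groups = groups
            };
        }
    }

    // Role check for page logic, e.g. IsMember(user, "App-Admins").
    public static bool IsMember(AdUserInfo user, string groupSamAccountName)
    {
        return user != null &&
               user.Groups.Any(g => string.Equals(g, groupSamAccountName, StringComparison.OrdinalIgnoreCase));
    }
}
```

Because IIS keeps authenticating every request as User1, the User2 result from LogOnAs has to be carried by the application itself (for example stored in Session after a successful call and read from there on each page, falling back to CurrentUser when it is absent). Calling ValidateCredentials performs a real LDAP bind, so repeated failures count against the account's lockout policy like any other bad logon; the logon form should be served only over SSL so the typed password is not exposed.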
 