Webapp Authentication best practice...

Guest

I am working on a web app that requires authentication to AD.
The authentication is working fine the way I am doing it, but I
was wondering what the best practice is.

My code doesn't actually authenticate to AD as much as it
does authenticate to AD by using LDAP.

new DirectoryEntry(szServername, szUsername, szPassword,
AuthenticationTypes.Secure), where szServername is a string that is
dynamically built as: "LDAP://" + this.txtServer.Text

Is there a way that I can have the session authenticate to AD once
and not have to store username and password and then use only
that authenticated connection to perform the functions that are needed?

Any help or pointers would be greatly appreciated.

Guest

If you are using Forms Authentication, you can authenticate against the
Active Directory store. If you are using ASP.NET 2.0, you should be able to
find a sample ActiveDirectory Membership Provider to use.
Peter
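The approach Peter describes, written out as an added example (it is not code from this thread or from any poster): a Forms Authentication login handler that validates the submitted credentials through the ASP.NET 2.0 ActiveDirectoryMembershipProvider and then issues a forms-authentication ticket, so the password lives only for the duration of the request and is never kept in session state. The control names, connection string, provider name and domain in the comment are assumed placeholders; with forms authentication the server needs no user password after login because the cookie, not the credentials, identifies the user on later requests.

```csharp
// Added example, not from the thread. Assumed web.config (placeholder names):
//   <connectionStrings>
//     <add name="ADConnection"
//          connectionString="LDAP://dc01.example.com/DC=example,DC=com" />
//   </connectionStrings>
//   <system.web>
//     <authentication mode="Forms">
//       <forms loginUrl="Login.aspx" requireSSL="true" timeout="20" />
//     </authentication>
//     <membership defaultProvider="ADProvider">
//       <providers>
//         <add name="ADProvider"
//              type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
//              connectionStringName="ADConnection"
//              connectionProtection="Secure"
//              attributeMapUsername="sAMAccountName" />
//       </providers>
//     </membership>
//   </system.web>

using System;
using System.Web;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.WebControls;

public class LoginPage : Page
{
    // Controls wired up by the .aspx markup (hypothetical ids).
    protected TextBox txtUser;
    protected TextBox txtPassword;
    protected Label lblMessage;

    protected void btnLogin_Click(object sender, EventArgs e)
    {
        // Refuse to accept a password over plain HTTP.
        if (!Request.IsSecureConnection)
        {
            lblMessage.Text = "This page must be used over HTTPS.";
            return;
        }

        string user = txtUser.Text.Trim();
        string password = txtPassword.Text;

        // The membership provider performs a secure LDAP bind to AD with these
        // credentials. Nothing is cached by this code.
        if (Membership.ValidateUser(user, password))
        {
            // Issues an encrypted, signed forms-auth cookie that carries only the
            // username, then redirects to the originally requested page.
            // Subsequent requests are identified by the cookie, not by re-binding.
            FormsAuthentication.RedirectFromLoginPage(user, false);
        }
        else
        {
            // Same message for unknown user and wrong password.
            lblMessage.Text = "Login failed.";
        }
        // 'password' goes out of scope here; it is never stored in Session or Cache.
    }
}
```

The provider binds with `connectionProtection="Secure"`, which corresponds to the `AuthenticationTypes.Secure` flag used in the original question, and `requireSSL="true"` keeps the ticket cookie off clear-text connections.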

Willy Denoyette [MVP]

My code doesn't actually authenticate to AD as much as it
does authenticate to AD by using LDAP.

It's not entirely clear from the above how you are actually authenticating, what kind of clients
(internet, intranet) and what kind of accounts you are authenticating. Not sure what exactly
is meant with "perform the functions that are needed..."

Willy.

Guest

Willy,

These are clients that are accessing the Web app via the INTERNET.

So, currently they login and I capture their login information after I
authenticate their credentials.

The functions that they are performing are group membership maintenance
for a specific OU.

So, I doubt that it is good practice to capture and retain their credentials
in memory and then create a new DirectoryEntry each time that I want
to perform a function (like enumerate groups, modify membership etc...).

I should be able to take the initial credentials and authenticate those
credentials and then have a pointer that is valid that I can use when
I need to perform an action in AD that I can then present the results
back to the webapp.

I'm just looking for the best practice, so that I can correct my code
while still in the Dev environment and not exposed to the INTERNET.

Thanks.

Willy Denoyette [MVP]

Joe said:
> Willy,
>
> These are clients that are accessing the Web app via the INTERNET.

Ok, so you can't use Windows authentication.

> So, currently they login and I capture their login information after I
> authenticate their credentials.

Using basic authentication? In that case, you have a serious security issue, it's your job
to authenticate incoming users in the strongest possible fashion (possibly using
certificates), failing to do so leaves yourself wide open to attack!

> The functions that they are performing are group membership maintenance
> for a specific OU.
>
> So, I doubt that it is good practice to capture and retain their credentials
> in memory and then create a new DirectoryEntry each time that I want
> to perform a function (like enumerate groups, modify membership etc...).

Once the clients are authenticated you don't need to keep their credentials around, all you
should do is switch identities when accessing AD resources, that is, you should access the
AD from asp.net using "explicit" credentials, or (better) delegate the AD function to a
COM+ server application (using System.EnterpriseServices) that runs in an account with
specific/restricted AD access privileges and possibly using role based security for finer
grained access control.
The latter scenario is better because it offers both stronger security and better
scalability.

Willy.
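Willy's "explicit credentials" variant, as an added example that is not code from this thread: once the user has been authenticated (for instance by forms authentication), AD is accessed with a separate, restricted service account whose rights are scoped to the one OU, and every operation is gated by a role check on the caller. The configuration keys, role names, OU and account are assumed placeholders; `IsInRole` is assumed to be backed by a role provider or a custom principal set up elsewhere in the application. The LDAP server name comes from configuration rather than from a request field such as the `txtServer` text box in the original post, so a client cannot point the application at a directory of its choosing.

```csharp
// Added example, not from the thread: AD access with explicit service-account
// credentials plus role-based gating. All names below are placeholders.
using System;
using System.Collections.Generic;
using System.Configuration;
using System.DirectoryServices;
using System.Security;
using System.Security.Principal;
using System.Text;
using System.Web;

public sealed class GroupMaintenanceGateway
{
    // Read from configuration, never from user input.
    private readonly string server = ConfigurationManager.AppSettings["AD.Server"];      // e.g. "dc01.example.com"
    private readonly string ouPath = ConfigurationManager.AppSettings["AD.GroupOU"];     // e.g. "OU=AppGroups,DC=example,DC=com"
    private readonly string svcUser = ConfigurationManager.AppSettings["AD.ServiceUser"]; // e.g. "EXAMPLE\\svc-groupmaint"
    private readonly string svcPassword; // supplied from a protected store at startup (assumption)

    public GroupMaintenanceGateway(string servicePassword)
    {
        svcPassword = servicePassword;
    }

    // Binds as the restricted service account with Kerberos signing and sealing.
    // The logged-in user's password is never involved.
    private DirectoryEntry Bind(string distinguishedName)
    {
        return new DirectoryEntry(
            "LDAP://" + server + "/" + distinguishedName,
            svcUser, svcPassword,
            AuthenticationTypes.Secure | AuthenticationTypes.Signing | AuthenticationTypes.Sealing);
    }

    // Role check on the caller before touching the directory at all.
    private static void Demand(string role)
    {
        IPrincipal caller = HttpContext.Current == null ? null : HttpContext.Current.User;
        if (caller == null || !caller.Identity.IsAuthenticated || !caller.IsInRole(role))
            throw new SecurityException("Caller is not authorized for role " + role);
    }

    // RFC 4514 escaping so a group name cannot alter the DN we build.
    private static string EscapeRdnValue(string value)
    {
        StringBuilder sb = new StringBuilder(value.Length);
        for (int i = 0; i < value.Length; i++)
        {
            char c = value[i];
            bool special = c == ',' || c == '+' || c == '"' || c == '\\' || c == '<' ||
                           c == '>' || c == ';' || c == '=' ||
                           (c == '#' && i == 0) || (c == ' ' && (i == 0 || i == value.Length - 1));
            if (special) sb.Append('\\');
            sb.Append(c);
        }
        return sb.ToString();
    }

    // Enumerates the groups directly under the configured OU.
    public IList<string> ListGroups()
    {
        Demand("GroupReader");
        List<string> names = new List<string>();
        using (DirectoryEntry ou = Bind(ouPath))
        using (DirectorySearcher search = new DirectorySearcher(
            ou, "(objectClass=group)", new string[] { "cn" }, SearchScope.OneLevel))
        using (SearchResultCollection results = search.FindAll())
        {
            foreach (SearchResult r in results)
                names.Add((string)r.Properties["cn"][0]);
        }
        return names;
    }

    // Adds a member (by DN) to a group that must live directly under the OU;
    // AD itself still enforces the service account's write permissions.
    public void AddMember(string groupCn, string memberDn)
    {
        Demand("GroupEditor");
        string groupDn = "CN=" + EscapeRdnValue(groupCn) + "," + ouPath;
        using (DirectoryEntry group = Bind(groupDn))
        {
            group.Properties["member"].Add(memberDn);
            group.CommitChanges();
        }
    }

    public void RemoveMember(string groupCn, string memberDn)
    {
        Demand("GroupEditor");
        string groupDn = "CN=" + EscapeRdnValue(groupCn) + "," + ouPath;
        using (DirectoryEntry group = Bind(groupDn))
        {
            group.Properties["member"].Remove(memberDn);
            group.CommitChanges();
        }
    }
}
```

Moving this class into a COM+ server application, as Willy suggests, keeps the same shape: the component runs under the service account's process identity, so the password never has to be held by the web process at all, and the `Demand` calls map onto COM+ role-based security.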