User authentication on active directory (internet)

  • Question

  • User75390921 posted

    Hi

    I have a big problem. I have a webservice (ASP.NET 2.0). This webservice should only be accessible for Active Directory users in our domain.

    We have two clients, a website and a PPC (Windows Mobile 2005) client (so I can't use WSE because .NET CF has no WSE features). The service has to be accessible from the internet. Can anyone help me? I don't really know how I can solve this Active Directory authentication problem...

    Thx for any help

    Tuesday, April 11, 2006 11:09 AM

All replies

  • User1354132231 posted
    Good question.  Does PPC support Windows Authentication?  I think you will have to do custom authentication with headers and what not otherwise.
    Tuesday, April 11, 2006 6:38 PM
  • User75390921 posted
    Yes, an extended SOAP header would be a great solution. But how can I validate the user and the password from the extended SOAP header against the Active Directory with the service? This is my problem.
    Wednesday, April 12, 2006 3:10 AM
  • User1354132231 posted
    There are a number of ways of authenticating users with AD.  You can use native LDAP, you can use the DirectoryEntry, or you could use SSPI or the LogonUser API.

    It kinda depends on your scalability needs and how many requests you think you will get.  I don't have exact benchmarks, but if I had to order them in terms of speed and flexibility, it would be:
    • Native LDAP (with fast concurrent binds) over SSL using .NET 2.0
    • SSPI (using .NET NegotiateStream)
    • LogonUser (using p/invoke)
    • DirectoryEntry
    The nice thing about the first option is that you can get some good flexibility.  It can be configured for Kerberos, SSL, or Digest.  It can support both AD and ADAM (or another LDAP server really). The other methods are either only for Active Directory or were really not meant to be used for authentication (e.g. DirectoryEntry scales very poorly).

    If I had to do it today, I would choose the first option.  However, I might be swayed to either SSPI or LogonUser depending on my requirements/restrictions.  I would use the DirectoryEntry dead last in a server application.

    Does that help?  We have an entire chapter plus code for each method in my book.  I really like the native LDAP method using .NET 2.0.  If you wait a few weeks, I will have put the sample code from the book on its companion site and you can see each method (no purchase required).  The site will be launched with the book or just after it hits the shelves (May 4 or so).
    Wednesday, April 12, 2006 12:46 PM
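    The native LDAP option recommended in the reply above, as an added example that is not code from the thread or from the book: an ASP.NET 2.0 web service that takes the user name and password from a custom SOAP header and validates them by binding to the domain controller over SSL with System.DirectoryServices.Protocols. The server name, domain, class and method names are assumptions.

```csharp
using System.DirectoryServices.Protocols;
using System.Net;
using System.Web.Services;
using System.Web.Services.Protocols;

// Custom SOAP header carrying the credentials (constructed for this example).
public class CredentialHeader : SoapHeader
{
    public string UserName;
    public string Password;
}

public class LdapAuthenticator
{
    // Hypothetical domain controller; port 636 is LDAP over SSL.
    private const string Server = "dc.example.local:636";

    // Returns true only if the DC accepts a simple bind with this user name and password.
    public static bool Validate(string domain, string userName, string password)
    {
        // An empty password would be treated as an anonymous bind and "succeed", so reject it up front.
        if (string.IsNullOrEmpty(userName) || string.IsNullOrEmpty(password))
            return false;
        using (LdapConnection connection = new LdapConnection(new LdapDirectoryIdentifier(Server)))
        {
            connection.SessionOptions.SecureSocketLayer = true; // simple bind sends the password, so require SSL
            connection.AuthType = AuthType.Basic;               // simple bind: the DC checks the password
            connection.SessionOptions.FastConcurrentBind();     // many binds per connection (Windows 2003+ DC)
            try
            {
                connection.Bind(new NetworkCredential(userName, password, domain));
                return true;
            }
            catch (LdapException)
            {
                return false; // bad credentials or server error: do not authenticate
            }
        }
    }
}

public class SecureService : WebService
{
    public CredentialHeader Credentials;

    [WebMethod]
    [SoapHeader("Credentials", Required = true)]
    public string Hello()
    {
        if (Credentials == null || !LdapAuthenticator.Validate("EXAMPLE", Credentials.UserName, Credentials.Password))
            throw new SoapException("Authentication failed", SoapException.ClientFaultCode);
        return "Hello, " + Credentials.UserName;
    }
}
```

    Because the header carries the password in clear text inside the SOAP envelope, the service endpoint itself must be served over HTTPS.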
  • User75390921 posted
    Thank you very much for your help! But I have to finish this application by Sunday :(. Is it possible to get this example? Or do you have some links to any other similar tutorial? Or does an ebook version of this book exist, so I can buy it?
    Thursday, April 13, 2006 2:19 AM
  • User75390921 posted

    Now I can authenticate users! :D

    But how should I solve the authentication for every post? My idea is to give the client, after the login, a session ID which he has to send in the extended SOAP header. Is there any better solution for this?

    Thursday, April 13, 2006 9:28 AM
  • User1354132231 posted
    Great, I am not really familiar with the best practices for this type of authentication.  However, I would assume that you would start sending a session ID across each time and having your application verify it.  I also do not think it would be a good idea to login on each request.

    Can you use cookies?  I know that you can simply set a secure cookie that would be passed back with each HTTP request.  This cookie can be used to ensure the client was authenticated and can also hold things like roles, etc.

    However, if you are just using web services, I don't know enough about them to guess whether or not this would work.  In any case, I would try to avoid implementing your own security if possible.
    Thursday, April 13, 2006 2:49 PM