VB.net Authentication

  • Question

  • I want to thank people in advance for helping.

    My situation is that I am currently developing an application where my workers use computers that are not part of the domain, so I have to write an authentication form that doesn't use Windows Authentication. However, I still want to authenticate to Active Directory. I am using SQL Server. Does anyone have any ideas that can help me?

    Can I write a stored procedure that takes in the user name and password and returns true if they authenticate? Then I would just store that information encrypted in memory and call upon it every time the user accesses the db... yes?

    Anyways, not having users on the domain is making my job a lot harder.

    Thanks
    Sunday, February 17, 2008 5:53 AM

Answers

  • Hello,

    A stupid question: why are you using the OLEDB Provider versus SQL Server?

    It would be better to use the class SqlConnection and so on (using System.Data.SqlClient;). It's more efficient.

    Which version of VB.Net do you use? (2005 or 2008, Express or through Visual Studio Standard, Pro, Team...)

    I suppose that you would prefer to use Windows authentication versus SQL Server (which version: 2000, 2005? Express or Standard...). It's a good idea, but I have some problems at home because my computers belong to a workgroup network, so no Windows Server and no Active Directory. At home, I will not be able to help about AD, but many people will be able to.

    Are your users connecting through terminal server or something similar?

    For checking if they are a valid user in SQL Server, you have several methods:

    - impersonate a unique user which may only use some system stored procedures or views to get which databases they may connect to

    - use SMO to get this information. I've posted some code

    http://forums.microsoft.com/MSDN/ShowPost.aspx?PostID=2844987&SiteID=1

    that code is in VC#, but it will be easy for me to translate it into VB if you are interested

    - try directly to connect to the database, and with a try/catch you will treat the error user not found or incorrect password. I think there is a message with access denied to the database, but I don't remember the correct label

    Could you post the connection string you have used and the exact error message?

    It would be easier for me to find the problem (for the password put "XXXXX")

    Have a nice day

    Sunday, February 17, 2008 10:54 AM
  • You have a client application with remote users who are not part of your network, so you need to add such users manually into your SQL Server at the server level and at the database level. Then you need to configure permissions for the users if the levels of permissions are not the same.

    Monday, February 18, 2008 12:01 AM

All replies

  • Hello,

    I'm not sure I understand what you want to do.

    To connect to a SQL Server, you have 2 possibilities:

    - you use SQL Server authentication with a SQL Server login and its associated password. It's the usual method to use when you can't use Windows authentication, when you don't have a Windows user in the domain. But you must have enabled mixed mode for the SQL Server instance.

    - you use Windows authentication. In this case, the person trying to connect must have a Windows user and its associated password existing on the domain, so this user must be known in Active Directory.

    There is a third possibility with a certificate, but as I never used it I can't tell you more about it.

    Have a look at these links:

    http://msdn2.microsoft.com/en-us/library/bb283235.aspx

    http://msdn2.microsoft.com/en-us/library/ms181127.aspx

    http://msdn2.microsoft.com/en-us/library/ms188304.aspx

    What is not clear is what these users are able to do on your network.

    If they have to access files on the network, you may use a "generic" Windows user (common for all the people having the same permissions) to connect to the network and afterwards a SQL Server login to access the databases of the instance for which the permissions are restricted.

    But you will have to create SQL Server logins for nearly all your outside workers, and that may take long to do.

    You may create application roles in which you will put your created logins.

    For Windows, you group your users in Windows groups.

    Don't forget that you always have the possibility to encrypt the connection and all the transactions (useful if you don't want to be hacked on the WWW network).

    That's only some considerations on security.

    I will continue to search in the MSDN documentation (I will face this problem in some months, so I am already beginning to search).

    Have a nice day

    Modification: it's always possible to connect to a domain and impersonate with a more precise Windows user when you are connected to the domain.

    Have a look at:

    http://msdn2.microsoft.com/en-us/library/system.security.principal.windowsidentity.impersonate(VS.71).aspx

    http://support.microsoft.com/kb/821546

    http://blogs.msdn.com/shawnfa/archive/2005/03/21/400088.aspx

    Sunday, February 17, 2008 8:24 AM
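    An added example, not code from the thread, covering the two connection methods this reply describes and the try/catch login check from the marked answer: both strings force encryption on the wire, and a failed login is recognised by SQL Server's error number rather than by its message text. The instance and database names are placeholders.

    ```vb
    ' Added example (not from the thread). Instance and database names are placeholders.
    Imports System.Data.SqlClient

    Public Module SqlAuthDemo
        Private Const ServerName As String = "SQLSRV01\CAMP"   ' placeholder instance
        Private Const DatabaseName As String = "DayCamp"       ' placeholder database

        ' Windows authentication: the caller's domain credentials are used and
        ' no password appears in the connection string at all.
        Public Function WindowsAuthConnectionString() As String
            Dim b As New SqlConnectionStringBuilder()
            b.DataSource = ServerName
            b.InitialCatalog = DatabaseName
            b.IntegratedSecurity = True
            b.Encrypt = True                  ' TLS on the TDS session
            b.TrustServerCertificate = False  ' validate the server's certificate
            Return b.ConnectionString
        End Function

        ' SQL Server authentication (the instance must be in mixed mode).
        ' The login and password travel to the server, so Encrypt=True matters here.
        Public Function SqlAuthConnectionString(ByVal login As String, ByVal password As String) As String
            Dim b As New SqlConnectionStringBuilder()
            b.DataSource = ServerName
            b.InitialCatalog = DatabaseName
            b.IntegratedSecurity = False
            b.UserID = login
            b.Password = password
            b.Encrypt = True
            b.TrustServerCertificate = False
            b.PersistSecurityInfo = False     ' password is not readable from the open connection
            Return b.ConnectionString
        End Function

        ' Returns True only if the login succeeds. 18456 is SQL Server's "Login failed
        ' for user" error; the server deliberately does not say whether the name or the
        ' password was wrong, and the caller should not either. Other SqlExceptions
        ' (network, server down) propagate so an outage is not mistaken for a bad password.
        Public Function TryLogin(ByVal connectionString As String) As Boolean
            Try
                Using cn As New SqlConnection(connectionString)
                    cn.Open()
                    Return True
                End Using
            Catch ex As SqlException When ex.Number = 18456
                Return False
            End Try
        End Function
    End Module
    ```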
  • To clarify:

    These users all have access to the network. They all have accounts in the AD, but they use their personal computers at work because we do not have the funds to provide them with their own computers. We have a very limited number of workstations. But the bulk of our users are not part of the domain.

    What I am trying to do is to develop an authentication where users enter their AD credentials and I use that to build the connection string to the database. I've tried the ADO.NET OLE DB Provider connection string and have been unsuccessful with AD users, but not with SQL Server users.

    Currently I am writing code that will first check if the user exists as a user in the AD. If they are in the AD, I will check if they are a valid user in SQL; if they are not, I will add them; if they are, they will be authenticated.

    This is the only way I can think of getting around my current situation without having to create a generic user.

    Let me know what you think or if you find anything else.

    THANKS!

    Sunday, February 17, 2008 8:36 AM
  • You could use two Web.Config files, using the ASPNETDB membership tool for your forms authentication and the AD provider for the AD users; both use forms authentication. If there is a database for the application, you can add the ASPNETDB into that db and add the AD users manually into the database and SQL Server by using mixed authentication. The last Microsoft link covers ASP.NET security with many options. You need to run some tests for hybrid providers.

    http://blogs.msdn.com/dc995/articles/568597.aspx

    http://weblogs.asp.net/scottgu/archive/2005/08/25/423703.aspx

    http://msdn2.microsoft.com/en-us/library/ms978378.aspx

    Sunday, February 17, 2008 10:29 PM
  • Hey Everyone,

    Thanks for your help. I am sorry for the lack of details. Let me start all over again.

    The network I am developing for is for my small business, a day camp database. The server is located in my home office. Users at the camp site would either connect to the network via database or a remote VPN network setup. My SQL Server is the 2005 version. I currently have it set up for both Windows authentication and SQL Server authentication. Ideally I would like it to be strictly Windows, but my users are not all part of the domain, which presents a problem for me as a developer.

    From what I have read (I am not 100 percent sure about this), if you are using ADO.NET and passing a user name and pw, it can't be AD credentials; it has to be a SQL user. I do not know if I am right about this. If this is the case, is there some way around this?

    At this point I have part of my code (in VB 2005) completed, where I have the code authenticate to the AD server directly. And if they authenticate, a user will be created for them on the SQL Server using the same credentials if it has not been created for them already. However, if there is a way around this... PLEASE let me know. I do not want to have to manage multiple logins.

    My greatest concern is that passwords are traveling the network. Is there any way, using ADO.NET or some namespace in the .NET Framework, that will encrypt the packet? I do not know if I make any sense.

    Thanks!

    Sunday, February 17, 2008 11:07 PM
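    An added example, not the poster's code, of the AD check this post describes, done from a machine that is not domain-joined: the credential is validated with a secure LDAP bind, so the password itself is not sent across the network, which addresses the concern raised above. The domain controller name and naming context are placeholders.

    ```vb
    ' Added example (not the poster's code). Domain controller and naming context are placeholders.
    Imports System.DirectoryServices
    Imports System.Runtime.InteropServices

    Public Module AdCredentialCheck
        Private Const DomainController As String = "dc01.camp.local"   ' placeholder
        Private Const NamingContext As String = "DC=camp,DC=local"     ' placeholder

        ' Returns True if Active Directory accepts the user name/password.
        ' AuthenticationTypes.Secure makes ADSI bind with Negotiate (Kerberos or
        ' NTLM), which proves the password without sending it in cleartext;
        ' Sealing additionally requests encryption of the LDAP traffic.
        Public Function ValidateCredential(ByVal domain As String, ByVal userName As String, ByVal password As String) As Boolean
            ' An empty password must never be treated as a credential: LDAP servers
            ' may accept it as an anonymous (unauthenticated) bind and report success.
            If String.IsNullOrEmpty(userName) OrElse String.IsNullOrEmpty(password) Then
                Return False
            End If

            Dim path As String = "LDAP://" & DomainController & "/" & NamingContext
            Dim flags As AuthenticationTypes = AuthenticationTypes.Secure Or AuthenticationTypes.Sealing
            Try
                Using entry As New DirectoryEntry(path, domain & "\" & userName, password, flags)
                    ' Reading NativeObject forces the bind; a rejected credential throws.
                    Return entry.NativeObject IsNot Nothing
                End Using
            Catch ex As COMException
                ' 0x8007052E (ERROR_LOGON_FAILURE) is the usual code for a bad
                ' name or password; any other COM error is also a failed validation.
                Return False
            End Try
        End Function
    End Module
    ```

    Validating the password this way keeps it off the wire, whereas creating a SQL login with that same password, as the post describes, copies the secret into a second store with its own exposure; if a SQL login is created at all, it should carry a different password.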
  • You can use ASPNETDB, which you can use to configure your users into the application; based on your description, authenticating the users directly to AD is not valid. The reason is that a web application comes with what you can do and how. I think you need to spend time with the links I provided and then make some choices.

    Sunday, February 17, 2008 11:18 PM
  • I am creating a VB 2005 application. I do not want to develop a web-based ASP.NET UI, if this is what you are suggesting. Thanks though.
    Sunday, February 17, 2008 11:23 PM