classNoob

I have come up with an authentication scheme that I wanted to run past everyone to see if you all agree with my logic. Here is the process:

1) The client's Windows login credentials are automatically passed (a manual option is also provided) with the web service call using:

WebService.Credentials = System.Net.CredentialCache.DefaultCredentials

2) The web.config for the webservice is set to impersonate the user.

3) At this point I thought I can assume that the client is who they say they are considering the login was successful. My plan is to use the username and SID to retrieve the information for that user from the database as opposed to the traditional username and password scenario.

4) If the user's SID is ever out of sync I will provide the admin a sync option. Basically the same option I would have given them when they set up the user.

What do you think? Is there a better scheme out there for this type of scenario? All feedback welcome!

Re: Visual C# General Pass-Thru Authentication

Alberto Poblacion

If you are passing the Windows credentials to the Web Service and it is authenticating the user (step 2), this means that the users from the client machines are known to the server, which basically means that the clients and the server are members of the same Windows Domain (or a trusted Domain). Once you get to step 3, therefore, you know who the user is (whoever logged in at the workstation and ran the program that called the web service), and you know that the username is unique in your forest (the domain is part of the user name). So you can use that username as a key into your database, without needing the SID, and there is nothing to get out of sync with anything else.

Re: Visual C# General Pass-Thru Authentication

classNoob

Isn't it possible on a trusted domain to have the same user name? I don't want "DOMAIN_B\user" to have access to the same account information intended for "DOMAIN_A\user" just because both accounts are called "user."

Re: Visual C# General Pass-Thru Authentication

Alberto Poblacion

If you are using integrated authentication and you ask in your code for the User.Identity.Name, you get back "DOMAIN_A\user", so if you use this as a key into your database, it will be distinct from "DOMAIN_B\user".

Re: Visual C# General Pass-Thru Authentication

classNoob

Thanks, Alberto, for working that idea out with me!

Re: Visual C# General Pass-Thru Authentication

classNoob

You know, I was thinking again about storing the domain names in place of the SIDs and I think I would still rather use the SIDs. The only reason I would store the domain name would be to reduce the need for synchronization should something change on the user. I work with fairly sensitive data available to a large base of users. Sometimes the user group can be in the hundreds. If a user is deleted because an employee no longer works for them, then I am exposed to a new future employee with the same username getting rights to the system that they should not get. In other words, I can rely on a "domain name/user name" scheme on a NOW basis, but I cannot rely on it in the third dimension when you apply time.

Your answer was not a wrong one. I just needed to eval my risk assessment based on potential clients and security requirements. I still thank you for your answer, but I wanted to clarify why I am sticking to SIDs should someone else rely on the information in this post.
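The scheme from the original post (steps 3 and 4), keyed on the SID as classNoob settled on in the final reply, as an added C# example that is not code from this thread. It assumes an ASP.NET web service with Windows authentication and impersonation enabled in web.config; the AccountRecord type, the in-memory store and the sample SID are hypothetical stand-ins for the poster's database.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Principal;

// Added example, not the poster's code: accounts keyed on the Windows SID (the
// final post's choice) plus the admin "sync" from step 4. The dictionary stands
// in for the database; its single row is constructed sample data.
public sealed class AccountRecord
{
    public string Sid;          // stable key, e.g. S-1-5-21-...-1001
    public string AccountName;  // DOMAIN\user, kept for display and audit only
    public string Role;
}
public static class SidKeyedAccounts
{
    private static readonly Dictionary<string, AccountRecord> Store =
        new Dictionary<string, AccountRecord>(StringComparer.OrdinalIgnoreCase)
        {
            { "S-1-5-21-1111111111-2222222222-3333333333-1001",   // constructed SID
              new AccountRecord { Sid = "S-1-5-21-1111111111-2222222222-3333333333-1001",
                                  AccountName = @"DOMAIN_A\user", Role = "Analyst" } }
        };
    // Step 3: with <identity impersonate="true"/> the thread identity is the caller.
    // A deleted-and-recreated account carries a new SID, so it finds no row even
    // though its DOMAIN\user name reads the same.
    public static AccountRecord ResolveCaller(WindowsIdentity caller)
    {
        if (caller == null || !caller.IsAuthenticated || caller.IsAnonymous)
            throw new UnauthorizedAccessException("Integrated Windows authentication required.");
        AccountRecord record;
        if (!Store.TryGetValue(caller.User.Value, out record))
            throw new UnauthorizedAccessException("No account for SID " + caller.User.Value
                + " (" + caller.Name + "); an administrator must sync it.");
        return record;
    }
    // Step 4: admin-only sync. Asks the directory for the name's *current* SID
    // (IdentityNotMappedException if it does not resolve) and re-keys the row, so
    // rights move only by deliberate admin action, never by username reuse.
    public static AccountRecord SyncSid(string accountName)
    {
        var current = (SecurityIdentifier)new NTAccount(accountName).Translate(typeof(SecurityIdentifier));
        AccountRecord row = null;
        foreach (var r in Store.Values)
            if (string.Equals(r.AccountName, accountName, StringComparison.OrdinalIgnoreCase)) { row = r; break; }
        if (row == null) throw new KeyNotFoundException("No stored account named " + accountName);
        Store.Remove(row.Sid);          // drop the stale SID key
        row.Sid = current.Value;
        Store[row.Sid] = row;
        return row;
    }
}
```

Inside the service, call ResolveCaller(WindowsIdentity.GetCurrent()) from the web method; the NTAccount translation in SyncSid needs a domain or local lookup, so it only succeeds on a joined machine.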