Forms and integrated authentication combined

Thread starter: Jason

Jason

I know how to use both Forms and Integrated Windows authentication. However,
both of them have a critical problem, namely:


Windows authentication is very touchy when going through firewalls and some
user settings on the client end can completely screw up NT authentication
altogether. Works very well when it works, a royal pain when it doesn't.
Also, while 98% of our users are on a domain, there is a requirement for odd
users to be able to connect to it without being a domain user.


Forms authentication suffers from the problem that users will inevitably use
the same password as their NT account, meaning passwords would be stored in
a less secure database. I could authenticate on the domain each time they
log in, but then the login.aspx page could be hacked to siphon off these
passwords.


What I am trying to get is a combination of the two, so that NT
authentication will try first and if this doesn't work, then Forms
authentication takes over.

I could achieve this if there a way, within the login.aspx page to find out
the logged on NT user. But NT authentication seems to be all or nothing. If
they don't pass authentication, then it will not allow them to view the
page.

Basically, I want to leave "Anonymous access" and "Integrated Windows
Authentication" both switched on, but for "Integrated Windows
Authentication" to be used in the first instance. Currently if "Anonymous
access" is selected, then that is what is used.


Is what I am trying to achieve possible?



Jason.
 
....
Forms authentication suffers from the problem that users will inevitably use
the same password as their NT account, meaning passwords would be stored in
a less secure database. I could authenticate on the domain each time they
log in, but then the login.aspx page could be hacked to siphon off these
passwords.

I don't get it. How would authenticating against the domain turn login.aspx
into a source of passwords?
 
Because when Integrated NT Authentication is used, the authentication takes
place between IIS and IE. In fact, I believe that the user password is never
sent, only an authenticated user ID (not too sure about that point though).

However, if a domain username and password are supplied to a login.aspx page,
then this page actually gets hold of both details and could do whatever it
wanted with the password after authenticating it on the domain. The password
could be stored in a text file.


Remember that it is very difficult to get a user's password out of Windows
2000 Server because the password file is heavily encrypted.

An administrator can change a user's password, but cannot find it out.
However a login.aspx page is very open. Any developer could add a few lines
of code to the page to capture these passwords and it is unlikely that
anyone else would notice for some time.

This is why Integrated NT authentication is much better..... if it works.


Although I do not think that the above is very likely in my organisation,
it's still a potential hole.


Jason
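One way to get the "Windows first, Forms as fallback" arrangement asked for in the opening post, while keeping domain passwords away from login.aspx as the follow-up worries about, is the mixed-mode pattern below; this is an added example, not code from the thread. It assumes ASP.NET with Forms authentication in web.config, IIS with Anonymous and Integrated Windows authentication both enabled for the site but Anonymous disabled on a single page (WinLogin.aspx, a name chosen here), and a hypothetical LocalAccounts store holding only the non-domain users.

```csharp
// Assumed setup: web.config uses <authentication mode="Forms"> with
// loginUrl="Login.aspx" and <deny users="?" />.  In IIS the site allows both
// Anonymous and Integrated Windows auth, but WinLogin.aspx has Anonymous
// disabled and its custom 401 error page set to Login.aspx?tried=1.
using System;
using System.Web;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.WebControls;
// WinLogin.aspx: IIS has already authenticated the browser against the domain
// before this runs. No password reaches ASP.NET, only the account name.
public class WinLogin : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        string domainUser = Request.ServerVariables["LOGON_USER"]; // e.g. CORP\jason
        if (domainUser == null || domainUser.Length == 0)
        {
            Response.Redirect("Login.aspx?tried=1"); // never issue an empty ticket
            return;
        }
        // Turn the Windows identity into a Forms ticket and honour ReturnUrl.
        FormsAuthentication.RedirectFromLoginPage(domainUser, false);
    }
}

// Login.aspx: anonymous access allowed. Try the Windows page first; show the
// password form only after that attempt has failed (tried=1).
public class Login : Page
{
    protected TextBox UserName, Password; // assumed controls on the page
    protected void Page_Load(object sender, EventArgs e)
    {
        if (!IsPostBack && Request.QueryString["tried"] != "1")
        {
            string returnUrl = Request.QueryString["ReturnUrl"];
            if (returnUrl == null) returnUrl = "/";
            Response.Redirect("WinLogin.aspx?ReturnUrl=" + HttpUtility.UrlEncode(returnUrl));
        }
    }

    protected void LoginButton_Click(object sender, EventArgs e)
    {
        // LocalAccounts is a hypothetical store holding only non-domain users, so
        // a domain password is never typed into, or handled by, this page.
        if (LocalAccounts.Validate(UserName.Text, Password.Text))
            FormsAuthentication.RedirectFromLoginPage(UserName.Text, false);
    }
}
```

Because the Forms store contains no domain accounts, a developer altering Login.aspx could only capture the passwords of the few non-domain users, and domain users never type a password into the application at all.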