single sign on..urgent


Guest

Hi,
I need to implement single sign on in my application. I don't want to
use Passport authentication. Do we have any other way?
 
Digest isn't the most secure mechanism given the password constraints on
the user's account -- the security minded folks I talk to think these requirements
are a non-started for digest. Integrated works well, though, but has its
own limitations.

-Brock
DevelopMentor
http://staff.develop.com/ballen
 
Would you mind providing some example or proof for your statement that Digest
isn't the most secure mechanism? Can you elaborate more on "password
constraints"? Why do the "security minded" folks you talk to think these
requirements are a non-started for digest? What does "non-started" mean
anyway?

You may be right but just stating something without giving some proof
doesn't mean too much, it almost sounds like you are stating your own
personal opinion, and if that's true then you should start your sentence with
"In my opinion,...."
 
Would you mind providing some example or proof for your statement that
Digest isn't the most secure mechanism? Can you elaborate more on
"password constraints"? Why do the "security minded" folks you talk
to think these requirements are a non-started for digest?

Prior to Windows 2003, IIRC, digest authentication required the web server
to run on the same machine as the domain controller. I don't know how you
feel about this, but, in my opinion, IIS' distinguished history of security
makes this unappealing to me.

My comment was geared more at Windows 2003 though. I simply meant that to
do digest authentication the user's account in AD has to be created with
the option that says "the password must be stored using reversible encryption".
Those security minded people feel this is not a good idea. In my opinion,
Keith is a respectable individual in the security field and he describes
the issues a bit here:

http://msdn.microsoft.com/msdnmag/issues/0700/websecure2/

What does
"non-started" mean anyway?

It's a typo that should have read "non-starter", meaning that since the password
must be decryptable then it's not even an option to consider.

You may be right but just stating something without giving some proof
doesn't mean too much, it almost sounds like you are stating your own
personal opinion, and if that's true then you should start your
sentence with "In my opinion,...."

In my opinion, it should be obvious that no one should blindly accept anonymous
advice from people on newsgroups without doing your own research and due
diligence.

-Brock
DevelopMentor
http://staff.develop.com/ballen
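An added example, not part of the thread, showing how an administrator can audit the exposure Brock describes: which accounts and password policies in an Active Directory domain have "store password using reversible encryption" turned on (the per-account flag is userAccountControl bit 0x80, ENCRYPTED_TEXT_PWD_ALLOWED). It assumes the RSAT ActiveDirectory module and read access to the domain; the function name is my own.

```powershell
# Added example (not from the thread). Lists every place in the domain where
# reversible password storage, the prerequisite for Digest authentication,
# is enabled: per-account flags, the default domain policy, and fine-grained
# password policies (PSOs). Assumes the ActiveDirectory (RSAT) module.
Import-Module ActiveDirectory

function Get-ReversibleEncryptionExposure {
    param(
        # Hypothetical parameter: subtree to search for flagged accounts.
        [string]$SearchBase = (Get-ADDomain).DistinguishedName
    )

    # 1. Accounts with the per-user flag. LDAP matching rule
    #    1.2.840.113556.1.4.803 is a bitwise AND, so this matches any
    #    userAccountControl value that has bit 0x80 (decimal 128) set.
    Get-ADUser -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=128)' `
        -SearchBase $SearchBase -Properties userAccountControl, pwdLastSet |
        ForEach-Object {
            [pscustomobject]@{
                Source  = 'UserFlag'
                Name    = $_.SamAccountName
                Enabled = $_.Enabled
                # The flag only affects passwords set after it was turned on,
                # so the last password change date tells you whether a
                # reversible copy is likely to exist on the DCs already.
                PasswordLastSet = if ($_.pwdLastSet) {
                    [DateTime]::FromFileTime($_.pwdLastSet) } else { $null }
            }
        }

    # 2. Default domain password policy: if this is true, every password
    #    changed since it was enabled is stored in a form the DC can decrypt.
    $domainPolicy = Get-ADDefaultDomainPasswordPolicy
    [pscustomobject]@{
        Source  = 'DomainPolicy'
        Name    = $domainPolicy.DistinguishedName
        Enabled = $domainPolicy.ReversibleEncryptionEnabled
        PasswordLastSet = $null
    }

    # 3. Fine-grained password policies can enable it for a subset of users.
    Get-ADFineGrainedPasswordPolicy -Filter * |
        Where-Object { $_.ReversibleEncryptionEnabled } |
        ForEach-Object {
            [pscustomobject]@{
                Source  = 'PSO'
                Name    = "$($_.Name) (applies to: $($_.AppliesTo -join ', '))"
                Enabled = $true
                PasswordLastSet = $null
            }
        }
}

Get-ReversibleEncryptionExposure | Format-Table -AutoSize
```

Any 'UserFlag' row, or a policy row with Enabled set to True, is an account or group of accounts whose passwords the domain controllers hold in decryptable form.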
 