date: Mon, 14 Apr 2008 06:31:55 -0700 (PDT),    group: microsoft.public.platformsdk.security


Smartcard authentication in a multi-tier application   
Hi,

We have a multi-tier intranet application. The users of this
application are windows users. We have a login screen on the client
side where the user enters the username and password and on the server
we use the function LogOnUser() to authenticate this user. We get the
SID of this user and the SID plays a major part in the business
context of the application.

We are planning to allow the user to use the smart card as well in the
new version. I was just wondering how to go about with the
implementation as we need the domain username and password of the PIN-
authenticated smartcard user.

Generally what is the best design to use smartcard in a multi-tier
application which needs to be authenticated on the server side?

Any suggestion on implementing this would be of great help.

Thanks
date: Mon, 14 Apr 2008 06:31:55 -0700 (PDT)   author:   mj1977

Re: Smartcard authentication in a multi-tier application   
On Apr 14, 6:31 am, mj1977  wrote:
> Hi,
>
> We have a multi-tier intranet application. The users of this
> application are windows users. We have a login screen on the client
> side where the user enters the username and password and on the server
> we use the function LogOnUser() to authenticate this user. We get the
> SID of this user and the SID plays a major part in the business
> context of the application.
>
> We are planning to allow the user to use the smart card as well in the
> new version. I was just wondering how to go about with the
> implementation as we need the domain username and password of the PIN-
> authenticated smartcard user.
>
> Generally what is the best design to use smartcard in a multi-tier
> application which needs to be authenticated on the server side?
>
> Any suggestion on implementing this would be of great help.
>
> Thanks

Why do you have the user enter their user name and password? Do the
users log on to their desktop/laptop computers with Active Directory
credentials? If so, then the user can authenticate to the server with
the credentials associated with the logon session.

If you are going the smartcard route then this works equally as well
since SC authentication on the Windows client results in a Kerberos
ticket which can then be used to authenticate to the server.

Unless there is some mitigating circumstance, having users type a
username/password on a Windows client that is part of an Active
Directory domain is just plain wrong and probably evil :)

HTH,
Dave
date: Mon, 14 Apr 2008 15:56:51 -0700 (PDT)   author:   DaveMo
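
The design Dave describes above (let the client authenticate with the credentials of its Windows logon session, which for a smart-card logon are Kerberos tickets obtained through PKINIT, and have the server derive the SID from the authenticated context rather than from LogonUser with a typed password), as an added example that is not code from the thread. It assumes .NET Framework 3.5+, a domain-joined client and server, and an SPN registered for the server's service account; the SPN "host/app-server.corp.example" and port 5055 are placeholders.

```csharp
// Added example, not code from the thread. Minimal server/client pair using
// SSPI Negotiate via System.Net.Security.NegotiateStream: the client authenticates
// with its Windows logon session (password or smart-card logon, both leave a
// Kerberos TGT in the session) and the server derives the SID from the resulting
// security context instead of calling LogonUser with a typed password.
// Assumptions: .NET Framework 3.5+, domain-joined client and server, and an SPN
// for the server's service account; "host/app-server.corp.example" is a placeholder.
using System;
using System.Net;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;
using System.Security.Principal;
using System.Text;
using System.Threading;

static class NegotiateAuthDemo
{
    const string ServerSpn = "host/app-server.corp.example"; // placeholder SPN

    // Server: accept one connection, authenticate it, hand back the caller's SID.
    public static string ServeOnce(int port)
    {
        var listener = new TcpListener(IPAddress.Loopback, port);
        listener.Start();
        try
        {
            using (TcpClient tcp = listener.AcceptTcpClient())
            using (var auth = new NegotiateStream(tcp.GetStream(), false))
            {
                // Identification level is enough: the business tier needs the SID,
                // not the ability to impersonate the user against other resources.
                auth.AuthenticateAsServer(CredentialCache.DefaultNetworkCredentials,
                                          ProtectionLevel.EncryptAndSign,
                                          TokenImpersonationLevel.Identification);

                var identity = (WindowsIdentity)auth.RemoteIdentity;
                // Negotiate may fall back to NTLM (no mutual authentication and no
                // PKINIT-backed chain for smart-card users); insist on Kerberos.
                if (!auth.IsMutuallyAuthenticated || identity.AuthenticationType != "Kerberos")
                    throw new AuthenticationException("Kerberos mutual authentication required");

                string sid = identity.User.Value; // e.g. S-1-5-21-<domain>-<rid>
                byte[] reply = Encoding.UTF8.GetBytes(sid);
                auth.Write(reply, 0, reply.Length);
                return sid;
            }
        }
        finally { listener.Stop(); }
    }

    // Client: Option 1 (checkbox "use my Windows logon") passes null so the session's
    // credentials are used; Option 2 (a different domain user with a password) passes
    // an explicit NetworkCredential. A smart-card user's Kerberos ticket was obtained
    // by Winlogon through PKINIT, so no PIN or password ever reaches this code.
    public static string Authenticate(string host, int port, NetworkCredential explicitCred)
    {
        using (var tcp = new TcpClient(host, port))
        using (var auth = new NegotiateStream(tcp.GetStream(), false))
        {
            auth.AuthenticateAsClient(explicitCred ?? CredentialCache.DefaultNetworkCredentials,
                                      ServerSpn,
                                      ProtectionLevel.EncryptAndSign,
                                      TokenImpersonationLevel.Identification);
            var buf = new byte[256];
            int n = auth.Read(buf, 0, buf.Length);
            return Encoding.UTF8.GetString(buf, 0, n); // SID the server resolved
        }
    }

    static void Main()
    {
        const int port = 5055; // placeholder port
        var server = new Thread(() => Console.WriteLine("server saw SID " + ServeOnce(port)));
        server.Start();
        Thread.Sleep(200); // let the listener come up before the client connects
        Console.WriteLine("client got  SID " + Authenticate("localhost", port, null));
        server.Join();
    }
}
```

The server never sees a password or PIN in either case; it only sees a Kerberos AP-REQ, and the SID comes from the PAC in that ticket. Rejecting the NTLM fallback matters here because NTLM gives no mutual authentication and carries no evidence that the logon was smart-card backed.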

Re: Smartcard authentication in a multi-tier application   
On Apr 15, 3:56 am, DaveMo  wrote:
> On Apr 14, 6:31 am, mj1977  wrote:
>
> > Hi,
>
> > We have a multi-tier intranet application. The users of this
> > application are windows users. We have a login screen on the client
> > side where the user enters the username and password and on the server
> > we use the function LogOnUser() to authenticate this user. We get the
> > SID of this user and the SID plays a major part in the business
> > context of the application.
>
> > We are planning to allow the user to use the smart card as well in the
> > new version. I was just wondering how to go about with the
> > implementation as we need the domain username and password of the PIN-
> > authenticated smartcard user.
>
> > Generally what is the best design to use smartcard in a multi-tier
> > application which needs to be authenticated on the server side?
>
> > Any suggestion on implementing this would be of great help.
>
> > Thanks
>
> Why do you have the user enter their user name and password? Do the
> users log on to their desktop/laptop computers with Active Directory
> credentials? If so, then the user can authenticate to the server with
> the credentials associated with the logon session.
>
> If you are going the smartcard route then this works equally as well
> since SC authentication on the Windows client results in a Kerberos
> ticket which can then be used to authenticate to the server.
>
> Unless there is some mitigating circumstance, having users type a
> username/password on a Windows client that is part of an Active
> Directory domain is just plain wrong and probably evil :)
>
> HTH,
> Dave

Dave,

Thanks for the reply. We have two options on the login dialog.

Option 1

A checkbox is provided to use the Windows logged-in user's credentials;
in this case the user need not provide the username and password.

Option 2

Allow any domain user to log on to our application apart from the
user logged on to the operating system. In this case the user is
authenticated on the server. I was just wondering how to go about with
this case if the user wants to use a smart card.
date: Mon, 14 Apr 2008 22:10:30 -0700 (PDT)   author:   mj1977

Re: Smartcard authentication in a multi-tier application   
On Apr 14, 10:10 pm, mj1977  wrote:
> On Apr 15, 3:56 am, DaveMo  wrote:
>
> > On Apr 14, 6:31 am, mj1977  wrote:
>
> > > Hi,
>
> > > We have a multi-tier intranet application. The users of this
> > > application are windows users. We have a login screen on the client
> > > side where the user enters the username and password and on the server
> > > we use the function LogOnUser() to authenticate this user. We get the
> > > SID of this user and the SID plays a major part in the business
> > > context of the application.
>
> > > We are planning to allow the user to use the smart card as well in the
> > > new version. I was just wondering how to go about with the
> > > implementation as we need the domain username and password of the PIN-
> > > authenticated smartcard user.
>
> > > Generally what is the best design to use smartcard in a multi-tier
> > > application which needs to be authenticated on the server side?
>
> > > Any suggestion on implementing this would be of great help.
>
> > > Thanks
>
> > Why do you have the user enter their user name and password? Do the
> > users log on to their desktop/laptop computers with Active Directory
> > credentials? If so, then the user can authenticate to the server with
> > the credentials associated with the logon session.
>
> > If you are going the smartcard route then this works equally as well
> > since SC authentication on the Windows client results in a Kerberos
> > ticket which can then be used to authenticate to the server.
>
> > Unless there is some mitigating circumstance, having users type a
> > username/password on a Windows client that is part of an Active
> > Directory domain is just plain wrong and probably evil :)
>
> > HTH,
> > Dave
>
> Dave,
>
> Thanks for the reply. We have two options on the login dialog.
>
> Option 1
>
> A checkbox is provided to use the Windows logged-in user's credentials;
> in this case the user need not provide the username and password.
>
> Option 2
>
> Allow any domain user to log on to our application apart from the
> user logged on to the operating system. In this case the user is
> authenticated on the server. I was just wondering how to go about with
> this case if the user wants to use a smart card.

What is the breakdown of logons that happen with other than their
"logged on to the desktop" credentials? From there, what number of the
users who use some other credentials need to use their smartcard
credentials?

Here are the issues/points as I see them:

 - Anyone can use their smartcard to log on to the desktop
 - If the user logs on to their desktop w/ smartcard, then you have
bootstrapped a secure authentication mechanism using Kerb and PKInit
and you don't necessarily need to worry about doing an actual SC logon
on the server.
 - If the Kerberos approach doesn't work for you, SSL/TLS supports
client certificate authentication. You can configure IIS to use client
certs if they are provided (in this case from a SC). The cert will be
mapped back to an AD account.


Dave
date: Tue, 15 Apr 2008 08:43:35 -0700 (PDT)   author:   DaveMo
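
Dave's third point, the TLS client-certificate route for when the Kerberos approach does not work, as an added example that is not code from the thread. It does in code what IIS's Active Directory client-certificate mapping does for you: require a client certificate (which the client's CSP presents from the smart card), validate its chain, and map the UPN in the certificate to an AD account to get the SID the business tier keys on. It assumes .NET Framework 4.5+, a reference to System.DirectoryServices.AccountManagement, a server certificate supplied by the caller, and that client certificates chain to an enterprise CA trusted in the machine store; the NTAuth-store check that IIS performs on the issuing CA is not reproduced here. The EKU OIDs are the documented values for Smart Card Logon and client authentication.

```csharp
// Added example, not code from the thread: the TLS client-certificate route for
// cases where Kerberos is unavailable. The server demands a client certificate
// (presented from the smart card by the client's CSP), validates its chain, and
// maps the certificate's UPN to an AD account to obtain the SID that the business
// tier keys on. Assumptions: .NET Framework 4.5+, a server certificate passed in
// by the caller, and that client certificates chain to the enterprise CA trusted
// by the machine store (the NTAuth check IIS performs is not reproduced here).
using System;
using System.DirectoryServices.AccountManagement;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Security.Principal;

static class ClientCertMapping
{
    const string SmartCardLogonEku = "1.3.6.1.4.1.311.20.2.2"; // Microsoft Smart Card Logon
    const string ClientAuthEku     = "1.3.6.1.5.5.7.3.2";      // id-kp-clientAuth

    // Chain policy: no policy errors at all (untrusted root, revoked, expired all
    // fail) and an EKU that marks the certificate as usable for client logon.
    public static bool ValidateClientCert(object sender, X509Certificate cert,
                                          X509Chain chain, SslPolicyErrors errors)
    {
        if (cert == null || errors != SslPolicyErrors.None) return false;
        var c2 = new X509Certificate2(cert);
        foreach (X509Extension ext in c2.Extensions)
        {
            var eku = ext as X509EnhancedKeyUsageExtension;
            if (eku == null) continue;
            foreach (Oid oid in eku.EnhancedKeyUsages)
                if (oid.Value == SmartCardLogonEku || oid.Value == ClientAuthEku)
                    return true;
        }
        return false; // no logon EKU, e.g. an encryption-only certificate
    }

    // Map the certificate to an AD account via the UPN in its Subject Alternative
    // Name. The UPN is only trustworthy because ValidateClientCert anchored the
    // certificate to a trusted CA; a self-issued certificate could claim any UPN.
    public static SecurityIdentifier MapToAccount(X509Certificate2 clientCert)
    {
        string upn = clientCert.GetNameInfo(X509NameType.UpnName, false);
        if (string.IsNullOrEmpty(upn)) return null;
        using (var ctx = new PrincipalContext(ContextType.Domain))
        using (UserPrincipal user =
               UserPrincipal.FindByIdentity(ctx, IdentityType.UserPrincipalName, upn))
        {
            if (user == null || user.Enabled != true) return null; // unknown or disabled
            return user.Sid;
        }
    }

    // One connection: TLS handshake that requires a client certificate (with
    // revocation checking), then the mapping. Returns the caller's SID or null.
    public static SecurityIdentifier HandleConnection(TcpClient tcp, X509Certificate2 serverCert)
    {
        using (var ssl = new SslStream(tcp.GetStream(), false, ValidateClientCert))
        {
            ssl.AuthenticateAsServer(serverCert,
                                     true,               // clientCertificateRequired
                                     SslProtocols.Tls12,
                                     true);              // checkCertificateRevocation
            if (!ssl.IsMutuallyAuthenticated || ssl.RemoteCertificate == null) return null;
            return MapToAccount(new X509Certificate2(ssl.RemoteCertificate));
        }
    }
}
```

The order matters: the chain and revocation checks run inside the handshake callback before any name in the certificate is read, so the UPN-to-account lookup only ever runs on a certificate the server already trusts. Disabled accounts are rejected at the mapping step because a still-valid certificate on a card says nothing about the account's current state in AD.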
