Security: Active Directory Integrated with Custom

Old forum URL: forums.lhotka.net/forums/t/1205.aspx


DeHaynes posted on Wednesday, September 13, 2006

I have a question concerning security. We have an issue where we would like to use Active Directory Integration for security when accessing data within our company LAN, but we also have to expose the same data to several hundred people out on the internet.

I know I can make two separate business objects to access the data. One for internal use and one for external use. But it would be nice if there was one object that we used in both places that would work. Is it Active Directory Authentication with Custom Authentication?

DansDreams replied on Wednesday, September 13, 2006

I also want to accomplish that, but I've yet to try it.  Basically my thinking is that there would be three options the custom authentication system would need to try in order...

  1. Check to see if the person is already a validated user via Windows integrated
  2. Check the specified credentials against Active Directory (for internal employees accessing the web application)
  3. Check the specified credentials against the custom security database

There's some interesting details like in option 1 or 2 I would expect groups used for security to be AD groups, but in option 3 those would also come from the security database.

How bizarre, I also live in Westland, MI.  Check your PM box.
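The three-step order listed in this reply, written out as an added example (not code from the thread or from CSLA). It assumes the AD domain name is supplied by the caller, uses the .NET System.DirectoryServices.AccountManagement API for step 2, and uses a hypothetical ICustomUserStore (an assumption, not a real type) standing in for the custom security database that holds a PBKDF2 hash, salt and group names per user.

```csharp
using System.Collections.Generic;
using System.DirectoryServices.AccountManagement;
using System.Security.Cryptography;
using System.Security.Principal;

// Hypothetical wrapper around the custom security database (assumption, not a CSLA type).
public interface ICustomUserStore { bool TryGet(string user, out byte[] salt, out byte[] hash, out string[] groups); }

public sealed class AuthResult { public string Name, Source; public List<string> Groups = new List<string>(); }

public static class ChainedAuthenticator
{
    // 1. Caller already authenticated by Windows. Pass the caller's identity (the
    //    smart-client process, or HttpContext.User.Identity under Windows auth), never
    //    WindowsIdentity.GetCurrent() of an ASP.NET worker, which is the app-pool account.
    public static AuthResult FromIntegrated(WindowsIdentity id)
    {
        if (id == null || !id.IsAuthenticated || id.IsAnonymous) return null;
        var r = new AuthResult { Name = id.Name, Source = "Integrated" };
        foreach (var g in id.Groups) r.Groups.Add(g.Translate(typeof(NTAccount)).Value);
        return r;
    }
    // 2. Explicit credentials checked against AD; groups are AD groups.
    public static AuthResult FromActiveDirectory(string domain, string user, string password)
    {
        using (var ctx = new PrincipalContext(ContextType.Domain, domain))
        {
            if (!ctx.ValidateCredentials(user, password)) return null;
            var r = new AuthResult { Name = domain + "\\" + user, Source = "ActiveDirectory" };
            using (var up = UserPrincipal.FindByIdentity(ctx, user))
                if (up != null) foreach (var g in up.GetAuthorizationGroups()) r.Groups.Add(g.Name);
            return r;
        }
    }
    // 3. Explicit credentials checked against the custom store; groups come from there too.
    public static AuthResult FromCustomStore(ICustomUserStore store, string user, string password)
    {
        byte[] salt, hash; string[] groups;
        if (!store.TryGet(user, out salt, out hash, out groups)) return null;
        byte[] derived; using (var kdf = new Rfc2898DeriveBytes(password, salt, 100000)) derived = kdf.GetBytes(hash.Length);
        if (!CryptographicOperations.FixedTimeEquals(derived, hash)) return null; // .NET Core 2.1+ / .NET 5+
        var r = new AuthResult { Name = user, Source = "CustomDb" };
        r.Groups.AddRange(groups);
        return r;
    }
    // Try the three sources in order; the first non-null result wins.
    public static AuthResult Authenticate(WindowsIdentity caller, string domain, string user, string password, ICustomUserStore store)
        => FromIntegrated(caller) ?? FromActiveDirectory(domain, user, password) ?? FromCustomStore(store, user, password);
}
```

The Source field records which step accepted the user, so authorization code can tell AD group names from security-database group names when they overlap.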

DeHaynes replied on Wednesday, September 13, 2006

In Option 1, do you mean local box security and in Option 2 you mean Domain security?

DansDreams replied on Wednesday, September 13, 2006

No, I never considered local security since that's not applicable for me.

What I meant was if a staff member is sitting in the building using their smart client form then I can use integrated security which inherently includes AD in the sense of group memberships, etc.

What I'd like them to be able to do sitting at home and using the asp.net functionality is use their same network login that they use sitting in the office.  I know this is possible via IIS configuration, but my understanding is that at IIS you have to choose one or the other and enabling that would prevent me from also allowing customers to use the same web site and have their credentials looked up in the security database.  In other words, IIS needs to be ignorant and the business layer have the brains.

That's my current understanding of the problem.

DeHaynes replied on Wednesday, September 13, 2006

I worked with IIS security when I was researching Web Services.  The initial thing IIS does with the security is to decide what the user can see and what they cannot see.  If you implement security within IIS the problem is that IIS needs this information before it will display anything.  The issue with that is if you are using a non-AD authentication you cannot get it.  So you are required to use a login screen.  If you do use a login screen, then you need a way to tell IIS that the user is authenticated even if he used a custom authorization method.  In addition, you don't want your users who are in your domain to have to do a manual login.

As I type this, it occurs to me that I have already seen the solution for this in DotNetNuke (DNN).  If you make DNN Active Directory aware, it can use AD to do its security.  But when we set up our latest test server, we saw a post that showed how to set up a separate LAN web page that would automatically pick up their AD account info off the local box.  The requirement was that they had to do the manual login in the <Domain>\<UserId> format once to get their account into the DNN system.  After that, they could go to the automatic page and it would log them in automatically.  That would take care of the manual vs automatic log-in problem.

DNN has the ability to use its custom accounts mixed in with AD accounts.  I wonder if it is possible to have CSLA use DNN's account system as a custom authentication mechanism.

OH!  I don't even know.  Are you planning on using DNN for your web UI?

Copyright (c) Marimer LLC