.NETGURU
Authentication and Authorization in distributed app
This message was discovered on microsoft.public.dotnet.distributed_apps.

N Anderton (VIP)
This seems like it should be a well known problem, but unfortunately I am
unable to find the answers I am looking for.
We want to access the User information, authentication and authorization in
a distributed application. Is this possible using the built in .Net
functionality and using a trusted subsystem model, or do you have to use
impersonation? Essentially we would like to use the trusted subsystem model
but still have access to the credentials of the logged in user to perform
authorization at the business and DB level, and also be able to track who did
what in the system. Is this possible with built in .Net functionality (using
Principal and Identity)?

Sam Santiago
It depends on your application architecture and how you plan on deploying
your application. Also, is it a Web application, a service, or a Windows
forms application? Does it use SQL Server? Many factors affect this.
Check out these links:

App Architecture for .NET
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnbda/html/AppArchCh3.asp

and

Authorization and Profile Application Block
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpag/html/authpro_ch_01.asp?frame=true

Thanks,

Sam
--
_______________________________
Sam Santiago
http://www.SoftiTechture.com
_______________________________
N Anderton (VIP)
Thanks, I have reviewed some of this documentation and had one of my team
members review the application block. It is beating around the problem but
not providing the answers... yet.

We are looking for a consistent methodology for an enterprise wide solution.
We have web sites that use Single Sign On for authentication for external
users, and we have web sites that use NT Authentication for internal users.
We have external exposed services, and we will have smart client deployment
in the near future.
The Architecture must be at least 3 tiered (corporate standard).
The communication channel between tiers is likely to include both remoting
and web services.
In the database, when we update data we need to be able to record the UserID
of the person (or service) that created the update.
We have various Logging and instrumentation at different layers that also
logs the UserID.
I would like to use the built in Principal, Identity and Roles to provide
the authentication and authorization, the application block can help us to
achieve that. This works well in the UI layer (either web site or smart
client), but what I don't understand is what happens in a lower layer.
If we use impersonation then we can have access to the same objects, but my
belief is that this will be inefficient forcing each request to run in its
own isolated thread. Is this true? Is it true for the business layer? I know
it is true for the DB layer.
If we use a trusted subsystem then how do we pass the user information to a
lower layer? My understanding is we could replace the principal with a
principal based on the user information (roles etc) but how would we pass the
user information to that tier from the tier above? In a SOAP call I think we
could add it to the Headers, but how would we do that in a remoting call? I
would like this information to be available at each tier without passing it
around as a parameter.

Thanks
N Anderton

Sam Santiago
I think a lot of people are looking for a consistent methodology to be able
to identify users throughout the tiers in a distributed application. The
difficulty comes when you physically deploy the different layers across
different machines. It's not uncommon for the business layer and DB layer
to run under a specific identity. If you want to pass the user id through
the layers many times you have to pass it via parameters, additional data in
datasets, in the context for remoting, an additional node in an XML doc, or
any method where you send data across the layers. I'm not sure about the
threading issues you are referring to with impersonation. Here's a link
that might help if you use SQL Server in an intranet environment with IIS:

Accessing SQL Server Using Windows Integrated Security
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/vbcon/html/vbtskaccessingsqlserverusingwindowsintegratedsecurity.asp

And this link has a good discussion on trusted subsystems, delegation, and
impersonation:

Authentication and Authorization
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/secnetch03.asp

Good luck.

Thanks,

Sam

--
_______________________________
Sam Santiago
http://www.SoftiTechture.com
_______________________________
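
The "context for remoting" option from the reply above, as an added example that is not part of the original thread: the upper tier attaches the user ID and roles to the call context, and the lower tier rebuilds a principal from it so the method signature carries no user parameter. It assumes .NET Framework remoting; `CallerInfo`, `CallerContext`, the slot name and the sample user are hypothetical.

```csharp
using System;
using System.Runtime.Remoting.Messaging;
using System.Security;
using System.Security.Principal;
using System.Threading;

// Hypothetical carrier: [Serializable] + ILogicalThreadAffinative lets CallContext ship it with a remoting call.
[Serializable]
public sealed class CallerInfo : ILogicalThreadAffinative
{
    public readonly string UserId;
    public readonly string[] Roles;
    public CallerInfo(string userId, string[] roles) { UserId = userId; Roles = roles; }
}

public static class CallerContext
{
    private const string Slot = "CallerInfo"; // hypothetical slot name

    // Upper tier: call once after authenticating the user, before calling down.
    public static void Attach(string userId, string[] roles)
    { CallContext.SetData(Slot, new CallerInfo(userId, roles)); }

    // Lower tier: rebuild a principal from the forwarded data; fail closed if it is missing.
    public static IPrincipal Restore()
    {
        CallerInfo info = CallContext.GetData(Slot) as CallerInfo;
        if (info == null || string.IsNullOrEmpty(info.UserId))
            throw new SecurityException("No caller identity on this call.");
        IPrincipal p = new GenericPrincipal(new GenericIdentity(info.UserId, "Forwarded"), info.Roles);
        Thread.CurrentPrincipal = p; // role checks in this tier now see the end user
        return p;
    }
}

public static class Demo
{
    // Stands in for a business-tier method; note there is no user parameter.
    static void UpdateOrder(int orderId)
    {
        IPrincipal user = CallerContext.Restore();
        if (!user.IsInRole("OrderEditor")) throw new SecurityException("Not authorized.");
        Console.WriteLine("order {0} updated by {1}", orderId, user.Identity.Name); // audit record
    }
    static void Main()
    {
        CallerContext.Attach("jsmith", new[] { "OrderEditor" }); // constructed sample user
        UpdateOrder(42);
    }
}
```

The forwarded user ID and roles are an unauthenticated claim from the calling tier, so in a trusted subsystem the lower tier should accept them only over a channel on which it has authenticated the upper tier's service identity.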