[Mono-devel-list] authentication mode "Windows"

Sebastien Pouliot sebastien.pouliot at gmail.com
Sat Jul 30 16:41:47 EDT 2005


Hello Jawan,

On Wed, 2005-27-07 at 12:28 +0200, Kolanowski, Jawan wrote:
> I am trying to migrate a web application (ASP.NET) from IIS to mod_mono 1.0.6
> with Apache 2.0.53. The web application uses 'Context.User.Identity'.
> The authentication was performed by IIS (NTLM) against an Active
> Directory. On Apache I've configured digest authentication with
> LDAP.
> 
> apache configuration extract:
>   ...
>   <Location /WebApplication>
>     SetHandler mono
> 
>     AuthType Basic
>     AuthName "WebApplication"
>     AuthLDAPURL ldap://dc.somewhere.org:389/OU=User,DC=somewhere,DC=org?sAMAccountName?sub?
>     AuthLDAPBindDN "ldapquery@somewhere.org"
>     AuthLDAPBindPassword "****"
>     require valid-user
>   </Location>
>   ...

Is that digest? Or basic?

> web.config extract:
>   ...
>   <authentication mode="Windows" />
>   <identity impersonate="false" />
>   ...
> 
> The authentication with the apache works fine but the web application
> gets no authenticated 'Identity' object ('Identity.IsAuthenticated ==
> false && Identity.Name == ""'). At least I need the name of the
> authenticated account ('Identity.Name'). What's wrong?

Maybe nothing ;-) 

Asking for NTLM(Windows) authentication _isn't_ the same, at least from
a security point of view, as doing basic authentication to an LDAP
server. So I don't think we should allow this scenario to work - at
least not by default (i.e. with an identical web.config as IIS is
using).

However, from a functional point of view, this scenario is equivalent to
the original IIS/ASP.NET application - meaning that some applications,
with lower/different security requirements, could benefit from this.

AFAIK Apache/mod_mono/mono don't share enough information to make this
scenario work (at least right now) and I don't know enough about them to
say if this would be an easy task (or not). Maybe Gonzalo can clarify
this :-)

You could also (well, probably) deal with this at the application level
by either:
(a) asking Apache for the information (if possible/available); or
(b) doing the LDAP authentication yourself (e.g. with
System.DirectoryServices.dll),
and finally creating (and assigning) the Identity object.

Sebastien
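Option (b) above, written out as an added example; this is not code from the thread, from mod_mono or from Mono. It assumes the Apache <Location> still performs Basic authentication (so the Authorization header reaches the application), that web.config is switched to <authentication mode="None" /> so ASP.NET leaves Context.User to the application, that the directory path and search base match the AuthLDAPURL in the quoted config, and that users can bind with the UPN form <sAMAccountName>@somewhere.org. It re-validates the Basic credentials with a simple bind as the user, looks up the account and assigns a GenericPrincipal, which is what Identity.Name and Identity.IsAuthenticated will then reflect.

```csharp
// Global.asax.cs -- added example, not code from the thread or from Mono.
// Assumes: Apache still does Basic auth in front of the application,
// web.config uses <authentication mode="None" />, and the LDAP path and
// UPN suffix below match the directory in the quoted Apache config.
using System;
using System.DirectoryServices;
using System.Security.Principal;
using System.Text;
using System.Web;

public class Global : HttpApplication
{
    // Assumed: same server and search base as the AuthLDAPURL in the Apache config.
    const string LdapPath = "LDAP://dc.somewhere.org:389/OU=User,DC=somewhere,DC=org";
    // Assumed: users bind as <sAMAccountName>@somewhere.org.
    const string UpnSuffix = "@somewhere.org";

    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        string[] creds = ParseBasicHeader(Request.Headers["Authorization"]);
        if (creds == null)
            return;

        string account = BindAsUser(creds[0], creds[1]);
        if (account != null)
        {
            // Identity.Name / Identity.IsAuthenticated in the pages come from here.
            Context.User = new GenericPrincipal(
                new GenericIdentity(account, "Basic"), new string[0]);
        }
        // else: keep the anonymous identity. Apache already answers 401 for a bad
        // password, so a failed bind here is worth logging, not silently trusting.
    }

    // "Basic base64(user:password)" -> { user, password }, or null if malformed.
    static string[] ParseBasicHeader(string header)
    {
        if (header == null || !header.StartsWith("Basic ", StringComparison.OrdinalIgnoreCase))
            return null;
        string decoded;
        try
        {
            decoded = Encoding.UTF8.GetString(Convert.FromBase64String(header.Substring(6).Trim()));
        }
        catch (FormatException) { return null; }
        int colon = decoded.IndexOf(':');
        // Reject an empty user or an empty password: Active Directory treats a
        // simple bind with an empty password as an anonymous bind, which "succeeds".
        if (colon <= 0 || colon == decoded.Length - 1)
            return null;
        return new string[] { decoded.Substring(0, colon), decoded.Substring(colon + 1) };
    }

    // Simple bind as the user, then look the account up; returns the canonical
    // sAMAccountName from the directory on success, null on any failure.
    static string BindAsUser(string user, string password)
    {
        try
        {
            using (DirectoryEntry root = new DirectoryEntry(LdapPath, user + UpnSuffix, password))
            using (DirectorySearcher search = new DirectorySearcher(root))
            {
                search.Filter = "(&(objectClass=user)(sAMAccountName=" + EscapeFilter(user) + "))";
                search.PropertiesToLoad.Add("sAMAccountName");
                SearchResult r = search.FindOne();   // the bind actually happens here
                if (r == null)
                    return null;
                return (string)r.Properties["sAMAccountName"][0];
            }
        }
        catch (Exception)   // bind failures surface as different exception types on .NET and Mono
        {
            return null;
        }
    }

    // RFC 4515 escaping so a crafted user name cannot change the search filter.
    static string EscapeFilter(string s)
    {
        StringBuilder sb = new StringBuilder(s.Length);
        foreach (char c in s)
        {
            switch (c)
            {
                case '\\': sb.Append("\\5c"); break;
                case '*':  sb.Append("\\2a"); break;
                case '(':  sb.Append("\\28"); break;
                case ')':  sb.Append("\\29"); break;
                case '\0': sb.Append("\\00"); break;
                default:   sb.Append(c); break;
            }
        }
        return sb.ToString();
    }
}
```

Two caveats follow from Sebastien's point that this is not Windows authentication. Basic sends the password in the clear on every request, so the browser-to-Apache leg needs TLS and the application-to-DC leg needs LDAPS or StartTLS, otherwise both hops expose the account password rather than an NTLM challenge-response. And the resulting principal is only a name: there is no Windows token behind it, so <identity impersonate="true" /> cannot work with this approach and must stay false.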
