[Mono-devel-list] authentication mode "Windows"

David Waite dwaite at gmail.com
Sat Jul 30 18:44:15 EDT 2005


To the best of my knowledge, "Windows" authentication mode does not
mean NTLM, it means that authentication will happen at the IIS level.
So, it does make sense that the authentication from Apache would be
passed via mod_mono into the server.

-David Waite

On 7/30/05, Sebastien Pouliot <sebastien.pouliot at gmail.com> wrote:
> Hello Jawan,
> 
> On Wed, 2005-27-07 at 12:28 +0200, Kolanowski, Jawan wrote:
> > I am trying to migrate a web application (ASP.NET) from IIS to mod_mono 1.0.6
> > with Apache 2.0.53. The web application uses 'Context.User.Identity'.
> > The authentication was performed by IIS (NTLM) against an Active
> > Directory. On Apache I've configured digest authentication with
> > LDAP.
> >
> > apache configuration extract:
> >   ...
> >   <Location /WebApplication>
> >     SetHandler mono
> >
> >     AuthType Basic
> >     AuthName "WebApplication"
> >     AuthLDAPURL ldap://dc.somewhere.org:389/OU=User,DC=somewhere,DC=org?sAMAccountName?sub?
> >     AuthLDAPBindDN "ldapquery at somewhere.org"
> >     AuthLDAPBindPassword "****"
> >     require valid-user
> >   </Location>
> >   ...
> 
> Is that digest ? or basic ?
> 
> > web.config extract:
> >   ...
> >   <authentication mode="Windows" />
> >   <identity impersonate="false" />
> >   ...
> >
> > The authentication with Apache works fine, but the web application
> > gets no authenticated 'Identity' object ('Identity.IsAuthenticated ==
> > false && Identity.Name == ""'). At least I need the name of the
> > authenticated account ('Identity.Name'). What's wrong?
> 
> Maybe nothing ;-)
> 
> Asking for NTLM(Windows) authentication _isn't_ the same, at least from
> a security point of view, as doing basic authentication to an LDAP
> server. So I don't think we should allow this scenario to work - at
> least not by default (i.e. with an identical web.config as IIS is
> using).
> 
> However, from a functional point of view, this scenario is equivalent to
> the original IIS/ASP.NET application - meaning that some applications,
> with lower/different security requirements, could benefit from this.
> 
> AFAIK Apache/mod_mono/mono don't share enough information to make this
> scenario work (at least right now) and I don't know enough about them to
> say if this would be an easy task (or not). Maybe Gonzalo can clarify
> this :-)
> 
> You could also (well probably) deal with this at the application level
> by either:
> (a) asking Apache for the information (if possible/available); or
> (b) doing the LDAP authentication yourself (e.g. with
> System.DirectoryServices.dll),
> and finally creating (and assigning) the Identity object.
> 
> Sebastien
>
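
Option (a) from the quoted reply, sketched as an added example (not code from this thread or from the Mono project): a Global.asax handler that builds the Identity object from the user name the front-end web server authenticated. It assumes the hosting layer exposes that name as the `REMOTE_USER` server variable, which the thread leaves open for mod_mono 1.0.6; the `"Basic"` label and the empty role list are illustrative choices.

```csharp
// Global.asax.cs -- added example. Assumption: the front end populates the
// REMOTE_USER server variable after its own authentication succeeded.
using System;
using System.Security.Principal;
using System.Threading;
using System.Web;

public class Global : HttpApplication
{
    // Global.asax handlers run after the configured authentication modules,
    // so this can fill in an identity when they left the request anonymous.
    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        HttpContext ctx = HttpContext.Current;

        // Keep any identity the runtime has already established.
        if (ctx.User != null && ctx.User.Identity.IsAuthenticated)
            return;

        // Use only the server variable set by the web server. Request
        // headers (surfaced as HTTP_* variables) are client-controlled and
        // must never be accepted as proof of identity.
        string remoteUser = ctx.Request.ServerVariables["REMOTE_USER"];
        if (remoteUser == null || remoteUser.Trim().Length == 0)
            return; // stay anonymous; authorization rules decide what happens

        // "Basic" mirrors the AuthType in the Apache extract. The role list
        // is empty because the web server vouches only for the account name.
        GenericIdentity identity =
            new GenericIdentity(remoteUser.Trim(), "Basic");
        GenericPrincipal principal =
            new GenericPrincipal(identity, new string[0]);

        // Context.User.Identity.Name now returns the authenticated account.
        ctx.User = principal;
        Thread.CurrentPrincipal = principal;
    }
}
```

This is only sound when the application cannot be reached except through the location on which the web server enforces `require valid-user`; any other listener or path into the application would leave requests anonymous.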