[Mono-dev] Windows Integrated Authentication

Helmut Ziegler helmut_ziegler at gmx.de
Thu Nov 25 05:28:39 EST 2010

Hi Marek,

Thanks for the prompt answer!
I think forms authentication could be a way to go, but your answer pushed my thoughts in several directions, and I have to think about and test these thoughts a bit.

Nevertheless, Windows Integrated Authentication would be the easiest way to go, especially in the current project, which focuses on the Windows platform only and has a tight schedule.

I think I should tell you something more about our scenario, to make things and the possibilities clearer.

We want to use the Mono Server only on clients to run the MVC web app locally. In order to limit the usage of the app to a specific domain and specific users, using the Integrated Authentication would be the best way.
If possible, we don't want users to have an extra login via a form.

As far as I can see, there are two possibilities to make use of the Integrated Authentication:
* As we start the Mono Server via a console app, we could read the WindowsIdentity and hand it over somehow to our web app.
* We enhance the Mono Server, so it can read the WindowsIdentity.

As I haven't put my fingers on programming a server so far, I'm a bit sceptical about the second possibility. Mainly, as I don't know how much effort it would be ...


-------- Original Message --------
> Date: Wed, 24 Nov 2010 17:46:46 +0100
> From: Marek Habersack <grendel at twistedcode.net>
> To: agez <helmut_ziegler at gmx.de>
> CC: mono-devel-list at lists.ximian.com
> Subject: Re: [Mono-dev] Windows Integrated Authentication

> On Wed, 24 Nov 2010 07:11:11 -0800 (PST)
> agez <helmut_ziegler at gmx.de> wrote:
> >
> > Hi,
> Hey,
> > we're developing an ASP.Net MVC2 web application for the Intranet and
> > wanted to use Windows Integrated Authentication.
> >
> > Everything works fine with the Visual Studio Development Server or IIS.
> > But we wanted to switch to a Mono Server. And there the user's identity
> > isn't available.  So authorization doesn't work.
> >
> > As Mono aims to be platform independent this is understandable, but does
> > anyone know how to get around this?
> The best option, imho, is to use the forms authentication framework
> (unless you have a very specific application which absolutely needs to
> use the Unix/Windows user database). You can take advantage of the
> Membership and Role providers in your MVC application - implementations
> of them exist for basically every RDBMS and also for LDAP, plain XML,
> plain text files (alas, Mono's implementation of the
> ActiveDirectoryMembershipProvider is just a stub - patches welcome, of
> course :D). If you can't find a provider that suits your needs, it's easy
> to create a custom one, tailored to your environment.
> If this is not desirable, you can easily roll out your own authentication
> provider using any database (from LDAP/ActiveDirectory to any RDBMS) as
> the backend and just the forms authentication ticket/cookie services to
> keep the user logged in.
> If you wanted to authenticate users on Linux using their physical account
> credentials then things will get a bit complicated. In order to be
> absolutely compatible with the multitude of ways to authenticate users on
> Linux you'd have to use PAM and that would require either to grant your
> application special rights or use a daemon to which the application would
> talk in order to authenticate the users. If you want to keep your
> server/application users in one place and use the same credentials on
> Linux, Windows and your MVC app, then I'd recommend looking at OpenLDAP to
> implement your own directory server.
> Hope that helps a bit,
> marek

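
An added example (not code from either poster or from the Mono project) of the first possibility in the message above: the console launcher reads the Windows identity, enforces a domain and user allow-list, and hands the account name to the web app through an environment variable. The domain, user names, `APP_USER` variable, `LauncherIdentity` helper and server command line are assumptions.

```csharp
// Added example. Assumed/placeholder names: EXAMPLE domain, alice/bob,
// APP_USER variable, the server command line and the site path.
using System;
using System.Diagnostics;
using System.Linq;
using System.Security.Principal;
using System.Web;

// Console launcher: resolves the Windows account once, enforces the
// allow-list, then starts the web server bound to loopback only.
static class Launcher
{
    const string RequiredDomain = "EXAMPLE";                     // placeholder
    static readonly string[] AllowedUsers = { "alice", "bob" };  // placeholder

    public static bool IsAllowed(string account)
    {
        string[] parts = (account ?? "").Split('\\');            // "DOMAIN\user"
        return parts.Length == 2
            && parts[0].Equals(RequiredDomain, StringComparison.OrdinalIgnoreCase)
            && AllowedUsers.Contains(parts[1], StringComparer.OrdinalIgnoreCase);
    }

    static int Main()
    {
        string account = WindowsIdentity.GetCurrent().Name;
        if (!IsAllowed(account))
        {
            Console.Error.WriteLine("Access denied for " + account);
            return 1;
        }
        // Placeholder command line; adjust to how the server is started.
        var psi = new ProcessStartInfo("mono.exe",
            @"C:\path\to\xsp2.exe --address 127.0.0.1 --port 8080 --root C:\path\to\site");
        psi.UseShellExecute = false;                    // required to set the environment
        psi.EnvironmentVariables["APP_USER"] = account; // inherited by the server process
        using (Process p = Process.Start(psi)) { p.WaitForExit(); return p.ExitCode; }
    }
}

// Web app side: call LauncherIdentity.Apply(Context) from
// Application_AuthenticateRequest in Global.asax.cs.
public static class LauncherIdentity
{
    public static void Apply(HttpContext ctx)
    {
        string account = Environment.GetEnvironmentVariable("APP_USER");
        // Every request receives this identity, so accept loopback requests only.
        if (string.IsNullOrEmpty(account) || !ctx.Request.IsLocal) return;
        ctx.User = new GenericPrincipal(new GenericIdentity(account, "Launcher"), new string[0]);
    }
}
```

Because the identity is fixed at launch, the loopback binding and the `IsLocal` check are what keep other machines from borrowing it. On a host shared by several logged-in users, loopback alone does not separate them.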