[Mono-dev] Windows Integrated Authentication

Marek Habersack grendel at twistedcode.net
Thu Nov 25 09:30:34 EST 2010

On Thu, 25 Nov 2010 11:28:39 +0100
"Helmut Ziegler" <helmut_ziegler at gmx.de> wrote:

> Hi Marek,

> thanks for the prompt answer!
> I think forms authentication could be a way to go, but your answer pushed my thoughts in
> several directions. And I have to think and test these thoughts a bit.
> Nevertheless, Windows Integrated Authentication would be the easiest way to go. Especially in the
> current project, which focuses on the Windows platform only and has a tight schedule.
> I think I'll tell something more about our scenario, to make things and possibilities clearer.
> We want to use the Mono Server only on clients to run the MVC web app locally. In order to limit
> the usage of the app to a specific domain and specific users, using the Integrated Authentication
> would be the best way. If possible, we don't want users to have an extra login via a form.

So you want the app to run on a local Windows machine, using local user credentials or using
Windows domain credentials? From what you wrote above I have the impression that your users are
members of a Windows domain, which means their accounts are in ActiveDirectory. If this is the
case, you can implement Mono's System.Web.Security.ActiveDirectoryMembershipProvider to the
directory server in order to authenticate the users against that service. Of course, it would
require completing the implementation of Mono's WindowsIdentity principal (in
corlib/System.Security.Principal/WindowsIdentity) and the
System.Web.Security.WindowsAuthenticationModule (you could use our FormsAuthenticationModule as the
model). Implementing the two latter types would give you access to local Windows user credentials.
None of those tasks should be too complicated.

> As far as I can see, there are two possibilities to make use of the Integrated Authentication:
> * As we start the Mono Server via console app we could read the WindowsIdentity and hand it over
> somehow to our web app.

If the app is run by Mono, then this approach won't solve the problem. If it is a native app or it
runs with .NET, then you can just make sure that it's the console launcher that authorizes the user
and runs the application (perhaps under a secured local user account - using impersonation) only if
the authentication/authorization was successful.

> * We enhance the Mono Server, so it can read the WindowsIdentity.

That would be very welcome, especially if you contributed to Mono the patches :)

> As I haven't put my fingers on programming a server so far, I'm a bit sceptical about the second
> possibility. Mainly, as I don't know how much effort it would be ...

As said above, I don't think it would be a lot of work. WindowsIdentity is already partially
implemented and the WindowsAuthenticationModule should be pretty straightforward to code.



> Cheers,
> Helmut
> -------- Original Message --------
> > Date: Wed, 24 Nov 2010 17:46:46 +0100
> > From: Marek Habersack <grendel at twistedcode.net>
> > To: agez <helmut_ziegler at gmx.de>
> > CC: mono-devel-list at lists.ximian.com
> > Subject: Re: [Mono-dev] Windows Integrated Authentication
> > On Wed, 24 Nov 2010 07:11:11 -0800 (PST)
> > agez <helmut_ziegler at gmx.de> wrote:
> > 
> > > 
> > > Hi,
> > Hey,
> >  
> > > we're developing an ASP.Net MVC2 web application for the Intranet and wanted
> > > to use Windows Integrated Authentication.
> > > 
> > > Everything works fine with the Visual Studio Development Server or IIS. But
> > > we wanted to switch to a Mono Server. And there the user's identity isn't
> > > available.  So authorization doesn't work.
> > > 
> > > As Mono aims to be platform independent this is understandable, but does
> > > anyone know how to get around this?
> > The best option, imho, is to use the forms authentication framework (unless you have a very
> > specific application which absolutely needs to use the Unix/Windows user database). You can take
> > advantage of the Membership and Role providers in your MVC application - implementations of them
> > exist for basically every RDBMS and also for LDAP, plain XML, plain text files (alas, Mono's
> > implementation of the ActiveDirectoryMembershipProvider is just a stub - patches welcome, of
> > course :D). If you can't find a provider that suits your needs, it's easy to create a custom one,
> > tailored to your environment.
> > If this is not desirable, you can easily roll out your own authentication provider using any
> > database (from LDAP/ActiveDirectory to any RDBMS) as the backend and just the forms authentication
> > ticket/cookie services to keep the user logged in.
> > If you wanted to authenticate users on Linux using their physical account credentials then things
> > will get a bit complicated. In order to be absolutely compatible with the multitude of ways to
> > authenticate users on Linux you'd have to use PAM and that would require either to grant your
> > application special rights or use a daemon to which the application would talk in order to
> > authenticate the users. If you want to keep your server/application users in one place and use the
> > same credentials on Linux, Windows and your MVC app, then I'd recommend looking at OpenLDAP to
> > implement your own directory server.
> > 
> > Hope that helps a bit,
> > 
> > marek
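
The launcher-side check described in the reply above (the console launcher authorizes the Windows user and starts the server only on success), as an added example that is not part of the thread or of Mono's code. It assumes the launcher itself runs under Microsoft .NET on Windows; the domain name, group name and server path are placeholders.

```csharp
using System;
using System.Diagnostics;
using System.Security.Principal;

static class Launcher
{
    // Placeholder values (assumptions, not taken from the thread).
    const string AllowedDomain = "EXAMPLE";
    const string AllowedGroup = @"EXAMPLE\MvcAppUsers";
    const string ServerExe = @"C:\path\to\server.exe";

    // Returns null when the caller is allowed, otherwise the reason for refusal.
    static string Refusal(WindowsIdentity id)
    {
        if (!id.IsAuthenticated || id.IsAnonymous || id.IsGuest)
            return "not an authenticated, non-guest Windows logon";

        // WindowsIdentity.Name has the form DOMAIN\user; a local account
        // carries the machine name in the domain position and is rejected here.
        string[] parts = id.Name.Split('\\');
        if (parts.Length != 2 ||
            !parts[0].Equals(AllowedDomain, StringComparison.OrdinalIgnoreCase))
            return "account is not in domain " + AllowedDomain;

        // Group membership is evaluated from the caller's logon token.
        if (!new WindowsPrincipal(id).IsInRole(AllowedGroup))
            return "account is not a member of " + AllowedGroup;
        return null;
    }

    static int Main()
    {
        string reason;
        using (WindowsIdentity id = WindowsIdentity.GetCurrent())
            reason = Refusal(id);
        if (reason != null)
        {
            Console.Error.WriteLine("Refusing to start the server: " + reason);
            return 1;
        }
        // Start the server only after the check passed; its arguments are
        // deployment-specific and omitted here.
        var psi = new ProcessStartInfo(ServerExe) { UseShellExecute = false };
        using (Process server = Process.Start(psi))
        {
            server.WaitForExit();
            return server.ExitCode;
        }
    }
}
```

This check covers who starts the launcher, not who connects to the server's HTTP port afterwards, so the server should listen on the loopback address only.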
