 Authentication using Request.ServerVariables("REMOTE_USER")

bobaol

Posts: 8
Posted: 08/06/2004, 5:00 AM

Hi Group,

Just wanted to get the opinion from some of the various Security experts we have in this group.

I am developing applications in an intranet environment (win2k, IIS, IE, ADSI, Oracle) and am currently authenticating users in this manner: With Windows integrated security turned on, I grab the server variable "RemoteUser" and parse out the NT logon name (domain\loginname). I compare this against Microsoft Active Directory to see if the user has had any changes in his status lately (job change, etc.) and then compare this against an Oracle table that holds all of our security groups. From here I can tell what the user has access to.

My question is, is this technique considered reliable? I have read a couple of comments on this forum that Microsoft Active Directory is easily fooled. I googled the topic and couldn't find an easy way to spoof my Remote_User value, but if there is a way then I would have big problems.

Any comments from the community?

Thanks,

Bob
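One defensive way to read the identity described in the post above, as an added example that is not code from this thread or from CodeCharge Studio. It accepts `REMOTE_USER` only when IIS reports an integrated authentication scheme and the value has the expected `DOMAIN\login` shape; the function name `GetIntegratedLogin`, the domain placeholder `EXAMPLEDOM` and the login-name allow-list are assumptions.

```asp
<%@ Language="VBScript" %>
<%
Option Explicit

' Assumption: the one domain this intranet application trusts (placeholder).
Const EXPECTED_DOMAIN = "EXAMPLEDOM"

' Returns the bare login name when IIS authenticated the request with
' Integrated Windows Authentication for EXPECTED_DOMAIN, otherwise "".
Function GetIntegratedLogin()
    Dim authType, remoteUser, parts, re
    GetIntegratedLogin = ""

    ' Read only the variables IIS sets itself. HTTP_* server variables are
    ' copied from request headers and must never be treated as an identity.
    authType = UCase(Request.ServerVariables("AUTH_TYPE"))
    remoteUser = Request.ServerVariables("REMOTE_USER")

    ' Both values are empty when the request was served anonymously, for
    ' example because anonymous access is still enabled on the directory.
    If authType <> "NEGOTIATE" And authType <> "NTLM" And authType <> "KERBEROS" Then Exit Function
    If Len(remoteUser) = 0 Then Exit Function

    ' Expect exactly DOMAIN\login and reject any other shape.
    parts = Split(remoteUser, "\")
    If UBound(parts) <> 1 Then Exit Function
    If UCase(parts(0)) <> UCase(EXPECTED_DOMAIN) Then Exit Function

    ' Assumption: conservative allow-list for logon names; adjust it to the
    ' naming policy of your directory.
    Set re = New RegExp
    re.Pattern = "^[A-Za-z0-9._-]{1,64}$"
    If Not re.Test(parts(1)) Then Exit Function

    GetIntegratedLogin = LCase(parts(1))
End Function

Dim login
login = GetIntegratedLogin()
If login = "" Then
    Response.Status = "403 Forbidden"
    Response.Write "Access denied."
    Response.End
End If
' From here on, pass login to the AD and Oracle lookups as a bound
' parameter, never concatenated into the query text.
%>
```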
ckraft

Posts: 1
Posted: 08/12/2004, 4:56 PM

A couple thoughts, while I'm new to CodeCharge I have done more than a fair share of web applications. Active Directory can be tricky and some languages can have issues querying depending on how the AD tree is defined. The more complex the tree, the less likely you will get a good return. Active Directory imo is really LDAP by another name. It's meant to handle lightweight activity where a database might be overkill. Where Active Directory can be advantageous is blocking access to specific files or directories on file servers or even the web server. This way no matter how they get to it, they won't be able to view it without the right permissions.

We use active directory internally for managing access, but a database for external applications.

The other thing is it's easy to get AD out of whack where a database is just updating the row.

A lot depends on the resources you have available and have to manage. The only real advantage I can see is the added benefit of protecting other network resources like shares.
bobaol

Posts: 8
Posted: 08/16/2004, 12:54 AM

Hi Ckraft,

Thanks for responding.

I've worked out all of the code to call AD and bring back the fields I need, so that part works fine. Technically by using the REMOTE_USER server variable I don't need to call AD, I can just look up the user in the database and determine access. My main reason for calling AD is to compare a user's demographics (title, job code, etc.) to what we have in our database. We have to do this to make sure the user should still have access to our applications and that his status has not changed. Our AD is out of our control, and we only have read permission which means we cannot set up our user groups and other necessary information.

That brings me back to my question. Do you have any experience with the REMOTE_USER server variable being unreliable?

Any comments are appreciated.

Bob
ciberlin

Posts: 25
Posted: 09/15/2004, 2:09 PM

Can you share the AD code for ASP?