Re: [Mono-dev] Windows Integrated Authentication
Hi Marek,

we've found a short-term solution to hand the user authentication to the web app, although what you described is the right way to go and I hope to find the time to implement it (for the next couple of weeks I probably have no time for it). Maybe we can work together on that issue then.

Cheers, Helmut

--
View this message in context: http://mono.1490590.n4.nabble.com/Windows-Integrated-Authentication-tp3057461p3070102.html
Sent from the Mono - Dev mailing list archive at Nabble.com.
___
Mono-devel-list mailing list
Mono-devel-list@lists.ximian.com
http://lists.ximian.com/mailman/listinfo/mono-devel-list
Re: [Mono-dev] Windows Integrated Authentication
Hi Marek,

thanks for the prompt answer! I think forms authentication could be a way to go, but your answer pushed my thoughts in several directions. And I have to think about and test these thoughts a bit.

Nevertheless, Windows Integrated Authentication would be the easiest way to go. Especially in the current project, which focuses on the Windows platform only and has a tight schedule.

I think I should tell you something more about our scenario, to make things and possibilities clearer. We want to use the Mono Server only on clients to run the MVC web app locally. In order to limit the usage of the app to a specific domain and specific users, using the Integrated Authentication would be the best way. If possible, we don't want users to have an extra login via a form.

As far as I can see, there are two possibilities to make use of the Integrated Authentication:

* As we start the Mono Server via a console app, we could read the WindowsIdentity and hand it over somehow to our web app.
* We enhance the Mono Server, so it can read the WindowsIdentity.

As I haven't put my fingers on programming a server so far, I'm a bit sceptical about the second possibility. Mainly, as I don't know how much effort it would be ...

Cheers, Helmut

Original Message
Date: Wed, 24 Nov 2010 17:46:46 +0100
From: Marek Habersack gren...@twistedcode.net
To: agez helmut_zieg...@gmx.de
CC: mono-devel-list@lists.ximian.com
Subject: Re: [Mono-dev] Windows Integrated Authentication

> On Wed, 24 Nov 2010 07:11:11 -0800 (PST) agez helmut_zieg...@gmx.de wrote:
>
> > Hi,
>
> Hey,
>
> > we're developing an ASP.Net MVC2 web application for the Intranet and wanted to use Windows Integrated Authentication. Everything works fine with the Visual Studio Development Server or IIS. But we wanted to switch to a Mono Server. And there the user's identity isn't available. So authorization doesn't work. As Mono aims to be platform independent this is understandable, but does anyone know how to get around this?
Re: [Mono-dev] Windows Integrated Authentication
On Thu, 25 Nov 2010 11:28:39 +0100 Helmut Ziegler helmut_zieg...@gmx.de wrote:

> Hi Marek,

Hi,

> thanks for the prompt answer! I think forms authentication could be a way to go, but your answer pushed my thoughts in several directions. And I have to think about and test these thoughts a bit.
>
> Nevertheless, Windows Integrated Authentication would be the easiest way to go. Especially in the current project, which focuses on the Windows platform only and has a tight schedule.
>
> I think I should tell you something more about our scenario, to make things and possibilities clearer. We want to use the Mono Server only on clients to run the MVC web app locally. In order to limit the usage of the app to a specific domain and specific users, using the Integrated Authentication would be the best way. If possible, we don't want users to have an extra login via a form.

So you want the app to run on a local Windows machine, using local user credentials or using Windows domain credentials? From what you wrote above I have the impression that your users are members of a Windows domain, which means their accounts are in ActiveDirectory. If this is the case, you can implement Mono's System.Web.Security.ActiveDirectoryMembershipProvider to the directory server in order to authenticate the users against that service. Of course, it would require completing the implementation of Mono's WindowsIdentity principal (in corlib/System.Security.Principal/WindowsIdentity) and the System.Web.Security.WindowsAuthenticationModule (you could use our FormsAuthenticationModule as the model). Implementing the two latter types would give you access to local Windows user credentials. None of those tasks should be too complicated.

> As far as I can see, there are two possibilities to make use of the Integrated Authentication:
>
> * As we start the Mono Server via a console app, we could read the WindowsIdentity and hand it over somehow to our web app.

If the app is run by Mono, then this approach won't solve the problem. If it is a native app or it runs with .NET, then you can just make sure that it's the console launcher that authorizes the user and runs the application (perhaps under a secured local user account - using impersonation) only if the authentication/authorization was successful.

> * We enhance the Mono Server, so it can read the WindowsIdentity.

That would be very welcome, especially if you contributed the patches to Mono :)

> As I haven't put my fingers on programming a server so far, I'm a bit sceptical about the second possibility. Mainly, as I don't know how much effort it would be ...

As said above, I don't think it would be a lot of work. WindowsIdentity is already partially implemented and the WindowsAuthenticationModule should be pretty straightforward to code.

best, marek

> Cheers, Helmut
>
> Original Message
> Date: Wed, 24 Nov 2010 17:46:46 +0100
> From: Marek Habersack gren...@twistedcode.net
> To: agez helmut_zieg...@gmx.de
> CC: mono-devel-list@lists.ximian.com
> Subject: Re: [Mono-dev] Windows Integrated Authentication
>
> > On Wed, 24 Nov 2010 07:11:11 -0800 (PST) agez helmut_zieg...@gmx.de wrote:
> >
> > > Hi,
> >
> > Hey,
> >
> > > we're developing an ASP.Net MVC2 web application for the Intranet and wanted to use Windows Integrated Authentication. Everything works fine with the Visual Studio Development Server or IIS. But we wanted to switch to a Mono Server. And there the user's identity isn't available. So authorization doesn't work. As Mono aims to be platform independent this is understandable, but does anyone know how to get around this?
> >
> > The best option, imho, is to use the forms authentication framework (unless you have a very specific application which absolutely needs to use the Unix/Windows user database).
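The console-launcher approach described in the message above (a launcher running on .NET authorizes the Windows user and only then starts the Mono server), as an added example that is not code from the thread or from Mono. The domain, group, file paths and port are placeholders assumed for illustration.

```csharp
using System;
using System.Diagnostics;
using System.Security.Principal;

static class GatedLauncher
{
    // Placeholders assumed for this example; none come from the thread.
    const string RequiredDomain = "EXAMPLE";
    const string RequiredGroup = @"EXAMPLE\WebAppUsers";
    const string MonoExe = @"C:\path\to\mono.exe";
    const string XspExe = @"C:\path\to\xsp2.exe";
    const string AppRoot = @"C:\path\to\webapp";

    // True only for an authenticated account from the required domain
    // that is a member of the required group.
    static bool IsAuthorized(WindowsIdentity id)
    {
        if (id == null || !id.IsAuthenticated || id.IsAnonymous || id.IsGuest)
            return false;
        string[] parts = id.Name.Split('\\');   // "DOMAIN\user"
        if (parts.Length != 2 ||
            !parts[0].Equals(RequiredDomain, StringComparison.OrdinalIgnoreCase))
            return false;
        return new WindowsPrincipal(id).IsInRole(RequiredGroup);
    }

    static int Main()
    {
        using (WindowsIdentity id = WindowsIdentity.GetCurrent())
        {
            if (!IsAuthorized(id))
            {
                Console.Error.WriteLine("Not authorized: " + id.Name);
                return 1;
            }
        }
        // Listen on loopback only, so the app is not reachable from the network.
        string args = string.Format(
            "\"{0}\" --address 127.0.0.1 --port 8080 --root \"{1}\"", XspExe, AppRoot);
        var psi = new ProcessStartInfo(MonoExe, args) { UseShellExecute = false };
        using (Process server = Process.Start(psi))
        {
            server.WaitForExit();
            return server.ExitCode;
        }
    }
}
```

The check gates only who can start the server: once it is listening, any process on the machine can reach 127.0.0.1:8080, and the web app itself still sees no per-request Windows identity.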
[Mono-dev] Windows Integrated Authentication
Hi,

we're developing an ASP.Net MVC2 web application for the Intranet and wanted to use Windows Integrated Authentication. Everything works fine with the Visual Studio Development Server or IIS. But we wanted to switch to a Mono Server. And there the user's identity isn't available. So authorization doesn't work.

As Mono aims to be platform independent this is understandable, but does anyone know how to get around this?

Cheers, Helmut

--
View this message in context: http://mono.1490590.n4.nabble.com/Windows-Integrated-Authentication-tp3057461p3057461.html
Re: [Mono-dev] Windows Integrated Authentication
On Wed, 24 Nov 2010 07:11:11 -0800 (PST) agez helmut_zieg...@gmx.de wrote:

> Hi,

Hey,

> we're developing an ASP.Net MVC2 web application for the Intranet and wanted to use Windows Integrated Authentication. Everything works fine with the Visual Studio Development Server or IIS. But we wanted to switch to a Mono Server. And there the user's identity isn't available. So authorization doesn't work. As Mono aims to be platform independent this is understandable, but does anyone know how to get around this?

The best option, imho, is to use the forms authentication framework (unless you have a very specific application which absolutely needs to use the Unix/Windows user database). You can take advantage of the Membership and Role providers in your MVC application - implementations of them exist for basically every RDBMS and also for LDAP, plain XML, plain text files (alas, Mono's implementation of the ActiveDirectoryMembershipProvider is just a stub - patches welcome, of course :D). If you can't find a provider that suits your needs, it's easy to create a custom one, tailored to your environment.

If this is not desirable, you can easily roll out your own authentication provider using any database (from LDAP/ActiveDirectory to any RDBMS) as the backend and just the forms authentication ticket/cookie services to keep the user logged in.

If you wanted to authenticate users on Linux using their physical account credentials then things will get a bit complicated. In order to be absolutely compatible with the multitude of ways to authenticate users on Linux you'd have to use PAM, and that would require you either to grant your application special rights or to use a daemon to which the application would talk in order to authenticate the users.

If you want to keep your server/application users in one place and use the same credentials on Linux, Windows and your MVC app, then I'd recommend looking at OpenLDAP to implement your own directory server.

Hope that helps a bit,

marek