C# (ASP.NET)  Windows Authentication?

Posted on 2007-10-18
Medium Priority
Last Modified: 2013-12-17
this is for ASP.NET (C#)

1) If we use Windows Authentication, I am assuming that we could use NLTM to do the Windows Authentication. Does this mean for every request to the web server, they need to do the challenge response? +-5 more handshake request? Because If I am not wrong, theoretically speaking we need to input the username/password for every request to the server but luckily I.E does this for us automatically in the background.

2) With Windows Authentication, do we still need session cookies? How are we going to implement session timeout apart from using cookies? Is there a way to implement session timeout without the cookies?
Question by:kecoak
  • 2

Accepted Solution

S31B1 earned 2000 total points
ID: 20101153
1) all browsers modern browsers are capable of using Windows Auth to connect to pages. If you require this sort of security it is the only solution. It will use Negotiation to decide on NTLM or Kerberos. What is your concern? Is it that the authentication overhead will be too much?

2)Session cookies are required as these form the index of the session state. as far as I know without implimenting custom session providers the only way to utilise session state without cookies is to use the inbuilt "cookieless" functionality however that messes about with your urls and is far from ideal.

Author Comment

ID: 20101184
1) I just wanted that my understanding is correct. Is that really the case? for every HTTP request to the server, the client needs to do 4-5 handshake before they getting the response back?

2) Well the idea of Windows Authentication is to have Single Sign On and centralised user access database. By doing this, we could also save the hassle of using session "COOKIES" but then if we don't use SESSION COOKIES, how are we going implement Authentication TIMEOUT?

On the other hand, if we use cookies to implement Authentication Timeout, it means that we rely on the cookies as part of our authorisation/authentication. Isn't going to be a mixed authentication of Windows Authentication and Form based Authentication?

What is your thought around this?

Expert Comment

ID: 20101483
I'm not sure on the technicalites of Integrated Windows authentication, I can say that on a slow network there is no percevable slowdown when using Integrated auth over anonymous access.

You talk of Authentication time out, from what I'm aware of there is no such thing as Authrntication timeout. your integrated auth credentials are vaild so long as you have an active logon session.

The point is we can have session time out which is to be dealt with seperately to authentication. I'm sure if you had the time and money you could impliment an AD based session provider that did away with the inProc session store and could probably use the logged on id as a key.

you don't have mixed auth. You have Integrated auth with cookie based session state managment.

Featured Post

Free Tool: Port Scanner

Check which ports are open to the outside world. Helps make sure that your firewall rules are working as intended.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Simulator games are perfect for generating sample realistic data streams, especially for learning data analysis. It is even useful for demoing offerings such as Azure stream analytics, PowerBI etc.
Hello there! As a developer I have modified and refactored the unit tests which was written by fellow developers in the past. On the course, I have gone through various misconceptions and technical challenges when it comes to implementation. I would…
Is your data getting by on basic protection measures? In today’s climate of debilitating malware and ransomware—like WannaCry—that may not be enough. You need to establish more than basics, like a recovery plan that protects both data and endpoints.…
Loops Section Overview
Suggested Courses

862 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question