lobos

C# VS 2008

I am building a web based application and it needs to have security tied to it. In the past I created a local group on the server and added the appropriate users to the group. With the web config file I granted appropriate access based on whether your username was part of the group or not.
I have been made aware that the best way to do this is with Forms authentication. I have always done this concept using integrated Windows authentication, but I have been told that is not the correct and best way to do this.
Could I have some input on this thought, and perhaps an example of how to implement the concept using forms-based authentication as opposed to using the Windows authentication concept?
ViceroyFizzlebottom

Here's a pretty thorough walk-through of how to implement Forms authentication.

http://support.microsoft.com/kb/301240
ASKER CERTIFIED SOLUTION
phead_2
This solution is only available to members.
>>If you want to use Windows accounts, stick with Windows authentication. Use Forms for anything else.

Yes, that's the rule right there.

Typically that will come down to using Windows authentication for a corporate intranet but Forms for a site open to the public. There will be exceptions to that, but phead_2's rule stands.
m_maq

If your company has it, SiteMinder works great and you practically do nothing 99% of the time.
lobos

ASKER

Thank you for all feedback.
ViceroyFizzlebottom: your link takes me to an example that uses a SQL database for users; as I mentioned above, my concept is using the users from Active Directory. It's just a matter of what is more secure, using Forms or Windows.
Yes, it is for internal purposes only.
But a good example that I want to make reference to is the OWA concept of Outlook: it's for users who are internal and part of AD, but when out in the public and accessing OWA through https:, the authentication source is using forms as opposed to the Windows popup window... that's why I am a bit confused.

You really don't have to use forms with OWA, but I guess most people prefer the look of it. The only requirement there is that if you use forms, you have to use SSL.
lobos

ASKER

OK, what about the caching of username and password on the machine ('save my password')? Does this factor into which method to use?

If you're referring to the browser storing it, it can't for Windows authentication and can for Forms. It is worth mentioning that with Windows authentication the credentials will be cached until the browser is closed.
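
The two setups discussed in this thread, as an added web.config sketch that is not part of the original posts: Windows authentication restricted to a group, and Forms authentication that validates against Active Directory with the ticket cookie limited to SSL. The group name `SERVER\AppUsers`, the LDAP path, the `ADConn` and `ADProvider` names and the `Login.aspx` page are assumed placeholders.

```xml
<!-- Added example, not from the thread. Two alternative web.config files. -->

<!-- Option A: Windows authentication (intranet, Windows accounts). -->
<configuration>
  <system.web>
    <authentication mode="Windows" />
    <authorization>
      <!-- SERVER\AppUsers is a placeholder local group name -->
      <allow roles="SERVER\AppUsers" />
      <deny users="*" />
    </authorization>
  </system.web>
</configuration>

<!-- Option B: Forms authentication, passwords checked against Active Directory. -->
<configuration>
  <connectionStrings>
    <!-- Placeholder LDAP path; point this at your own domain -->
    <add name="ADConn"
         connectionString="LDAP://dc.example.local/DC=example,DC=local" />
  </connectionStrings>
  <system.web>
    <authentication mode="Forms">
      <!-- requireSSL="true": the ticket cookie is never sent over plain HTTP -->
      <forms loginUrl="Login.aspx" requireSSL="true" protection="All"
             timeout="20" slidingExpiration="true" />
    </authentication>
    <authorization>
      <!-- "?" = anonymous users; they are redirected to Login.aspx -->
      <deny users="?" />
    </authorization>
    <membership defaultProvider="ADProvider">
      <providers>
        <!-- connectionProtection="Secure" protects the bind to the directory -->
        <add name="ADProvider"
             type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
             connectionStringName="ADConn"
             attributeMapUsername="sAMAccountName"
             connectionProtection="Secure" />
      </providers>
    </membership>
  </system.web>
</configuration>
```

With Option B the login page posts the password in the request body, so the site itself has to be served over HTTPS, which matches the SSL requirement mentioned above for OWA forms logon.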