How secure is AuthenticationTypes.Secure?

I understand that AuthenticationTypes.Secure requests secure authentication using Kerberos or NTLM (??). However, here is a scenario I am trying to understand. Let us say that I have a regular ASP.NET site, with SSL certificates not installed on the web server. The login sends the request out to an AD server which also does not have certificates installed. However, I have set the Secure flag to AuthenticationTypes.Secure. When the username and password data get transmitted between the application and the LDAP server, how secure is the password and username info? In other words, is this info transmitted as plain text?

--K.
0
cmkp
8/28/2003 7:30:23 PM
asp.net.active-directory-ldap

3 Replies
2205 Views


There are two parts to this:  A.) Sending the information from the client's browser to the IIS server and B.) from the IIS server to the domain controller.  So, in your scenario, if you are not using SSL, then you would be sending credentials from the client's browser (assuming they type in username and password in Forms Auth) plaintext to the IIS server.  The IIS server would then securely send those credentials using AuthenticationTypes.Secure to the domain controller.

All in all, the solution is insecure. The only thing that is protected is the communication between the IIS server and the domain controller (using NTLM or Kerberos). The link between the client and the IIS server is not secure, and specifying AuthenticationTypes.Secure has no bearing on this portion.

Ryan Dunn
Weblog
The Book
LDAP Programming Help
0
dunnry
8/28/2003 7:57:55 PM
Ryan - first off - your response shows a lot of knowledge about how this whole thing works (considering that this is not a topic for the faint of heart ;-) ) - not to mention a whole slew of other posts that you have made that are extremely helpful. Thank you so much.

So, if I were to just secure the web server with an SSL certificate - this should be adequate to ensure the overall security of all transmissions - right?
--K.
0
cmkp
8/28/2003 8:06:33 PM
Yes, SSL would be the best solution in this scenario.  The solution is only as strong as the weakest link, and in this case, it is the communication between the client's browser and the IIS server.  You don't really have to worry about the backend servers (IIS and domain controllers) since they can communicate securely between themselves using NTLM or Kerberos.  Once you have the client/IIS link secured using SSL, then you have your bases fairly well covered.
Ryan Dunn
Weblog
The Book
LDAP Programming Help
0
dunnry
8/28/2003 8:49:06 PM
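The two links Ryan describes, as an added example that is not code from this thread or from Ryan: a Forms Authentication login helper for a classic ASP.NET site that refuses to accept a password unless the browser-to-IIS request arrived over SSL (link A), and then validates the credentials against the domain controller with DirectoryEntry using AuthenticationTypes.Secure (link B), so the IIS-to-DC bind is negotiated with Kerberos/NTLM instead of a simple cleartext LDAP bind. The LDAP path, the domain and the class name AdLogin are placeholders I assumed; Secure protects the credential exchange itself, and the Sealing and Signing flags are added so the LDAP traffic after the bind is encrypted and integrity-checked as well.

```csharp
// Added example, not code from the thread. Assumes a classic ASP.NET Web Forms
// site using Forms Authentication; the LDAP path and domain are placeholders.
using System;
using System.DirectoryServices;
using System.Runtime.InteropServices;
using System.Web;
using System.Web.Security;

public static class AdLogin
{
    // Placeholder: replace with your own domain controller and domain DN.
    private const string LdapPath = "LDAP://dc.example.local/DC=example,DC=local";

    // Link B (IIS -> domain controller). Secure makes ADSI negotiate
    // Kerberos/NTLM for the bind rather than sending the password in a
    // simple bind; Sealing encrypts and Signing integrity-protects the
    // LDAP operations that follow the bind.
    public static bool ValidateCredentials(string userName, string password)
    {
        // An empty password would turn into an anonymous bind that "succeeds".
        if (string.IsNullOrEmpty(userName) || string.IsNullOrEmpty(password))
            return false;

        try
        {
            using (var entry = new DirectoryEntry(LdapPath, userName, password,
                AuthenticationTypes.Secure | AuthenticationTypes.Sealing | AuthenticationTypes.Signing))
            {
                // Reading NativeObject forces the bind; bad credentials throw.
                object native = entry.NativeObject;
                return native != null;
            }
        }
        catch (DirectoryServicesCOMException)
        {
            // Logon failure: wrong password, disabled or locked account, etc.
            return false;
        }
        catch (COMException)
        {
            // Server unreachable or bad path; treat as a failed logon, never as success.
            return false;
        }
    }

    // Link A (browser -> IIS). If SSL is not configured, fail loudly instead of
    // letting the form post carry the password to IIS in plain text.
    public static bool HandleLogin(HttpContext context, string userName, string password)
    {
        if (!context.Request.IsSecureConnection)
            throw new HttpException(403, "Credentials are only accepted over HTTPS.");

        if (!ValidateCredentials(userName, password))
            return false; // caller shows a generic "login failed" message

        // Issue the Forms Authentication ticket and send the user on.
        FormsAuthentication.RedirectFromLoginPage(userName, false);
        return true;
    }
}
```

The IsSecureConnection check only covers the password post itself; to keep the Forms Authentication ticket cookie off the plain-HTTP link as well, set requireSSL="true" on the `<forms>` element and on `<httpCookies>` in web.config, which is the SSL-on-the-web-server configuration the thread settles on.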
