How secure is AuthenticationTypes.Secure?

I understand that AuthenticationTypes.Secure requests secure authentication using Kerberos or NTLM (??). However, here is a scenario I am trying to understand. Let us say that I have a regular ASP.NET site, with SSL certificates not installed on the web server. The login sends the request out to an AD server which also does not have certificates installed. However, I have set the flag to AuthenticationTypes.Secure. When the username and password data gets transmitted between the application and the LDAP server, how secure are the password and username info? In other words, is this info transmitted as plain text?

--K.
0
cmkp
8/28/2003 7:30:23 PM
asp.net.active-directory-ldap

There are two parts to this: A.) sending the information from the client's browser to the IIS server and B.) from the IIS server to the domain controller. So, in your scenario, if you are not using SSL, then you would be sending credentials from the client's browser (assuming they type in username and password in Forms Auth) in plaintext to the IIS server. The IIS server would then securely send those credentials using AuthenticationTypes.Secure to the domain controller.

All in all, the solution is insecure. The only thing that is protected is the communication between the IIS server and the domain controller (using NTLM or Kerberos). The link between the client and the IIS server is not secure, and specifying AuthenticationTypes.Secure has no bearing on this portion.

Ryan Dunn
Weblog
The Book
LDAP Programming Help
0
dunnry
8/28/2003 7:57:55 PM
Ryan - first off - your response shows a lot of knowledge about how this whole thing works (considering that this is not a topic for the faint of heart ;-)) - not to mention a whole slew of other posts that you have made that are extremely helpful. Thank you so much.

So, if I were to just secure the web server with an SSL certificate - this should be adequate to ensure the overall security of all transmissions - right?
--K.
0
cmkp
8/28/2003 8:06:33 PM
Yes, SSL would be the best solution in this scenario. The solution is only as strong as the weakest link, and in this case, it is the communication between the client's browser and the IIS server. You don't have to really worry about the backend servers (IIS and domain controllers) since they can communicate securely between themselves using NTLM or Kerberos. Once you have the client/IIS link secured using SSL, then you have your bases fairly well covered.
Ryan Dunn
Weblog
The Book
LDAP Programming Help
0
dunnry
8/28/2003 8:49:06 PM
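The two links described in the replies above, written out as an added C# example (not code from either poster). The LDAP path, the hypothetical `Login_Click` handler and the page fields are assumptions. The backend leg binds with `AuthenticationTypes.Secure` so the password goes to the domain controller inside a Kerberos/NTLM exchange rather than as a simple bind; `Sealing` is added because `Secure` alone protects the bind but not the LDAP traffic that follows. The frontend leg is the one the replies identify as the weak link, so the handler refuses to touch the posted password unless the request arrived over SSL.

```csharp
using System;
using System.DirectoryServices;
using System.Web;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.WebControls;

// Added example: validates Forms Auth credentials against Active Directory.
public class LdapCredentialCheck
{
    // Assumed LDAP path for the domain; replace with your own.
    private const string LdapPath = "LDAP://DC=example,DC=local";

    // Returns true only if the domain controller accepts the credentials.
    // Secure  -> negotiate Kerberos/NTLM for the bind (no simple/cleartext bind).
    // Sealing -> encrypt the LDAP session after the bind, not just the bind itself.
    public static bool Validate(string username, string password)
    {
        if (username == null || username.Length == 0 ||
            password == null || password.Length == 0)
        {
            return false;   // never attempt an anonymous or empty bind by accident
        }

        AuthenticationTypes authType =
            AuthenticationTypes.Secure | AuthenticationTypes.Sealing;

        using (DirectoryEntry entry =
            new DirectoryEntry(LdapPath, username, password, authType))
        {
            try
            {
                // Touching NativeObject forces the bind; a bad password raises here.
                object bound = entry.NativeObject;
                return bound != null;
            }
            catch (DirectoryServicesCOMException)
            {
                return false;   // invalid credentials or account restrictions
            }
        }
    }
}

// Hypothetical login page: the client-to-IIS leg is only protected by SSL,
// so the handler declines to process the form if the request was not HTTPS.
public class LoginPage : Page
{
    protected TextBox UserName;   // assumed form fields
    protected TextBox Password;
    protected Label Message;

    protected void Login_Click(object sender, EventArgs e)
    {
        if (!Request.IsSecureConnection)
        {
            // Do not read the password at all; it already crossed the wire,
            // but at least refuse to accept a login over a cleartext channel.
            Message.Text = "Login is only accepted over HTTPS.";
            return;
        }

        if (LdapCredentialCheck.Validate(UserName.Text, Password.Text))
        {
            FormsAuthentication.RedirectFromLoginPage(UserName.Text, false);
        }
        else
        {
            Message.Text = "Invalid username or password.";
        }
    }
}
```

The `IsSecureConnection` check is a backstop, not the fix: the real control is serving the login page and the Forms Auth cookie only over SSL, which in `web.config` means `<forms requireSSL="true" ...>` plus an HTTPS binding on the site, so the browser never posts the password in the clear in the first place.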