
Restrict access to .Net web site by Active Directory computer group

We're looking into doing machine-based authentication, allowing any user on particular machines to access our .Net site. The list of machines will change but are all on an internal network. Their IP addresses are assumed to not be static.

To make it more manageable we'd like to be able to restrict access to an Active Directory computer group.

I can manage the AD querying, my question is where is the best place to pull out the machine name and authenticate the entire session?

I looked into creating a new HttpModule but it seems I'll have to authenticate every request. Authenticating every request doesn't seem ideal if an AD query is involved.

The web is stateless, so every request is always authenticated no matter what technology you're using. However, the trick to not hammering AD is using a session http cookie. You would set this cookie on the first request and check for it on subsequent requests. You would need some kind of cryptographic protection on the cookie, but thankfully this is ready-rolled in ASP.NET. I'd say you could leverage the Forms Authentication infrastructure to set and validate a cookie - you would just offload the initial authentication to AD instead of reading from a posted form.

Here's a great place to start:

Understanding the Forms Authentication Ticket and Cookie http://support.microsoft.com/kb/910443

You don't need to authenticate every request. Authenticate the first request with your HttpModule, and either add the requestor to the session, or cache the credentials for a short period of time.
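The approach from the two answers above, as an added example that is not code from the question or from either answer: an HttpModule queries AD only when a request carries no valid Forms Authentication ticket, then issues one. The group name `WebSiteMachines`, the 30-minute lifetime, and the use of reverse DNS to get the machine name are assumptions; the page does not say how the machine name is obtained.

```csharp
using System;
using System.DirectoryServices.AccountManagement;
using System.Net;
using System.Security.Principal;
using System.Web;
using System.Web.Security;
public class MachineGroupAuthModule : IHttpModule
{
    const string AllowedGroup = "WebSiteMachines"; // hypothetical AD computer group
    public void Init(HttpApplication app) { app.AuthenticateRequest += Authenticate; }
    public void Dispose() { }
    static void Authenticate(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        FormsAuthenticationTicket ticket = ReadTicket(ctx.Request.Cookies[FormsAuthentication.FormsCookieName]);
        if (ticket == null)
        {
            // No cookie, or an expired/tampered one: run the expensive AD check once.
            string machine = ResolveMachine(ctx.Request.UserHostAddress);
            if (machine == null || !InAllowedGroup(machine)) { ctx.Response.StatusCode = 403; ctx.ApplicationInstance.CompleteRequest(); return; }
            // Assumed lifetime: 30 minutes, non-persistent. Encrypt() protects the ticket with the machineKey.
            ticket = new FormsAuthenticationTicket(1, machine, DateTime.Now, DateTime.Now.AddMinutes(30), false, "machine");
            ctx.Response.Cookies.Add(new HttpCookie(FormsAuthentication.FormsCookieName, FormsAuthentication.Encrypt(ticket))
                { HttpOnly = true, Secure = ctx.Request.IsSecureConnection, Path = FormsAuthentication.FormsCookiePath });
        }
        // Expose the machine name to the rest of the pipeline as the request identity.
        ctx.User = new GenericPrincipal(new FormsIdentity(ticket), new string[0]);
    }

    static FormsAuthenticationTicket ReadTicket(HttpCookie cookie)
    {
        if (cookie == null || string.IsNullOrEmpty(cookie.Value)) return null;
        try { var t = FormsAuthentication.Decrypt(cookie.Value); return (t == null || t.Expired) ? null : t; }
        catch (Exception) { return null; } // undecryptable cookie: fail closed and re-check AD
    }

    static string ResolveMachine(string ip)
    {
        // Assumption: internal reverse DNS maps the client IP to its AD computer name.
        try { return Dns.GetHostEntry(ip).HostName.Split('.')[0]; }
        catch (Exception) { return null; }
    }

    static bool InAllowedGroup(string machine)
    {
        using (var ad = new PrincipalContext(ContextType.Domain))
        using (ComputerPrincipal pc = ComputerPrincipal.FindByIdentity(ad, machine))
        using (GroupPrincipal grp = GroupPrincipal.FindByIdentity(ad, AllowedGroup))
            return pc != null && grp != null && pc.IsMemberOf(grp);
    }
}
```

The ticket lifetime bounds how long a machine removed from the group keeps access, so keep it short. The check is only as trustworthy as the name resolution behind it: the reverse DNS lookup assumed here inherits the integrity of the internal DNS zone.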
