I’m looking for a bit of feedback on the practice of requesting users to authenticate to an intranet-based web app by entering their AD credentials directly in form fields. For example, using domain\username and password fields as opposed to using the native browser-based challenge window for integrated authentication. In the form-based example, credentials are passed to the application in plain text and it’s essentially up to the integrity of the application to handle the data appropriately. It seems to me this is the equivalent of entering my OpenID credentials directly into a host app on the Internet.

So my questions are:

  1. Is there any best practice guidance on authenticating to a custom web app (assume predominantly .NET / Java stacks) in an AD environment?
  2. Can you think of any legitimate circumstances where this is really necessary?
  3. Is this a legitimate concern or am I just being paranoid?!
+1  A: 

If it's a browser-based application, why wouldn't you just enable Windows authentication in your web.config (not sure what the equivalent is in the Java world, sorry) and let the browser handle authentication?

Otherwise, I'd say if you do this over a secure transport (SSL) then you should be ok. Microsoft's own products often use form fields to submit AD credentials (I know Outlook Web Access and Internet Security & Acceleration Server both do this).

Jeremy Wiebe
Just to be clear, applications I have influence over would do exactly what you described. It's applications from other sources to which I have no visibility I'm concerned about. As for SSL, it only encrypts in transit and provides no assurances as to how credentials are handled on the server.
Troy Hunt
Sorry, I misunderstood your question. :-( What do you mean by "no visibility"? Are these packaged applications that you purchase and use internally? I would say if you are willing to purchase the application, you have to trust it. Depending how big of a customer you are, you might be able to request audits or assurances that the application "plays nice".
Jeremy Wiebe
I'm talking about an environment where applications may be off the shelf or developed by a vendor and in circumstances where I don’t influence the design. As an end user of these applications I have "no visibility" as to what happens to my credentials once entered into a web form as opposed to knowing that when entered into an integrated auth form in the browser that my credentials ARE NOT passed to the app. So it really comes back to question 1 above; is there any best practice around the concept of entering AD credentials into a web form where an integrated auth approach is available?
Troy Hunt
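As an added illustration of the web.config change the first answer refers to (this is not the answerer's own code), here are two ASP.NET configuration fragments side by side: the form-based setup hands the AD password to the application, which then has to validate and protect it itself, while the Windows-authentication setup lets IIS and the browser negotiate Kerberos/NTLM so the application only ever receives an authenticated identity. The element names are standard ASP.NET/IIS configuration; the login page name is a placeholder.

```xml
<!-- Added example, not from the original answer. Two web.config fragments
     shown one after the other; each would be the whole file in practice.
     "~/Login.aspx" is a placeholder page name. -->

<!-- 1. Form-based: the browser POSTs domain\username and password to the
        app. The app must validate them against AD and handle them safely;
        a user has no way to verify how it does so. -->
<configuration>
  <system.web>
    <authentication mode="Forms">
      <!-- requireSSL only protects the cookie and the POST in transit -->
      <forms loginUrl="~/Login.aspx" requireSSL="true" />
    </authentication>
    <authorization>
      <deny users="?" />   <!-- anonymous users are sent to Login.aspx -->
    </authorization>
  </system.web>
</configuration>

<!-- 2. Integrated: IIS and the browser negotiate Kerberos/NTLM. The app
        sees User.Identity.Name (e.g. DOMAIN\user) but never the password. -->
<configuration>
  <system.web>
    <authentication mode="Windows" />
    <authorization>
      <deny users="?" />   <!-- require an authenticated Windows identity -->
    </authorization>
  </system.web>
  <!-- IIS 7+ integrated pipeline: turn off anonymous access and enable
       Windows authentication for this site (these sections must be
       unlocked in applicationHost.config for a site-level override). -->
  <system.webServer>
    <security>
      <authentication>
        <anonymousAuthentication enabled="false" />
        <windowsAuthentication enabled="true" />
      </authentication>
    </security>
  </system.webServer>
</configuration>
```

With the second configuration the browser is prompted only when the logged-on desktop session cannot be used, which is the behaviour the question contrasts with a custom login form.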
+2  A: 

In a highly secure environment, users would be encouraged to only enter their credentials when using the Secure Attention Sequence CTRL-ALT-DEL, which is designed so that it can't be intercepted by applications.

So in such an environment, even the browser challenge window for authentication would be suspect. Instead you would log on locally using the same AD credentials as you need to access the website, and would be authenticated without needing to be prompted.

I'd say entering AD credentials in form fields is extremely suspect if the credentials can also be used for access to other sensitive resources. Even if the app developers are well-intentioned, it is an unnecessary security hole. For example, anyone who has write access to the web directory can easily replace the login form and capture credentials.

Joe
+1  A: 

The best approach is to use Kerberos tokens instead of an encrypted username/password.

This open source library, http://spnego.sourceforge.net, will allow your Java web apps to perform integrated Windows authentication using Kerberos tokens.

The library is installed as a servlet filter so you will not have to write any code.

Pat Gonzalez