views: 35

answers: 3

Hello,

My client has an Exchange server and offers free email accounts to his clients and partners. His clients need access to some web applications through login and password and need to be authenticated.

I thought about creating a custom ASP.NET membership provider that hits Exchange instead of the regular aspnetdb store.

Is there a way to authenticate these users against Exchange with their Exchange-provided email/username and password?

Thank you.

+1  A: 

If I'm not mistaken Exchange authenticates via and only via Active Directory. So you might as well use some of the built-in LDAP authentication mechanisms.

There are already quite a few viable approaches to this if you do a search for ASP.NET LDAP Authentication.

However, IMO, the easiest way would be to simply use ASP.NET Windows authentication mode:

<system.web>
  ...
    <authentication mode="Windows"/>
  ...
</system.web>

And join the machine where your website will be deployed to the same domain as Exchange. There will be more implementation details of course. But I think this is the most painless one.

You can access domain information for the current user like this:

var user = (WindowsPrincipal)HttpContext.Current.User; // assume Windows auth.

NOTE, however, that there are various security risks that should be properly assessed before implementing.

chakrit
This will only work if the web server and Exchange are in the same domain. It gets tricky if they are in different networks or domains. In any case you are typically authenticating against a target Active Directory and can do that with LDAP and custom coding. There are various security risks which would need to be mitigated.
BrianLy
Well, I did say "And join the machine where your website will be deployed to the same domain as Exchange." ... but agreed w/ you on the security risk point.
chakrit
A: 

I suspect you're being authenticated in a client-controlled AD domain. This article should help.

Preet Sangha
Well, I thought about Active Directory, but what about those users with mailboxes that do not have AD accounts? I wanna believe there must be a way to simply log in to an Exchange account without being an AD user. By the way, the application is web based. I heard about Exchange Web Services. Don't they include any WS for authentication? What about OWA? Any thoughts are appreciated.
A: 

Typically I would use the ActiveDirectoryMembershipProvider in combination with Form-based authentication. This will use the same Active Directory store that Exchange is using. There's a detailed article at MSDN on the various implementation possibilities. You could also use Windows-based authentication as @chakrit suggests, but be aware that once you've authenticated the browser will remain authenticated until it is closed -- there is no logout. One nice feature of Windows authentication is that, if the site is in your intranet or trusted sites zones, you never get prompted to enter your credentials. On the other hand, you don't want to let anyone borrow your workstation while you're logged in then either. I'd only use it for things that need to be secured, but aren't necessarily sensitive -- such as an intranet site.

tvanfosson
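
A web.config sketch of the ActiveDirectoryMembershipProvider plus forms authentication setup described in the answer above, added here as an illustration and not part of the original answer. The host name dc.example.com, the DC=example,DC=com container, Login.aspx, and the provider and connection-string names are placeholder assumptions, as is the idea that users sign in with a userPrincipalName matching their mail address.

```xml
<configuration>
  <connectionStrings>
    <!-- Placeholder directory server and container (assumed values). -->
    <add name="ADConnectionString"
         connectionString="LDAP://dc.example.com/DC=example,DC=com" />
  </connectionStrings>

  <system.web>
    <!-- Forms authentication gives the application an explicit sign-out,
         which Windows authentication does not. requireSSL keeps the
         ticket cookie off plain HTTP; the timeout bounds an unattended
         session. -->
    <authentication mode="Forms">
      <forms loginUrl="~/Login.aspx"
             protection="All"
             requireSSL="true"
             cookieless="UseCookies"
             timeout="20"
             slidingExpiration="true" />
    </authentication>

    <!-- Anonymous users are sent to the login page. -->
    <authorization>
      <deny users="?" />
    </authorization>

    <membership defaultProvider="ADMembershipProvider">
      <providers>
        <clear />
        <!-- connectionProtection="Secure" refuses an unprotected bind,
             so passwords are not sent to the directory in clear text.
             No connectionUsername/connectionPassword is set, so the
             provider binds as the application's process identity,
             which should be a low-privilege account.
             The Version below must match the installed framework
             (2.0.0.0 on .NET 2.0 and 3.5). -->
        <add name="ADMembershipProvider"
             type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
             connectionStringName="ADConnectionString"
             connectionProtection="Secure"
             attributeMapUsername="userPrincipalName" />
      </providers>
    </membership>
  </system.web>
</configuration>
```

With this in place the login page validates credentials through Membership.ValidateUser (or the Login control), and FormsAuthentication.SignOut ends the session.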