A company I work for develops winforms .net applications in which users are required to login. These applications are deployed in an online environment, e.g. desktops in a LAN where the client app connects to a service on a server. The same applications can be deployed 'standalone' in an offline environment, where data is occasionally synced back to the head office whenever there is a connection available.

The head office has an LDAP (Active Directory), but the disconnected environments don't.

Currently, each application has its own login/password table in a database.

What is a good approach to implement a unified login/password or other authentication mechanism for all custom developed winforms applications in both online and offline situations, without

  • distributing all logins and passwords to all disconnected installations
  • copying the contents of the LDAP to each environment

Is there a way to do this with Windows authentication?

EDIT: it doesn't absolutely have to work with AD, but it does have to work offline.

A: 

I achieved that in a large global financial institution using active directory.

.NET contains everything you need. Here is a list of interesting articles to learn how to use AD with .NET:

http://www.c-sharpcorner.com/articles/articlelisting.aspx?sectionid=1&subsectionid=1

Pierre 303
AD is ok in the online deployments, but how do you authenticate the user in the offline environment? Are the users credentials cached locally?
StephaneT
You have to implement that logic yourself if you really need it. But it's a very bad security breach.
Pierre 303
+1 A: 

What you are looking for is a single-sign-on solution. Active Directory fits the bill just fine here, you will find it difficult to implement something else on your own. I am not an expert on this one, but as far as I know Active Directory works offline too because profile information is replicated on clients.

For each of your applications, you would then write an ActiveDirectory adapter to authenticate the current AD user against your application.

For the exact details (esp. offline scenario but I'm 100% sure they are supported) you should consult an AD expert. Consider moving this question to Serverfault.

Johannes Rudolph
Does this also work if the user hasn't logged on to the PC in a long while? Say I want to use a colleague's PC, I've logged on to it before, but that was a couple of months ago.
StephaneT
+1 on the serverfault suggestion, I'll certainly try that if this doesn't pan out
StephaneT
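One shape such an "ActiveDirectory adapter" can take, as an added example that is not from either answer: when online it validates the credentials against AD through System.DirectoryServices.AccountManagement and records a salted PBKDF2 verifier for that user only; when offline it checks the typed password against that verifier, so no other user's credentials are ever copied to the disconnected machine. The domain name and the cache dictionary (which the caller is assumed to persist encrypted, e.g. with DPAPI) are hypothetical inputs.

```csharp
// Added example (not from the thread): online/offline authentication adapter.
// Offline verifiers exist only for users who previously logged in online on this machine.
using System;
using System.Collections.Generic;
using System.DirectoryServices.AccountManagement; // reference assembly of the same name
using System.Security.Cryptography;
public sealed class AuthAdapter
{
    private const int Iterations = 100_000; // PBKDF2 cost; raise as client hardware allows
    private const int SaltBytes = 16, HashBytes = 32;
    private readonly string _domain;
    // Hypothetical local store: username -> (salt, hash). Caller persists it encrypted.
    private readonly IDictionary<string, (byte[] Salt, byte[] Hash)> _cache;
    public AuthAdapter(string domain, IDictionary<string, (byte[], byte[])> cache)
    { _domain = domain; _cache = cache; }
    public bool Authenticate(string user, string password, bool online)
    {
        if (online)
        {
            using (var ctx = new PrincipalContext(ContextType.Domain, _domain))
            {
                if (!ctx.ValidateCredentials(user, password)) return false;
            }
            // Successful AD logon: refresh the offline verifier for this user only.
            var salt = new byte[SaltBytes];
            using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(salt);
            _cache[user] = (salt, Derive(password, salt));
            return true;
        }
        // Offline: a user who never logged in online on this machine cannot log in here.
        if (!_cache.TryGetValue(user, out var entry)) return false;
        return FixedTimeEquals(Derive(password, entry.Salt), entry.Hash);
    }
    private static byte[] Derive(string password, byte[] salt)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations))
            return kdf.GetBytes(HashBytes);
    }
    // Constant-time comparison so offline guesses leak no timing information.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

The stored verifier is still an offline brute-force target, which is the risk the comment on the first answer points at; the PBKDF2 iteration count and encrypting the cache at rest are what limit it.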