views: 323

answers: 2

I am developing an application where the security requirements for data transferred and access are fairly high. As I understand, Windows authentication is the preferred method for TCP over an intranet.

How do you deal with situations where Domains are not used and only simple workgroups are available? (Some customers will not be using domains to manage the networks).

Is using the interactive client's details (currently logged in user) enough, or should I get them to separately re-enter their username and/or password? Otherwise, aren't I leaving security up to the network administrator to make sure they have an appropriate policy (i.e. the computer is locked after a period of time)? This is particularly important as I know some of the users are prone to leaving their computers logged in, so how do I ensure that the account owner is the actual user?

If so, what's the point of using Windows authentication over, say, username/password authentication if they are just re-entering their authentication details?

Thanks

+3  A: 

The point of using Windows authentication is to have a centralized directory for network object management. If you have workgroups, I'd say you'd better go with another technology, maybe a membership provider and role provider.

This article talks about the cons of doing something like this.

Igor Zelaya
+2  A: 

The purpose of using Windows Authentication is to take advantage of the pre-existing membership scheme. In enterprise level development this means the administrator has the centralised membership control panel they are used to using to manage the domain level security. The additional benefit for users is a single login to the computer grants access to multiple applications without having to re-enter their details.

If you don't have domain-level security already established and there are no plans to migrate in that direction, the membership provider option would be the better option in ASP.NET. Obviously you will then need to plan how the enterprise would handle the maintenance of multiple login and authentication providers.

[Edit] Ah...Igor got there first.

nullnvoid
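To make the two options above concrete, here is an added configuration example (not from either answer or the asker) for a WCF service over netTcpBinding, which the page does not name explicitly and is assumed here: one endpoint uses Windows credentials of the interactive user (the domain case), the other requires an explicit username/password validated by an ASP.NET membership provider (the workgroup case). The service name, contract, certificate subject and connection string are placeholders.

```xml
<configuration>
  <connectionStrings>
    <!-- Placeholder: database that holds the aspnet_Membership / aspnet_Roles tables -->
    <add name="AppDb" connectionString="CONNECTION_STRING_PLACEHOLDER" />
  </connectionStrings>
  <system.web>
    <!-- Membership and roles live in the application's own store, so no domain is needed -->
    <membership defaultProvider="SqlProvider">
      <providers>
        <add name="SqlProvider" type="System.Web.Security.SqlMembershipProvider"
             connectionStringName="AppDb" applicationName="/MyApp" />
      </providers>
    </membership>
    <roleManager enabled="true" defaultProvider="SqlRoleProvider">
      <providers>
        <add name="SqlRoleProvider" type="System.Web.Security.SqlRoleProvider"
             connectionStringName="AppDb" applicationName="/MyApp" />
      </providers>
    </roleManager>
  </system.web>
  <system.serviceModel>
    <bindings>
      <netTcpBinding>
        <!-- Domain case: the caller's current Windows logon is used; no re-entry of credentials -->
        <binding name="WindowsOverTcp">
          <security mode="Transport">
            <transport clientCredentialType="Windows" />
          </security>
        </binding>
        <!-- Workgroup case: the caller must supply a username/password; message-level
             security requires a service certificate so the password is never sent in clear -->
        <binding name="UserNameOverTcp">
          <security mode="Message">
            <message clientCredentialType="UserName" />
          </security>
        </binding>
      </netTcpBinding>
    </bindings>
    <behaviors>
      <serviceBehaviors>
        <behavior name="MembershipAuth">
          <serviceCredentials>
            <!-- Passwords are checked against the SqlProvider defined in system.web -->
            <userNameAuthentication userNamePasswordValidationMode="MembershipProvider"
                                    membershipProviderName="SqlProvider" />
            <serviceCertificate findValue="CERT_SUBJECT_PLACEHOLDER" storeLocation="LocalMachine"
                                storeName="My" x509FindType="FindBySubjectName" />
          </serviceCredentials>
          <!-- [PrincipalPermission] checks in the service then resolve roles via SqlRoleProvider -->
          <serviceAuthorization principalPermissionMode="UseAspNetRoles" roleProviderName="SqlRoleProvider" />
        </behavior>
      </serviceBehaviors>
    </behaviors>
    <services>
      <service name="MyApp.PlaceholderService" behaviorConfiguration="MembershipAuth">
        <endpoint address="net.tcp://localhost:8000/svc/win" binding="netTcpBinding"
                  bindingConfiguration="WindowsOverTcp" contract="MyApp.IPlaceholderContract" />
        <endpoint address="net.tcp://localhost:8000/svc/user" binding="netTcpBinding"
                  bindingConfiguration="UserNameOverTcp" contract="MyApp.IPlaceholderContract" />
      </service>
    </services>
  </system.serviceModel>
</configuration>
```

The second endpoint answers the asker's concern about unattended logged-in machines: each call carries an explicitly entered password rather than whatever Windows session happens to be active, at the cost of the application now owning the credential store.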