Information Security Asked on December 28, 2021
We have a web solution (running in IIS) where AD users and non-AD users need to log into. We sell this to companies and will run this on-prem only.
This is a non-AD FS, AD-only question (so no federation).
I asked on Stack Overflow whether it is valid to pass the username and password to the web application and have the application log on on their behalf, versus using sites with Windows authentication enabled. The credentials are of course never stored or logged, etc. The question is here: https://stackoverflow.com/questions/63047112/is-it-wrong-to-send-active-directory-credentials-of-a-user-to-a-backend-system/63055942#63055942
At first this seemed a very bad idea which was my initial reaction. But it seems it is an acceptable pattern.
Will security officers (CSOs) in companies, in general, accept this or not for a 3rd-party solution installed on-prem? The risk is that it is implemented this way and a CSO or a static security code analysis later blows the whistle.
Will security officers (CSOs) in companies in general accept this or not for a 3rd-party solution installed on-prem?
No CSO can tell you how another CSO will answer that question. Personally, as an Active Directory admin, I have already successfully advised against implementing dozens of applications that provide LDAP or local authentication.
At first this seemed a very bad idea which was my initial reaction. But it seems it is an acceptable pattern.
Yes, it's common that applications provide only LDAP authentication. That does not negate the drawbacks.
Your application is asking your company's employees for their credentials to your company's internal Active Directory. There is trust there. (From the Stack Overflow answer)
Trust has nothing to do with security. Hundreds of thousands of companies trust in Cisco, yet they implemented backdoors in some of their switches. Trust can be betrayed.
As an Active Directory sysadmin I generally advise against implementing any software that asks my users for their password for several reasons:
If the application asks for credentials, an attacker (which may even be the developer itself) is able to collect users' Active Directory credentials, even if they are never logged or stored in the app. With the credentials, the attacker is able to access everything outside the app that the user has access to.
Many companies provide passwordless authentication mechanisms like Kerberos/AD, SAML/AD FS/Azure AD, and OAuth/AD FS/Azure AD, and for good reason. They work without a password, and if an attacker targets the third-party system, they will not be able to gain access with credentials outside the application they compromised.
Answered by Daniel on December 28, 2021
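To make the answer's point concrete for the IIS setup in the question, here is an added example (not from the original post or its author) contrasting the two patterns as ASP.NET web.config fragments: fragment A is the "app receives the AD password" design, fragment B is integrated Windows authentication where the app only ever sees a Kerberos/NTLM-authenticated identity. The domain controller name and forest DN are hypothetical placeholders.

```xml
<!-- Fragment A: the pattern the answer warns about. Forms authentication hands the AD
     password to the application, which binds to the DC with it; the app, and anyone
     who compromises it, handles the clear-text domain password. -->
<configuration>
  <connectionStrings>
    <!-- hypothetical domain controller and forest, not from the original post -->
    <add name="ADConnection"
         connectionString="LDAP://dc01.corp.example/DC=corp,DC=example" />
  </connectionStrings>
  <system.web>
    <authentication mode="Forms">
      <forms loginUrl="~/Login.aspx" requireSSL="true" />
    </authentication>
    <membership defaultProvider="ADMembership">
      <providers>
        <clear />
        <add name="ADMembership"
             type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
             connectionStringName="ADConnection"
             attributeMapUsername="sAMAccountName" />
      </providers>
    </membership>
  </system.web>
</configuration>

<!-- Fragment B: integrated Windows authentication. The browser negotiates a Kerberos
     ticket (NTLM fallback) with IIS; the application only receives the resulting
     WindowsIdentity, never the password, so compromising the app yields no credential
     that is reusable elsewhere in the domain. -->
<configuration>
  <system.web>
    <authentication mode="Windows" />
    <authorization>
      <deny users="?" /> <!-- "?" means anonymous users: reject them -->
    </authorization>
  </system.web>
  <system.webServer>
    <security>
      <authentication>
        <anonymousAuthentication enabled="false" />
        <windowsAuthentication enabled="true">
          <providers>
            <clear />
            <add value="Negotiate" /> <!-- Kerberos preferred -->
            <add value="NTLM" />      <!-- fallback only -->
          </providers>
        </windowsAuthentication>
      </authentication>
    </security>
  </system.webServer>
</configuration>
```

The system.webServer authentication sections are locked at the server level by default, so fragment B only takes effect after they are unlocked in applicationHost.config (for example with `appcmd unlock config /section:windowsAuthentication`). Windows authentication covers only the AD users in the question; the non-AD users still need a separate mechanism, and that part of the design deserves the same "who sees the password" scrutiny.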