.NET Forum / .NET Framework / Security / January 2006
System.Security.Principal.IdentityReference

Michael Primeaux - 23 Jan 2006 00:15 GMT
Would someone from Microsoft please explain what scenario required the
IdentityReference class in .NET 2.0 to be declared with an internal
constructor. I have several use cases that would benefit extensively from a
custom identity reference. However, that's not currently possible as the
IdentityReference class cannot be inherited.

Kindest Regards,
Michael Primeaux
Joe Kaplan (MVP - ADSI) - 23 Jan 2006 01:28 GMT
I think it is only supposed to be used with the SecurityIdentifier or
NTAccount derived classes, but I'm not from MS, so I can't say for sure.

Can you say more about your scenario?

Joe K.

Michael Primeaux - 24 Jan 2006 03:25 GMT
We are writing a distributed application framework. As with most
applications, we separate into two distinct categories: extranet and
intranet. Regardless of which camp an application resides, we offer two
options with respect to authentication: (1) native authentication and (2)
custom authentication. Regardless of the chosen scenario, we augment the
principal with security profile information (business "stuff"). To keep the
link between our principal, identity, and security profile we use identity
references.

Therefore, there are four scenarios:

1. Intranet application, native authentication. For this [widely used] case,
we use the native WindowsIdentity "wrapped" with a custom principal.

2. Intranet application, custom authentication. For this case, we use a
custom identity "wrapped" with a custom principal.

3. Extranet application, native authentication. For this case, we use the
native WindowsIdentity "wrapped" with a custom principal.  We use protocol
transition and obtain the Kerberos credentials without knowing the user's
password; nice feature.

4. Extranet application, custom authentication. For this case, we use a
custom identity "wrapped" with a custom principal.

For native authentication, we map the identity to a security profile using
one of three options: (1) use the NTAccount class or the (2)
SecurityIdentifier class, or (3) the objectId associated to the user within
AD. However, for custom authentication we do not have an option and wanted
to define our own CustomIdentityReference so we can keep our security
profile security API consistent: For example...

ISecurityProfile Get(IdentityReference identityReference);

I'm over-simplifying the issue as we have other APIs that would certainly
benefit from a custom identity reference. However, since the
IdentityReference class defines an internal ctor we are forced to break
apart our API into something less elegant. Why allow for custom IIdentity
implementations but without allowing for custom identity references?

Let me know if you need more clarification.

Kindest Regards,
Michael

Joe Kaplan (MVP - ADSI) - 24 Jan 2006 04:36 GMT
I think I kind of get it, although I would obviously need more details to
understand it deeply.  It seems like you might have a legitimate enhancement
request for the next version of the framework.  You could try the product
feedback center (if it is still there) to post it.

The other thing I was wondering was whether you might consider creating a
custom SID to use for this.  If you use an identifier authority other than 1
or 5, Windows shouldn't get confused by it.  ADAM uses something like this
for its SID and it fits into the whole SID concept pretty well.  You
obviously wouldn't be able to translate to NTAccount and such, but perhaps
it would suit your needs?  I know AzMan supports custom SIDs as well.

Best of luck with whatever you end up with.

Joe K.

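The following is an added C# example, not code from the thread or from Michael's framework. It shows the design he describes (a custom principal wrapping either a WindowsIdentity or a custom IIdentity, with a business profile looked up through one Get(IdentityReference) signature) combined with the custom-SID approach Joe suggests, and it exercises the caveat Joe raises: a SID under a non-Windows identifier authority cannot be translated to an NTAccount. The identifier authority value 1000, the tenant/userId subauthority layout, and the in-memory ProfileStore are assumptions made for illustration. It targets Windows, where SecurityIdentifier parsing and translation go through the native LSA; the protocol-transition helper only produces a usable token on a domain-joined host with the usual S4U prerequisites.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Principal;

// Added illustration of the thread's design; not code from the original posts.
public interface ISecurityProfile
{
    string DisplayName { get; }
    IReadOnlyCollection<string> Roles { get; }
}

public sealed class SecurityProfile : ISecurityProfile
{
    public string DisplayName { get; }
    public IReadOnlyCollection<string> Roles { get; }
    public SecurityProfile(string displayName, params string[] roles)
    {
        DisplayName = displayName;
        Roles = roles;
    }
}

public static class CustomSid
{
    // Identifier authorities 1 (World) and 5 (NT) are the ones Windows interprets.
    // Any other value gives a SID that Windows will carry but never resolve.
    public const long Authority = 1000; // assumption: an authority reserved app-wide

    // S-1-1000-<tenant>-<userId>: a custom-authenticated user encoded as a SID.
    public static SecurityIdentifier FromUserId(uint tenant, uint userId) =>
        new SecurityIdentifier($"S-1-{Authority}-{tenant}-{userId}");

    // Reject anything outside our authority before trusting it as a custom identity;
    // otherwise a caller could hand in a real S-1-5-... SID and borrow its profile.
    public static bool IsCustom(SecurityIdentifier sid) =>
        sid.Value.StartsWith($"S-1-{Authority}-", StringComparison.Ordinal);
}

// The single API the thread wants: keyed on IdentityReference, so a SecurityIdentifier
// (native or custom) and an NTAccount both work as keys.
public sealed class ProfileStore
{
    private readonly Dictionary<IdentityReference, ISecurityProfile> _profiles =
        new Dictionary<IdentityReference, ISecurityProfile>();

    public void Add(IdentityReference reference, ISecurityProfile profile) =>
        _profiles[reference] = profile;

    public ISecurityProfile Get(IdentityReference reference) =>
        _profiles.TryGetValue(reference, out var profile) ? profile : null;
}

// The custom principal that "wraps" either a WindowsIdentity or a custom IIdentity.
public sealed class ProfilePrincipal : IPrincipal
{
    public IIdentity Identity { get; }
    public IdentityReference Reference { get; }
    public ISecurityProfile Profile { get; }

    public ProfilePrincipal(IIdentity identity, IdentityReference reference, ISecurityProfile profile)
    {
        Identity = identity;
        Reference = reference;
        Profile = profile;
    }

    // Role checks come from the business profile, not from Windows group membership.
    public bool IsInRole(string role) => Profile != null && Profile.Roles.Contains(role);

    // Scenario 3: protocol transition (S4U2Self). The UPN constructor obtains a token
    // without the user's password; a domain-joined host is required, and the token is
    // only usable for delegation when the service is allowed to perform it.
    public static ProfilePrincipal FromUserPrincipalName(string upn, ProfileStore store)
    {
        var win = new WindowsIdentity(upn);
        return new ProfilePrincipal(win, win.User, store.Get(win.User));
    }
}

public static class Program
{
    public static void Main()
    {
        var store = new ProfileStore();

        // Scenarios 1 and 3: native authentication, keyed by the user's real SID.
        WindowsIdentity win = WindowsIdentity.GetCurrent();
        store.Add(win.User, new SecurityProfile("Native user", "Reader"));
        var native = new ProfilePrincipal(win, win.User, store.Get(win.User));
        Console.WriteLine($"{native.Identity.Name}: Reader={native.IsInRole("Reader")}");

        // Scenarios 2 and 4: custom authentication, keyed by a custom-authority SID.
        var customSid = CustomSid.FromUserId(tenant: 7, userId: 42);
        if (!CustomSid.IsCustom(customSid)) throw new InvalidOperationException("bad authority");
        store.Add(customSid, new SecurityProfile("Custom user", "Approver"));
        var custom = new ProfilePrincipal(new GenericIdentity("alice", "Custom"), customSid, store.Get(customSid));
        Console.WriteLine($"{custom.Identity.Name}: Approver={custom.IsInRole("Approver")}");

        // Joe's caveat: a custom SID has no NTAccount, so Translate fails.
        try
        {
            customSid.Translate(typeof(NTAccount));
        }
        catch (IdentityNotMappedException)
        {
            Console.WriteLine($"{customSid.Value} has no NTAccount mapping, as expected");
        }
    }
}
```

Two practical points follow from the code. First, the authority check in CustomSid.IsCustom is what keeps the two identity spaces apart: if custom-authenticated callers can supply an arbitrary SID string, one of them can present S-1-5-21-... for a real domain user and pick up that user's profile, so anything reaching the store from the custom-authentication path should be built by FromUserId or validated by IsCustom, never parsed from caller input. Second, as Michael notes in his last reply, this only helps with systems that speak SIDs (AzMan does); a security system that keys on something else still needs its own reference type outside the IdentityReference hierarchy.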
Michael Primeaux - 26 Jan 2006 19:18 GMT
I went the custom SID route (it's unfortunate it's needed for AzMan).
However, a SID is not used by all security systems. Hence my issue. I wanted
to define a custom identity reference.

Thanks for taking the time to read my initial email. I'll see what avenues I
have within Microsoft.

- m

