Last post Dec 25, 2019 03:27 AM by Yongqing Yu
Dec 18, 2019 02:24 AM|gtzpower2
Hi everyone. I am learning ASP.NET development and I have just made my site authenticate users by using the ActiveDirectoryMembershipProvider with an LDAP:// connection string. This connection string is not using SSL. I was curious if this authentication process is fairly secure between IIS and the AD server, or if I should be concerned about plain text user credentials being sent over the network to the AD server? I tried using Wireshark to sniff the traffic and I did not find any credentials in plain text, but I am not a very experienced sniffer here. Any idea what this is doing under the hood?
Dec 19, 2019 09:33 AM|Yongqing Yu
According to your description, which authentication does your web.config use? Forms authentication or Windows authentication?
If you are using Windows authentication, you do not need to worry about sending plain text user credentials over the network through the AD server, because if you use Windows authentication, the browser encrypts the credentials you enter and then transfers them.
Dec 20, 2019 07:01 PM|gtzpower2
Thanks for the reply. This is using forms authentication to support macOS and mobile users.
Dec 25, 2019 03:27 AM|Yongqing Yu
"I was curious if this authentication process is fairly secure between IIS and the AD server"
This is safe.
"or if I should be concerned about plain text user credentials being sent over the network to the AD server?"
This does not exist.
Because you are using forms authentication, what the browser passes to IIS is not secure if it is not HTTPS, while what IIS passes to AAD is secure.
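The two hops discussed in this thread (browser to IIS, and IIS to the domain controller) are each governed by a web.config setting. The following is an added example, not part of the original thread: a small Python check over a constructed web.config. The server name, directory path and provider name are placeholders; `connectionProtection` and `requireSSL` are the standard attributes of the ActiveDirectoryMembershipProvider entry and the `<forms>` element.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.config; host, DN and provider name are placeholders.
WEAK = """<configuration>
  <connectionStrings>
    <add name="ADConn" connectionString="LDAP://dc01.example.test/DC=example,DC=test" />
  </connectionStrings>
  <system.web>
    <authentication mode="Forms">
      <forms loginUrl="~/Login.aspx" requireSSL="false" />
    </authentication>
    <membership defaultProvider="ADProvider">
      <providers>
        <add name="ADProvider"
             type="System.Web.Security.ActiveDirectoryMembershipProvider"
             connectionStringName="ADConn" connectionProtection="None" />
      </providers>
    </membership>
  </system.web>
</configuration>"""

# Same file with the two weak values corrected.
HARDENED = (WEAK.replace('connectionProtection="None"', 'connectionProtection="Secure"')
                .replace('requireSSL="false"', 'requireSSL="true"'))

def audit(config_xml):
    """Return findings for the two network hops of forms auth against AD."""
    root = ET.fromstring(config_xml)
    findings = []
    # Hop 1: browser -> IIS. requireSSL="true" marks the forms ticket cookie
    # Secure; the login page itself must also be served over HTTPS.
    forms = root.find("./system.web/authentication[@mode='Forms']/forms")
    if forms is not None and forms.get("requireSSL", "false").lower() != "true":
        findings.append("forms: requireSSL is not true")
    # Hop 2: IIS -> domain controller. "Secure" is the default when the
    # attribute is omitted; "None" turns transport protection off.
    for p in root.findall("./system.web/membership/providers/add"):
        if "ActiveDirectoryMembershipProvider" not in p.get("type", ""):
            continue
        if p.get("connectionProtection", "Secure").lower() == "none":
            findings.append(f"{p.get('name')}: connectionProtection is None")
    return findings

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit(cfg))
```
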