Hi Matthew,

> I'm looking at introducing a Generic Authentication scheme
> rather than using Windows Authentication for code access security.
>
> The application will be a mix of ASP.NET and remotely
> deployed Winforms front ends.
>
> I am confused about what this will mean.
>
> 1) Will the Generic Principal and Identity be carried from
> Client PC to Business Object tier automatically or will some
> manual work need to be done?

No. You will have to do this manually, although I remember more than one list member who's already implemented such a channel sink for .NET Remoting. If you want to use the Windows standard security mechanisms, you can, however, host the components in IIS, which provides these features.

> 2) Does Normal Windows security Authentication get tossed
> aside? I.e. if the Winforms Client PC makes a call to the
> Business Object server (via Remoting), won't it still need to
> make sure that the NT user is valid with the domain and check
> to make sure that the NT user has permissions to call that object?

Yes, it should normally do these checks. If you host the server-side remoted objects in IIS (via .NET Remoting) and switch to Windows integrated security and use the useDefaultCredentials="true" parameter when creating the channel on the client side, the logon information will be transferred in a somewhat secure challenge/response protocol.

> 3) Are there any other limitations to what you can do?

Impersonation. The principal is only valid in the current process but you aren't really "impersonating" it - that is, when accessing other components (file system or SQL servers or such) you will still run as the aspnet account. You might, however, want to have a look at Peter Bromberg's article at http://www.eggheadcafe.com/articles/20020418.asp where he shows some impersonation techniques for use outside of COM+.

-Ingo

Author of "Advanced .NET Remoting"
http://www.dotnetremoting.cc
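
The distinction in point 3, as an added example that is not part of the original message: setting a GenericPrincipal on the thread changes what managed role checks see, but the operating system identity used for file or SQL access stays that of the process account. The method name `ApproveOrder`, the role names and the user names are hypothetical, and the sketch assumes it runs on Windows.

```csharp
using System;
using System.Security;
using System.Security.Principal;
using System.Threading;

static class PrincipalVersusProcessIdentity
{
    // Hypothetical business-tier method guarded by a managed role check.
    static void ApproveOrder()
    {
        IPrincipal caller = Thread.CurrentPrincipal;
        if (caller == null || !caller.IsInRole("Managers"))
            throw new SecurityException("Caller is not in role 'Managers'.");
        Console.WriteLine("  ApproveOrder: allowed for " + caller.Identity.Name);
    }

    // Stands in for what a custom authentication step (for example a
    // channel sink) would do once it has validated the caller.
    static void CallAs(string user, params string[] roles)
    {
        Thread.CurrentPrincipal =
            new GenericPrincipal(new GenericIdentity(user, "Custom"), roles);

        // The managed principal is whatever was just assigned ...
        Console.WriteLine("Managed principal: " + Thread.CurrentPrincipal.Identity.Name);

        // ... but the Windows token of the process is unchanged, so resource
        // access outside managed role checks still happens as this account.
        Console.WriteLine("OS identity      : " + WindowsIdentity.GetCurrent().Name);

        try
        {
            ApproveOrder();
        }
        catch (SecurityException ex)
        {
            Console.WriteLine("  ApproveOrder: denied (" + ex.Message + ")");
        }
    }

    static void Main()
    {
        CallAs("alice", "Managers"); // constructed sample user, role check passes
        CallAs("bob", "Clerks");     // constructed sample user, role check fails
    }
}
```

Both calls print the same OS identity, which is why authorization decisions based on the generic principal have to be enforced in the business tier itself rather than left to file system or database ACLs.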