> > At server side I use
> > the usercode to query a password database to retrieve the password
> > and I compute the same hash code.
>
> > use LogonUser API from advapi32.dll.
>
> > I don't have a password database.
>
> These statements seem contradictory to me, if you can compute the hash
> from the database, you must be storing it clear (or so it can be decoded)
> which you can use for the API?

I explained the current situation and the future situation.
Of course, the main goal of using Active Directory is to remove from each
application the burden of usercode/password management and move toward a
Single Sign On system. The updated application will no longer have a
usercode/password database.


> If you are worried about storing clear passwords in a database, assuming
> this is a single server, you could use the Local Security Authority (LSA)
> protected subsystem of Windows, saved in the registry under the protected
> key: HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets\.  This is where Windows
> stores email, RAS and network passwords, I have some code that supports
> this as part of my RAS component.

This is for sure interesting in general. But here for the considered
application, it is of no use. What I haven't said is that the application
will be used by more than 500 concurrent users. Those users are using many
other applications; some are web apps, some are Win32 apps. When they change
their Windows session password, all applications have to follow
automatically, hence the Active Directory use.

One more element: The application may run in a Windows session of another
user. The same Windows session is used on a workstation for many users.
Actually it is in a hospital and all nurses of a ward use the same
workstation and nevertheless at the application level they use their own
usercode/password. User switching is done at the application level and not
the OS level.

Thanks,
--
francois.pie...@overbyte.be
Author of ICS (Internet Component Suite, freeware)
Author of MidWare (Multi-tier framework, freeware)
http://www.overbyte.be

-- 
To unsubscribe or change your settings for TWSocket mailing list
please goto http://lists.elists.org/cgi-bin/mailman/listinfo/twsocket
Visit our website at http://www.overbyte.be
