
So I'm working on a mobile web app using jQuery Mobile, and I need to request some data from a remote server from the app. I get the data either from a C# SOAP web service, or from an IHttpHandler that returns JSON. I need to somehow authenticate with the web service/handler before any data is returned. I was hoping to use ActiveDirectory, and somehow pass a user name and a hashed password to the server via an AJAX request. The problem is, examples of authenticating in C# with ActiveDirectory involve passing a plain-text user name and password to PrincipalContext.ValidateCredentials. Is there any way to securely pass credentials to the C# service and have it authenticate with AD, without it knowing the plain-text password?

Edit: I thought maybe I could hash the password client-side, pass it to the server, let the server get the AD password for the requested user and hash it the same way, then compare, but getting the AD password isn't possible.

Edit: Looking at aSSL.

Sarah Vessels
  • This is an internet facing site? – asawyer Jun 08 '12 at 15:24
  • Not really, no--it will exist on mobile devices. It should just be users within the company, those who would have an AD account. – Sarah Vessels Jun 08 '12 at 15:25
  • Hm, actually the app may end up on a public-facing server at some point. Seems like when I do that, though, I could secure it through IIS. But the main goal is to have the app live on someone's device, so the app will know nothing about `PrincipalContext` or the like. – Sarah Vessels Jun 08 '12 at 15:28
  • Have you considered linking some type of unique phone set identifier to a validated user in the backend database, and authenticating with it? – asawyer Jun 08 '12 at 15:33

1 Answer


If you are developing a mobile web with jQuery UI, it won't live on the device, it will live on your web server (IIS, if it's a web application). Your application can authenticate using Windows authentication against the service it needs to query, however it depends on the user used to run the application / impersonation being used on your side.
The question is how your application and this service communicate between themselves and the internet. If the service is not accessible to the internet, I don't know how much you should worry about the transport being secure.
You also can check out AD FS / AD FS 2 based security solutions and WCF integration options, such as explained here, for example.
These solutions implement the concept you are talking about, with the AD FS being the service that authenticates / validates the credentials passed, and returns a token to the application / service. Usually the communication with AD FS uses SSL to secure the transport layer, and the messages are signed, to make sure no one messes with them in the middle.
You can, of course, implement such a mechanism yourself. You don't need to get the password from the Active Directory, you only need to see if the passed credentials (username / password) can be validated, by using the code sample provided here.

YavgenyP
  • It's possible the app will live on a server somewhere and users only access it through their browsers, but I've also built a native Android version using PhoneGap, and will possibly build an iOS version in the future. I would prefer it not to have to live on a server, but rather be installed on the mobile device. – Sarah Vessels Jun 08 '12 at 16:04
  • And in this scenario the app installed on the device will have to communicate with the service? – YavgenyP Jun 08 '12 at 16:05
  • Yes. Wherever the app lives, it needs to get its data from the service. – Sarah Vessels Jun 08 '12 at 16:07
  • Well, from the service point of view, my solution will still work (using classes provided with .NET to validate the credentials). From the device point of view, you still can use SSL to communicate with your service, or implement any encryption/signing protocol of your own. The point is, you don't need to read the password in any case from the AD, but to use the code I provided in my answer to validate that what WAS passed is correct. – YavgenyP Jun 08 '12 at 16:11
  • So you suggest passing a plain-text password over HTTPS to the service, and using basic `PrincipalContext.ValidateCredentials` to verify the user name/password are correct with AD? – Sarah Vessels Jun 08 '12 at 16:13
  • If you must use Active Directory it sounds like the simplest solution. You can also encrypt the message itself (using your own encryption / hashing), but I believe HTTPS should be enough – YavgenyP Jun 08 '12 at 16:17
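The approach the answer and its comments converge on (credentials sent over HTTPS, validated server-side with `PrincipalContext.ValidateCredentials`, no password ever read from AD), written out as an added example that is not code from the question or the answer. The handler class `AdAuthHandler`, the domain name `corp.example` and the HTTP Basic transport are assumptions for illustration; the handler refuses to look at credentials on a non-TLS request and rejects an empty password before it reaches the directory.

```csharp
using System;
using System.DirectoryServices.AccountManagement;
using System.Text;
using System.Web;

// Hypothetical IHttpHandler (not from the thread): HTTP Basic credentials arrive over TLS
// and are checked with PrincipalContext.ValidateCredentials; the password is never stored.
public class AdAuthHandler : IHttpHandler
{
    private const string DomainName = "corp.example"; // placeholder, set to your AD domain
    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        HttpResponse resp = context.Response;
        resp.ContentType = "application/json";
        // Refuse to read the Authorization header at all unless the transport is TLS.
        if (!context.Request.IsSecureConnection) { resp.StatusCode = 403; resp.Write("{\"error\":\"https required\"}"); return; }
        string user, password;
        if (!TryParseBasicAuth(context.Request.Headers["Authorization"], out user, out password)
            || !ValidateAgainstAd(user, password))
        {
            resp.StatusCode = 401;
            resp.AddHeader("WWW-Authenticate", "Basic realm=\"mobile-api\"");
            resp.Write("{\"error\":\"unauthorized\"}");
            return;
        }
        resp.Write("{\"user\":\"" + HttpUtility.JavaScriptStringEncode(user) + "\",\"data\":[]}");
    }

    // Decodes "Authorization: Basic base64(user:password)"; false on any malformed input.
    private static bool TryParseBasicAuth(string header, out string user, out string password)
    {
        user = password = null;
        if (header == null || !header.StartsWith("Basic ", StringComparison.OrdinalIgnoreCase)) return false;
        string decoded;
        try { decoded = Encoding.UTF8.GetString(Convert.FromBase64String(header.Substring(6).Trim())); }
        catch (FormatException) { return false; }
        int sep = decoded.IndexOf(':');
        if (sep <= 0) return false;
        user = decoded.Substring(0, sep); password = decoded.Substring(sep + 1);
        return true;
    }

    private static bool ValidateAgainstAd(string user, string password)
    {
        // Reject an empty password here: an LDAP simple bind with an empty password is an
        // unauthenticated bind that can succeed, so never let it reach the directory.
        if (string.IsNullOrEmpty(password)) return false;
        using (var ctx = new PrincipalContext(ContextType.Domain, DomainName))
            return ctx.ValidateCredentials(user, password, ContextOptions.Negotiate);
    }
}
```

The mobile client only ever sends the credentials to this endpoint over HTTPS; the server never needs the stored AD password, it just asks the domain controller whether the pair it was handed is valid.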