
My current application uses the PrincipalContext class to authenticate a default user (filled in in the dedicated Web.config section) against an LDAP directory (more precisely an Active Directory):

// Explicit simple bind with the service account stored in Web.config
ldapContext = new PrincipalContext(AdContextType, AdHost, AdContainer,
                                   ContextOptions.SimpleBind,
                                   AdDefaultUser, AdDefaultPassword);

This authentication then allows searching for any other user (via UserPrincipal.FindByIdentity(ldapContext, username)). BUT I have to change this, since having a user in clear in the Web.config is not acceptable for my client. OK, I can understand that :-))

So I have several solutions:

  • manage to encrypt the corresponding part of the Web.config (the membership part, with providers, etc.)

  • use the account of the application pool of the IIS 7 on which the application is deployed. This implies retrieving a Principal from IIS (I guess this point should not be so hard), then using it for authentication against the AD; but I could not find any method for that, neither via the PrincipalContext class nor via the ActiveDirectoryMembershipProvider one.

Do you know how to manage either of these 2 solutions, or can you think of any other?

Thanks a lot!!

Emmanuel

1 Answer

I think the username is not your problem, more the password? As far as I can tell the second solution won't work. There is no way that I know of to do this.

For the first solution you can encrypt the username and the password and store the encrypted values in a string. After loading you will need to decrypt the strings. But your solution will not be safe against disassembly.

You should also think about whether you need a high security implementation; then you may store the encryption key in a secure store. Then you will be safer against disassembly.

sra
  • Indeed, the problem is the password: I guess there is no way to get the password from a Principal (basic security). Ok, I'll have a look at encryption. – Emmanuel May 11 '11 at 07:17
  • Ok, thanks! A good way to encrypt is via an IIS tool which is well described in [this other SO subject](http://stackoverflow.com/questions/134658/problem-encrypting-membership-element-in-web-config). – Emmanuel May 11 '11 at 14:10
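The first option discussed above (protecting the Web.config section instead of keeping the bind password in clear), as an added example that is not code from the question or the answer. It assumes the credentials live in appSettings keys named AdHost, AdContainer, AdDefaultUser and AdDefaultPassword (hypothetical names) and that the application runs under ASP.NET, which decrypts protected sections transparently at load time.

```csharp
using System;
using System.Configuration;
using System.DirectoryServices.AccountManagement;
using System.Web.Configuration;

public static class ProtectedAdConfig
{
    // Encrypts one Web.config section in place with the machine-scoped DPAPI
    // provider (the same thing "aspnet_regiis -pe" does). Run once at deploy
    // time under an account allowed to write Web.config; idempotent.
    public static void ProtectSection(string virtualPath, string sectionName)
    {
        Configuration config = WebConfigurationManager.OpenWebConfiguration(virtualPath);
        ConfigurationSection section = config.GetSection(sectionName);
        if (section == null || section.SectionInformation.IsProtected)
            return;
        section.SectionInformation.ProtectSection("DataProtectionConfigurationProvider");
        config.Save(ConfigurationSaveMode.Modified);
    }

    // Builds the LDAP context from the settings. Because ASP.NET decrypts the
    // protected section when the configuration is loaded, this code is the same
    // before and after ProtectSection; only the on-disk file changes.
    public static PrincipalContext OpenContext()
    {
        string host      = ConfigurationManager.AppSettings["AdHost"];
        string container = ConfigurationManager.AppSettings["AdContainer"];
        string user      = ConfigurationManager.AppSettings["AdDefaultUser"];
        string password  = ConfigurationManager.AppSettings["AdDefaultPassword"];

        // SimpleBind sends the password to the domain controller in clear text
        // unless the connection is wrapped in SSL, so request LDAPS as well;
        // encrypting the file buys nothing if the bind itself leaks the secret.
        return new PrincipalContext(ContextType.Domain, host, container,
                                    ContextOptions.SimpleBind | ContextOptions.SecureSocketLayer,
                                    user, password);
    }

    // Example deploy-time call (hypothetical application path and section):
    //   ProtectedAdConfig.ProtectSection("/MyApp", "appSettings");
}
```

Machine-scoped DPAPI only binds the secret to that server: the file is useless when copied elsewhere, but any process on the same host can decrypt it, so the NTFS ACL on Web.config still matters. For a web farm the RsaProtectedConfigurationProvider with an exported key container is the usual choice instead.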