We currently store users of our web application in our database, along with hashes/salts of their passwords. The hashes are calculated when the user is created and sets their password and stored in a User table in a database.
我们目前将我们的Web应用程序的用户存储在我们的数据库中,以及密码的哈希/ salt。哈希是在创建用户时计算的,并设置其密码并存储在数据库的User表中。
Some time after the creation of the user account, we may want to create a windows account in our domain, and want to be able to set the domain user's password so that it's the same as the one the user uses to log into the web app. Since we don't save the plain text version of the password, we don't have a way to send it to AD when we created it.
在创建用户帐户后的某个时间,我们可能希望在我们的域中创建一个Windows帐户,并希望能够设置域用户的密码,使其与用户登录Web应用程序时使用的密码相同。由于我们不保存密码的纯文本版本,因此我们无法在创建密码时将其发送到AD。
One way I was thinking about getting around this issue, would be to calculate all the different password hashes that AD uses when the user first sets their password, and then somehow set the records in AD later when we create the user.
我考虑绕过这个问题的一种方法是计算AD在用户第一次设置密码时使用的所有不同密码哈希,然后以某种方式在我们创建用户时在AD中设置记录。
- How would you create the hashes (I think they are MD4, MD5, and DES), using .Net?
- Can you bypass the password creation on UserPrincpal.SetPassword, and make some other call in order to directly set the hashes stored by AD?
你会如何使用.Net创建哈希(我认为它们是MD4,MD5和DES)?
您是否可以绕过UserPrincpal.SetPassword上的密码创建,并进行其他调用以直接设置AD存储的哈希值?
It seems like there should be a way to do this, since MS has tools for sync'ing passwords from AD to Azure users.
似乎应该有办法实现这一点,因为MS具有从AD到Azure用户同步密码的工具。
2 个解决方案
#1
5
Trying to keep an AD password synchronized with a DB password is a bad idea for two reasons:
尝试保持AD密码与数据库密码同步是一个坏主意,原因有两个:
- It's a security weakness (comments have already pointed this out by mentioning salt)
- It's a maintenance problem. A password change initiated by the windows PC would leave the DB password unchanged.
这是一个安全漏洞(评论已经通过提及盐来指出这一点)
这是一个维护问题。由Windows PC启动的密码更改将使DB密码保持不变。
Instead of creating a windows account with the same password, alter your web application's authentication to use both AD authentication and Windows Forms authentication. That way, their AD credentials (if they have them) will superseded the username/password prompt.
不要使用相同的密码创建Windows帐户,而是更改Web应用程序的身份验证以使用AD身份验证和Windows窗体身份验证。这样,他们的AD凭据(如果有的话)将取代用户名/密码提示。
#2
0
Avoiding holding a) an encrypted password you can get cleartext back for, b) a weak hash, are both bad ideas in case the DB is compromised by an internal/external attacker.
避免持有a)加密密码你可以得到明文,b)弱哈希,如果数据库被内部/外部攻击者破坏,这两个都是坏主意。
You could consider a different approach: * create the AD account for the user with a long, random, unknown password. Put an 'ADPasswordLastSet=null' timestamp on the account. * next time that user signs into your web app, after authenticating them, you have the password in the clear so set the AD user's password to the same. Don't forget to update the ADPasswordLastSet flag.
您可以考虑采用不同的方法:*使用长而随机的未知密码为用户创建AD帐户。在帐户上放置“ADPasswordLastSet = null”时间戳。 *下次用户登录您的网络应用程序时,在对其进行身份验证后,您将获得明确的密码,因此请将AD用户的密码设置为相同。不要忘记更新ADPasswordLastSet标志。
You therefore don't have to write the password anywhere if you can set it synchronously.
因此,如果可以同步设置密码,则无需在任何地方写入密码。
One thing to remember: password complexity policies - you want to make sure that the policy present in the UI that the user interacts with has the more stringent policy.
需要记住的一件事是:密码复杂性策略 - 您希望确保用户与之交互的UI中存在的策略具有更严格的策略。
#1
5
Trying to keep an AD password synchronized with a DB password is a bad idea for two reasons:
尝试保持AD密码与数据库密码同步是一个坏主意,原因有两个:
- It's a security weakness (comments have already pointed this out by mentioning salt)
- It's a maintenance problem. A password change initiated by the windows PC would leave the DB password unchanged.
这是一个安全漏洞(评论已经通过提及盐来指出这一点)
这是一个维护问题。由Windows PC启动的密码更改将使DB密码保持不变。
Instead of creating a windows account with the same password, alter your web application's authentication to use both AD authentication and Windows Forms authentication. That way, their AD credentials (if they have them) will superseded the username/password prompt.
不要使用相同的密码创建Windows帐户,而是更改Web应用程序的身份验证以使用AD身份验证和Windows窗体身份验证。这样,他们的AD凭据(如果有的话)将取代用户名/密码提示。
#2
0
Avoiding holding a) an encrypted password you can get cleartext back for, b) a weak hash, are both bad ideas in case the DB is compromised by an internal/external attacker.
避免持有a)加密密码你可以得到明文,b)弱哈希,如果数据库被内部/外部攻击者破坏,这两个都是坏主意。
You could consider a different approach: * create the AD account for the user with a long, random, unknown password. Put an 'ADPasswordLastSet=null' timestamp on the account. * next time that user signs into your web app, after authenticating them, you have the password in the clear so set the AD user's password to the same. Don't forget to update the ADPasswordLastSet flag.
您可以考虑采用不同的方法:*使用长而随机的未知密码为用户创建AD帐户。在帐户上放置“ADPasswordLastSet = null”时间戳。 *下次用户登录您的网络应用程序时,在对其进行身份验证后,您将获得明确的密码,因此请将AD用户的密码设置为相同。不要忘记更新ADPasswordLastSet标志。
You therefore don't have to write the password anywhere if you can set it synchronously.
因此,如果可以同步设置密码,则无需在任何地方写入密码。
One thing to remember: password complexity policies - you want to make sure that the policy present in the UI that the user interacts with has the more stringent policy.
需要记住的一件事是:密码复杂性策略 - 您希望确保用户与之交互的UI中存在的策略具有更严格的策略。