I am developing an application where the security requirements for data transferred and access are fairly high. As I understand, Windows authentication is the preferred method for TCP over an intranet.
How do you deal with situations where Domains are not used and only simple workgroups are available? (Some customers will not be using domains to manage the networks).
Is using the interactive clients details (currently logged in user) enough, or should I get them to separately re-enter their username and/or password, as otherwise aren’t I leaving security up to the network administrator to make sure they have an appropriate policy (ie. the computer is locked after a period of time)? This is particularly important as I know some of the users are prone to leaving their computers logged in, so how do I ensure that the account owner is the actual user?
If so, whats the point of using Windows authentication over say username/password authentication if they are just re-entering their authentication details?
Thanks
The point of using Windows authentication is to have a centralized directory for network objects management. If you have workgroups I say you better go with another technology, maybe membership provider and role provider.
This article talks about the cons of doing something like this.