I am working with the IT programmers on a .NET/SQL Server 2005 (I think - could be 2000)/Win2000 Server and the suggestion on a web app is to use Windows Authentication rather than some homegrown ad hoc login/password. The response to this was a concern that using the windows network id/login would be a security risk as the IT guys here could access one's network login.
The current system they have devised uses an initial password that the user must immediately replace with some other password, so I guess what they're doing is storing the actual password locally on the server in readable form, which doesn't strike me as a good idea...
My understanding of Windows Authentication is that the network login ID and password are authenticated over the network, and this means the only thing potentially stored locally would be the network login, not the password. Is this true? IOW, does Windows Authentication mean the network login is verified 'on the fly' and does not need to be stored? If so, I would think this is a better bet overall vis-à-vis the current password strategy being deployed.
FWIW, the reason a login is required for our local portal is to enable security across the board in terms of screens available, info viewable etc. so there's a good buy-in to setting up password stuff. If the current strategy is used, this will mean a bit of work on our end to create login accounts etc. & I'm trying to find a solution that takes advantage of the fact that there is already a login system via the Windows network.
I don't know much about this really, except I've run a few projects (IIS/ASP Classic to limit access to a webpage, and Access with VBA to sniff a network login to limit access to parts of the Access app) that did what I wanted and in no case required storing the network login locally. So, if you've got some good info on the subject, please let me know.
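For reference, here is what the Windows Authentication setup described above looks like in an ASP.NET 2.0 web.config. This is an added example, not code from the original post or from the poster's project; the domain name `CORP`, the group `CORP\PortalAdmins` and the `Admin` folder are assumptions. With `mode="Windows"`, IIS (with Integrated Windows Authentication enabled on the site) verifies the user's NTLM or Kerberos credentials against the domain controller; the application receives only the verified identity and group memberships, and no password is ever stored on the web server.

```xml
<?xml version="1.0"?>
<configuration>
  <system.web>
    <!-- IIS verifies the NTLM/Kerberos credentials against the domain.
         The application never sees or stores the user's password. -->
    <authentication mode="Windows" />

    <!-- Run under the worker process account; do not impersonate the
         visiting user when opening the SQL Server connection. -->
    <identity impersonate="false" />

    <!-- Deny the anonymous user ("?") everywhere, so every request must
         carry a verified domain identity. -->
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>

  <!-- Screen-level access: only members of the (assumed) domain group
       may reach pages under the Admin folder. Membership is read from the
       Windows token at request time, not from a local account table. -->
  <location path="Admin">
    <system.web>
      <authorization>
        <allow roles="CORP\PortalAdmins" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

In page code, `Page.User.Identity.Name` then returns the verified `DOMAIN\username` and `Page.User.IsInRole(@"CORP\PortalAdmins")` answers group membership, which is all the portal needs to decide which screens and data to show. Because `impersonate` is false, the SQL Server connection runs as the worker process account (or a dedicated service account), so per-user database credentials need not exist on the web server either.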