ASP.net & Win32 API (LogonUser) question...

Discussion in 'ASP .Net Security' started by Rich, Nov 2, 2004.

  1. Rich

    Rich Guest

    I am running IIS6 on a Win2k3 server.

    I have an ASP.Net app (C#) that a user logs into and then I use
    LogonUser to validate them and log them onto the server. I have
    Windows Authentication ONLY checked on the site in IIS.

    My problem is that eventhough I am using LogonUser to log on to the
    server as the user, I am still getting the Windows Authentication
    Challenge (login window).

    There are groups/users setup on the server for this app, so I don't
    want to turn windows auth off because I am afraid my LogonUser usage
    is only seeing if they have access to the server not to that
    particular file.

    Am I missing something? I was hoping LogonUser would act as if the
    user had entered their own info into the windows challenge login
    window.

    I plan use forms auth to keep track of session later on, so right now
    I have my web.config setup as:
    <authentication mode="Forms">
    <forms name="frmLogin" loginUrl="login.aspx"></forms>
    </authentication>
    <identity impersonate="True"/>

    Here is most of my C# code:
    [DllImport("advapi32.dll", CharSet=CharSet.Auto)]
    public static extern int LogonUser(String lpszUserName,
    String lpszDomain,
    String lpszPassword,
    int dwLogonType,
    int dwLogonProvider,
    ref IntPtr phToken);

    [DllImport("ADVAPI32.DLL")]
    public static extern int RevertToSelf();

    [DllImport("ADVAPI32.DLL")]
    public static extern int ImpersonateLoggedOnUser(IntPtr phToken);
    IntPtr tok = IntPtr.Zero;

    private void btnLogin_Click(object sender, System.EventArgs e)
    {
    if(impersonateValidUser (txtUser.Text
    , "cgi.securenet01.com",
    txtPassword.Text))
    { Response.Redirect("reportLogin.aspx");
    undoImpersonation();
    }
    else { lblError.Text="Login Failed"; }
    }
    public void undoImpersonation()
    { RevertToSelf(); }
    public Boolean impersonateValidUser(String name
    , String domain, String
    passwd)
    {
    const int LOGON32_LOGON_INTERACTIVE = 2;
    const int LOGON32_PROVIDER_DEFAULT = 0;
    int result = LogonUser(name, domain, passwd,
    LOGON32_LOGON_INTERACTIVE,
    LOGON32_PROVIDER_DEFAULT,
    ref tok);
    if(result!= 0)
    { int result1 = ImpersonateLoggedOnUser(tok);
    if(result1 != 0) { return true; }
    else { return false; }
    }
    else { return false; }
    }

    Any help is appreciated....
    Rich, Nov 2, 2004
    #1
    1. Advertising

  2. Rich

    Scott Allen Guest

    Hi Rich:

    I'm a little confused. You want to use Windows authentication but you
    have the web.config setup for Forms authentication? Forms auth will
    always force the browser to prompt the user to login. This setting in
    web.config will trump the IIS setting.

    I think you want to change the web.config to Windows authentication
    only and deny anonymous access. Once you do this there is no need to
    use LogonUser, you can have the impersonate="True" in the web config
    and the request will access local resources using the client's
    identity. If the client is not in a group allowed to see a particular
    file the server will deny authorization.

    Tracking the user's session is a different issue and independent of
    how the app authenticates and authorizes the user. You can still have
    session state without forms authentication.

    Making sense?

    --
    Scott
    http://www.OdeToCode.com/blogs/scott/

    On 1 Nov 2004 17:06:19 -0800, (Rich) wrote:

    >I am running IIS6 on a Win2k3 server.
    >
    >I have an ASP.Net app (C#) that a user logs into and then I use
    >LogonUser to validate them and log them onto the server. I have
    >Windows Authentication ONLY checked on the site in IIS.
    >
    >My problem is that eventhough I am using LogonUser to log on to the
    >server as the user, I am still getting the Windows Authentication
    >Challenge (login window).
    >
    >There are groups/users setup on the server for this app, so I don't
    >want to turn windows auth off because I am afraid my LogonUser usage
    >is only seeing if they have access to the server not to that
    >particular file.
    >
    >Am I missing something? I was hoping LogonUser would act as if the
    >user had entered their own info into the windows challenge login
    >window.
    >
    >I plan use forms auth to keep track of session later on, so right now
    >I have my web.config setup as:
    ><authentication mode="Forms">
    > <forms name="frmLogin" loginUrl="login.aspx"></forms>
    ></authentication>
    ><identity impersonate="True"/>
    >
    >Here is most of my C# code:
    > [DllImport("advapi32.dll", CharSet=CharSet.Auto)]
    > public static extern int LogonUser(String lpszUserName,
    > String lpszDomain,
    > String lpszPassword,
    > int dwLogonType,
    > int dwLogonProvider,
    > ref IntPtr phToken);
    >
    > [DllImport("ADVAPI32.DLL")]
    > public static extern int RevertToSelf();
    >
    > [DllImport("ADVAPI32.DLL")]
    > public static extern int ImpersonateLoggedOnUser(IntPtr phToken);
    > IntPtr tok = IntPtr.Zero;
    >
    > private void btnLogin_Click(object sender, System.EventArgs e)
    > {
    > if(impersonateValidUser (txtUser.Text
    > , "cgi.securenet01.com",
    >txtPassword.Text))
    > { Response.Redirect("reportLogin.aspx");
    > undoImpersonation();
    > }
    > else { lblError.Text="Login Failed"; }
    > }
    > public void undoImpersonation()
    > { RevertToSelf(); }
    > public Boolean impersonateValidUser(String name
    > , String domain, String
    >passwd)
    > {
    > const int LOGON32_LOGON_INTERACTIVE = 2;
    > const int LOGON32_PROVIDER_DEFAULT = 0;
    > int result = LogonUser(name, domain, passwd,
    > LOGON32_LOGON_INTERACTIVE,
    > LOGON32_PROVIDER_DEFAULT,
    > ref tok);
    > if(result!= 0)
    > { int result1 = ImpersonateLoggedOnUser(tok);
    > if(result1 != 0) { return true; }
    > else { return false; }
    > }
    > else { return false; }
    > }
    >
    >Any help is appreciated....
    Scott Allen, Nov 2, 2004
    #2
    1. Advertising

  3. Rich

    Rich Guest

    Hi Scott,

    Thanks for the response. I have tried this as well:
    <authentication mode="Windows"></authentication>
    <identity impersonate="True"/>

    I still only have Windows Auth checked in IIS and I still get
    Challenged eventhough I am using LogonUser to login the user to the
    server.

    Any other ideas?

    When I mentioned using both Windows Auth (IIS) & Forms Auth (Asp.net)
    I was trying to follow this example.
    http://www.dotnetbips.com/displayarticle.aspx?id=201

    However, really my main goal is to login the user without getting the
    windows challenge, but to log them in manually so that they don't have
    to close the browser in order to sign in as a different user. Also I
    still want to retain the Windows Auth to check each file that is
    requested is being used by a valid user/group on the server.

    Thanks again...


    Scott Allen <bitmask@[nospam].fred.net> wrote in message news:<>...
    > Hi Rich:
    >
    > I'm a little confused. You want to use Windows authentication but you
    > have the web.config setup for Forms authentication? Forms auth will
    > always force the browser to prompt the user to login. This setting in
    > web.config will trump the IIS setting.
    >
    > I think you want to change the web.config to Windows authentication
    > only and deny anonymous access. Once you do this there is no need to
    > use LogonUser, you can have the impersonate="True" in the web config
    > and the request will access local resources using the client's
    > identity. If the client is not in a group allowed to see a particular
    > file the server will deny authorization.
    >
    > Tracking the user's session is a different issue and independent of
    > how the app authenticates and authorizes the user. You can still have
    > session state without forms authentication.
    >
    > Making sense?
    >
    > --
    > Scott
    > http://www.OdeToCode.com/blogs/scott/
    >
    Rich, Nov 2, 2004
    #3
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. Rich
    Replies:
    1
    Views:
    8,051
    Scott Allen
    Nov 2, 2004
  2. =?Utf-8?B?VmlrcmFt?=

    Alternate to Logonuser API

    =?Utf-8?B?VmlrcmFt?=, Sep 26, 2007, in forum: ASP .Net
    Replies:
    1
    Views:
    428
    Michael Nemtsev, MVP
    Sep 26, 2007
  3. Gabriel

    LogonUser API Help

    Gabriel, Dec 30, 2003, in forum: ASP .Net Security
    Replies:
    2
    Views:
    290
    Gabriel
    Jan 2, 2004
  4. nilapenn
    Replies:
    3
    Views:
    604
    Joe Kaplan \(MVP - ADSI\)
    Feb 14, 2005
  5. Ken Varn

    Security permissions for Win32 LogonUser call.

    Ken Varn, Mar 28, 2005, in forum: ASP .Net Security
    Replies:
    4
    Views:
    254
    Dominick Baier [DevelopMentor]
    Mar 31, 2005
Loading...

Share This Page