ASP.NET windows authetication

[Andy]

Traditionally, I've used windows authentication with a web server on an
Active directory domain. IIS authenticated users on AD. However to do this,
a window popped up and users entered information in that.

However, I'd like to instead make an asp.net form that authenticated via
windows authentication.

The reason why is I need to allow windows authentication as well as
authentication where the username is actually an e-mail address, but i don't
want to have two seperate forms to do this.

Is this possible?

If so, anyone know some good examples on the web? VB or C#, doesn't matter
which.

 

[Paul Clement]

¤ Traditionally, I've used windows authentication with a web server on an
¤ Active directory domain. IIS authenticated users on AD. However to do this,
¤ a window popped up and users entered information in that.
¤
¤ However, I'd like to instead make an asp.net form that authenticated via
¤ windows authentication.
¤
¤ The reason why is I need to allow windows authentication as well as
¤ authentication where the username is actually an e-mail address, but i don't
¤ want to have two seperate forms to do this.
¤
¤ Is this possible?
¤
¤ If so, anyone know some good examples on the web? VB or C#, doesn't matter
¤ which.

I think you're going to have to make a choice as to whether to use Windows authentication or Forms
based authentication. If using the email address as the account ID is a requirement then you're
likely to exceed the maximum characters allowed for an AD account.

With Forms based authentication you can use a database (such as SQL Server) instead for maintaining
authentication credentials.

http://support.microsoft.com/default.aspx?scid=kb;en-us;308157


Paul ~~~ (e-mail address removed)
Microsoft MVP (Visual Basic)

 

[Andy]

Using only forms authentication with e-mail addresses won't be possible. I
have to authenticate users in AD with AD.

I'm going to have a process that checks if the username is in email format
before it checks AD authentication. Then I'll do a simple query to see if
their username is in AD.

Assuming I use the forms authentication, can I still authenticate against AD?

 

[Hernan de Lahitte]

There are many sources from where to look for this topic. One classic is
this:

How To: Use Forms Authentication with Active Directory
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/secnetlpMSDN.asp

Hernan de Lahitte
http://weblogs.asp.net/hernandl

 

[Paul Clement]

¤ Using only forms authentication with e-mail addresses won't be possible. I
¤ have to authenticate users in AD with AD.
¤
¤ I'm going to have a process that checks if the username is in email format
¤ before it checks AD authentication. Then I'll do a simple query to see if
¤ their username is in AD.
¤
¤ Assuming I use the forms authentication, can I still authenticate against AD?

I don't believe that you can authenticate with Active Directory using an email address - certainly
not if the email addresses have domain names that are different than the domain you are attempting
to authenticate against.


Paul ~~~ (e-mail address removed)
Microsoft MVP (Visual Basic)

 

[Andy]

Not quite.
Users who don't enter an e-mail address would authenticate with aciive
directory.
User who do enter an e-mail address would authenticate with an access
database (I already know about hasing passwords)

 

[Paul Clement]

¤ Not quite.
¤ Users who don't enter an e-mail address would authenticate with aciive
¤ directory.
¤ User who do enter an e-mail address would authenticate with an access
¤ database (I already know about hasing passwords)
¤

You will have to use Forms Authentication for both and then choose windows or database
authentication based upon the account ID they enter.

Authenticating against the database is relatively easy. Authenticating against AD might require a
bit more effort. What you will probably need to do is call the LogonUser API function call. There is
an example in the article below. You don't need to implement the impersonation code, just call
LogonUser with the supplied credentials.

How to implement impersonation in an ASP.NET application
http://support.microsoft.com/kb/306158/EN-US/

There is another method that uses DirectoryServices, however I'm somewhat dubious about the solution
since Microsoft has indicated in the past that ADSI and DirectoryServices were not designed for
authentication.

HOW TO: Authenticate against the Active Directory by Using Forms Authentication and Visual Basic
..NET
http://support.microsoft.com/?id=326340


Paul ~~~ (e-mail address removed)
Microsoft MVP (Visual Basic)