authenticating username/password against Active Directory

Discussion in 'ASP .Net Security' started by Boesman, Jan 8, 2007.

  1. Boesman

    Boesman Guest

    Hi,
    I'm working on an intranet asp.net app and at some point a user - other
    than the currently authenticated user - needs to authorise an action,
    like creating a purchase order.
    All usernames/passwords must be authenticated against Active Directory.
    This already works fine for the overall application security as
    specified in IIS (no anonymous access, use Windows integrated security,
    etc).

    My solution is to prompt via a modal browser window for the
    authenticating user's username & password, and then to attempt to
    verify that usn/pwd pair against AD. How on earth do I pass a usn/pwd
    pair to AD and have it verified as valid? I don't need to do anything
    else with this info, i.e. I'm not trying to log this user in or change
    the current security context for the running web application.

    Any advice appreciated.

    Tian
     
    Boesman, Jan 8, 2007
    #1

  2. Joe Kaplan

    Joe Kaplan Guest

    There are a couple of different ways you might do this. The preferred method
    from Microsoft is to use SSPI to verify the credentials. This should be
    doable using the NegotiateStream class in .NET 2.0, but is still a little
    convoluted in my opinion. I believe Dominick has a sample on his blog
    somewhere (www.leastprivilege.org) and probably covers it in his book (I
    just got it over the holidays but haven't actually read it yet :)).

    Another way to do this is with the Win32 LogonUser API. It actually uses
    SSPI under the hood and gives you a real logon token back that you can then
    use for impersonation as well if needed. The user may need rights to log on
    locally, depending on how the function is called, and you will be limited to
    operating systems of XP or higher unless your app runs with SYSTEM
    privileges (not a good idea).

    The other way to do this is with LDAP using an LDAP bind to AD. In .NET you
    can do LDAP with System.DirectoryServices or
    System.DirectoryServices.Protocols if you use .NET 2.0 or higher. If you
    are doing pure authentication, I'd suggest using S.DS.Protocols, as it has
    the potential to scale better and makes the actual bind call more explicit.

    Ch 12 of my book covers LDAP auth (and the other approaches for that matter)
    and has some sample code. You can grab the sample code from the website at
    the link below in VB.NET or C#.

    HTH,

    Joe K.

    --
    Joe Kaplan-MS MVP Directory Services Programming
    Co-author of "The .NET Developer's Guide to Directory Services Programming"
    http://www.directoryprogramming.net
    --
    Joe Kaplan, Jan 8, 2007
    #2
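The LDAP bind and LogonUser approaches from the reply above, as an added example that is not part of the original thread and not the sample code from Joe Kaplan's book. It is C# for a .NET 2.0-or-later ASP.NET app; the server name "corp.example.com" is an assumed placeholder. The empty-password refusal is a precaution added here: on some LDAP servers an empty password turns the bind into an anonymous (unauthenticated) bind that reports success, so the check must never reach the directory with one.

```csharp
using System;
using System.DirectoryServices.Protocols;
using System.Net;
using System.Runtime.InteropServices;

// Added example (not from the original post or book): verify a username/password
// pair against AD without touching the web app's own security context.
public static class CredentialVerifier
{
    // Approach 1: explicit LDAP bind with System.DirectoryServices.Protocols.
    // Returns true only when the DC accepts a bind with exactly these credentials.
    public static bool VerifyByLdapBind(string domain, string userName, string password,
                                        string ldapServer = "corp.example.com") // assumed host
    {
        // Caveat: an empty password can become an anonymous bind that "succeeds".
        if (string.IsNullOrEmpty(userName) || string.IsNullOrEmpty(password))
            return false;

        var identifier = new LdapDirectoryIdentifier(ldapServer, 389);
        var credential = new NetworkCredential(userName, password, domain);

        // Negotiate (Kerberos/NTLM via SSPI) keeps the password off the wire;
        // AuthType.Basic would send it in clear text over port 389.
        using (var connection = new LdapConnection(identifier, credential, AuthType.Negotiate))
        {
            connection.SessionOptions.ProtocolVersion = 3;
            connection.SessionOptions.Signing = true;
            connection.SessionOptions.Sealing = true;
            try
            {
                connection.Bind();   // throws on bad credentials; no search is needed
                return true;
            }
            catch (LdapException ex) when (ex.ErrorCode == 49)   // LDAP invalidCredentials
            {
                return false;
            }
            // Any other LdapException (DC unreachable, etc.) propagates on purpose:
            // "could not verify" must never be reported as "verified".
        }
    }

    // Approach 2: Win32 LogonUser via P/Invoke.
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    private static extern bool LogonUser(string lpszUsername, string lpszDomain,
        string lpszPassword, int dwLogonType, int dwLogonProvider, out IntPtr phToken);

    [DllImport("kernel32.dll", SetLastError = true)]
    private static extern bool CloseHandle(IntPtr hObject);

    private const int LOGON32_LOGON_INTERACTIVE = 2; // needs "Allow log on locally"
    private const int LOGON32_LOGON_NETWORK = 3;     // needs "Access this computer from the network"
    private const int LOGON32_PROVIDER_DEFAULT = 0;
    private const int ERROR_LOGON_FAILURE = 1326;    // bad user name or password

    public static bool VerifyByLogonUser(string domain, string userName, string password)
    {
        if (string.IsNullOrEmpty(userName) || string.IsNullOrEmpty(password))
            return false;

        IntPtr token;
        // A network logon is enough to check the password and avoids the
        // interactive-logon right that LOGON32_LOGON_INTERACTIVE would require.
        bool ok = LogonUser(userName, domain, password, LOGON32_LOGON_NETWORK,
                            LOGON32_PROVIDER_DEFAULT, out token);
        int lastError = Marshal.GetLastWin32Error();
        try
        {
            if (ok) return true;
            if (lastError == ERROR_LOGON_FAILURE) return false;
            // Locked out, expired password, DC unavailable and so on are distinct
            // conditions; surface them rather than reporting "invalid password".
            throw new System.ComponentModel.Win32Exception(lastError);
        }
        finally
        {
            // Only a yes/no answer was wanted: release the logon token at once so
            // it cannot be picked up for impersonation by accident.
            if (token != IntPtr.Zero) CloseHandle(token);
        }
    }
}
```

Two things to add around either call in the purchase-order page: record the authorising account name alongside the order and check that it differs from the currently authenticated user (that was the whole point of the second prompt), and remember that every failed attempt counts against the domain's account-lockout policy, so the prompt should not be retryable without limit.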