Basic Authentication/Custom Login page

Discussion in 'ASP .Net Security' started by mike, Sep 14, 2005.

  1. mike

    mike Guest

    Hello.

    I'm creating a site that has basic authentication. Is it possible to have a
    custom login page display instead of the Windows login page?

    Thanks in advance,

    Mike
     
    mike, Sep 14, 2005
    #1

  2. mike

    WJ Guest

    Form Authentication will serve your purpose as this requires Anonymous
    instead of Basic. Keep in mind that Basic Auth. does not protect your
    system.

    John
     
    WJ, Sep 14, 2005
    #2

  3. Hello WJ,

    what do you mean by "does not protect your system"?? can you elaborate?

    it is all a matter of where you store your user accounts, if you store them
    in some windows backed store (LSA, Domain) then you have to resort to some
    IIS authentication. And basic is the one with the broadest compatibility.
    Of course, keep in mind that basic auth transmits the password in clear text,
    so you HAVE to layer SSL of basic auth.

    One gotcha is, that you have to live with the window login dialog - i can
    give you code to do that, if you really want to go this route. But this would
    mean that you have to do auth yourself.

    Another option is to use Forms Authentication, typically with user accounts
    stored in a database. This allows out of the box to provide your own login
    UI - again you have to do auth yourself.

    maybe this clears it up a little bit. feel free to ask.

    ---------------------------------------
    Dominick Baier - DevelopMentor
    http://www.leastprivilege.com
     
    Dominick Baier [DevelopMentor], Sep 14, 2005
    #3
  4. mike

    mike Guest

    Hi, Dominick.

    The application is intended for our salesmen, and they are domain users, and
    therefore I would like to use the WindowsPrincipal object instead of
    GenericPrincipal, for purposes of delegation.

    Although Basic Auth would only "natively" give me a one-hop delegate, I
    would still like to have IIS authenticate against Active Directory.

    Of course, if one of the "higher-ups" insists on a friendly-looking sign-in
    page, then Forms Authentication will be the way.

    Mike
     
    mike, Sep 15, 2005
    #4
  5. mike

    mike Guest

    So I guess the answer is "No"?
     
    mike, Sep 15, 2005
    #5
  6. Hello Mike,

    a) you can get rid of the windows dialog, even with basic - but that means
    calling LogonUser to authenticate against AD, which would also give you a
    token to construct a WindowsPrincipal for "delegation"

    b) in theory you can also use integrated and configure IE to send credentials
    automatically (theory=users must be logged onto the domain - keep alives
    have to be enabled between web server and client)



    ---------------------------------------
    Dominick Baier - DevelopMentor
    http://www.leastprivilege.com
     
    Dominick Baier [DevelopMentor], Sep 15, 2005
    #6
  7. mike

    mike Guest

    Hi, Dominick. Thanks for responding.

    You said that I "can get rid of the windows dialog, even with basic", my
    question is "How"?

    Thanks again,

    Mike
     
    mike, Sep 15, 2005
    #7
  8. Hello Mike,

    well - there are some steps necessary

    a) enable anonymous again
    b) enable forms auth
    c) validate the user against AD (e.g. using LogonUser) in your logon page
    d) issue the auth cookie yourself - remember the user password somehow
    e) Handle Authenticate_Request or FormsAuthentication_Authenticate (not sure
    which one is better) - call LogonUser to get a token, wrap the token in a
    WindowsIdentity, wrap WindowsIdentity with WindowsPrincipal, replace Context.User

    that should work.

    ---------------------------------------
    Dominick Baier - DevelopMentor
    http://www.leastprivilege.com
     
    Dominick Baier [DevelopMentor], Sep 15, 2005
    #8
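
The steps listed in post #8, sketched as an added example (not code from the thread or from any poster). It substitutes one thing: instead of remembering the password and calling LogonUser on every request, it caches the WindowsIdentity obtained at login on the server and looks it up by the name in the forms ticket. `AdLogon`, `SignIn`, `Lookup`, `Global_asax` and the `winid:` cache key are hypothetical names, and the 20-minute idle timeout is an assumed value.

```vbnet
Imports System
Imports System.Runtime.InteropServices
Imports System.Security.Principal
Imports System.Web
Imports System.Web.Caching
Imports System.Web.Security

' Added example; AdLogon, SignIn, Lookup and the "winid:" cache key are hypothetical names.
Public NotInheritable Class AdLogon
    ' Logon type 8 keeps the credentials in the logon session, so the token can
    ' reach one further server while impersonating.
    Private Const LOGON32_LOGON_NETWORK_CLEARTEXT As Integer = 8
    Private Const LOGON32_PROVIDER_DEFAULT As Integer = 0
    Private Shared ReadOnly IdleTimeout As TimeSpan = TimeSpan.FromMinutes(20) ' assumed value

    <DllImport("advapi32.dll", SetLastError:=True, CharSet:=CharSet.Unicode)> _
    Private Shared Function LogonUser(ByVal user As String, ByVal domain As String, _
            ByVal password As String, ByVal logonType As Integer, _
            ByVal logonProvider As Integer, ByRef token As IntPtr) As Boolean
    End Function

    <DllImport("kernel32.dll", SetLastError:=True)> _
    Private Shared Function CloseHandle(ByVal handle As IntPtr) As Boolean
    End Function

    Private Sub New()
    End Sub

    ' Validate against AD and issue the auth cookie. Call this from the login
    ' page's submit handler; returns False on bad credentials so the page can
    ' show one generic failure message.
    Public Shared Function SignIn(ByVal user As String, ByVal domain As String, _
            ByVal password As String) As Boolean
        Dim token As IntPtr = IntPtr.Zero
        If Not LogonUser(user, domain, password, LOGON32_LOGON_NETWORK_CLEARTEXT, _
                         LOGON32_PROVIDER_DEFAULT, token) Then
            ' Keep the Win32 code in the server-side trace only.
            Dim win32 As Integer = Marshal.GetLastWin32Error()
            System.Diagnostics.Trace.WriteLine("LogonUser failed, Win32 error " & win32)
            Return False
        End If
        Try
            ' WindowsIdentity duplicates the handle, so ours is closed in Finally.
            Dim identity As New WindowsIdentity(token)
            HttpRuntime.Cache.Insert(CacheKey(identity.Name), identity, Nothing, _
                                     Cache.NoAbsoluteExpiration, IdleTimeout)
            ' The ticket carries only the DOMAIN\user name, never the password.
            FormsAuthentication.SetAuthCookie(identity.Name, False)
        Finally
            CloseHandle(token)
        End Try
        Return True
    End Function

    ' Returns the cached identity for a ticket name, or Nothing if it is gone.
    Public Shared Function Lookup(ByVal ticketName As String) As WindowsIdentity
        Return TryCast(HttpRuntime.Cache(CacheKey(ticketName)), WindowsIdentity)
    End Function

    Private Shared Function CacheKey(ByVal name As String) As String
        Return "winid:" & name.ToLowerInvariant()
    End Function
End Class

' Code-behind for Global.asax (hypothetical class name).
Public Class Global_asax
    Inherits HttpApplication

    ' Replace the forms principal with a WindowsPrincipal on every request.
    Protected Sub Application_AuthenticateRequest(ByVal sender As Object, ByVal e As EventArgs)
        Dim current As IPrincipal = Context.User
        If current Is Nothing OrElse Not TypeOf current.Identity Is FormsIdentity Then
            Return ' anonymous request, e.g. the login page itself
        End If

        Dim windowsId As WindowsIdentity = AdLogon.Lookup(current.Identity.Name)
        If windowsId Is Nothing Then
            ' Cache entry expired or the application restarted: force a fresh logon
            ' rather than trusting the ticket without a Windows token behind it.
            FormsAuthentication.SignOut()
            FormsAuthentication.RedirectToLoginPage()
            CompleteRequest()
            Return
        End If

        Context.User = New WindowsPrincipal(windowsId)
    End Sub
End Class
```

IIS is set to Anonymous and web.config to forms authentication for this to run; setting `requireSSL="true"` on the `<forms>` element keeps the ticket cookie off plain HTTP, which matters because anyone holding the ticket is mapped to the cached Windows identity.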
  9. mike

    mike Guest

    Hi, Dominick.

    Ok, I thought you were saying that I can enable Basic in IIS and override
    the window that the browser displays.

    I was trying to avoid the steps that you listed, but thanks for listing
    them. I'll probably wind up needing that info.

    Thanks again,

    Mike
     
    mike, Sep 15, 2005
    #9
  10. Hello WJ,

    so FormsAuth needs SSL too - does that mean it does not protect my system
    ?? :)

    btw - Basic Auth is probably supported on every browser on this planet

    ---------------------------------------
    Dominick Baier - DevelopMentor
    http://www.leastprivilege.com

    > "mike" <> wrote in message
    > news:%...
    >
    >> So I guess the answer is "No"?
    >>

    > Right. As these are Windows only. You do not want to implement Basic
    > because it is vulnerable unless it is SSL enabled.
    >
    > FormAuth is the appropriate way. It also can run on multiple platforms
    > and or Browsers.
    >
    > John
    >
     
    Dominick Baier [DevelopMentor], Sep 15, 2005
    #10
  11. mike

    WJ Guest

    "mike" <> wrote in message
    news:%...
    > So I guess the answer is "No"?
    >


    Right. As these are Windows only. You do not want to implement Basic because
    it is vulnerable unless it is SSL enabled.

    FormAuth is the appropriate way. It also can run on multiple platforms and
    or Browsers.

    John
     
    WJ, Sep 15, 2005
    #11
  12. mike

    WJ Guest

    "Dominick Baier [DevelopMentor]" <>
    wrote in message news:...
    > Hello WJ,
    >
    > what do you mean by "does not protect your system"?? can you elaborate?
    >


    You already said it. Because Basic Auth. method does not encrypt your
    credential, therefore it is not suitable over the internet unless it is
    protected by SSL.

    John
     
    WJ, Sep 15, 2005
    #12
  13. mike

    Paul Clement Guest

    On Thu, 15 Sep 2005 08:15:19 -0400, "mike" <> wrote:

    ¤ So I guess the answer is "No"?
    ¤

    Correct. In order to use your own custom login form you need to *start* w/Anonymous authentication.


    Paul
    ~~~~
    Microsoft MVP (Visual Basic)
     
    Paul Clement, Sep 15, 2005
    #13
  14. mike

    WJ Guest

    "Dominick Baier [DevelopMentor]" <>
    wrote in message news:...
    > Hello WJ,
    >
    > so FormsAuth needs SSL too - does that mean it does not protect my system
    > ?? :)
    > btw - Basic Auth is probably supported on every browser on this planet
    >


    It depends on the following factors:

    1. If your web site accepts sensitive data such as Credit Card, then SSL is
    a must regardless of methods of authentication you implement on your server.

    2. Use application role. If your users just need to come to your sites and
    do a few things and get out, then it makes sense not to grant them Windows
    Access. What I mean is once the user exits your application(s), that
    application credential would be useless.

    In short, I do not feel very comfortable in authenticating users to my
    Operating system Domain over the internet. It is a high-risk. For intranet,
    it is OK. So, Form. Auth. is a neutral ground for internet applications.

    John
     
    WJ, Sep 15, 2005
    #14
  15. Hello WJ,

    FormsAuth ALWAYS needs SSL -

    a) i want server authentication before i type in my credentials somewhere
    b) the login form POST is clear text
    c) auth cookie can only be protected by SSL from forging, sniffing, hijacking.

    Basic Auth always needs SSL -

    i share the same gut feeling with you - but technically it only depends if
    your users are stored in some kind of windows store - or not.
    ---------------------------------------
    Dominick Baier - DevelopMentor
    http://www.leastprivilege.com
     
    Dominick Baier [DevelopMentor], Sep 15, 2005
    #15
  16. mike

    mike Guest

    Hi again, Dominick.

    Maybe you can help. After calling LogonUser I try to retrieve the roles of
    the user and GetLastError issues error #5: Access Denied. I'm also getting
    error code 0 and the message (from the exception) : "An operations error
    occurred".

    After LogonUser is called I can see from the Security log that the user is
    logged on.

    Here's the code:


    ' At the top of the file:
    Imports System.DirectoryServices
    Imports System.Text

    ' _path and _filterAttribute are class fields set elsewhere (not shown).
    Public Function GetGroups() As String
        Dim lasterror As Integer
        Dim search As DirectorySearcher = New DirectorySearcher(_path)
        ' _filterAttribute is concatenated into the LDAP filter without escaping.
        search.Filter = "(cn=" + _filterAttribute + ")"
        search.PropertiesToLoad.Add("memberOf")
        Dim groupNames As StringBuilder = New StringBuilder
        Try
            Dim result As SearchResult = search.FindOne
            Dim propertyCount As Integer
            propertyCount = result.Properties("memberOf").Count
            Dim dn As String
            Dim equalsIndex As Integer
            Dim commaIndex As Integer
            Dim propertyCounter As Integer
            For propertyCounter = 0 To propertyCount - 1
                ' Each memberOf value is a distinguished name; keep the value
                ' between the first "=" and the first ",".
                dn = CStr(result.Properties("memberOf")(propertyCounter))
                equalsIndex = dn.IndexOf("=", 1)
                commaIndex = dn.IndexOf(",", 1)
                If equalsIndex = -1 Then
                    ' vbNull is a numeric constant, not a null String reference.
                    Return Nothing
                End If
                groupNames.Append(dn.Substring((equalsIndex + 1), commaIndex - equalsIndex - 1))
                groupNames.Append("|")
            Next
        Catch ex As Exception
            lasterror = GetLastError()
            Throw New Exception("Error obtaining group names. " + ex.Message + ", last error code was: " + lasterror.ToString)
        End Try
        ' Pipe-separated list of group names.
        Return groupNames.ToString
    End Function

    Any ideas?

    Thanks - Mike
     
    mike, Sep 16, 2005
    #16
  17. mike

    mike Guest

    I forgot to mention that it bombs on the FindOne method.


    "Dominick Baier [DevelopMentor]" <>
    wrote in message news:...
    > Hello Mike,
    >
    > well - there are some steps necessary
    >
    > a) enable anonymous again
    > b) enable forms auth
    > c) validate the user against AD (e.g. using LogonUser) in your logon page
    > d) issue the auth cookie yourself - remember the user password somehow
    > d) Handle Authenticate_Request or FormsAuthentication_Authenticate (not
    > sure which one is better) - call LogonUser to get a token, wrap the token
    > in a WindowsIdentity, wrap WindowsIdentity with WindowsPrincipal, replace
    > Context.User
    >
    > that should work.
    >
    > ---------------------------------------
    > Dominick Baier - DevelopMentor
    > http://www.leastprivilege.com
    >
    >> HI, Dominick. Thanks for responding.
    >>
    >> You said that I "can get rid of the windows dialog, even with basic",
    >> my question is "How"?
    >>
    >> Thanks again,
    >>
    >> Mike
    >>
    >> "Dominick Baier [DevelopMentor]"
    >> <> wrote in message
    >> news:...
    >>
    >>> Hello Mike,
    >>>
    >>> a) you can get rid of the windows dialog, even with basic - but that
    >>> means calling LogonUser to authenticate against AD, which would also
    >>> give you a token to construct a WindowsPrincipal for "delegation"
    >>>
    >>> b) in theory you can also use integrated and configure IE to send
    >>> credentials automatically (theory=users must be logged onto the
    >>> domain - keep alives have to be enabled between web server and
    >>> client)
    >>>
    >>> ---------------------------------------
    >>> Dominick Baier - DevelopMentor
    >>> http://www.leastprivilege.com
    >>>> Hi, Dominick.
    >>>>
    >>>> The application is intended for our salesmen, and they are domain
    >>>> users, and therefore I would like to use the WindowsPrincipal object
    >>>> instead of GenericPrincipal, for purposes of delegation.
    >>>>
    >>>> Although Basic Auth would only "natively" give me a one-hop
    >>>> delegate, I would still like to have IIS authenticate against Active
    >>>> Directory.
    >>>>
    >>>> Of course, if one of the "higher-ups" insists on a friendly-looking
    >>>> sign-in page, then Forms Authentication will be the way.
    >>>>
    >>>> Mike
    >>>>
    >>>> "Dominick Baier [DevelopMentor]"
    >>>> <> wrote in message
    >>>> news:...
    >>>>
    >>>>> Hello WJ,
    >>>>>
    >>>>> what do you mean by "does not protect your system"?? can you
    >>>>> elaborate?
    >>>>>
    >>>>> it is all a matter of where you store your user accounts, if you
    >>>>> store them in some windows backed store (LSA, Domain) then you have
    >>>>> to resort to some IIS authentication. And basic is the one with the
    >>>>> broadest compatibility. Of course, keep in mind that basic auth
    >>>>> transmits the password in clear text, so you HAVE to layer SSL of
    >>>>> basic auth.
    >>>>>
    >>>>> One gotcha is, that you have to live with the window login dialog -
    >>>>> i can give you code to do that, if you really want to go this
    >>>>> route. But this would mean that you have to do auth yourself.
    >>>>>
    >>>>> Another option is to use Forms Authentication, typically with user
    >>>>> accounts stored in a database. This allows out of the box to
    >>>>> provide your own login UI - again you have to do auth yourself.
    >>>>>
    >>>>> maybe this clears it up a little bit. feel free to ask.
    >>>>>
    >>>>> ---------------------------------------
    >>>>> Dominick Baier - DevelopMentor
    >>>>> http://www.leastprivilege.com
    >>>>>> Form Authentication will serve your purpose as this requires
    >>>>>> Anonymous instead of Basic. Keep in mind that Basic Auth. does not
    >>>>>> protect your system.
    >>>>>>
    >>>>>> John
    >>>>>>
    >>>>>> "mike" <> wrote in message
    >>>>>> news:...
    >>>>>>> Hello.
    >>>>>>>
    >>>>>>> I'm creating a site that has basic authentication. Is it possible
    >>>>>>> to have a custom login page display instead of the Windows login
    >>>>>>> page?
    >>>>>>>
    >>>>>>> Thanks in advance,
    >>>>>>>
    >>>>>>> Mike
    >>>>>>>

    >
    >
     
    mike, Sep 16, 2005
    #17
  18. Hello Mike,

    I can't see how the code below is related to LogonUser, but

    LogonUser results in a token, you don't need to go to AD to get the groups.
    This heavy lifting has already been done for you.

    wrap the token in a WindowsIdentity

    WindowsIdentity id = new WindowsIdentity(token);

    and wrap the windows id with a WindowsPrincipal.

    ---------------------------------------
    Dominick Baier - DevelopMentor
    http://www.leastprivilege.com

    > Hi again, Dominick.
    >
    > Maybe you can help. After calling LogonUser I try to retrieve the
    > roles of the user and GetLastError issues error #5: Access Denied. I'm
    > also getting error code 0 and the message (from the exception) : "An
    > operations error occurred".
    >
    > After LogonUser is called I can see from the Security log that the
    > user is logged on.
    >
    > Here's the code:
    >
    > Public Function GetGroups() As String
    >     Dim lasterror As Integer
    >     Dim search As DirectorySearcher = New DirectorySearcher(_path)
    >     search.Filter = "(cn=" + _filterAttribute + ")"
    >     search.PropertiesToLoad.Add("memberOf")
    >     Dim groupNames As StringBuilder = New StringBuilder
    >     Try
    >         ' FindOne binds to the directory and runs the query
    >         Dim result As SearchResult = search.FindOne
    >         Dim propertyCount As Int16
    >         propertyCount = result.Properties("memberOf").Count
    >         Dim dn As String
    >         Dim equalsIndex As Int16
    >         Dim commaIndex As Int16
    >         Dim propertyCounter As Int16
    >         For propertyCounter = 0 To propertyCount - 1
    >             ' Each memberOf value is a distinguished name; keep the
    >             ' text between the first "=" and the first ","
    >             dn = CStr(result.Properties("memberOf")(propertyCounter))
    >             equalsIndex = dn.IndexOf("=", 1)
    >             commaIndex = dn.IndexOf(",", 1)
    >             If equalsIndex = -1 Then
    >                 ' vbNull is the VariantType constant (1), not a null String
    >                 Return Nothing
    >             End If
    >             groupNames.Append(dn.Substring((equalsIndex + 1), commaIndex - equalsIndex - 1))
    >             groupNames.Append("|")
    >         Next
    >     Catch ex As Exception
    >         lasterror = GetLastError()
    >         Throw New Exception("Error obtaining group names. " + _
    >             ex.Message + ", last error code was: " + lasterror.ToString)
    >     End Try
    >     Return groupNames.ToString
    > End Function
    >
    > Any ideas?
    >
    > Thanks - Mike
    >
    > "Dominick Baier [DevelopMentor]"
    > <> wrote in message
    > news:...
    >
    >> Hello Mike,
    >>
    >> well - there are some steps necessary
    >>
    >> a) enable anonymous again
    >> b) enable forms auth
    >> c) validate the user against AD (e.g. using LogonUser) in your logon
    >> page
    >> d) issue the auth cookie yourself - remember the user password
    >> somehow
    >> e) Handle Authenticate_Request or FormsAuthentication_Authenticate
    >> (not
    >> sure which one is better) - call LogonUser to get a token, wrap the
    >> token
    >> in a WindowsIdentity, wrap WindowsIdentity with WindowsPrincipal,
    >> replace
    >> Context.User
    >> that should work.
    >>
    >> ---------------------------------------
    >> Dominick Baier - DevelopMentor
    >> http://www.leastprivilege.com
    >>> Hi, Dominick. Thanks for responding.
    >>>
    >>> You said that I "can get rid of the windows dialog, even with
    >>> basic", my question is "How"?
    >>>
    >>> Thanks again,
    >>>
    >>> Mike
    >>>
    >>> "Dominick Baier [DevelopMentor]"
    >>> <> wrote in message
    >>> news:...
    >>>
    >>>> Hello Mike,
    >>>>
    >>>> a) you can get rid of the windows dialog, even with basic - but
    >>>> that means calling LogonUser to authenticate against AD, which
    >>>> would also give you a token to construct a WindowsPrincipal for
    >>>> "delegation"
    >>>>
    >>>> b) in theory you can also use integrated and configure IE to send
    >>>> credentials automatically (theory=users must be logged onto the
    >>>> domain - keep alives have to be enabled between web server and
    >>>> client)
    >>>>
    >>>> ---------------------------------------
    >>>> Dominick Baier - DevelopMentor
    >>>> http://www.leastprivilege.com
    >>>>> Hi, Dominick.
    >>>>>
    >>>>> The application is intended for our salesmen, and they are domain
    >>>>> users, and therefore I would like to use the WindowsPrincipal
    >>>>> object instead of GenericPrincipal, for purposes of delegation.
    >>>>>
    >>>>> Although Basic Auth would only "natively" give me a one-hop
    >>>>> delegate, I would still like to have IIS authenticate against
    >>>>> Active Directory.
    >>>>>
    >>>>> Of course, if one of the "higher-ups" insists on a
    >>>>> friendly-looking sign-in page, then Forms Authentication will be
    >>>>> the way.
    >>>>>
    >>>>> Mike
    >>>>>
    >>>>> "Dominick Baier [DevelopMentor]"
    >>>>> <> wrote in message
    >>>>> news:...
    >>>>>
    >>>>>> Hello WJ,
    >>>>>>
    >>>>>> what do you mean by "does not protect your system"?? can you
    >>>>>> elaborate?
    >>>>>>
    >>>>>> it is all a matter of where you store your user accounts, if you
    >>>>>> store them in some windows backed store (LSA, Domain) then you
    >>>>>> have to resort to some IIS authentication. And basic is the one
    >>>>>> with the broadest compatibility. Of course, keep in mind that
    >>>>>> basic auth transmits the password in clear text, so you HAVE to
    >>>>>> layer SSL of basic auth.
    >>>>>>
    >>>>>> One gotcha is, that you have to live with the window login dialog
    >>>>>> - i can give you code to do that, if you really want to go this
    >>>>>> route. But this would mean that you have to do auth yourself.
    >>>>>>
    >>>>>> Another option is to use Forms Authentication, typically with
    >>>>>> user accounts stored in a database. This allows out of the box to
    >>>>>> provide your own login UI - again you have to do auth yourself.
    >>>>>>
    >>>>>> maybe this clears it up a little bit. feel free to ask.
    >>>>>>
    >>>>>> ---------------------------------------
    >>>>>> Dominick Baier - DevelopMentor
    >>>>>> http://www.leastprivilege.com
    >>>>>>> Form Authentication will serve your purpose as this requires
    >>>>>>> Anonymous instead of Basic. Keep in mind that Basic Auth. does
    >>>>>>> not protect your system.
    >>>>>>>
    >>>>>>> John
    >>>>>>>
    >>>>>>> "mike" <> wrote in message
    >>>>>>> news:...
    >>>>>>>> Hello.
    >>>>>>>>
    >>>>>>>> I'm creating a site that has basic authentication. Is it
    >>>>>>>> possible to have a custom login page display instead of the
    >>>>>>>> Windows login page?
    >>>>>>>>
    >>>>>>>> Thanks in advance,
    >>>>>>>>
    >>>>>>>> Mike
    >>>>>>>>
     
    Dominick Baier [DevelopMentor], Sep 16, 2005
    #18
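
The approach described in post #18, as an added example that is not code from the thread: call LogonUser, wrap the token in a WindowsIdentity and a WindowsPrincipal, and read the groups from the token instead of querying AD. The class name AdLogon, the logon type, and the use of WindowsIdentity.Groups (.NET 2.0 or later) are assumptions.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Security.Principal;
using System.Text;

public static class AdLogon   // hypothetical helper name
{
    // Logon type is an assumption; the thread does not name one.
    const int LOGON32_LOGON_NETWORK = 3;
    const int LOGON32_PROVIDER_DEFAULT = 0;

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string user, string domain, string password,
        int logonType, int logonProvider, out IntPtr token);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr handle);

    // Validates the credentials and returns a principal built from the logon token.
    public static WindowsPrincipal Authenticate(string user, string domain, string password)
    {
        IntPtr token;
        if (!LogonUser(user, domain, password, LOGON32_LOGON_NETWORK,
                       LOGON32_PROVIDER_DEFAULT, out token))
        {
            // Read the Win32 error right away; later calls overwrite it.
            throw new Win32Exception(Marshal.GetLastWin32Error());
        }
        try
        {
            // WindowsIdentity duplicates the handle, so ours is closed below.
            return new WindowsPrincipal(new WindowsIdentity(token));
        }
        finally { CloseHandle(token); }
    }

    // Group names read from the token, pipe-separated like GetGroups() in the question.
    public static string GetGroups(WindowsPrincipal principal)
    {
        WindowsIdentity id = (WindowsIdentity)principal.Identity;
        // forceSuccess = false: SIDs that cannot be resolved stay as SIDs, no exception.
        IdentityReferenceCollection names = id.Groups.Translate(typeof(NTAccount), false);
        StringBuilder sb = new StringBuilder();
        foreach (IdentityReference r in names) sb.Append(r.Value).Append('|');
        return sb.ToString();
    }
}
```

Assigning the returned principal to Context.User in the authenticate handler makes IsInRole checks work from the token alone, with no DirectorySearcher call.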