Basic Authentication/Custom Login page

mike

Hello.

I'm creating a site that has basic authentication. Is it possible to have a
custom login page display instead of the Windows login page?

Thanks in advance,

Mike
 
WJ

Forms Authentication will serve your purpose, as this requires Anonymous
instead of Basic. Keep in mind that Basic Auth. does not protect your
system.

John
 
Dominick Baier [DevelopMentor]

Hello WJ,

What do you mean by "does not protect your system"? Can you elaborate?

It is all a matter of where you store your user accounts. If you store them
in some Windows-backed store (LSA, domain), then you have to resort to some
IIS authentication, and Basic is the one with the broadest compatibility.
Of course, keep in mind that Basic auth transmits the password in clear text,
so you HAVE to layer SSL over Basic auth.

One gotcha is that you have to live with the Windows login dialog. I can
give you code for that, if you really want to go this route, but this would
mean that you have to do auth yourself.

Another option is to use Forms Authentication, typically with user accounts
stored in a database. This allows you, out of the box, to provide your own
login UI. Again, you have to do auth yourself.

Maybe this clears it up a little bit. Feel free to ask.
 
mike

Hi, Dominick.

The application is intended for our salesmen, and they are domain users, and
therefore I would like to use the WindowsPrincipal object instead of
GenericPrincipal, for purposes of delegation.

Although Basic Auth would only "natively" give me a one-hop delegate, I
would still like to have IIS authenticate against Active Directory.

Of course, if one of the "higher-ups" insists on a friendly-looking sign-in
page, then Forms Authentication will be the way.

Mike
 
mike

So I guess the answer is "No"?

WJ said:
Forms Authentication will serve your purpose, as this requires Anonymous
instead of Basic. Keep in mind that Basic Auth. does not protect your
system.

John
 
Dominick Baier [DevelopMentor]

Hello Mike,

a) You can get rid of the Windows dialog, even with Basic, but that means
calling LogonUser to authenticate against AD, which would also give you a
token to construct a WindowsPrincipal for "delegation".

b) In theory you can also use Integrated and configure IE to send credentials
automatically (theory = users must be logged onto the domain, and keep-alives
have to be enabled between web server and client).
 
mike

Hi, Dominick. Thanks for responding.

You said that I "can get rid of the windows dialog, even with basic", my
question is "How"?

Thanks again,

Mike
 
Dominick Baier [DevelopMentor]

Hello Mike,

Well, there are some steps necessary:

a) enable Anonymous again
b) enable Forms auth
c) validate the user against AD (e.g. using LogonUser) in your logon page
d) issue the auth cookie yourself; remember the user password somehow
e) handle Authenticate_Request or FormsAuthentication_Authenticate (not sure
which one is better): call LogonUser to get a token, wrap the token in a
WindowsIdentity, wrap the WindowsIdentity with a WindowsPrincipal, and replace
Context.User

That should work.

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com
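The procedure above, as an added worked example in C# (this is not code from the thread or from Dominick): a login page code-behind that validates the posted credentials with LogonUser and issues the forms ticket, and a Global.asax Application_AuthenticateRequest handler that swaps the forms principal for a WindowsPrincipal. It assumes ASP.NET 2.0 or later (where WindowsIdentity duplicates the token handle it is given), a domain name in a hypothetical appSettings key named WindowsDomain, and controls named UserName, Password and Message on the login page. One design choice differs from step d): instead of remembering the user's password, it keeps the WindowsIdentity in the application cache keyed by the ticket name, so the password is discarded as soon as the token exists.

```csharp
using System;
using System.Configuration;
using System.Runtime.InteropServices;
using System.Security.Principal;
using System.Web;
using System.Web.Caching;
using System.Web.Security;

// Step c): validate the credentials against AD with LogonUser and get a token back.
public static class NativeLogon
{
    // NETWORK_CLEARTEXT keeps the credentials with the token, so the web server can
    // make the one hop to a back-end server while impersonating the user (the same
    // logon type IIS uses for Basic). LOGON32_LOGON_NETWORK (3) would give a token
    // that is only good for local access checks.
    private const int LOGON32_LOGON_NETWORK_CLEARTEXT = 8;
    private const int LOGON32_PROVIDER_DEFAULT = 0;

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    private static extern bool LogonUser(string user, string domain, string password,
        int logonType, int logonProvider, out IntPtr token);

    [DllImport("kernel32.dll", SetLastError = true)]
    private static extern bool CloseHandle(IntPtr handle);

    // Returns the user's WindowsIdentity, or null if LogonUser rejected the credentials.
    public static WindowsIdentity Logon(string domain, string user, string password)
    {
        IntPtr token;
        if (!LogonUser(user, domain, password, LOGON32_LOGON_NETWORK_CLEARTEXT,
                       LOGON32_PROVIDER_DEFAULT, out token))
            return null;
        try
        {
            // WindowsIdentity(IntPtr) duplicates the handle on .NET 2.0+,
            // so the original is closed here and nothing leaks.
            return new WindowsIdentity(token);
        }
        finally
        {
            CloseHandle(token);
        }
    }
}

// Login.aspx.cs, step d): issue the forms ticket yourself; keep the token, not the password.
public partial class Login : System.Web.UI.Page
{
    internal const string CachePrefix = "winid:";

    protected void LoginButton_Click(object sender, EventArgs e)
    {
        string domain = ConfigurationManager.AppSettings["WindowsDomain"]; // assumed key
        WindowsIdentity id = NativeLogon.Logon(domain, UserName.Text, Password.Text);
        if (id == null)
        {
            Message.Text = "Invalid user name or password."; // same text for unknown user and bad password
            return;
        }
        // The sliding window should equal the forms timeout so ticket and token expire together.
        Context.Cache.Insert(CachePrefix + id.Name, id, null,
            Cache.NoAbsoluteExpiration, TimeSpan.FromMinutes(20));
        // id.Name is "DOMAIN\user" and becomes the name carried inside the ticket.
        FormsAuthentication.RedirectFromLoginPage(id.Name, false);
    }
}

// Global.asax.cs, step e): replace the forms principal with a WindowsPrincipal.
public class Global : HttpApplication
{
    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        FormsIdentity formsId = Context.User == null ? null : Context.User.Identity as FormsIdentity;
        if (formsId == null)
            return; // anonymous request, or not a forms ticket: leave it alone

        WindowsIdentity winId = Context.Cache[Login.CachePrefix + formsId.Name] as WindowsIdentity;
        if (winId == null)
        {
            // Ticket still valid but the token is gone (cache eviction, app restart, another
            // server in a farm): force a new logon instead of serving a GenericPrincipal.
            FormsAuthentication.SignOut();
            FormsAuthentication.RedirectToLoginPage();
            return;
        }
        // From here on User.IsInRole(@"DOMAIN\Sales") and winId.Impersonate()
        // work against the real Windows token.
        Context.User = new WindowsPrincipal(winId);
    }
}
```

Because the cached entry is per server, a web farm needs either sticky sessions or a fallback to re-authentication, which is what the SignOut/RedirectToLoginPage branch does. The forms ticket itself still has to be issued and carried only over SSL, as discussed further down the thread.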
 
mike

Hi, Dominick.

Ok, I thought you were saying that I can enable Basic in IIS and override
the window that the browser displays.

I was trying to avoid the steps that you listed, but thanks for listing
them. I'll probably wind up needing that info.

Thanks again,

Mike

Dominick Baier said:
Hello Mike,

Well, there are some steps necessary:

a) enable Anonymous again
b) enable Forms auth
c) validate the user against AD (e.g. using LogonUser) in your logon page
d) issue the auth cookie yourself; remember the user password somehow
e) handle Authenticate_Request or FormsAuthentication_Authenticate (not
sure which one is better): call LogonUser to get a token, wrap the token
in a WindowsIdentity, wrap the WindowsIdentity with a WindowsPrincipal, and
replace Context.User

That should work.

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com
 
Dominick Baier [DevelopMentor]

Hello WJ,

So Forms auth needs SSL too. Does that mean it does not protect my system?? :)

BTW, Basic auth is probably supported on every browser on this planet.
 
WJ

mike said:
So I guess the answer is "No"?

Right, as these are Windows only. You do not want to implement Basic because
it is vulnerable unless it is SSL enabled.

Forms auth is the appropriate way. It also can run on multiple platforms
and/or browsers.

John
 
WJ

Dominick Baier said:
Hello WJ,

What do you mean by "does not protect your system"? Can you elaborate?

You already said it. Because the Basic auth method does not encrypt your
credentials, it is not suitable over the internet unless it is protected by
SSL.

John
 
Paul Clement

mike said:
So I guess the answer is "No"?

Correct. In order to use your own custom login form you need to *start* with Anonymous authentication.


Paul
~~~~
Microsoft MVP (Visual Basic)
 
WJ

Dominick Baier said:
Hello WJ,

So Forms auth needs SSL too. Does that mean it does not protect my system?? :)
BTW, Basic auth is probably supported on every browser on this planet.

It depends on the following factors:

1. If your web site accepts sensitive data such as credit cards, then SSL is
a must regardless of the method of authentication you implement on your server.

2. Use application roles. If your users just need to come to your site, do a
few things and get out, then it makes sense not to grant them Windows access.
What I mean is that once the user exits your application(s), that application
credential would be useless.

In short, I do not feel very comfortable authenticating users to my operating
system domain over the internet. It is high-risk. For an intranet it is OK.
So Forms auth is a neutral ground for internet applications.

John
 
Dominick Baier [DevelopMentor]

Hello WJ,

Forms auth ALWAYS needs SSL:

a) I want server authentication before I type my credentials in somewhere
b) the login form POST is clear text
c) the auth cookie can only be protected by SSL from forging, sniffing and hijacking.

Basic auth always needs SSL.

I share the same gut feeling with you, but technically it only depends on whether
your users are stored in some kind of Windows store or not.
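An added configuration example for the Anonymous-plus-Forms scheme discussed in this thread (this web.config is not from the thread or from any of the posters): it covers steps a) and b) of the procedure and pins down the cookie settings that go with the three points above. The IIS side (Anonymous access enabled, Basic and Integrated disabled, "Require secure channel" on the site) is set in the IIS console and is not shown; the cookie name, Login.aspx and the 20-minute timeout are assumptions.

```xml
<configuration>
  <system.web>
    <!-- Anonymous in IIS plus Forms in ASP.NET: IIS never sends the 401 that
         makes the browser pop up its own credentials dialog. -->
    <!-- protection="All": the ticket is encrypted and MAC'd, so it cannot be forged
         or read even if captured; requireSSL="true": the cookie gets the Secure flag
         and is never sent over plain HTTP, and SetAuthCookie refuses to issue it on a
         non-SSL request; cookieless="UseCookies": the ticket never lands in a URL
         (proxy logs, Referer headers). -->
    <authentication mode="Forms">
      <forms name=".SALESAUTH"
             loginUrl="Login.aspx"
             protection="All"
             requireSSL="true"
             timeout="20"
             slidingExpiration="true"
             cookieless="UseCookies" />
    </authentication>
    <!-- Deny the anonymous user ("?") everywhere; Login.aspx is opened up below. -->
    <authorization>
      <deny users="?" />
    </authorization>
    <!-- HttpOnly keeps the ticket away from script, limiting theft through XSS. -->
    <httpCookies httpOnlyCookies="true" requireSSL="true" />
    <!-- No blanket impersonation: the worker process keeps its own identity and the
         WindowsPrincipal for the user is set in code per request. -->
    <identity impersonate="false" />
  </system.web>
  <location path="Login.aspx">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

Note that the MAC from protection="All" is what stops forging; SSL is what stops the POSTed password and the cookie from being sniffed or replayed in transit, so both are needed and neither replaces the other.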
 
mike

Hi again, Dominick.

Maybe you can help. After calling LogonUser I try to retrieve the roles of
the user, and GetLastError issues error #5: Access Denied. I'm also getting
error code 0 and the message (from the exception): "An operations error
occurred".

After LogonUser is called I can see from the Security log that the user is
logged on.

Here's the code:


Imports System.DirectoryServices
Imports System.Runtime.InteropServices
Imports System.Text

' _path (an LDAP:// path) and _filterAttribute (the user's cn) are fields set
' elsewhere in the class.
'
' DirectorySearcher binds with the identity of the calling thread, not with the
' token LogonUser returned. If that thread runs as the local ASPNET account or as
' the anonymous user, the bind has no domain credentials and FindOne fails with
' "An operations error occurred". Either impersonate the LogonUser token around
' the search, or give the DirectoryEntry behind _path an explicit user name and
' password.
Public Function GetGroups() As String
    Dim search As New DirectorySearcher(_path)

    ' Escape the value before building the filter so that a user-supplied name
    ' cannot change the query (LDAP filter injection).
    search.Filter = "(cn=" & EscapeLdapValue(_filterAttribute) & ")"
    search.PropertiesToLoad.Add("memberOf")

    Dim groupNames As New StringBuilder

    Try
        Dim result As SearchResult = search.FindOne()
        If result Is Nothing Then
            Return String.Empty          ' no object with that cn
        End If

        ' Each memberOf value is a DN such as "CN=Sales,OU=Groups,DC=corp,DC=com";
        ' keep only the CN value. memberOf lists direct memberships only, not
        ' nested groups or the primary group.
        Dim value As Object
        For Each value In result.Properties("memberOf")
            Dim dn As String = CStr(value)
            Dim equalsIndex As Integer = dn.IndexOf("="c)
            Dim commaIndex As Integer = dn.IndexOf(","c)
            If equalsIndex = -1 Then
                Return String.Empty      ' malformed DN; a String function cannot return vbNull
            End If
            If commaIndex = -1 Then commaIndex = dn.Length
            groupNames.Append(dn.Substring(equalsIndex + 1, commaIndex - equalsIndex - 1))
            groupNames.Append("|"c)
        Next
    Catch ex As Exception
        ' GetLastWin32Error is only meaningful straight after a P/Invoke call
        ' declared with SetLastError; a managed exception does not set it, so the
        ' value reported here is informational at best. Keep ex as the inner
        ' exception so the real cause is not lost.
        Dim lastError As Integer = Marshal.GetLastWin32Error()
        Throw New Exception("Error obtaining group names. " & ex.Message & _
            ", last error code was: " & lastError.ToString(), ex)
    End Try

    Return groupNames.ToString()
End Function

' Escape the characters that have meaning inside an LDAP search filter (RFC 2254).
Private Function EscapeLdapValue(ByVal value As String) As String
    Return value.Replace("\", "\5c").Replace("*", "\2a").Replace("(", "\28") _
        .Replace(")", "\29").Replace(vbNullChar, "\00")
End Function

Any ideas?

Thanks - Mike



 
mike

I forgot to mention that it bombs on the FindOne method.


 
Dominick Baier [DevelopMentor]

Hello Mike,

I can't see how the code below is related to LogonUser, but:

LogonUser results in a token; you don't need to go to AD to get the groups.
This heavy lifting has already been done for you.

Wrap the token in a WindowsIdentity:

WindowsIdentity id = new WindowsIdentity(token);

and wrap the Windows identity with a WindowsPrincipal.

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com
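An added C# example of what Dominick describes (not code from the thread): reading group membership from the token itself instead of querying the directory. It takes the WindowsIdentity built around the LogonUser token; to run it stand-alone on any domain-joined Windows machine, Main uses WindowsIdentity.GetCurrent() as a stand-in. It needs .NET 2.0 or later for WindowsIdentity.Groups.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Principal;

public static class TokenGroups
{
    // Group names carried in the token ("CONTOSO\Sales", "BUILTIN\Users", ...).
    // Unlike a memberOf query this includes nested groups and the primary group,
    // because the LSA expanded them when the token was created. A SID that no
    // longer maps to a name (deleted group, per-session logon SID) is returned
    // in its S-1-5-... form instead of being dropped.
    public static List<string> GetGroupNames(WindowsIdentity id)
    {
        List<string> names = new List<string>();
        foreach (IdentityReference sid in id.Groups)
        {
            try
            {
                names.Add(sid.Translate(typeof(NTAccount)).Value);
            }
            catch (IdentityNotMappedException)
            {
                names.Add(sid.Value);
            }
        }
        return names;
    }

    // Role check against the token; no directory round trip, no DN parsing.
    // domainGroup is "DOMAIN\Group" or "BUILTIN\Group".
    public static bool IsMember(WindowsIdentity id, string domainGroup)
    {
        return new WindowsPrincipal(id).IsInRole(domainGroup);
    }

    // In the web application id would be new WindowsIdentity(token) from LogonUser;
    // here the process identity stands in so the sample runs on its own.
    public static void Main()
    {
        WindowsIdentity id = WindowsIdentity.GetCurrent();
        Console.WriteLine("Groups in the token of {0}:", id.Name);
        foreach (string name in GetGroupNames(id))
        {
            Console.WriteLine("  " + name);
        }
        Console.WriteLine("Member of BUILTIN\\Users: " + IsMember(id, @"BUILTIN\Users"));
    }
}
```

The group list in a token is fixed at logon time, so a membership change in AD is only seen after the user logs on again (a new LogonUser call); the memberOf query in the posted code would see it immediately but, as noted, needs its own credentials to bind.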
 
