Can I force a Windows Authentication / Login?

[Guest]

I'm looking for a way to force the user to re-authenticate with their Windows
username/password/domain after clicking the submit button on an ASP.NET page.
This is for an internal application.

Does anyone know if/how this can be done?

 

[Patirck Ige]

You mean you want to let the user authenticate using Windows Auth.
You can set that in IIS by checking integrated Windows and uncheck Anonymous
login
Patrick

 

[Ken Cox [Microsoft MVP]]

Hi Keith,

One technique is to redirect them to a page that denies access to anonymous
users. This throws up the login dialogue box.

In your Web.config, add a <location> before <system.web>

<configuration>
<location path="auth.aspx">
<system.web>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
</location>
<system.web>
....

Then create a page called auth.aspx.

In your button click code redirect like this:

Private Sub Button1_Click _
(ByVal sender As System.Object, _
ByVal e As System.EventArgs) Handles Button1.Click
Response.Redirect("auth.aspx")
End Sub

Let us know if this helps?

Ken
Microsoft MVP [ASP.NET]

 

[Steven Cheng[MSFT]]

Hi Keith,

For forcing the clientuser pass the windows authentication logon, as
Patrick has mentioned, we can use the IIS server's windows integrated
windows authentication( disable anonymous access) which will force the
client provide a valid windows identity. Also, if you're manually collect
the username/password through web page UI and programmatically authenticat
the user, you'll need to manually call some windows security API like
logonUser .... , but I don't think this is a good means from security and
performance perspective.

Thanks,

Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security



--------------------
| From: "Patirck Ige" <[email protected]>
| References: <[email protected]>
| Subject: Re: Can I force a Windows Authentication / Login?
| Date: Fri, 7 Oct 2005 09:35:40 +1000
| Lines: 16
| X-Priority: 3
| X-MSMail-Priority: Normal
| X-Newsreader: Microsoft Outlook Express 6.00.2800.1437
| X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1441
| Message-ID: <[email protected]>
| Newsgroups: microsoft.public.dotnet.framework.aspnet
| NNTP-Posting-Host: 203.36.211.134
| Path: TK2MSFTNGXA01.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP09.phx.gbl
| Xref: TK2MSFTNGXA01.phx.gbl
microsoft.public.dotnet.framework.aspnet:129634
| X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet
|
| You mean you want to let the user authenticate using Windows Auth.
| You can set that in IIS by checking integrated Windows and uncheck
Anonymous
| login
| Patrick
|
| | > I'm looking for a way to force the user to re-authenticate with their
| Windows
| > username/password/domain after clicking the submit button on an ASP.NET
| page.
| > This is for an internal application.
| >
| > Does anyone know if/how this can be done?
|
|
|

 

[Brock Allen]

All you need to do is send back a 302 response from your page (Response.StatusCode).
As long as you're using Windows authentication and IIS then this will trigger
IIS to challenge the browser such that the user must reauthenticate.

 

[Guest]

Thanks Brock -- I tried this, and it did prompt me to authenticate again
(with response.statuscode = 401, not 302), but the behavior is a little
wacky. Sometimes I authenticate once and it accepts it but then doesn't
continue to do the rest of the code in the button_click event; other times it
repeats the authentication prompt three times and then DOES continue to do
the rest of the code.

What I really want is to write a function that forces the user to
authenticate again, returns true if the user authenticates successfully,
returns false otherwise; then I can do other code or send the user to an
error page based on the return value of the function.

It's just the part about forcing the authentication prompt and verifying
whether it was successful that I don't know how to do.

 

[Guest]

Thanks Ken,

But I don't want to do forms authentication. What I want to do is, ideally,
write a function that will prompt the user to re-authenticate against their
Windows domain account, return true if successful and false if not.

Then I would put the function in the button click event; if returns true I
continue to do more code, if returns false I give the user an error message
in a label on the page.

I already understand about turning off anonymous access in IIS admin, etc.
But that doesn't actually force the user to re-authenticate, it just provides
the Windows identity info in the context, like the LOGON_USER, etc. And I
don't want them to enter their username and password until they click the
button on the page.

I've tried poking through some of the security classes in the .NET
documentation, but I haven't seen any sample code that points me in the right
direction...

Hi Keith,

One technique is to redirect them to a page that denies access to anonymous
users. This throws up the login dialogue box.

In your Web.config, add a <location> before <system.web>

<configuration>
<location path="auth.aspx">
<system.web>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
</location>
<system.web>
....

Then create a page called auth.aspx.

In your button click code redirect like this:

Private Sub Button1_Click _
(ByVal sender As System.Object, _
ByVal e As System.EventArgs) Handles Button1.Click
Response.Redirect("auth.aspx")
End Sub

Let us know if this helps?

Ken
Microsoft MVP [ASP.NET]

I'm looking for a way to force the user to re-authenticate with their
Windows
username/password/domain after clicking the submit button on an ASP.NET
page.
This is for an internal application.

Does anyone know if/how this can be done?

 

[Patrick.O.Ige]

What you can do is to trap statuscode = 401 if access is denied or not
(But remember you wuld have to trap "statuscode = 401" in your
global.asax )
And maybe redirect the user to some where and from there....do what ever you
want with them
Hope that helps
Patrick

 

[Steven Cheng[MSFT]]

Hi Keith,

From your further description, I think your current problem is how to
manually collect the username/password from the enduser and do a windows
logon auhtenticate, yes? The Integrated windows authentication in IIS is
done automatically before each webrequest and we can not manually redo the
authentication. Currently the only available approach may be manually call
the WINDOWS LogonUser API to validate the user acccount, we need to provide
the cleartext username/password when calling this API, do you think this is
possible? If so the following kb article has mentioned use LogonUser API
through .net PInvoke in asp.net application.

#How to implement impersonation in an ASP.NET application
http://support.microsoft.com/default.aspx?scid=kb;en-us;306158

Hope helps. Thanks,

Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security

--------------------
| Thread-Topic: Can I force a Windows Authentication / Login?
| thread-index: AcXLZJySqJqzylOGQpucW7kNlnrfJQ==
| X-WBNR-Posting-Host: 204.250.153.2
| From: "=?Utf-8?B?S2VpdGggSA==?=" <[email protected]>
| References: <[email protected]>
<[email protected]>
| Subject: Re: Can I force a Windows Authentication / Login?
| Date: Fri, 7 Oct 2005 10:29:03 -0700
| Lines: 71
| Message-ID: <[email protected]>
| MIME-Version: 1.0
| Content-Type: text/plain;
| charset="Utf-8"
| Content-Transfer-Encoding: 7bit
| X-Newsreader: Microsoft CDO for Windows 2000
| Content-Class: urn:content-classes:message
| Importance: normal
| Priority: normal
| X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.0
| Newsgroups: microsoft.public.dotnet.framework.aspnet
| NNTP-Posting-Host: TK2MSFTNGXA03.phx.gbl 10.40.2.250
| Path: TK2MSFTNGXA01.phx.gbl!TK2MSFTNGXA03.phx.gbl
| Xref: TK2MSFTNGXA01.phx.gbl
microsoft.public.dotnet.framework.aspnet:129860
| X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet
|
| Thanks Ken,
|
| But I don't want to do forms authentication. What I want to do is,
ideally,
| write a function that will prompt the user to re-authenticate against
their
| Windows domain account, return true if successful and false if not.
|
| Then I would put the function in the button click event; if returns true
I
| continue to do more code, if returns false I give the user an error
message
| in a label on the page.
|
| I already understand about turning off anonymous access in IIS admin,
etc.
| But that doesn't actually force the user to re-authenticate, it just
provides
| the Windows identity info in the context, like the LOGON_USER, etc. And I
| don't want them to enter their username and password until they click the
| button on the page.
|
| I've tried poking through some of the security classes in the .NET
| documentation, but I haven't seen any sample code that points me in the
right
| direction...
|
|
| "Ken Cox [Microsoft MVP]" wrote:
|
| > Hi Keith,
| >
| > One technique is to redirect them to a page that denies access to
anonymous
| > users. This throws up the login dialogue box.
| >
| > In your Web.config, add a <location> before <system.web>
| >
| > <configuration>
| > <location path="auth.aspx">
| > <system.web>
| > <authorization>
| > <deny users="?"/>
| > </authorization>
| > </system.web>
| > </location>
| > <system.web>
| > ....
| >
| > Then create a page called auth.aspx.
| >
| > In your button click code redirect like this:
| >
| > Private Sub Button1_Click _
| > (ByVal sender As System.Object, _
| > ByVal e As System.EventArgs) Handles Button1.Click
| > Response.Redirect("auth.aspx")
| > End Sub
| >
| > Let us know if this helps?
| >
| > Ken
| > Microsoft MVP [ASP.NET]
| >
| >
| >
| >
| > | > > I'm looking for a way to force the user to re-authenticate with their
| > > Windows
| > > username/password/domain after clicking the submit button on an
ASP.NET
| > > page.
| > > This is for an internal application.
| > >
| > > Does anyone know if/how this can be done?
| >
| >
| >
|