determine trusted domain with windows authentication

Discussion in 'ASP .Net Security' started by Jerry N, Jul 8, 2006.

  1. Jerry N

    Jerry N Guest

    I am planning on using Windows authentication for a web page. I've added
    these lines to my web.config file:

    <identity impersonate="true"/>
    <authentication mode="Windows" />

    And I can view the name with:

    void Page_Load(object sender, EventArgs e) {
        if (User.Identity.IsAuthenticated) {
            lblIdentity.Text = "The current user is " + User.Identity.Name;
        } else {
            lblIdentity.Text = "The current user is not authenticated.";
        }
    }

    So my question is, how can I authenticate the "Domain" from the
    User.Identity.Name property? I was going to split the "Domain\Username"
    value to get the domain name but I don't want a remote Windows client to
    spoof the domain name. I am also hoping to avoid hardcoding the valid domain
    names and use Active Directory to validate them.

    Any ideas?

    Thanks,
    Jerry N
    Jerry N, Jul 8, 2006
    #1

  2. The domain name in the user name is formed by Windows authentication based
    on how Windows translates the user's SID into an NT-format name, not by
    input data, so you don't need to worry about it being spoofed by the user.

    Joe K.

    --
    Joe Kaplan-MS MVP Directory Services Programming
    Co-author of "The .NET Developer's Guide to Directory Services Programming"
    http://www.directoryprogramming.net
    --
    Joe Kaplan (MVP - ADSI), Jul 8, 2006
    #2

  3. Jerry N

    Jerry N Guest

    Thanks, I thought it was created using tokens but the domain name is still
    determined by a [system admin] user. Can I determine if the security
    token came from a trusted domain? How many 'WORKGROUP' or 'MSHOME'
    workgroups/domains are there?

    Jerry

    Jerry N, Jul 9, 2006
    #3
  4. Windows authentication will only authenticate users it trusts. That would
    mean that only local machine users, users in the machine's domain and users
    in trusted domains will be authenticated.

    Joe K.

    --
    Joe Kaplan-MS MVP Directory Services Programming
    Co-author of "The .NET Developer's Guide to Directory Services Programming"
    http://www.directoryprogramming.net
    --
    Joe Kaplan (MVP - ADSI), Jul 9, 2006
    #4
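
Added example, not part of the original thread and not code from any poster: one way to tell which of the three account origins named in reply #4 an authenticated user falls into, by comparing SIDs rather than keeping a hardcoded domain list. The class name `AccountOrigin`, the method `Classify` and the returned labels are hypothetical; the example assumes a reference to System.DirectoryServices.

```csharp
using System;
using System.DirectoryServices;
using System.DirectoryServices.ActiveDirectory;
using System.Security.Principal;

// Hypothetical helper (not from the thread): classifies where an authenticated
// account lives by comparing SIDs instead of trusting a hardcoded domain list.
public static class AccountOrigin
{
    // Returns "well-known", "local-machine", "machine-domain", "trusted-domain" or "unknown".
    public static string Classify(WindowsIdentity identity)
    {
        if (identity == null || !identity.IsAuthenticated || identity.User == null)
            throw new ArgumentException("An authenticated Windows identity is required.");

        // Domain portion of the account SID; null for well-known SIDs
        // such as NT AUTHORITY\SYSTEM that carry no domain identifier.
        SecurityIdentifier accountDomainSid = identity.User.AccountDomainSid;
        if (accountDomainSid == null)
            return "well-known";

        // Windows resolves the SID to DOMAIN\user; a local account resolves to
        // MACHINE\user, which is how workgroup-style local users show up.
        string ntName = identity.User.Translate(typeof(NTAccount)).Value;
        string authority = ntName.Substring(0, Math.Max(ntName.IndexOf('\\'), 0));
        if (string.Equals(authority, Environment.MachineName, StringComparison.OrdinalIgnoreCase))
            return "local-machine";

        try
        {
            // Read the SID of the domain this server is joined to from Active Directory.
            using (Domain machineDomain = Domain.GetComputerDomain())
            using (DirectoryEntry entry = machineDomain.GetDirectoryEntry())
            {
                byte[] raw = (byte[])entry.Properties["objectSid"].Value;
                if (accountDomainSid.Equals(new SecurityIdentifier(raw, 0)))
                    return "machine-domain";
            }
        }
        catch (ActiveDirectoryObjectNotFoundException)
        {
            return "unknown"; // server is not joined to a domain; nothing to compare against
        }

        // Authenticated, not local, not the server's own domain: per reply #4,
        // that leaves a domain the server's domain trusts.
        return "trusted-domain";
    }
}
```

From the page in the question it would be called as `AccountOrigin.Classify((WindowsIdentity)User.Identity)`. The server's own domain SID does not change between requests, so it can be read once at application start and cached.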