get WindowsIdentity with forms authentication

Discussion in 'ASP .Net Security' started by Niclas Lindblom, Oct 10, 2003.

  1. Hi,

    I am trying to figure out a way to authenticate against Active Directory and
    retrieve a system.security.principal.WindowsIdentity object, without having to
    see the awful grey Basic Authentication logon box. I have found
    documentation that you can send an authentication request programmatically by
    using the system.net.authenticationmanager.authenticate method, but I can
    not get this to work and have not found any samples.

    Does anyone know a way to authenticate against AD and have your browser
    session retrieve an identity using forms?

    regards

    Niclas
     
    Niclas Lindblom, Oct 10, 2003
    #1

  2. If you want an actual WindowsIdentity object, you must have a logon token
    for the user, which means that you will need to call LogonUser with the
    user's credentials.

    If you would be okay with a GenericIdentity/GenericPrincipal, then you can
    create one by authenticating to AD and building those objects yourself.
    There is a sample on how to do this with System.DirectoryServices and Forms
    authentication in the MS KB:

    http://support.microsoft.com/default.aspx?scid=kb;en-us;326340

    That article has some flaws in it, but it is an okay starting point. Note
    that the recommended way of doing authentication is by using SSPI instead of
    System.DirectoryServices with an LDAP bind, but I don't have a good managed
    code wrapper example of SSPI. Maybe someone else does?

    The disadvantage with the GenericIdentity is that you can't impersonate with
    it, but it can be used to drive the security model in your application using
    the standard IPrincipal interface.

    HTH,

    Joe K.
     
    Joe Kaplan (MVP - ADSI), Oct 10, 2003
    #2

  3. Is there no way I can do this and get the same functionality as using Basic
    authentication with the grey box (not sure how this works), since this seems
    to create a session identity automatically?

    Thanks for your help

    Niclas
     
    MS Newsgroups, Oct 11, 2003
    #3
  4. It sounds like you want a WindowsIdentity/logon token for the user, so you
    will need to use an API that calls LogonUser. The easy way to do this would
    be to build a Forms Auth. system that uses the new constructor on
    WindowsIdentity in Framework 1.1 that takes a username and password. Note
    that the documentation says that you must be running Win2K3 for this call to
    work.

    http://msdn.microsoft.com/library/d...WindowsIdentityClassctorTopic5.asp?frame=true

    The other option is to P/Invoke LogonUser directly. You need very high
    privileges to call this function under Windows 2000 though, so the viability
    of this solution may depend on your platform and security needs.

    http://msdn.microsoft.com/library/d...ImpersonationContextClassTopic.asp?frame=true

    Either of these (which do essentially the same thing under the hood) will
    give you the same functionality as Basic authentication (a primary logon
    token).

    HTH,

    Joe K.
     
    Joe Kaplan (MVP - ADSI), Oct 12, 2003
    #4
  5. Thanks Joe, I have actually looked at this option. What I haven't figured
    out yet is how to associate the current user's session with the new
    WindowsIdentity object I have created. I have a feeling that I need to use
    impersonation, but haven't had time to test this yet.

    Am I on the right track, or do you know how to get this working?

    Thanks for helping out

    Niclas
     
    Niclas Lindblom, Oct 12, 2003
    #5
  6. The normal thing to do would be to create the WindowsIdentity, then to create
    a new WindowsPrincipal from that and set the User property on the
    HttpContext equal to that. Then the WindowsPrincipal for the current user
    will be associated with that request and all of the normal ASP.NET
    role-based security will flow from there.

    Someone else may need to provide you with more details if that isn't enough
    info as I am not a super expert in Forms authentication.

    Joe K.
     
    Joe Kaplan (MVP - ADSI), Oct 13, 2003
    #6
  7. Hi,

    I've come to the same solution on my own, but when I assign WindowsPrincipal
    to the User property of HttpContext it gets assigned for the current
    request but for the next request it's gone. User.Identity.Name becomes
    "Anonymous" again and IsAuthenticated is false. What should I do for this
    assignment to persist across requests?

    Best regards,
    Alan Mendelevich.
     
    Alan Mendelevich, Oct 14, 2003
    #7
  8. This is how I did it:

    Log on using an API call to get a token, create a new WindowsIdentity object and
    create a new Windows principal.

    Add the principal to the session with

    Session.Add("AuthID", CType(myNewPrincipal, Object))

    Change the user ID for this call with:

    Context.User = CType(Session.Item("AuthID"), WindowsPrincipal)

    Then I use global.asax to change the identity for every request

    ' Restore the stored principal before each handler runs.
    Private Sub Global_PreRequestHandlerExecute(ByVal sender As Object, _
            ByVal e As System.EventArgs) Handles MyBase.PreRequestHandlerExecute
        ' Same session key as used when the principal was stored above.
        If Not Session.Item("AuthID") Is Nothing Then
            Context.User = CType(Session.Item("AuthID"), WindowsPrincipal)
        End If
    End Sub

    What I have also done, but not included here, is that I save the anonymous
    principal to the session before switching, so I can switch back if I would
    like the user to be able to perform a log off and continue as anonymous.

    Any questions,

    Let me know

    Niclas Lindblom
     
    MS Newsgroups, Oct 14, 2003
    #8
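
An added example (not code posted by anyone in this thread) of the steps Joe K. describes in #4 and #6 and Niclas lists in #8: P/Invoke LogonUser, wrap the token in a WindowsIdentity and WindowsPrincipal, and attach the principal to the request. The class name AdLogon, its method names, the network logon type and the reuse of the "AuthID" session key are assumptions made for this example.

```vb
Imports System
Imports System.ComponentModel
Imports System.Runtime.InteropServices
Imports System.Security.Principal
Imports System.Web

' Hypothetical helper written for this example; not part of ASP.NET.
Public NotInheritable Class AdLogon
    ' Values from winbase.h / winerror.h.
    ' Assumption: a network logon is used here. It is enough for identity and
    ' role checks but returns an impersonation token, not a primary token.
    Private Const LOGON32_LOGON_NETWORK As Integer = 3
    Private Const LOGON32_PROVIDER_DEFAULT As Integer = 0
    Private Const ERROR_LOGON_FAILURE As Integer = 1326

    <DllImport("advapi32.dll", SetLastError:=True, CharSet:=CharSet.Unicode)> _
    Private Shared Function LogonUser(ByVal lpszUsername As String, _
            ByVal lpszDomain As String, ByVal lpszPassword As String, _
            ByVal dwLogonType As Integer, ByVal dwLogonProvider As Integer, _
            ByRef phToken As IntPtr) As Boolean
    End Function

    <DllImport("kernel32.dll", SetLastError:=True)> _
    Private Shared Function CloseHandle(ByVal hObject As IntPtr) As Boolean
    End Function

    Private Sub New()
    End Sub

    ' Returns a WindowsPrincipal for valid credentials, Nothing for a bad
    ' user name or password, and throws for any other failure (for example
    ' the missing privilege on Windows 2000 mentioned in #4).
    Public Shared Function Authenticate(ByVal user As String, _
            ByVal domain As String, ByVal password As String) As WindowsPrincipal
        Dim token As IntPtr = IntPtr.Zero
        If Not LogonUser(user, domain, password, LOGON32_LOGON_NETWORK, _
                         LOGON32_PROVIDER_DEFAULT, token) Then
            Dim err As Integer = Marshal.GetLastWin32Error()
            If err = ERROR_LOGON_FAILURE Then
                Return Nothing
            End If
            Throw New Win32Exception(err)
        End If
        Try
            ' WindowsIdentity duplicates the token handle (.NET 2.0 and
            ' later), so the handle from LogonUser is closed below.
            Return New WindowsPrincipal(New WindowsIdentity(token))
        Finally
            CloseHandle(token)
        End Try
    End Function

    ' Called from the login form's submit handler. Attaches the principal to
    ' the current request and stores it for later requests, which restore it
    ' in PreRequestHandlerExecute as shown in #8.
    Public Shared Function SignIn(ByVal context As HttpContext, _
            ByVal user As String, ByVal domain As String, _
            ByVal password As String) As Boolean
        Dim principal As WindowsPrincipal = Authenticate(user, domain, password)
        If principal Is Nothing Then
            Return False
        End If
        context.User = principal
        ' The principal wraps a token handle that is only valid inside this
        ' worker process, so this relies on in-process session state.
        context.Session("AuthID") = principal
        Return True
    End Function
End Class
```

The password reaches the server in the form post, so the login page should only be served over SSL, the same concern that applies to Basic authentication.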