get WindowsIdentity with forms authentication

Niclas Lindblom

Hi,

I am trying to figure out a way to authenticate against Active Directory and
retrieve a System.Security.Principal.WindowsIdentity object, without having to
see the awful grey Basic Authentication logon box. I have found
documentation that you can send an authentication request programmatically by
using the System.Net.AuthenticationManager.Authenticate method, but I
cannot get this to work and have not found any samples.

Does anyone know a way to authenticate against AD and have your browser
session retrieve an identity using forms?

regards

Niclas
 
Joe Kaplan (MVP - ADSI)

If you want an actual WindowsIdentity object, you must have a logon token
for the user, which means that you will need to call LogonUser with the
user's credentials.

If you would be okay with a GenericIdentity/GenericPrincipal, then you can
create one by authenticating to AD and building those objects yourself.
There is a sample on how to do this with System.DirectoryServices and Forms
authentication in the MS KB:

http://support.microsoft.com/default.aspx?scid=kb;en-us;326340

That article has some flaws in it, but it is an okay starting point. Note
that the recommended way of doing authentication is by using SSPI instead of
System.DirectoryServices with an LDAP bind, but I don't have a good managed
code wrapper example of SSPI. Maybe someone else does?

The disadvantage with the GenericIdentity is that you can't impersonate with
it, but it can be used to drive the security model in your application using
the standard IPrincipal interface.

HTH,

Joe K.
 
MS Newsgroups

Is there no way I can do this and get the same functionality as using Basic
authentication with the grey box (not sure how this works), since this seems
to create a session identity automatically?

Thanks for your help

Niclas
 
Joe Kaplan (MVP - ADSI)

It sounds like you want a WindowsIdentity/logon token for the user, so you
will need to use an API that calls LogonUser. The easy way to do this would
be to build a Forms Auth. system that uses the new constructor on
WindowsIdentity in Framework 1.1 that takes a username and password. Note
that the documentation says that you must be running Win2K3 for this call to
work.

http://msdn.microsoft.com/library/d...WindowsIdentityClassctorTopic5.asp?frame=true

The other option is to P/Invoke LogonUser directly. You need very high
privileges to call this function under Windows 2000 though, so the viability
of this solution may depend on your platform and security needs.

http://msdn.microsoft.com/library/d...ImpersonationContextClassTopic.asp?frame=true

Either of these (which do essentially the same thing under the hood) will
give you the same functionality as Basic authentication (a primary logon
token).

HTH,

Joe K.
 
Niclas Lindblom

Thanks Joe, I have actually looked at this option. What I haven't figured
out yet is how to associate the current user's session with the new
WindowsIdentity object I have created. I have a feeling that I need to use
impersonation, but haven't had time to test this yet.

Am I on the right track, or do you know how to get this working?

Thanks for helping out

Niclas
 
Joe Kaplan (MVP - ADSI)

The normal thing to do would be to create the WindowsIdentity, then to create
a new WindowsPrincipal from that and set the User property on the
HttpContext equal to that. Then the WindowsPrincipal for the current user
will be associated with that request and all of the normal ASP.NET
role-based security will flow from there.

Someone else may need to provide you with more details if that isn't enough
info as I am not a super expert in Forms authentication.

Joe K.
 
Alan Mendelevich

Hi,

I've come to the same solution on my own, but when I assign a WindowsPrincipal
to the User property of HttpContext it gets assigned for the current
request but for the next request it's gone. User.Identity.Name becomes
"Anonymous" again and IsAuthenticated is false. What should I do for this
assignment to persist across requests?

Best regards,
Alan Mendelevich.
 
MS Newsgroups

This is how I did it:

Log on using an API call to get a token, create a new WindowsIdentity object and
create a new WindowsPrincipal

Add the principal to the session with

Session.Add("AuthID", CType(myNewPrincipal, Object))

Change userID for this call with:

Context.User = CType(Session.Item("AuthID"), WindowsPrincipal)

Then I use global.asax to change the identity for every request

Private Sub Global_PreRequestHandlerExecute(ByVal sender As Object, ByVal e As System.EventArgs) Handles MyBase.PreRequestHandlerExecute
    ' Re-attach the principal saved at logon; the key must match the one used in Session.Add above
    If Not Session.Item("AuthID") Is Nothing Then
        Context.User = CType(Session.Item("AuthID"), WindowsPrincipal)
    End If
End Sub

What I have also done, but not included here, is that I save the anonymous
principal to the session before switching, so I can switch back if I would
like the user to be able to perform a log off and continue as anonymous

Any questions,

Let me know

Niclas Lindblom
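
Added example, not part of the original thread or any poster's code: the whole flow discussed above (LogonUser via P/Invoke, WindowsIdentity, WindowsPrincipal, session storage, per-request re-attachment) in one place. The class name AdLogon, the helpers SignIn and Restore, and the choice of logon type are assumptions; TryCast requires VB 2005 / .NET 2.0 or later.

```vb
Imports System
Imports System.Runtime.InteropServices
Imports System.Security.Principal
Imports System.Web

' AdLogon, SignIn and Restore are hypothetical names used for illustration.
Public Class AdLogon
    Private Const LOGON32_LOGON_INTERACTIVE As Integer = 2 ' assumption: yields a primary token
    Private Const LOGON32_PROVIDER_DEFAULT As Integer = 0
    Public Const SessionKey As String = "AuthID"           ' one key, used for both store and load

    <DllImport("advapi32.dll", SetLastError:=True, CharSet:=CharSet.Unicode)> _
    Private Shared Function LogonUser(ByVal user As String, ByVal domain As String, _
        ByVal password As String, ByVal logonType As Integer, _
        ByVal provider As Integer, ByRef token As IntPtr) As Boolean
    End Function

    <DllImport("kernel32.dll", SetLastError:=True)> _
    Private Shared Function CloseHandle(ByVal handle As IntPtr) As Boolean
    End Function

    ' Call from the login form's postback. Returns False when the logon is rejected.
    Public Shared Function SignIn(ByVal ctx As HttpContext, ByVal user As String, _
        ByVal domain As String, ByVal password As String) As Boolean
        Dim token As IntPtr = IntPtr.Zero
        If Not LogonUser(user, domain, password, LOGON32_LOGON_INTERACTIVE, _
                         LOGON32_PROVIDER_DEFAULT, token) Then
            Return False
        End If
        Try
            ' WindowsIdentity duplicates the handle (.NET 2.0 and later), so ours can be closed.
            Dim principal As New WindowsPrincipal(New WindowsIdentity(token))
            ctx.Session(SessionKey) = principal
            ctx.User = principal
        Finally
            CloseHandle(token)
        End Try
        Return True
    End Function

    ' Call from Global_PreRequestHandlerExecute; session state is not loaded before that stage.
    Public Shared Sub Restore(ByVal ctx As HttpContext)
        If ctx.Session Is Nothing Then Return ' handlers without session state
        Dim saved As WindowsPrincipal = TryCast(ctx.Session(SessionKey), WindowsPrincipal)
        If Not saved Is Nothing Then ctx.User = saved
    End Sub
End Class
```

Because the principal is restored at PreRequestHandlerExecute, it is not yet in place when the AuthorizeRequest stage runs, so `<authorization>` rules in web.config are evaluated against the anonymous user and access checks have to be made in page or handler code. The stored token is only meaningful inside the worker process that created it, so this pattern depends on InProc session state.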
 
