Windows authentication in code

Jerry C

I am trying to log in a user to NT on a default.aspx page when the site is
set up to anonymous. I used some code for impersonation and it works for the
default page, but when I redirect to other pages I am back to the anonymous
user for IIS6. How can I get the new impersonated user to be the user for the
session, just as if he was logged on by integrated Windows authentication? It
may be that impersonation is not the way to go. Some code examples may help.
In a post:
Subject: Unable to establish secure connection with the server 6/13/2006
6:19 AM PST

Luke Zhang wrote:
How about this: you may have a main "entry" form where the user can select his
source by himself. For example, he can select whether he is a user with a
companion account, or an AD user who needs to be authenticated with a form.
If the user selects "companion account", you may redirect him to a Windows
authentication webform. For others, redirect him to a login form.


The Windows authentication webform may be the answer. Are there some
examples on how to do this in code so the token or whatever it is called is
passed around to the other pages? I am a little light on this subject.
Thanks
 
Joe Kaplan (MVP - ADSI)

Typically, when you do authentication in code like this, you do it as part
of a forms authentication implementation. Essentially, if you don't want to
do Windows auth with IIS, the browser needs an alternate mechanism like a
cookie (which is what forms auth uses) to reauthenticate on each request.

Why are you doing this though? Why not just use Windows auth?

Joe K.
 
Luke Zhang [MSFT]

Hello Jerry,

If you just want to get a user account name (Windows authenticated), you
may use a cookie/session to store it. Or, use the solution in another thread we
discussed, "Mixing Forms and Windows Security": use "this.User.Identity.Name"
after being authenticated by "winlogin.aspx".

Regards,

Luke Zhang
Microsoft Online Community Lead

==================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
==================================================

(This posting is provided "AS IS", with no warranties, and confers no
rights.)
 
Jerry C

Joe and Luke,

Thank you for the reply. I am using Windows Auth for users that are using IE
and have a companion account or a domain account, and that works OK. Other
users are on Macs, or using IE but do not have Companion accounts on the
server (no domain), or using some other browser that does not log them on.
These users will get the Windows Logon Popup. The customer does not like that
popup and wants these users to go to a different custom logon page that is set
to anonymous and enter a user and password. At this point I have a username
and a password. I do not know how to program a form auth or the cookie to
reauthenticate on each request. Some code examples would help. I don’t have
any experience on how HTTP reauthenticates on each request or programming
authentication or cookies.
 
Joe Kaplan (MVP - ADSI)

I'd really suggest you read up on some of the MSDN samples on forms
authentication. There are plenty of walkthroughs available, and it is
pretty easy to get working. ASP.NET does most of the work for you.

This forum will be more effective for you if you pose specific questions
about things that aren't working.

One thing that is worth knowing is that the ASP.NET pipeline executes for
each request. There are different events on the pipeline, such as
Authenticate and Authorize, that are executed as part of the pipeline each
time. The various authentication modules such as forms and windows handle
these events and handle security accordingly. There have also been some
really useful MSDN articles in the past explaining the ASP.NET pipeline and
illustrating how it works.

Joe K.
 
Jerry C

Thanks for the reply. Here is the code I am trying to get to work. It may
illustrate what I am trying to do. I have hard coded username, domain and
password and left out the "Declare Function" for simplicity. The page is set to
anonymous user and I am trying to log on a user to the workgroup or domain
and create an HTTP context that will authenticate the user on all other pages
for this session, just like integrated Windows authentication. Integrated
Windows authentication is great stuff but other browsers don’t do it and the
customer does not like the default login popup and would like to duplicate
that functionality. I am also linking to another web site (SharePoint on the
same machine) and would like the user to be recognized by that site.

Dim temp2WindowsIdentity As WindowsIdentity
Dim token As IntPtr = IntPtr.Zero

' Log the user on; the resulting token handle is returned in "token".
LogonUserA("Jerry", "CD", "xxxx", LOGON32_LOGON_INTERACTIVE, LOGON32_PROVIDER_DEFAULT, token)

' Wrap the token in a WindowsIdentity and attach it to the current request.
temp2WindowsIdentity = New WindowsIdentity(token, "NTLM", WindowsAccountType.Normal, True)

HttpContext.Current.User = New WindowsPrincipal(temp2WindowsIdentity)

The question is: is this the correct way to do this, and are there other
considerations like how directory security is set in IIS 6.0 and so on?
Just looking for some guidance on this issue.

Thank you.
 
Joe Kaplan (MVP - ADSI)

A couple of things:

I'd suggest checking out the solution MS provides for calling LogonUser in
MSDN under the WindowsImpersonationContext class documentation. That shows
how to properly duplicate the token handle and close it as well. Also, I
think I'd use the "network" or "network cleartext" logon method instead of
interactive as it will be faster.

You will probably want to make this logon routine part of a forms
authentication implementation. The problem you will have though is how to
recreate the token on subsequent page visits. You will either need to cache
the token itself or the user's plaintext credentials so you can regenerate
the token.

Also, I don't know how you'll get this to integrate with SharePoint. It
expects Windows authentication. I'm not aware of any good ways to support
forms authentication with SharePoint except for maybe with ADFS. I think
you might consider going to basic authentication with SSL to get maximum
compatibility across browsers.

Joe K.
 
Jerry C

Joe,

Thank you for the reply. I guess that replicating Windows authentication in
code is not possible.
 
Joe Kaplan (MVP - ADSI)

Well, it is and it isn't. With Windows auth, the browser actually
authenticates on each request. If you use a tool like IE HTTP Headers
(freeware), you'll actually see the authorization header being sent by the
browser on each request. With basic auth, the header is just the username
and password base64 encoded. With IWA, it is either an NTLM
challenge/response or a Kerberos ticket.

Forms auth does something similar in that it generates a cookie for the user
that is used to perform subsequent authentications.

If you aren't using Windows auth, the browser will not send authorization
headers, so you have to rely on a cookie.

The real problem with doing Windows auth in code on top of Forms auth is
that you need a way to generate the logon token in each round trip. I
already discussed two ways you can accomplish that, but neither is perfect.

Joe K.
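
The approach discussed in the replies above (validate the credentials with a network logon, close the token handle, and let a forms authentication cookie carry the identity on later requests), as an added example that is not code from any poster in this thread. The class and method names are hypothetical, and it assumes the application is configured for forms authentication in web.config and that the logon page is served over SSL.

```vb
Imports System
Imports System.Runtime.InteropServices
Imports System.Web.Security

' Added example; WindowsFormsLogin and its members are hypothetical names.
Public NotInheritable Class WindowsFormsLogin
    Private Const LOGON32_LOGON_NETWORK As Integer = 3
    Private Const LOGON32_PROVIDER_DEFAULT As Integer = 0

    <DllImport("advapi32.dll", SetLastError:=True, CharSet:=CharSet.Unicode)> _
    Private Shared Function LogonUser(ByVal user As String, ByVal domain As String, _
        ByVal password As String, ByVal logonType As Integer, _
        ByVal logonProvider As Integer, ByRef token As IntPtr) As Boolean
    End Function

    <DllImport("kernel32.dll", SetLastError:=True)> _
    Private Shared Function CloseHandle(ByVal handle As IntPtr) As Boolean
    End Function

    ' True when Windows accepts the credentials. The token is used only as
    ' proof of a successful logon, so the handle is closed straight away
    ' instead of being cached or leaked.
    Public Shared Function CredentialsAreValid(ByVal user As String, _
        ByVal domain As String, ByVal password As String) As Boolean
        Dim token As IntPtr = IntPtr.Zero
        Try
            Return LogonUser(user, domain, password, LOGON32_LOGON_NETWORK, _
                             LOGON32_PROVIDER_DEFAULT, token)
        Finally
            If token <> IntPtr.Zero Then CloseHandle(token)
        End Try
    End Function

    ' Call from the button handler of the anonymous logon page. On later
    ' requests the forms authentication module validates the cookie and sets
    ' HttpContext.User, so pages read User.Identity.Name. That identity is a
    ' forms identity, not a Windows token: nothing is impersonated.
    Public Shared Function SignIn(ByVal user As String, ByVal domain As String, _
        ByVal password As String) As Boolean
        If Not CredentialsAreValid(user, domain, password) Then Return False
        ' Issue a session (non-persistent) ticket cookie and redirect.
        FormsAuthentication.RedirectFromLoginPage(domain & "\" & user, False)
        Return True
    End Function
End Class
```

Because only the user name travels in the encrypted ticket, neither the password nor the logon token is kept between requests; code that needs a real Windows token on every round trip still faces the trade-off described in the replies.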
 
