windows pass through authentication\authorization....

Discussion in 'ASP .Net Security' started by Ollie, Dec 7, 2004.

  1. Ollie

    Ollie Guest

    I have a requirement for a company intranet where they want to use a single
    sign-on with their windows 2003 domain (AD) so I was thinking of using
    windows authentication in the asp.net application so that I can control
    functionality by the roles the usr is a member of.

    The question I want to know is can I force the popup windows for username,
    password, domain to appear by 'logging' off the user from the website. I
    read some where if I return a "403" in the reponse header it will show the
    dialog and the user will have to enter the information to proceed. I tried
    the following but i only get the 403 error page. So how do I force the popup
    window to appear?

    tried this but only get error page:

    Session.Abandon();
    Response.Clear();
    Response.StatusCode = 403;
    Response.End();


    Cheers in Advance

    Ollie Riches
    Ollie, Dec 7, 2004
    #1
    1. Advertising

  2. Hi Ollie,
    To force Windows POPUP ..Go to IIS under Directory Security turn off
    "Anonymous Access and click integrate Windows Auth..
    DO that to allow Windows Auth to validate against AD..
    For more Questions POST it...
    Enjoy
    PAtrick



    "Ollie" wrote:

    > I have a requirement for a company intranet where they want to use a single
    > sign-on with their windows 2003 domain (AD) so I was thinking of using
    > windows authentication in the asp.net application so that I can control
    > functionality by the roles the usr is a member of.
    >
    > The question I want to know is can I force the popup windows for username,
    > password, domain to appear by 'logging' off the user from the website. I
    > read some where if I return a "403" in the reponse header it will show the
    > dialog and the user will have to enter the information to proceed. I tried
    > the following but i only get the 403 error page. So how do I force the popup
    > window to appear?
    >
    > tried this but only get error page:
    >
    > Session.Abandon();
    > Response.Clear();
    > Response.StatusCode = 403;
    > Response.End();
    >
    >
    > Cheers in Advance
    >
    > Ollie Riches
    >
    >
    >
    Patrick.O.Ige, Dec 7, 2004
    #2
    1. Advertising

  3. Ollie

    Ollie Guest

    did you actually read the question?


    "Patrick.O.Ige" <> wrote in message
    news:...
    > Hi Ollie,
    > To force Windows POPUP ..Go to IIS under Directory Security turn

    off
    > "Anonymous Access and click integrate Windows Auth..
    > DO that to allow Windows Auth to validate against AD..
    > For more Questions POST it...
    > Enjoy
    > PAtrick
    >
    >
    >
    > "Ollie" wrote:
    >
    > > I have a requirement for a company intranet where they want to use a

    single
    > > sign-on with their windows 2003 domain (AD) so I was thinking of using
    > > windows authentication in the asp.net application so that I can control
    > > functionality by the roles the usr is a member of.
    > >
    > > The question I want to know is can I force the popup windows for

    username,
    > > password, domain to appear by 'logging' off the user from the website. I
    > > read some where if I return a "403" in the reponse header it will show

    the
    > > dialog and the user will have to enter the information to proceed. I

    tried
    > > the following but i only get the 403 error page. So how do I force the

    popup
    > > window to appear?
    > >
    > > tried this but only get error page:
    > >
    > > Session.Abandon();
    > > Response.Clear();
    > > Response.StatusCode = 403;
    > > Response.End();
    > >
    > >
    > > Cheers in Advance
    > >
    > > Ollie Riches
    > >
    > >
    > >
    Ollie, Dec 8, 2004
    #3
  4. I haven't actually tried this, but I thought I'd throw an idea at you.

    What if you try sending a 401 instead and add the proper WWW-Authenticate
    header to the response? The header value would depend on what kind of
    authentication you are using, but that might work.

    If it does, let me know as I'm curious.

    Thanks,

    Joe K.

    "Ollie" <> wrote in message
    news:...
    >I have a requirement for a company intranet where they want to use a single
    > sign-on with their windows 2003 domain (AD) so I was thinking of using
    > windows authentication in the asp.net application so that I can control
    > functionality by the roles the usr is a member of.
    >
    > The question I want to know is can I force the popup windows for username,
    > password, domain to appear by 'logging' off the user from the website. I
    > read some where if I return a "403" in the reponse header it will show the
    > dialog and the user will have to enter the information to proceed. I tried
    > the following but i only get the 403 error page. So how do I force the
    > popup
    > window to appear?
    >
    > tried this but only get error page:
    >
    > Session.Abandon();
    > Response.Clear();
    > Response.StatusCode = 403;
    > Response.End();
    >
    >
    > Cheers in Advance
    >
    > Ollie Riches
    >
    >
    Joe Kaplan \(MVP - ADSI\), Dec 8, 2004
    #4
  5. Ollie

    Ollie Guest

    Joe

    Thanks for the reply, I tried changing it to "401" and it forced the popup
    login window to appear and you can enter new credentials, but it does not
    clear out the credentials from the browser cache so you are still
    authenticated as the previous user if you hit 'Cancel', I didn't try it with
    the 'proper' WWW-Authenticate header cos i don't know what that should be -
    do you know at all ?

    nice to see you venture out of the AD newsgroups :)

    Cheers

    Ollie Riches

    "Joe Kaplan (MVP - ADSI)" <> wrote
    in message news:e2RbF$...
    >I haven't actually tried this, but I thought I'd throw an idea at you.
    >
    > What if you try sending a 401 instead and add the proper WWW-Authenticate
    > header to the response? The header value would depend on what kind of
    > authentication you are using, but that might work.
    >
    > If it does, let me know as I'm curious.
    >
    > Thanks,
    >
    > Joe K.
    >
    > "Ollie" <> wrote in message
    > news:...
    >>I have a requirement for a company intranet where they want to use a
    >>single
    >> sign-on with their windows 2003 domain (AD) so I was thinking of using
    >> windows authentication in the asp.net application so that I can control
    >> functionality by the roles the usr is a member of.
    >>
    >> The question I want to know is can I force the popup windows for
    >> username,
    >> password, domain to appear by 'logging' off the user from the website. I
    >> read some where if I return a "403" in the reponse header it will show
    >> the
    >> dialog and the user will have to enter the information to proceed. I
    >> tried
    >> the following but i only get the 403 error page. So how do I force the
    >> popup
    >> window to appear?
    >>
    >> tried this but only get error page:
    >>
    >> Session.Abandon();
    >> Response.Clear();
    >> Response.StatusCode = 403;
    >> Response.End();
    >>
    >>
    >> Cheers in Advance
    >>
    >> Ollie Riches
    >>
    >>

    >
    >
    Ollie, Dec 8, 2004
    #5
  6. The best thing to do is sniff the traffic and look at the headers that are
    sent back. You can also use an http proxy debugger like Fiddler for this.

    Generally, if you use Basic auth, it will be something like Basic
    realm=xxxx, and IWA is Negotiate, but I can't remember the exact syntax of
    either, so you should be sure.

    Half of my life is actually building big ASP.NET applications and doing
    security integration work, so as a result, I follow this group too.

    It may not be the case that you can actually clear out the cache on the
    client without running some client code though. The reprompt may be the
    best you can do.

    Let us know if you find more details.

    Joe K.

    "Ollie" <why do they need this!!!!> wrote in message
    news:%...
    > Joe
    >
    > Thanks for the reply, I tried changing it to "401" and it forced the popup
    > login window to appear and you can enter new credentials, but it does not
    > clear out the credentials from the browser cache so you are still
    > authenticated as the previous user if you hit 'Cancel', I didn't try it
    > with the 'proper' WWW-Authenticate header cos i don't know what that
    > should be - do you know at all ?
    >
    > nice to see you venture out of the AD newsgroups :)
    >
    > Cheers
    >
    > Ollie Riches
    >
    > "Joe Kaplan (MVP - ADSI)" <> wrote
    > in message news:e2RbF$...
    >>I haven't actually tried this, but I thought I'd throw an idea at you.
    >>
    >> What if you try sending a 401 instead and add the proper WWW-Authenticate
    >> header to the response? The header value would depend on what kind of
    >> authentication you are using, but that might work.
    >>
    >> If it does, let me know as I'm curious.
    >>
    >> Thanks,
    >>
    >> Joe K.
    >>
    >> "Ollie" <> wrote in message
    >> news:...
    >>>I have a requirement for a company intranet where they want to use a
    >>>single
    >>> sign-on with their windows 2003 domain (AD) so I was thinking of using
    >>> windows authentication in the asp.net application so that I can control
    >>> functionality by the roles the usr is a member of.
    >>>
    >>> The question I want to know is can I force the popup windows for
    >>> username,
    >>> password, domain to appear by 'logging' off the user from the website. I
    >>> read some where if I return a "403" in the reponse header it will show
    >>> the
    >>> dialog and the user will have to enter the information to proceed. I
    >>> tried
    >>> the following but i only get the 403 error page. So how do I force the
    >>> popup
    >>> window to appear?
    >>>
    >>> tried this but only get error page:
    >>>
    >>> Session.Abandon();
    >>> Response.Clear();
    >>> Response.StatusCode = 403;
    >>> Response.End();
    >>>
    >>>
    >>> Cheers in Advance
    >>>
    >>> Ollie Riches
    >>>
    >>>

    >>
    >>

    >
    >
    Joe Kaplan \(MVP - ADSI\), Dec 8, 2004
    #6
  7. Ollie

    Ollie Guest

    thsnks Joe will have a look later today , I had considered clearing out the
    client cache and I am aware you can do it with an AcitveX control and you
    can also do it with IE6 SP1 (my preferred solution out of the two) and
    javascript I believe.

    http://support.microsoft.com/kb/q195192/#kb1

    http://blogs.msdn.com/kclemson/archive/2003/11/17/53911.aspx

    Cheers

    Ollie Riches

    "Joe Kaplan (MVP - ADSI)" <> wrote
    in message news:%...
    > The best thing to do is sniff the traffic and look at the headers that are
    > sent back. You can also use an http proxy debugger like Fiddler for this.
    >
    > Generally, if you use Basic auth, it will be something like Basic
    > realm=xxxx, and IWA is Negotiate, but I can't remember the exact syntax of
    > either, so you should be sure.
    >
    > Half of my life is actually building big ASP.NET applications and doing
    > security integration work, so as a result, I follow this group too.
    >
    > It may not be the case that you can actually clear out the cache on the
    > client without running some client code though. The reprompt may be the
    > best you can do.
    >
    > Let us know if you find more details.
    >
    > Joe K.
    >
    > "Ollie" <why do they need this!!!!> wrote in message
    > news:%...
    > > Joe
    > >
    > > Thanks for the reply, I tried changing it to "401" and it forced the

    popup
    > > login window to appear and you can enter new credentials, but it does

    not
    > > clear out the credentials from the browser cache so you are still
    > > authenticated as the previous user if you hit 'Cancel', I didn't try it
    > > with the 'proper' WWW-Authenticate header cos i don't know what that
    > > should be - do you know at all ?
    > >
    > > nice to see you venture out of the AD newsgroups :)
    > >
    > > Cheers
    > >
    > > Ollie Riches
    > >
    > > "Joe Kaplan (MVP - ADSI)" <>

    wrote
    > > in message news:e2RbF$...
    > >>I haven't actually tried this, but I thought I'd throw an idea at you.
    > >>
    > >> What if you try sending a 401 instead and add the proper

    WWW-Authenticate
    > >> header to the response? The header value would depend on what kind of
    > >> authentication you are using, but that might work.
    > >>
    > >> If it does, let me know as I'm curious.
    > >>
    > >> Thanks,
    > >>
    > >> Joe K.
    > >>
    > >> "Ollie" <> wrote in message
    > >> news:...
    > >>>I have a requirement for a company intranet where they want to use a
    > >>>single
    > >>> sign-on with their windows 2003 domain (AD) so I was thinking of using
    > >>> windows authentication in the asp.net application so that I can

    control
    > >>> functionality by the roles the usr is a member of.
    > >>>
    > >>> The question I want to know is can I force the popup windows for
    > >>> username,
    > >>> password, domain to appear by 'logging' off the user from the website.

    I
    > >>> read some where if I return a "403" in the reponse header it will show
    > >>> the
    > >>> dialog and the user will have to enter the information to proceed. I
    > >>> tried
    > >>> the following but i only get the 403 error page. So how do I force the
    > >>> popup
    > >>> window to appear?
    > >>>
    > >>> tried this but only get error page:
    > >>>
    > >>> Session.Abandon();
    > >>> Response.Clear();
    > >>> Response.StatusCode = 403;
    > >>> Response.End();
    > >>>
    > >>>
    > >>> Cheers in Advance
    > >>>
    > >>> Ollie Riches
    > >>>
    > >>>
    > >>
    > >>

    > >
    > >

    >
    >
    Ollie, Dec 9, 2004
    #7
  8. Ah, that's a spiffy new feature. I'm going to hang on to that link.

    Thanks for digging that up.

    Cheers,

    Joe K.

    "Ollie" <> wrote in message
    news:uzeyq$...
    > thsnks Joe will have a look later today , I had considered clearing out
    > the
    > client cache and I am aware you can do it with an AcitveX control and you
    > can also do it with IE6 SP1 (my preferred solution out of the two) and
    > javascript I believe.
    >
    > http://support.microsoft.com/kb/q195192/#kb1
    >
    > http://blogs.msdn.com/kclemson/archive/2003/11/17/53911.aspx
    >
    > Cheers
    >
    > Ollie Riches
    >
    > "Joe Kaplan (MVP - ADSI)" <> wrote
    > in message news:%...
    >> The best thing to do is sniff the traffic and look at the headers that
    >> are
    >> sent back. You can also use an http proxy debugger like Fiddler for
    >> this.
    >>
    >> Generally, if you use Basic auth, it will be something like Basic
    >> realm=xxxx, and IWA is Negotiate, but I can't remember the exact syntax
    >> of
    >> either, so you should be sure.
    >>
    >> Half of my life is actually building big ASP.NET applications and doing
    >> security integration work, so as a result, I follow this group too.
    >>
    >> It may not be the case that you can actually clear out the cache on the
    >> client without running some client code though. The reprompt may be the
    >> best you can do.
    >>
    >> Let us know if you find more details.
    >>
    >> Joe K.
    >>
    >> "Ollie" <why do they need this!!!!> wrote in message
    >> news:%...
    >> > Joe
    >> >
    >> > Thanks for the reply, I tried changing it to "401" and it forced the

    > popup
    >> > login window to appear and you can enter new credentials, but it does

    > not
    >> > clear out the credentials from the browser cache so you are still
    >> > authenticated as the previous user if you hit 'Cancel', I didn't try it
    >> > with the 'proper' WWW-Authenticate header cos i don't know what that
    >> > should be - do you know at all ?
    >> >
    >> > nice to see you venture out of the AD newsgroups :)
    >> >
    >> > Cheers
    >> >
    >> > Ollie Riches
    >> >
    >> > "Joe Kaplan (MVP - ADSI)" <>

    > wrote
    >> > in message news:e2RbF$...
    >> >>I haven't actually tried this, but I thought I'd throw an idea at you.
    >> >>
    >> >> What if you try sending a 401 instead and add the proper

    > WWW-Authenticate
    >> >> header to the response? The header value would depend on what kind of
    >> >> authentication you are using, but that might work.
    >> >>
    >> >> If it does, let me know as I'm curious.
    >> >>
    >> >> Thanks,
    >> >>
    >> >> Joe K.
    >> >>
    >> >> "Ollie" <> wrote in message
    >> >> news:...
    >> >>>I have a requirement for a company intranet where they want to use a
    >> >>>single
    >> >>> sign-on with their windows 2003 domain (AD) so I was thinking of
    >> >>> using
    >> >>> windows authentication in the asp.net application so that I can

    > control
    >> >>> functionality by the roles the usr is a member of.
    >> >>>
    >> >>> The question I want to know is can I force the popup windows for
    >> >>> username,
    >> >>> password, domain to appear by 'logging' off the user from the
    >> >>> website.

    > I
    >> >>> read some where if I return a "403" in the reponse header it will
    >> >>> show
    >> >>> the
    >> >>> dialog and the user will have to enter the information to proceed. I
    >> >>> tried
    >> >>> the following but i only get the 403 error page. So how do I force
    >> >>> the
    >> >>> popup
    >> >>> window to appear?
    >> >>>
    >> >>> tried this but only get error page:
    >> >>>
    >> >>> Session.Abandon();
    >> >>> Response.Clear();
    >> >>> Response.StatusCode = 403;
    >> >>> Response.End();
    >> >>>
    >> >>>
    >> >>> Cheers in Advance
    >> >>>
    >> >>> Ollie Riches
    >> >>>
    >> >>>
    >> >>
    >> >>
    >> >
    >> >

    >>
    >>

    >
    >
    Joe Kaplan \(MVP - ADSI\), Dec 9, 2004
    #8
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. Ollie
    Replies:
    8
    Views:
    5,768
    Joe Kaplan \(MVP - ADSI\)
    Dec 9, 2004
  2. Replies:
    2
    Views:
    388
    Mike Mueller
    Jun 22, 2005
  3. DK
    Replies:
    1
    Views:
    359
    Usenet User
    Sep 23, 2008
  4. Bob Osborne
    Replies:
    0
    Views:
    201
    Bob Osborne
    Nov 18, 2003
  5. SeanRW
    Replies:
    1
    Views:
    348
    Dominick Baier [DevelopMentor]
    May 25, 2006
Loading...

Share This Page