WindowsAuthentication from code

[Alan Mendelevich]

Hi,

I'm trying to build a login system where users login via web form, but then
they are logged in as they would with windows authentication only not
involving chalenge/response or basic authentication. I was able to login
user via LogonUser() function and to get WindowsIdentity and
WindowsPrincipal objects. But when I assign WindowsPrincipal object to the
HttpContext.Current.User property it get's assigned
(HttpContext.Current.User.Identity.Name becomes the name of the user and
IsAuthenticated becomes true) but lasts only for the current request. For
the next request HttpContext.Current.User.Identity.Name is Anonymous and
IsAuthenticated is false.

What should I do for this authentication to persist across requests?

Thanks in advance for your help!

Best regards,
Alan Mendelevich

 

[MS Newsgroups]

This is how i done it:

Logon using API call to get a token, create a new WindowsIdentity Object and
create a new Windows principal

Add the principal to the session with

session.add("AuthID", ctype(myNewPrincipal,object))

Change userID for this call with:

context.User = CType(Session.Item("AuthID"), WindowsPrincipal)

Then i use global.asax to change the identity for every request

Private Sub Global_PreRequestHandlerExecute(ByVal sender As Object, ByVal e
As System.EventArgs) Handles MyBase.PreRequestHandlerExecute

If Not Session.Item("AuthIdentity") Is Nothing Then
Context.User = CType(Session.Item("AuthIdentity"),
WindowsPrincipal)
End If

What i have also done, but not included here, is that i save the anonymous
principal to the session before switching, so i can switch back if i would
like the user to be able to perform a log off and continue as anonymous

Any questions,

Let me know

Niclas Lindblom

 

[Alan Mendelevich]

Hi Niclas,

Thanks for the quick reply! As far as I can tell from the code it still is a
workaround. I mean IIS doesn't know that something like windows
authentication occured. What I try to achieve in the long run is that when
users access non-asp.net content protected by IIS with windows
authentication they don't have to enter login information once more.

Best regards,
Alan.

 

[MS Newsgroups]

I agree on that, I have been trying to use impersonation to get the user to
proper WindowsIdentity as seen from IIS but i can not get this to work.

I was thinking a concept like this:

Dim myToken as intPtr

mytoken=logonuser bla bla API call

Dim myNewID as new WindowsIdentity(mytoken)

Dim myNewContext as WindowsImpersonationContext

myNewContext=myNewID.impersonate

I have tested this and also the sample for how to imperonate a specific user
in

http://support.microsoft.com/default.aspx?scid=306158

But i get an "Impersonation Failure" thrown when the contxt is about to
switch. I have given ASPNET account the "Act as part of operating system"
right add added the identity impersonate tag in web.config.

Let me know what you think, or if you have any success with this

Thanks

Niclas

 

[Alan Mendelevich]

I think impersonation is not really what is needed here. As far as I
understand impersonation makes it look like asp.net process is running under
different identity than it's actually is. After putting some thought into
whole this situation I'm leaning toward the conclusion that this kind of a
problem could not be solved. I think that in whole this windows
authentication process not only server but browser should also know that
some authentication has happened. At least in the case of basic
authentication actually browser sends credentials with every request no
matter that the logon dialog is shown only once. So if we "fake" windows
authentication on the server and browser knows nothing about it, then next
request is sent from the browser like nothing happened.

All these are just some random thoughts and I might be wrong. Maybe it's
possible to send some header back to the browser or something like that.
Please, let me know if you find any solution, and I'll let you know if I do.

Best regards,
Alan.