WindowsAuthentication from code

Discussion in 'ASP .Net Security' started by Alan Mendelevich, Oct 14, 2003.

  1. Hi,

    I'm trying to build a login system where users login via web form, but then
    they are logged in as they would with windows authentication only not
    involving chalenge/response or basic authentication. I was able to login
    user via LogonUser() function and to get WindowsIdentity and
    WindowsPrincipal objects. But when I assign WindowsPrincipal object to the
    HttpContext.Current.User property it get's assigned
    (HttpContext.Current.User.Identity.Name becomes the name of the user and
    IsAuthenticated becomes true) but lasts only for the current request. For
    the next request HttpContext.Current.User.Identity.Name is Anonymous and
    IsAuthenticated is false.

    What should I do for this authentication to persist across requests?

    Thanks in advance for your help!

    Best regards,
    Alan Mendelevich
     
    Alan Mendelevich, Oct 14, 2003
    #1
    1. Advertising

  2. This is how i done it:

    Logon using API call to get a token, create a new WindowsIdentity Object and
    create a new Windows principal

    Add the principal to the session with

    session.add("AuthID", ctype(myNewPrincipal,object))

    Change userID for this call with:

    context.User = CType(Session.Item("AuthID"), WindowsPrincipal)

    Then i use global.asax to change the identity for every request

    Private Sub Global_PreRequestHandlerExecute(ByVal sender As Object, ByVal e
    As System.EventArgs) Handles MyBase.PreRequestHandlerExecute

    If Not Session.Item("AuthIdentity") Is Nothing Then
    Context.User = CType(Session.Item("AuthIdentity"),
    WindowsPrincipal)
    End If

    What i have also done, but not included here, is that i save the anonymous
    principal to the session before switching, so i can switch back if i would
    like the user to be able to perform a log off and continue as anonymous

    Any questions,

    Let me know

    Niclas Lindblom


    "Alan Mendelevich" <> wrote in message
    news:...
    > Hi,
    >
    > I'm trying to build a login system where users login via web form, but

    then
    > they are logged in as they would with windows authentication only not
    > involving chalenge/response or basic authentication. I was able to login
    > user via LogonUser() function and to get WindowsIdentity and
    > WindowsPrincipal objects. But when I assign WindowsPrincipal object to the
    > HttpContext.Current.User property it get's assigned
    > (HttpContext.Current.User.Identity.Name becomes the name of the user and
    > IsAuthenticated becomes true) but lasts only for the current request. For
    > the next request HttpContext.Current.User.Identity.Name is Anonymous and
    > IsAuthenticated is false.
    >
    > What should I do for this authentication to persist across requests?
    >
    > Thanks in advance for your help!
    >
    > Best regards,
    > Alan Mendelevich
    >
    >
     
    MS Newsgroups, Oct 14, 2003
    #2
    1. Advertising

  3. Hi Niclas,

    Thanks for the quick reply! As far as I can tell from the code it still is a
    workaround. I mean IIS doesn't know that something like windows
    authentication occured. What I try to achieve in the long run is that when
    users access non-asp.net content protected by IIS with windows
    authentication they don't have to enter login information once more.

    Best regards,
    Alan.

    "MS Newsgroups" <> wrote in message
    news:...
    > This is how i done it:
    >
    > Logon using API call to get a token, create a new WindowsIdentity Object

    and
    > create a new Windows principal
    >
    > Add the principal to the session with
    >
    > session.add("AuthID", ctype(myNewPrincipal,object))
    >
    > Change userID for this call with:
    >
    > context.User = CType(Session.Item("AuthID"), WindowsPrincipal)
    >
    > Then i use global.asax to change the identity for every request
    >
    > Private Sub Global_PreRequestHandlerExecute(ByVal sender As Object, ByVal

    e
    > As System.EventArgs) Handles MyBase.PreRequestHandlerExecute
    >
    > If Not Session.Item("AuthIdentity") Is Nothing Then
    > Context.User = CType(Session.Item("AuthIdentity"),
    > WindowsPrincipal)
    > End If
    >
    > What i have also done, but not included here, is that i save the anonymous
    > principal to the session before switching, so i can switch back if i would
    > like the user to be able to perform a log off and continue as anonymous
    >
    > Any questions,
    >
    > Let me know
    >
    > Niclas Lindblom
    >
    >
    > "Alan Mendelevich" <> wrote in message
    > news:...
    > > Hi,
    > >
    > > I'm trying to build a login system where users login via web form, but

    > then
    > > they are logged in as they would with windows authentication only not
    > > involving chalenge/response or basic authentication. I was able to login
    > > user via LogonUser() function and to get WindowsIdentity and
    > > WindowsPrincipal objects. But when I assign WindowsPrincipal object to

    the
    > > HttpContext.Current.User property it get's assigned
    > > (HttpContext.Current.User.Identity.Name becomes the name of the user and
    > > IsAuthenticated becomes true) but lasts only for the current request.

    For
    > > the next request HttpContext.Current.User.Identity.Name is Anonymous and
    > > IsAuthenticated is false.
    > >
    > > What should I do for this authentication to persist across requests?
    > >
    > > Thanks in advance for your help!
    > >
    > > Best regards,
    > > Alan Mendelevich
    > >
    > >

    >
    >
     
    Alan Mendelevich, Oct 14, 2003
    #3
  4. I agree on that, I have been trying to use impersonation to get the user to
    proper WindowsIdentity as seen from IIS but i can not get this to work.

    I was thinking a concept like this:

    Dim myToken as intPtr

    mytoken=logonuser bla bla API call

    Dim myNewID as new WindowsIdentity(mytoken)

    Dim myNewContext as WindowsImpersonationContext

    myNewContext=myNewID.impersonate

    I have tested this and also the sample for how to imperonate a specific user
    in

    http://support.microsoft.com/default.aspx?scid=306158

    But i get an "Impersonation Failure" thrown when the contxt is about to
    switch. I have given ASPNET account the "Act as part of operating system"
    right add added the identity impersonate tag in web.config.

    Let me know what you think, or if you have any success with this

    Thanks

    Niclas


    "Alan Mendelevich" <> wrote in message
    news:...
    > Hi Niclas,
    >
    > Thanks for the quick reply! As far as I can tell from the code it still is

    a
    > workaround. I mean IIS doesn't know that something like windows
    > authentication occured. What I try to achieve in the long run is that when
    > users access non-asp.net content protected by IIS with windows
    > authentication they don't have to enter login information once more.
    >
    > Best regards,
    > Alan.
    >
    > "MS Newsgroups" <> wrote in message
    > news:...
    > > This is how i done it:
    > >
    > > Logon using API call to get a token, create a new WindowsIdentity Object

    > and
    > > create a new Windows principal
    > >
    > > Add the principal to the session with
    > >
    > > session.add("AuthID", ctype(myNewPrincipal,object))
    > >
    > > Change userID for this call with:
    > >
    > > context.User = CType(Session.Item("AuthID"), WindowsPrincipal)
    > >
    > > Then i use global.asax to change the identity for every request
    > >
    > > Private Sub Global_PreRequestHandlerExecute(ByVal sender As Object,

    ByVal
    > e
    > > As System.EventArgs) Handles MyBase.PreRequestHandlerExecute
    > >
    > > If Not Session.Item("AuthIdentity") Is Nothing Then
    > > Context.User = CType(Session.Item("AuthIdentity"),
    > > WindowsPrincipal)
    > > End If
    > >
    > > What i have also done, but not included here, is that i save the

    anonymous
    > > principal to the session before switching, so i can switch back if i

    would
    > > like the user to be able to perform a log off and continue as anonymous
    > >
    > > Any questions,
    > >
    > > Let me know
    > >
    > > Niclas Lindblom
    > >
    > >
    > > "Alan Mendelevich" <> wrote in message
    > > news:...
    > > > Hi,
    > > >
    > > > I'm trying to build a login system where users login via web form, but

    > > then
    > > > they are logged in as they would with windows authentication only not
    > > > involving chalenge/response or basic authentication. I was able to

    login
    > > > user via LogonUser() function and to get WindowsIdentity and
    > > > WindowsPrincipal objects. But when I assign WindowsPrincipal object to

    > the
    > > > HttpContext.Current.User property it get's assigned
    > > > (HttpContext.Current.User.Identity.Name becomes the name of the user

    and
    > > > IsAuthenticated becomes true) but lasts only for the current request.

    > For
    > > > the next request HttpContext.Current.User.Identity.Name is Anonymous

    and
    > > > IsAuthenticated is false.
    > > >
    > > > What should I do for this authentication to persist across requests?
    > > >
    > > > Thanks in advance for your help!
    > > >
    > > > Best regards,
    > > > Alan Mendelevich
    > > >
    > > >

    > >
    > >

    >
    >
     
    MS Newsgroups, Oct 14, 2003
    #4
  5. I think impersonation is not really what is needed here. As far as I
    understand impersonation makes it look like asp.net process is running under
    different identity than it's actually is. After putting some thought into
    whole this situation I'm leaning toward the conclusion that this kind of a
    problem could not be solved. I think that in whole this windows
    authentication process not only server but browser should also know that
    some authentication has happened. At least in the case of basic
    authentication actually browser sends credentials with every request no
    matter that the logon dialog is shown only once. So if we "fake" windows
    authentication on the server and browser knows nothing about it, then next
    request is sent from the browser like nothing happened.

    All these are just some random thoughts and I might be wrong. Maybe it's
    possible to send some header back to the browser or something like that.
    Please, let me know if you find any solution, and I'll let you know if I do.

    Best regards,
    Alan.

    "MS Newsgroups" <> wrote in message
    news:...
    > I agree on that, I have been trying to use impersonation to get the user

    to
    > proper WindowsIdentity as seen from IIS but i can not get this to work.
    >
    > I was thinking a concept like this:
    >
    > Dim myToken as intPtr
    >
    > mytoken=logonuser bla bla API call
    >
    > Dim myNewID as new WindowsIdentity(mytoken)
    >
    > Dim myNewContext as WindowsImpersonationContext
    >
    > myNewContext=myNewID.impersonate
    >
    > I have tested this and also the sample for how to imperonate a specific

    user
    > in
    >
    > http://support.microsoft.com/default.aspx?scid=306158
    >
    > But i get an "Impersonation Failure" thrown when the contxt is about to
    > switch. I have given ASPNET account the "Act as part of operating system"
    > right add added the identity impersonate tag in web.config.
    >
    > Let me know what you think, or if you have any success with this
    >
    > Thanks
    >
    > Niclas
    >
    >
    > "Alan Mendelevich" <> wrote in message
    > news:...
    > > Hi Niclas,
    > >
    > > Thanks for the quick reply! As far as I can tell from the code it still

    is
    > a
    > > workaround. I mean IIS doesn't know that something like windows
    > > authentication occured. What I try to achieve in the long run is that

    when
    > > users access non-asp.net content protected by IIS with windows
    > > authentication they don't have to enter login information once more.
    > >
    > > Best regards,
    > > Alan.
    > >
    > > "MS Newsgroups" <> wrote in message
    > > news:...
    > > > This is how i done it:
    > > >
    > > > Logon using API call to get a token, create a new WindowsIdentity

    Object
    > > and
    > > > create a new Windows principal
    > > >
    > > > Add the principal to the session with
    > > >
    > > > session.add("AuthID", ctype(myNewPrincipal,object))
    > > >
    > > > Change userID for this call with:
    > > >
    > > > context.User = CType(Session.Item("AuthID"), WindowsPrincipal)
    > > >
    > > > Then i use global.asax to change the identity for every request
    > > >
    > > > Private Sub Global_PreRequestHandlerExecute(ByVal sender As Object,

    > ByVal
    > > e
    > > > As System.EventArgs) Handles MyBase.PreRequestHandlerExecute
    > > >
    > > > If Not Session.Item("AuthIdentity") Is Nothing Then
    > > > Context.User = CType(Session.Item("AuthIdentity"),
    > > > WindowsPrincipal)
    > > > End If
    > > >
    > > > What i have also done, but not included here, is that i save the

    > anonymous
    > > > principal to the session before switching, so i can switch back if i

    > would
    > > > like the user to be able to perform a log off and continue as

    anonymous
    > > >
    > > > Any questions,
    > > >
    > > > Let me know
    > > >
    > > > Niclas Lindblom
    > > >
    > > >
    > > > "Alan Mendelevich" <> wrote in message
    > > > news:...
    > > > > Hi,
    > > > >
    > > > > I'm trying to build a login system where users login via web form,

    but
    > > > then
    > > > > they are logged in as they would with windows authentication only

    not
    > > > > involving chalenge/response or basic authentication. I was able to

    > login
    > > > > user via LogonUser() function and to get WindowsIdentity and
    > > > > WindowsPrincipal objects. But when I assign WindowsPrincipal object

    to
    > > the
    > > > > HttpContext.Current.User property it get's assigned
    > > > > (HttpContext.Current.User.Identity.Name becomes the name of the user

    > and
    > > > > IsAuthenticated becomes true) but lasts only for the current

    request.
    > > For
    > > > > the next request HttpContext.Current.User.Identity.Name is Anonymous

    > and
    > > > > IsAuthenticated is false.
    > > > >
    > > > > What should I do for this authentication to persist across requests?
    > > > >
    > > > > Thanks in advance for your help!
    > > > >
    > > > > Best regards,
    > > > > Alan Mendelevich
    > > > >
    > > > >
    > > >
    > > >

    > >
    > >

    >
    >
     
    Alan Mendelevich, Oct 14, 2003
    #5
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. Ron
    Replies:
    1
    Views:
    2,709
    Showjumper
    Jun 24, 2003
  2. Ian
    Replies:
    0
    Views:
    1,391
  3. Ben Miller [msft]

    Re: Code Behind vs. no code behind: error

    Ben Miller [msft], Jun 27, 2003, in forum: ASP .Net
    Replies:
    1
    Views:
    607
    Alphonse Giambrone
    Jun 28, 2003
  4. =?Utf-8?B?Q2FybG8gTWFyY2hlc29uaQ==?=

    Fire Code behind code AND Javascript code associated to a Button Click Event

    =?Utf-8?B?Q2FybG8gTWFyY2hlc29uaQ==?=, Feb 10, 2004, in forum: ASP .Net
    Replies:
    4
    Views:
    21,255
    =?Utf-8?B?Q2FybG8gTWFyY2hlc29uaQ==?=
    Feb 11, 2004
  5. keithb
    Replies:
    1
    Views:
    931
    Bruce Barker
    Mar 29, 2006
Loading...

Share This Page