Windows authentication

[Bob Everland]

I have an application that is ISAPI and the only way to
secure it is through NT permissions. I need to have a way
to login to windows authentication so that when I get to
the ISAPI application no boxes come up. I want an ASP page
to sit between the user and the ISAPI application. The
rest of my application is using authentication that is
database driven and wouldn't want the users to know the
userid and password. Is this possible? If so how would I
accomplish it.

 

[Guest]

Could you use integrated authentication if the users are using IE?

 

[Guest]

Well I'm trying to get away from the user having to do
anything because this is our extranet so out customers
would be forced to touch the browser. I just want to make
a script that allows for seemless login. Heck I don't even
care if I have to pass something through url parameters.


Bob

 

[bOB EVERLAND]

Ok I now know that is has to do with me setting the
request headers so that my browser will cache them. Has
anyone dont anything like this before?
http://www.ietf.org/rfc/rfc2617.txt

 

[Guest]

I mean't enable integrated authentication for the web site in the web site
properties in IIS. So long as internet explorer is enabled to use
integrated authentication (tools, options, advanced) the NT username will be
sent to the web server automatically without the user doing anything. The
user name can be retrieved if needed using server variables:

USERNAME: Request.ServerVariables("AUTH_USER")

Here's some info cut from iis help:

Integrated Windows Authentication
Integrated Windows authentication (formerly called NTLM or Windows NT
Challenge/Response authentication) is a secure form of authentication
because the user name and password are not sent across the network. When you
enable integrated Windows authentication, the user's browser proves its
knowledge of the password through a cryptographic exchange with your Web
server, involving hashing.

Integrated Windows authentication can use both the Kerberos v5
authentication protocol and its own challenge/response authentication
protocol. If Directory Services is installed on the server, and the browser
is compatible with the Kerberos v5 authentication protocol, both the
Kerberos v5 protocol and the challenge/response protocol are used; otherwise
only the challenge/response protocol is used.

The Kerberos v5 authentication protocol is a feature of the Windows 2000
Distributed Services architecture. In order for Kerberos v5 authentication
to be successful, both the client and server must have a trusted connection
to a Key Distribution Center (KDC) and be Directory Services compatible. For
more information about the protocol, see the Windows documentation.

Integrated Windows authentication proceeds as follows:

1.. Unlike Basic authentication, it does not initially prompt users for a
user name and password. The current Windows user information on the client
computer is used for the integrated Windows authentication.
Note Internet Explorer, version 4.0 and later, can be configured to
initially prompt for user information if needed. For more information, see
the Internet Explorer documentation.

2.. However, if the authentication exchange initially fails to identify
the user, the browser will prompt the user for a Windows user account user
name and password, which it will process by using integrated Windows
authentication.
3.. Internet Explorer will continue to prompt the user until the user
enters a valid user name and password, or closes the prompt dialog box.
Although integrated Windows authentication is secure, it does have two
limitations.

1.. Only Microsoft Internet Explorer, version 2.0 or later, supports this
authentication method.
2.. Integrated Windows authentication does not work over HTTP Proxy
connections.
Therefore, integrated Windows authentication is best suited for an intranet
environment, where both user and Web server computers are in the same
domain, and where administrators can ensure that every user has Microsoft
Internet Explorer, version 2.0 or later.

Regards

Paul

 

[Jonathan S.]

Hi Paul,

Funny you should write about this, because I'm in the process of
implementing something similar to what you've outlined below. I do have
one question for you, though - how can you log the user out once in?

For example, if I visit my intranet site, I'm greeted by the log on box
asking for my credentials.. however, the browser won't prompt for
credentials again until the browser is closed and re-opened. I'd like to
provide a log-off button, though. Any ideas?

Thanks!

Jonathan

 

[Guest]

Hi Jonathan

I don't believe there is a log off command you can use but you could have a
button on the web page which sets all the objects related to the user to
nothing and then redirects to your logon page.

Regards

Paul

 

[Rian Real]

Great Post Paul!

Question: If the user does not get validated automatically, is there a
way to display a custom logon form instead of the popup microsoft
window?

Basically, I want to auto-log a known user using the method you
described, but if they fail, I want to authenticate them against my sql
database.

Is there an event launched when an auto-logon fails?

Thanks