Re: Authentication Nightmare

From: "bruce barker" <nospam_brubar@safeco.com>
Date: Thu, 26 Sep 2002 09:41:19 -0700


ASP.NET security only applies to ASP.NET pages. If the user references any
non-ASP.NET file (say foo.htm or foo.txt), IIS security takes over. If you
want ASP.NET security for a whole dir, you need to set ASP.NET, which is
implemented as an IIS filter, to filter all files. Under site properties, look
at AppMappings.

-- bruce (sqlwork.com)

"Terry Horner" <hornertl@mentorschools.org> wrote in message
news:uGqwGwWZCHA.1560@tkmsftngp10...
> I've been going round and round with this authentication business to no
> avail. Here's what I'm trying to do:
>
> 1. I have a basic login page in which the user enters their username and
> password (http://www.mysite.com/login.aspx).
> 2. The user is authenticated against active directory which works fine
> (let's use user jdoe).
> 3. The user is then redirected to a personal directory
> (http://www.mysite.com/jdoe) which is protected by NTFS security
> permissions.
>
> The place where I'm running into problems is number three. I need for the
> user to be able to have access to their home directory without having to
> login again via the NT challenge/response once they have already logged in
> via login.aspx. I've tried every combination of settings in IIS and none
> seem to work. Here's the things I've tried:
>
> --------------------------------------------------------------------------
> 1.  Impersonation.  I have been successful in impersonating users based on
> credentials, however I continue to get the challenge/response while I'm
> impersonating the user and trying to redirect to their personal directory.
> I successfully logon by using the advapi32.dll library during this process.
>
> Code:
> IntPtr nptrUserToken1;
>
> bool bLoggedOn = LogonUser(this.UserName,this.Domain,this.Password,3,0,out nptrUserToken1);
>
> int nptrUserToken3 = (int) nptrUserToken1;
> IntPtr nptrUserToken2 = new IntPtr(nptrUserToken3);
>
> WindowsIdentity widCurrentIdentity = WindowsIdentity.GetCurrent();
> WindowsIdentity widTempIdentity = new WindowsIdentity(nptrUserToken2);
> WindowsImpersonationContext wicIdentity = widTempIdentity.Impersonate();
> WindowsIdentity widNewIdentity = WindowsIdentity.GetCurrent();
> --------------------------------------------------------------------------
>
> 2.  NetworkCredentials.  I have tried using a WebResponse to scrape a
> specific page in directory and emulate the content using index.aspx. Still
> I get a challenge/response.
>
> Code:
> NetworkCredential netcCredential = new NetworkCredential(this.UserName,this.Password,this.Domain);
> CredentialCache credcCache = new CredentialCache();
> Uri uriMail = new Uri("http://www.mysite.com/" + this.UserName + "/");
> credcCache.Add(uriMail,"Ntlm",netcCredential);
> WebRequest webRequest = WebRequest.Create(uriMail);
> webRequest.Credentials = credcCache;
> webRequest.PreAuthenticate = true;
>
> // Screen scrape code goes here
> --------------------------------------------------------------------------
>
> 3.  GenericPrincipal.  I've set the HttpContext.Current.User to the
> impersonated windows user after authentication and still receive the
> challenge/response.
>
> Code:
> GenericIdentity gpIdentity = new GenericIdentity(widNewIdentity.Name,"Ntlm");
>
> String[] userRoles = {"clientuser"};
> HttpContext.Current.User = new GenericPrincipal(gpIdentity,userRoles);
> --------------------------------------------------------------------------
>
> The code above is pretty much verbatim from various sites and newsgroups.
> What am I missing?  Can I add authentication to the response headers for
> each individual page?  Do I need to?
>
> I'll give my first born to someone that can help me find the answer!
> Thanks!
>
> Terry
>
>
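
One way to apply the reply's advice to the per-user directories in the question, as an added example that is not code from either poster: an ASP.NET HTTP module that admits only the logged-in user to the directory bearing their name. It assumes forms authentication through login.aspx with the bare username (jdoe) as the ticket name, that IIS hands every file type in the site to ASP.NET as the reply describes, and a hypothetical class name registered under <httpModules> in web.config.

```csharp
using System;
using System.Globalization;
using System.Web;

// Added example; the class name is hypothetical.
public class HomeDirectoryModule : IHttpModule
{
    public void Init(HttpApplication app)
    {
        app.AuthorizeRequest += new EventHandler(OnAuthorizeRequest);
    }

    public void Dispose() { }

    // Returns the first directory below the application root ("jdoe" for
    // "/jdoe/notes.txt"), or null for files in the root such as /login.aspx.
    public static string OwnerOf(string path, string appPath)
    {
        string rel = path.Substring(appPath.Length).TrimStart('/');
        int slash = rel.IndexOf('/');
        return slash > 0 ? rel.Substring(0, slash) : null;
    }

    private void OnAuthorizeRequest(object sender, EventArgs e)
    {
        HttpApplication app = (HttpApplication)sender;
        HttpContext ctx = app.Context;
        string owner = OwnerOf(ctx.Request.Path, ctx.Request.ApplicationPath);
        if (owner == null) return;            // not inside a home directory

        if (ctx.User == null || !ctx.User.Identity.IsAuthenticated)
        {
            // With forms authentication, a 401 is turned into a redirect
            // to the configured login page at the end of the request.
            ctx.Response.StatusCode = 401;
            app.CompleteRequest();
            return;
        }

        // Assumption: the forms ticket name equals the directory name.
        bool isOwner = String.Compare(ctx.User.Identity.Name, owner,
                                      true, CultureInfo.InvariantCulture) == 0;
        if (!isOwner)
        {
            ctx.Response.StatusCode = 403;    // logged in, but not their directory
            app.CompleteRequest();
        }
    }
}
```

Files whose extensions are not mapped to ASP.NET never reach this module; IIS serves them under its own security, which is the behaviour the reply describes.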

