Re: Authentication via AD

From: VK (VK_at_discussions.microsoft.com)
Date: 05/19/05


Date: Thu, 19 May 2005 14:04:02 -0700

I understand. Well, I will wait till we AD running and then see from there.
Can I also force the user to login only when he requests ONLY page x.aspx ?

"Joe Kaplan (MVP - ADSI)" wrote:

> That's a different problem entirely. :)
>
> Once you actually have AD up and running, you would typically do this kind
> of stuff via LDAP. LDAP IS the normal query mechanism for AD.
>
> Essentially, you need to find the user in the directory given whatever name
> they used for login and query whatever attributes you need. The normal
> issues here are what account you want to use to query AD. Do you want to
> use the user's security context in a delegation scenario or do you want to
> use a fixed service account? There are many many threads on this exact
> topic in microsoft.public.adsi.general that you can google for.
>
> Joe K.
>
> "VK" <VK@discussions.microsoft.com> wrote in message
> news:5252024C-C76A-4B03-A41E-CA60ACA5D4E1@microsoft.com...
> > Well that seems to work. Many many thanks buddy! I have another additional
> > question.
> >
> > Can I now get access to the users data from the AD - like Fullname, email
> > phone etc?
> >
> > Regards
> >
> > "Joe Kaplan (MVP - ADSI)" wrote:
> >
> >> As long as the web server is a member of the domain you want to
> >> authenticate
> >> against, you should be able to use IIS to authenticate those members. It
> >> should work if the domain is NT4 or AD. The key is that the IIS box is a
> >> member server.
> >>
> >> Whether you use digest, basic or IWA is up to you. There are good and
> >> bad
> >> points about each one. I'm not really familiar with Digest, so I'm not
> >> sure
> >> how to advise you on the proper use of the realm parameter.
> >>
> >> Joe K.
> >>
> >> "VK" <VK@discussions.microsoft.com> wrote in message
> >> news:9D0A7A81-FA6E-4E13-8C59-9D05B9EF1431@microsoft.com...
> >> > Thanks for the help buddy. I am assuming that it will automatically
> >> > authenticate via the AD now. I have checked: "Digest authentication..."
> >> > and
> >> > "Integrated Windows Authentication". Furtheremore I disabled "Anonymous
> >> > access". Do I have to enter the domain in the "realm" field?
> >> >
> >> > Anyhow my administrator told me that we are not completely on AD yet,
> >> > we
> >> > are
> >> > in kind of mixed mode with NT4 and therefore I am not sure if that all
> >> > will
> >> > work or not. We are switching next week completely to AD and then I
> >> > will
> >> > have
> >> > to test this more. I will let you know next week how the test went. I
> >> > would
> >> > like to thank you for all the help.
> >> >
> >> > Regards
> >> >
> >> > "Joe Kaplan (MVP - ADSI)" wrote:
> >> >
> >> >> Ok, so you don't want to do any programmatic authentication at all.
> >> >> Just
> >> >> let Windows, IIS and the browser take care of it for you.
> >> >>
> >> >> If you configure ASP.NET for Windows authentication in web.config and
> >> >> configure IIS for Windows auth (uncheck anonymous, check basic/digest
> >> >> or
> >> >> IWA, depending on what you want), and you should be good to go.
> >> >>
> >> >> To do role-based authorization in your application, just use the
> >> >> Context.User object. This contains an IPrincipal object that will be
> >> >> a
> >> >> WindowsPrincipal. Use it's IsInRole method to check the user's group
> >> >> membership for your security decisions. You can also use the <allow/>
> >> >> and
> >> >> <deny/> tags in web.config to configure access to specific pages
> >> >> declaratively.
> >> >>
> >> >> HTH,
> >> >>
> >> >> Joe K.
> >> >>
> >> >> "VK" <VK@discussions.microsoft.com> wrote in message
> >> >> news:13AE88A4-3BFF-473A-B3F6-2BE28D1FC7B3@microsoft.com...
> >> >> > Forgot to mention. I already can see the popup which asks for the
> >> >> > user
> >> >> > and
> >> >> > pw, but the title of the window says:
> >> >> >
> >> >> > "Connect to SystemName"
> >> >> >
> >> >> > Shouldnt it say: "Connect to domainName" ?
> >> >> >
> >> >> > I am testing all this locally right now. I dont want to put
> >> >> > something
> >> >> > on
> >> >> > the
> >> >> > server that doesnt work.
> >> >> >
> >> >> > Thanks again
> >> >> >
> >> >> > "Joe Kaplan (MVP - ADSI)" wrote:
> >> >> >
> >> >> >> It really depends on what your application is. You haven't
> >> >> >> explained
> >> >> >> at
> >> >> >> all
> >> >> >> what you are building. Is it a normal web application or something
> >> >> >> else?
> >> >> >> Can it use IIS/Windows for authentication or does it need to be
> >> >> >> forms
> >> >> >> authentication?
> >> >> >>
> >> >> >> Joe K.
> >> >> >>
> >> >> >> "VK" <VK@discussions.microsoft.com> wrote in message
> >> >> >> news:34E8EFE5-9C6C-4C4F-B64F-F89EB8736827@microsoft.com...
> >> >> >> > Thanks Joe for the reply. Can you point me to some URLs which
> >> >> >> > shows
> >> >> >> > how
> >> >> >> > to
> >> >> >> > use authenticate with AD? Also what do you mean wit:
> >> >> >> >
> >> >> >> >> Another good option is to let Windows authenticate for you.
> >> >> >> >> Depending
> >> >> >> >> on
> >> >> >> >> your application architecture (you don't specify), this may or
> >> >> >> >> may
> >> >> >> >> not
> >> >> >> >> be
> >> >> >> >> possible.
> >> >> >> >
> >> >> >> > I am kind of new in authentication. Thanks for any suggestions.
> >> >> >> >
> >> >> >> > "Joe Kaplan (MVP - ADSI)" wrote:
> >> >> >> >
> >> >> >> >> The preferred method of authenticating against AD is to us the
> >> >> >> >> SSPI
> >> >> >> >> API
> >> >> >> >> with
> >> >> >> >> the negotiate protocol. This is easy to do in .NET 2.0 with the
> >> >> >> >> NegotiateStream class, but requires some significant p/invoke in
> >> >> >> >> .NET
> >> >> >> >> 1.x.
> >> >> >> >> There are samples online though.
> >> >> >> >>
> >> >> >> >> Another good option is to let Windows authenticate for you.
> >> >> >> >> Depending
> >> >> >> >> on
> >> >> >> >> your application architecture (you don't specify), this may or
> >> >> >> >> may
> >> >> >> >> not
> >> >> >> >> be
> >> >> >> >> possible.
> >> >> >> >>
> >> >> >> >> LDAP should be possible if you have AD as it supports LDAP
> >> >> >> >> natively.
> >> >> >> >> However, I'd recommend avoiding LDAP authentication unless you
> >> >> >> >> have
> >> >> >> >> to
> >> >> >> >> use
> >> >> >> >> it.
> >> >> >> >>
> >> >> >> >> Joe K.
> >> >> >> >>
> >> >> >> >> "VK" <VK@discussions.microsoft.com> wrote in message
> >> >> >> >> news:0525D57E-3385-44AC-B588-C44526AB808E@microsoft.com...
> >> >> >> >> > Hello,
> >> >> >> >> >
> >> >> >> >> > I want to authenitcate my users against the Active Directory.
> >> >> >> >> > Do
> >> >> >> >> > I
> >> >> >> >> > have
> >> >> >> >> > to
> >> >> >> >> > go through the LDAP to do that? We are not using LDAP. I have
> >> >> >> >> > googled
> >> >> >> >> > and
> >> >> >> >> > found several examples - however they all use LDAP.
> >> >> >> >> >
> >> >> >> >> > Any suggestions?
> >> >> >> >> > Thanks
> >> >> >> >>
> >> >> >> >>
> >> >> >> >>
> >> >> >>
> >> >> >>
> >> >> >>
> >> >>
> >> >>
> >> >>
> >>
> >>
> >>
>
>
>



Relevant Pages

  • RE: Web query problem when password required
    ... Madhan, ... The problem with login is solved but the problem with query is not yet ... .WebDisableDateRecognition = False ...
    (microsoft.public.excel.programming)
  • Re: Query on SQL Server 2000 Linked Table Doesnt Provide Correct Results
    ... You may be able to use Lenin a calculated query field to determine if the count of characters is not what you expect. ... I have some backend tables in a SQL Server 2000 Database linked into ... User daemon value rlogin is true ... User bin value login is true ...
    (microsoft.public.access.queries)
  • RE: constructing a http request using LWP..
    ... but i have to do this on linux. ... With this you don't have to worry about constructing the query string. ... is it possible to automate the login and log out say from yahoo mail ...
    (perl.beginners)
  • Re: OReilly interview with Date
    ... globally unique. ... > But anyway, moving forward, a query is just a list of desired columns (we ... > column {login;} ... is it (bugid, login_rep, login_own)? ...
    (comp.databases.theory)
  • Re: constructing a http request using LWP..
    ... but i have to do this on linux. ... With this you don't have to worry about constructing the query string. ... is it possible to automate the login and log out say from yahoo mail ... request alongwith few query parameters. ...
    (perl.beginners)