Re: Basic Authentication/Custom Login page

From: mike (milop_at_slomins.com)
Date: 09/16/05


Date: Fri, 16 Sep 2005 08:53:30 -0400

Hi again, Dominick.

Maybe you can help. After calling LogonUser I try to retrieve the roles of
the user and GetLastError issues error #5: Access Denied. I'm also getting
error code 0 and the message (from the exception): "An operations error
occurred".

After LogonUser is called I can see from the Security log that the user is
logged on.

Here's the code:

Imports System.DirectoryServices
Imports System.Runtime.InteropServices
Imports System.Text

' _path (the LDAP path to search) and _filterAttribute (the user's cn) are
' fields of the enclosing class; if _filterAttribute can come from user
' input it must be LDAP-escaped before being placed in the filter.
Public Function GetGroups() As String

    Dim lasterror As Integer
    Dim search As DirectorySearcher = New DirectorySearcher(_path)
    search.Filter = "(cn=" + _filterAttribute + ")"
    search.PropertiesToLoad.Add("memberOf")
    Dim groupNames As StringBuilder = New StringBuilder

    Try
        Dim result As SearchResult = search.FindOne
        If result Is Nothing Then
            Return Nothing  ' no object matched the filter
        End If

        Dim propertyCount As Integer = result.Properties("memberOf").Count
        Dim dn As String
        Dim equalsIndex As Integer
        Dim commaIndex As Integer
        Dim propertyCounter As Integer

        ' Each memberOf value is a group DN such as
        ' "CN=Sales,OU=Groups,DC=example,DC=com"; keep the text between the
        ' first "=" and the following "," (the group's CN).
        For propertyCounter = 0 To propertyCount - 1
            dn = CStr(result.Properties("memberOf")(propertyCounter))
            equalsIndex = dn.IndexOf("=")
            If equalsIndex = -1 Then
                Return Nothing  ' original returned vbNull, an Integer, not a String
            End If
            commaIndex = dn.IndexOf(",", equalsIndex + 1)
            If commaIndex = -1 Then
                commaIndex = dn.Length  ' single-component DN, no trailing ","
            End If
            groupNames.Append(dn.Substring(equalsIndex + 1, commaIndex - equalsIndex - 1))
            groupNames.Append("|")
        Next

    Catch ex As Exception
        ' managed equivalent of the GetLastError declaration used originally
        lasterror = Marshal.GetLastWin32Error()
        Throw New Exception("Error obtaining group names. " + ex.Message + _
            ", last error code was: " + lasterror.ToString, ex)
    End Try

    Return groupNames.ToString

End Function

Any ideas?

Thanks - Mike

"Dominick Baier [DevelopMentor]" <dbaier@pleasepleasenospamdevelop.com>
wrote in message news:42565460e27e78c788217787d41e@news.microsoft.com...

> Hello Mike,
>
> well - there are some steps necessary
>
> a) enable anonymous again
> b) enable forms auth
> c) validate the user against AD (e.g. using LogonUser) in your logon page
> d) issue the auth cookie yourself - remember the user password somehow
> e) Handle Authenticate_Request or FormsAuthentication_Authenticate (not
> sure which one is better) - call LogonUser to get a token, wrap the token
> in a WindowsIdentity, wrap WindowsIdentity with WindowsPrincipal, replace
> Context.User
>
> that should work.
>
> ---------------------------------------
> Dominick Baier - DevelopMentor
> http://www.leastprivilege.com
>
>> HI, Dominick. Thanks for responding.
>>
>> You said that I "can get rid of the windows dialog, even with basic",
>> my question is "How"?
>>
>> Thanks again,
>>
>> Mike
>>
>> "Dominick Baier [DevelopMentor]"
>> <dbaier@pleasepleasenospamdevelop.com> wrote in message
>> news:42565460e24e98c7881a0ced000e@news.microsoft.com...
>>
>>> Hello Mike,
>>>
>>> a) you can get rid of the windows dialog, even with basic - but that
>>> means calling LogonUser to authenticate against AD, which would also
>>> give you a token to construct a WindowsPrincipal for "delegation"
>>>
>>> b) in theory you can also use integrated and configure IE to send
>>> credentials automatically (theory=users must be logged onto the
>>> domain - keep alives have to be enabled between web server and
>>> client)
>>>
>>> ---------------------------------------
>>> Dominick Baier - DevelopMentor
>>> http://www.leastprivilege.com
>>>> Hi, Dominick.
>>>>
>>>> The application is intended for our salesmen, and they are domain
>>>> users, and therefore I would like to use the WindowsPrincipal object
>>>> instead of GenericPrinciple, for purposes of delegation.
>>>>
>>>> Although Basic Auth would only "natively" give me a one-hop
>>>> delegate, I would still like to have IIS authenticate against Active
>>>> Directory.
>>>>
>>>> Of course, if one of the "higher-ups" insists on a friendly-looking
>>>> sign-in page, then Forms Authentication will be the way.
>>>>
>>>> Mike
>>>>
>>>> "Dominick Baier [DevelopMentor]"
>>>> <dbaier@pleasepleasenospamdevelop.com> wrote in message
>>>> news:42565460e13038c7879f4a33eef0@news.microsoft.com...
>>>>
>>>>> Hello WJ,
>>>>>
>>>>> what do you mean by "does not protect you system"?? can you
>>>>> elaborate?
>>>>>
>>>>> it is all a matter of where you store your user accounts, if you
>>>>> store them in some windows backed store (LSA, Domain) then you have
>>>>> to resort to some IIS authentication. And basic is the one with the
>>>>> broadest compatibility. Of course, keep in mind that basic auth
>>>>> transmits the password in clear text, so you HAVE to layer SSL over
>>>>> basic auth.
>>>>>
>>>>> One gotcha is, that you have to live with the window login dialog -
>>>>> i can give you code to do that, if you really want to go this
>>>>> route. But this would mean that you have to do auth yourself.
>>>>>
>>>>> Another option is to use Forms Authentication, typically with user
>>>>> accounts stored in a database. This allows out of the box to
>>>>> provide your own login UI - again you have to do auth yourself.
>>>>>
>>>>> maybe this clears it up a little bit. feel free to ask.
>>>>>
>>>>> ---------------------------------------
>>>>> Dominick Baier - DevelopMentor
>>>>> http://www.leastprivilege.com
>>>>>> Forms Authentication will serve your purpose as this requires
>>>>>> Anonymous instead of Basic. Keep in mind that Basic Auth. does not
>>>>>> protect your system.
>>>>>>
>>>>>> John
>>>>>>
>>>>>> "mike" <milop@slomins.com> wrote in message
>>>>>> news:O5nJ84VuFHA.4080@TK2MSFTNGP12.phx.gbl...
>>>>>>> Hello.
>>>>>>>
>>>>>>> I'm creating a site that has basic authentication. Is it possible
>>>>>>> to have a custom login page display instead of the Windows login
>>>>>>> page?
>>>>>>>
>>>>>>> Thanks in advance,
>>>>>>>
>>>>>>> Mike
>>>>>>>
>
>
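Dominick's steps c) and d) above, written out as an added VB.NET example (not code from this thread or from DevelopMentor): LogonUser produces a token, which is wrapped in a WindowsIdentity and a WindowsPrincipal and installed as Context.User. It assumes an ASP.NET application referencing System.Web; where the logon page keeps the credentials between requests is left to the application.

```vb
Imports System
Imports System.Net
Imports System.Runtime.InteropServices
Imports System.Security.Principal
Imports System.Web

Public Class DomainLogon
    ' Win32 calls behind step c): LogonUser yields a token, CloseHandle releases it.
    <DllImport("advapi32.dll", SetLastError:=True, CharSet:=CharSet.Unicode)> _
    Private Shared Function LogonUser(ByVal user As String, ByVal domain As String, _
            ByVal password As String, ByVal logonType As Integer, _
            ByVal logonProvider As Integer, ByRef token As IntPtr) As Boolean
    End Function

    <DllImport("kernel32.dll", SetLastError:=True)> _
    Private Shared Function CloseHandle(ByVal handle As IntPtr) As Boolean
    End Function

    ' Network logon needs only "access this computer from the network", not the
    ' interactive-logon right, so it works for ordinary domain users on a web server.
    Private Const LOGON32_LOGON_NETWORK As Integer = 3
    Private Const LOGON32_PROVIDER_DEFAULT As Integer = 0

    ' Step c): validate the credentials against the domain and wrap the token in a
    ' WindowsPrincipal. Returns Nothing on failure and reports the Win32 error code
    ' (5 = access denied, 1326 = bad user name or password) to the caller for logging.
    Public Shared Function Authenticate(ByVal user As String, ByVal domain As String, _
            ByVal password As String, ByRef win32Error As Integer) As WindowsPrincipal
        Dim token As IntPtr = IntPtr.Zero
        win32Error = 0
        If Not LogonUser(user, domain, password, LOGON32_LOGON_NETWORK, _
                         LOGON32_PROVIDER_DEFAULT, token) Then
            win32Error = Marshal.GetLastWin32Error()
            Return Nothing
        End If
        Try
            ' WindowsIdentity duplicates the token, so our own handle is closed below.
            Return New WindowsPrincipal(New WindowsIdentity(token))
        Finally
            CloseHandle(token)
        End Try
    End Function

    ' Step d): call from Application_AuthenticateRequest in Global.asax after forms
    ' auth has set its GenericPrincipal, passing the credentials the logon page kept
    ' for this session; Context.User then carries the domain user's group membership.
    Public Shared Sub ReplaceContextUser(ByVal context As HttpContext, ByVal creds As NetworkCredential)
        If Not context.Request.IsAuthenticated OrElse creds Is Nothing Then Return
        Dim err As Integer
        Dim principal As WindowsPrincipal = Authenticate(creds.UserName, creds.Domain, creds.Password, err)
        If principal IsNot Nothing Then context.User = principal
    End Sub
End Class
```

After ReplaceContextUser runs, Page.User.IsInRole("DOMAIN\GroupName") and WindowsIdentity.Impersonate() operate on the domain user rather than on the forms-auth GenericPrincipal.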