Re: Basic Authentication/Custom Login page

From: Dominick Baier [DevelopMentor] (dbaier_at_pleasepleasenospamdevelop.com)
Date: 09/16/05


Date: Fri, 16 Sep 2005 09:34:45 -0700

Hello Mike,

I can't see how the code below is related to LogonUser, but

LogonUser results in a token, you don't need to go to AD to get the groups.
This heavy lifting has already been done for you.

Wrap the token in a WindowsIdentity

WindowsIdentity id = new WindowsIdentity(token);

and wrap the WindowsIdentity with a WindowsPrincipal.

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

> Hi again, Dominick.
>
> Maybe you can help. After calling LogonUser I try to retrieve the
> roles of the user and GetLastError issues error #5: Access Denied. I'm
> also getting error code 0 and the message (from the exception) : "An
> operations error occurred".
>
> After LogonUser is called I can see from the Security log that the
> user is logged on.
>
> Here's the code:
>
> ' Requires: Imports System.DirectoryServices, System.Text,
> '           System.Runtime.InteropServices
> Public Function GetGroups() As String
>     ' NOTE: this DirectorySearcher query runs under the ASP.NET process
>     ' identity unless the LogonUser token is being impersonated, so the
>     ' LDAP bind can be refused with "Access Denied" (Win32 error 5).
>     Dim search As New DirectorySearcher(_path)
>     ' Escape the value before splicing it into the LDAP filter (RFC 4515)
>     ' so a caller-supplied name cannot change the filter's structure.
>     search.Filter = "(cn=" + EscapeLdapFilterValue(_filterAttribute) + ")"
>     search.PropertiesToLoad.Add("memberOf")
>
>     Dim groupNames As New StringBuilder
>
>     Try
>         Dim result As SearchResult = search.FindOne()
>         If result Is Nothing Then
>             Return Nothing    ' no such object; vbNull is not a String
>         End If
>
>         ' Each memberOf value is a full DN such as
>         ' "CN=Sales,OU=Groups,DC=corp,DC=com"; keep only the RDN value
>         ' between the first "=" and the first "," (a DN whose RDN
>         ' contains an escaped comma is cut short by this naive split).
>         Dim propertyCounter As Integer
>         For propertyCounter = 0 To result.Properties("memberOf").Count - 1
>             Dim dn As String = CStr(result.Properties("memberOf")(propertyCounter))
>             Dim equalsIndex As Integer = dn.IndexOf("=")
>             Dim commaIndex As Integer = dn.IndexOf(",")
>             If equalsIndex = -1 Then
>                 Return Nothing
>             End If
>             If commaIndex = -1 Then commaIndex = dn.Length
>             groupNames.Append(dn.Substring(equalsIndex + 1, commaIndex - equalsIndex - 1))
>             groupNames.Append("|")
>         Next
>     Catch ex As Exception
>         ' Marshal.GetLastWin32Error is the reliable way to read the Win32
>         ' last-error value from managed code; a P/Invoked GetLastError is not.
>         Dim lastError As Integer = Marshal.GetLastWin32Error()
>         Throw New Exception("Error obtaining group names. " + ex.Message + _
>             ", last error code was: " + lastError.ToString(), ex)
>     End Try
>
>     Return groupNames.ToString()
> End Function
>
> ' Escapes the characters RFC 4515 reserves in LDAP filter assertion values.
> Private Shared Function EscapeLdapFilterValue(ByVal value As String) As String
>     Dim sb As New StringBuilder(value.Length)
>     For Each c As Char In value
>         Select Case c
>             Case "\"c : sb.Append("\5c")
>             Case "*"c : sb.Append("\2a")
>             Case "("c : sb.Append("\28")
>             Case ")"c : sb.Append("\29")
>             Case ControlChars.NullChar : sb.Append("\00")
>             Case Else : sb.Append(c)
>         End Select
>     Next
>     Return sb.ToString()
> End Function
>
> Any ideas?
>
> Thanks - Mike
>
> "Dominick Baier [DevelopMentor]"
> <dbaier@pleasepleasenospamdevelop.com> wrote in message
> news:42565460e27e78c788217787d41e@news.microsoft.com...
>
>> Hello Mike,
>>
>> well - there are some steps necessary
>>
>> a) enable anonymous again
>> b) enable forms auth
>> c) validate the user against AD (e.g. using LogonUser) in your logon
>> page
>> d) issue the auth cookie yourself - remember the user password
>> somehow
>> e) handle Authenticate_Request or FormsAuthentication_Authenticate (not
>> sure which one is better) - call LogonUser to get a token, wrap the
>> token in a WindowsIdentity, wrap WindowsIdentity with WindowsPrincipal,
>> replace Context.User
>> that should work.
>>
>> ---------------------------------------
>> Dominick Baier - DevelopMentor
>> http://www.leastprivilege.com
>>> HI, Dominick. Thanks for responding.
>>>
>>> You said that I "can get rid of the windows dialog, even with
>>> basic", my question is "How"?
>>>
>>> Thanks again,
>>>
>>> Mike
>>>
>>> "Dominick Baier [DevelopMentor]"
>>> <dbaier@pleasepleasenospamdevelop.com> wrote in message
>>> news:42565460e24e98c7881a0ced000e@news.microsoft.com...
>>>
>>>> Hello Mike,
>>>>
>>>> a) you can get rid of the windows dialog, even with basic - but
>>>> that means calling LogonUser to authenticate against AD, which
>>>> would also give you a token to construct a WindowsPrincipal for
>>>> "delegation"
>>>>
>>>> b) in theory you can also use integrated and configure IE to send
>>>> credentials automatically (theory=users must be logged onto the
>>>> domain - keep alives have to be enabled between web server and
>>>> client)
>>>>
>>>> ---------------------------------------
>>>> Dominick Baier - DevelopMentor
>>>> http://www.leastprivilege.com
>>>>> Hi, Dominick.
>>>>>
>>>>> The application is intended for our salesmen, and they are domain
>>>>> users, and therefore I would like to use the WindowsPrincipal
>>>>> object instead of GenericPrinciple, for purposes of delegation.
>>>>>
>>>>> Although Basic Auth would only "natively" give me a one-hop
>>>>> delegate, I would still like to have IIS authenticate against
>>>>> Active Directory.
>>>>>
>>>>> Of course, if one of the "higher-ups" insists on a
>>>>> friendly-looking sign-in page, then Forms Authentication will be
>>>>> the way.
>>>>>
>>>>> Mike
>>>>>
>>>>> "Dominick Baier [DevelopMentor]"
>>>>> <dbaier@pleasepleasenospamdevelop.com> wrote in message
>>>>> news:42565460e13038c7879f4a33eef0@news.microsoft.com...
>>>>>
>>>>>> Hello WJ,
>>>>>>
>>>>>> what do you mean by "does not protect your system"?? can you
>>>>>> elaborate?
>>>>>>
>>>>>> it is all a matter of where you store your user accounts, if you
>>>>>> store them in some windows backed store (LSA, Domain) then you
>>>>>> have to resort to some IIS authentication. And basic is the one
>>>>>> with the broadest compatibility. Of course, keep in mind that
>>>>>> basic auth transmits the password in clear text, so you HAVE to
>>>>>> layer SSL on top of basic auth.
>>>>>>
>>>>>> One gotcha is that you have to live with the Windows login dialog
>>>>>> - I can give you code to do that, if you really want to go this
>>>>>> route. But this would mean that you have to do auth yourself.
>>>>>>
>>>>>> Another option is to use Forms Authentication, typically with
>>>>>> user accounts stored in a database. This allows you out of the box
>>>>>> to provide your own login UI - again you have to do auth yourself.
>>>>>>
>>>>>> maybe this clears it up a little bit. Feel free to ask.
>>>>>>
>>>>>> ---------------------------------------
>>>>>> Dominick Baier - DevelopMentor
>>>>>> http://www.leastprivilege.com
>>>>>>> Forms Authentication will serve your purpose as this requires
>>>>>>> Anonymous instead of Basic. Keep in mind that Basic Auth. does
>>>>>>> not protect your system.
>>>>>>>
>>>>>>> John
>>>>>>>
>>>>>>> "mike" <milop@slomins.com> wrote in message
>>>>>>> news:O5nJ84VuFHA.4080@TK2MSFTNGP12.phx.gbl...
>>>>>>>> Hello.
>>>>>>>>
>>>>>>>> I'm creating a site that has basic authentication. Is it
>>>>>>>> possible to have a custom login page display instead of the
>>>>>>>> Windows login page?
>>>>>>>>
>>>>>>>> Thanks in advance,
>>>>>>>>
>>>>>>>> Mike
>>>>>>>>
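A worked version of the approach Dominick outlines in the thread (validate with LogonUser in the login page, issue the forms cookie, then in AuthenticateRequest wrap the token in a WindowsIdentity and WindowsPrincipal and replace Context.User). This is an added example, not code posted by anyone in the thread. It assumes an ASP.NET 1.1 application with anonymous access enabled in IIS, `<authentication mode="Forms">` in web.config, and a login page at `~/login.aspx`; the class `WindowsTokenAuth` and all of its members are this example's own names. Instead of "remembering the password somehow", it keeps the logon token handle in the ASP.NET cache keyed by the ticket name: Session state is not yet available when AuthenticateRequest fires, and a cached token means the password is never stored anywhere on the server.

```vbnet
' Added example, not code from the thread. Assumes ASP.NET 1.1, IIS
' anonymous access on, forms auth in web.config, login page ~/login.aspx.
' Class and member names are this example's own.
Imports System
Imports System.Runtime.InteropServices
Imports System.Security.Principal
Imports System.Web
Imports System.Web.Caching
Imports System.Web.Security

Public Class WindowsTokenAuth

    ' advapi32!LogonUser validates the credentials against the local SAM or
    ' the domain and returns a token that already carries the group SIDs.
    <DllImport("advapi32.dll", SetLastError:=True, CharSet:=CharSet.Unicode)> _
    Private Shared Function LogonUser(ByVal user As String, ByVal domain As String, _
            ByVal password As String, ByVal logonType As Integer, _
            ByVal logonProvider As Integer, ByRef token As IntPtr) As Boolean
    End Function

    <DllImport("kernel32.dll", SetLastError:=True)> _
    Private Shared Function CloseHandle(ByVal handle As IntPtr) As Boolean
    End Function

    Private Const LOGON32_LOGON_NETWORK As Integer = 3   ' cheapest type; no profile load
    Private Const LOGON32_PROVIDER_DEFAULT As Integer = 0

    ' Login page: validates the password with LogonUser. On success the token
    ' handle is parked in the ASP.NET cache under the user name (sliding
    ' expiry; the removal callback closes the handle) and the forms ticket is
    ' issued. Returns False and the Win32 error code on failure.
    Public Shared Function Login(ByVal user As String, ByVal domain As String, _
            ByVal password As String, ByRef win32Error As Integer) As Boolean
        Dim token As IntPtr = IntPtr.Zero
        If Not LogonUser(user, domain, password, LOGON32_LOGON_NETWORK, _
                         LOGON32_PROVIDER_DEFAULT, token) Then
            win32Error = Marshal.GetLastWin32Error()   ' 1326 = bad user name or password
            Return False
        End If
        Dim key As String = CacheKey(domain, user)
        HttpRuntime.Cache.Insert(key, token, Nothing, Cache.NoAbsoluteExpiration, _
            TimeSpan.FromMinutes(30), CacheItemPriority.NotRemovable, _
            AddressOf OnTokenRemoved)
        FormsAuthentication.SetAuthCookie(key, False)
        Return True
    End Function

    ' Global.asax Application_AuthenticateRequest: FormsAuthenticationModule
    ' has already turned the ticket into a GenericPrincipal/FormsIdentity;
    ' swap it for a WindowsPrincipal built from the cached token so IsInRole
    ' and impersonation work without any LDAP query.
    Public Shared Sub AuthenticateRequest(ByVal context As HttpContext)
        If context.User Is Nothing OrElse Not TypeOf context.User.Identity Is FormsIdentity Then
            Return   ' anonymous request; forms auth redirects to the login page itself
        End If
        Dim key As String = context.User.Identity.Name
        Dim cached As Object = HttpRuntime.Cache(key)
        If cached Is Nothing Then
            ' Token is gone (expired or app recycled): force a fresh logon.
            FormsAuthentication.SignOut()
            context.Response.Redirect("~/login.aspx", True)   ' assumed login page path
            Return
        End If
        ' WindowsIdentity duplicates the handle, so the cached one can be
        ' closed independently by the cache callback later.
        Dim id As New WindowsIdentity(CType(cached, IntPtr))
        context.User = New WindowsPrincipal(id)
    End Sub

    ' Logout: drop the cached token (callback closes the handle) and the ticket.
    Public Shared Sub Logout(ByVal context As HttpContext)
        If Not context.User Is Nothing Then
            HttpRuntime.Cache.Remove(context.User.Identity.Name)
        End If
        FormsAuthentication.SignOut()
    End Sub

    Private Shared Function CacheKey(ByVal domain As String, ByVal user As String) As String
        Return domain.ToUpper() & "\" & user.ToLower()
    End Function

    Private Shared Sub OnTokenRemoved(ByVal key As String, ByVal value As Object, _
            ByVal reason As CacheItemRemovedReason)
        CloseHandle(CType(value, IntPtr))
    End Sub
End Class
```

Wire it up with `WindowsTokenAuth.AuthenticateRequest(Context)` inside `Application_AuthenticateRequest` in Global.asax and call `Login` from the login button handler; afterwards `Context.User.IsInRole("DOMAIN\Sales")` is answered from the token's group SIDs, which is the point Dominick makes above. Three caveats a practitioner should keep in mind: a LOGON32_LOGON_NETWORK token has no cached credentials, so if the page must reach a file server or SQL box as the user (the one hop Mike mentions) use LOGON32_LOGON_INTERACTIVE (2) instead; on Windows 2000 the calling process needs SeTcbPrivilege for LogonUser, which XP and 2003 do not require; and the cache is per worker process, so a web garden or farm needs sticky sessions or the user is sent back to the login page when a request lands on another process. The login page receives the password in the POST body, so it has the same SSL requirement Dominick states for basic auth.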


