Re: ActiveDirectory authentication - more issues



Hi;

I believe you that it works this way. But I am curious as to why for this
one use case.

User is prompted (forms) for username & password. username/password are
authenticated via ActiveDirectory and IsInRole hits ActiveDirectory. This
means the user's username/password in ActiveDirectory were passed to AD and
verified in AD.

Why can't it at that point create a WindowsPrincipal/Identity? It has the
user and has authenticated them. It seems to me that it would be legit at
that point to issue the credentials. And this would then handle the case of a
domain user using Firefox or oasis.

--
thanks - dave
david_at_windward_dot_net
http://www.windwardreports.com



"Dominick Baier [DevelopMentor]" wrote:

hi,

ok...

1) this can be mapped in web.config - both formats are supported. See the
Visual Studio help for all variations

e.g., attributeMapUsername="SAMAccountName"

uses only the username without domain

2) no - you are doing forms authentication. NTLM would be IIS authentication
and <authentication mode="Windows" /> would be set. Then you cannot use the
membership providers

3) no - see 2

4) see 2. You could maybe use Protocol Transition (only for domain accounts,
only on w2k3, only in w2k3 domains) to get a token or use the Win32 LogonUser
API (needs to store the password on the server - not recommended).

5) still no idea

have you ordered the book already?

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

Hi;

Ok, I have ActiveDirectory authentication working but have a couple of
issues:
1) My username must be dave@xxxxxxxxxxxxxx - it does not take windward\dave
- why?
2) The authentication type is shown as forms - shouldn't it be NTLM?
3) Since I'm running from a computer on the domain and using IE, shouldn't
it handle this automatically?
4) I do not get a WindowsIdentity but instead a FormsIdentity. I need a
WindowsIdentity so I can do impersonation. How do I get that?
5) Context.User.IsInRole() returns false for groups I am a member of such as
"windward\\Domain Users" - why?



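The username mapping from point 1 of the reply, placed in a complete forms-authentication setup with the ActiveDirectoryMembershipProvider. This is an added example, not configuration posted by either participant; the provider name, connection string name, login page and LDAP path are placeholders.

```xml
<configuration>
  <connectionStrings>
    <!-- Placeholder LDAP path: point this at your own domain or container -->
    <add name="ADConnection"
         connectionString="LDAP://dc.example.local/DC=example,DC=local" />
  </connectionStrings>
  <system.web>
    <!-- Forms authentication: Context.User carries a FormsIdentity, which is
         why the authentication type shows as forms and not NTLM (points 2-4) -->
    <authentication mode="Forms">
      <forms loginUrl="Login.aspx" protection="All" requireSSL="true" />
    </authentication>
    <authorization>
      <deny users="?" />
    </authorization>
    <membership defaultProvider="ADMembership">
      <providers>
        <!-- attributeMapUsername defaults to userPrincipalName, so logins
             must look like user@domain. Setting it to sAMAccountName makes
             the provider match the bare account name, without the domain.
             connectionProtection="Secure" keeps the bind to the directory
             protected; the password is sent to AD only to validate it. -->
        <add name="ADMembership"
             type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
             connectionStringName="ADConnection"
             connectionProtection="Secure"
             attributeMapUsername="sAMAccountName" />
      </providers>
    </membership>
  </system.web>
</configuration>
```

With this mapping the login form takes the account name alone; the provider accepts one username format at a time, so switching the attribute changes what users must type.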


