Re: Windows authentication in code
- From: "Joe Kaplan (MVP - ADSI)" <joseph.e.kaplan@xxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Fri, 30 Jun 2006 14:05:56 -0500
Well, it is and it isn't. With Windows auth, the browser actually
authenticates on each request. If you use a tool like IE HTTP Headers
(freeware), you'll actually see the authorization header being sent by the
browser on each request. With basic auth, the header is just the username
and password base64 encoded. With IWA, it is either an NTLM
challenge/response or a Kerberos ticket.
Forms auth does something similar in that it generates a cookie for the user
that is used to perform subsequent authentications.
If you aren't using Windows auth, the browser will not send authorization
headers, so you have to rely on a cookie.
The real problem with doing Windows auth in code on top of Forms auth is
that you need a way to generate the logon token in each round trip. I
already discussed two ways you can accomplish that, but neither is perfect.
Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
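An added illustration, not part of the original post, of what the Authorization header described above carries under Basic, NTLM and Negotiate. The module and function names are hypothetical and the sample header values are constructed, not captured traffic.

```vbnet
Imports System
Imports System.Text

Module AuthorizationHeaderDemo
    ' Summarise what an Authorization header value carries.
    Function Describe(ByVal header As String) As String
        Dim parts() As String = header.Trim().Split(New Char() {" "c}, 2)
        If parts.Length <> 2 Then Return "malformed header"
        Dim raw() As Byte
        Try
            raw = Convert.FromBase64String(parts(1).Trim())
        Catch ex As FormatException
            Return parts(0) & ": payload is not base64"
        End Try
        If String.Equals(parts(0), "Basic", StringComparison.OrdinalIgnoreCase) Then
            ' Basic is base64("username:password"): encoded, not encrypted.
            Dim text As String = Encoding.UTF8.GetString(raw)
            Dim colon As Integer = text.IndexOf(":"c)
            If colon < 0 Then Return "Basic: no ':' separator"
            Return "Basic: user '" & text.Substring(0, colon) & "', password sent in recoverable form"
        End If
        ' NTLM messages start with "NTLMSSP" + NUL, then a 32-bit little-endian message type.
        If raw.Length >= 12 AndAlso Encoding.ASCII.GetString(raw, 0, 7) = "NTLMSSP" AndAlso raw(7) = 0 Then
            Select Case raw(8)
                Case 1 : Return "NTLM type 1 (negotiate): no credentials yet"
                Case 3 : Return "NTLM type 3 (authenticate): response to the server's challenge"
                Case Else : Return "NTLM message type " & raw(8).ToString()
            End Select
        End If
        ' 0x60 is the GSS-API initial-token tag used by SPNEGO/Kerberos.
        If raw.Length > 0 AndAlso raw(0) = &H60 Then Return "GSS-API token (SPNEGO/Kerberos ticket)"
        Return parts(0) & ": unrecognised payload"
    End Function

    Sub Main()
        ' Constructed sample values (user name, password and token bytes are made up).
        Dim basic As String = Convert.ToBase64String(Encoding.UTF8.GetBytes("jerry:xxxx"))
        Dim type1() As Byte = {&H4E, &H54, &H4C, &H4D, &H53, &H53, &H50, 0, 1, 0, 0, 0, 7, &H82, 8, &HA2}
        Dim gss() As Byte = {&H60, &H82, 1, 0}
        Console.WriteLine(Describe("Basic " & basic))
        Console.WriteLine(Describe("NTLM " & Convert.ToBase64String(type1)))
        Console.WriteLine(Describe("Negotiate " & Convert.ToBase64String(gss)))
    End Sub
End Module
```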
"Jerry C" <jerryed@xxxxxxxxxxxxx> wrote in message
news:AA32CFB0-355D-4F09-8BBC-6C96BA103042@xxxxxxxxxxxxxxxx
Joe,
Thank you for the reply. I guess that replicating Windows authentication in
code is not possible.
--
Jerry
"Joe Kaplan (MVP - ADSI)" wrote:
A couple of things:
I'd suggest checking out the solution MS provides for calling LogonUser in
MSDN under the WindowsImpersonationContext class documentation. That shows
how to properly duplicate the token handle and close it as well. Also, I
think I'd use the "network" or "network cleartext" logon method instead of
interactive as it will be faster.
You will probably want to make this logon routine part of a forms
authentication implementation. The problem you will have though is how to
recreate the token on subsequent page visits. You will either need to cache
the token itself or the user's plaintext credentials so you can regenerate
the token.
Also, I don't know how you'll get this to integrate with SharePoint. It
expects Windows authentication. I'm not aware of any good ways to support
forms authentication with SharePoint except for maybe with ADFS. I think
you might consider going to basic authentication with SSL to get maximum
compatibility across browsers.
Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Jerry C" <jerryed@xxxxxxxxxxxxx> wrote in message
news:880EC82D-3CEB-4848-81E1-52409492F060@xxxxxxxxxxxxxxxx
Thanks for the reply. Here is the code I am trying to get to work. It may
illustrate what I am trying to do. I have hard coded username domain password
and left out the "Declare Function" for simplicity. The page is set to
anonymous user and I am trying to logon a user to the workgroup, or domain
and create an http context that will authenticate the user on all other pages
for this session just like integrated windows authentication. Integrated
windows authentication is great stuff but other browsers don't do it and the
customer does not like the default login popup and would like to duplicate
that functionality. I am also linking to another web site (sharepoint on the
same machine) and would like the user to be recognized by that site.
Dim temp2WindowsIdentity As WindowsIdentity
Dim token As IntPtr = IntPtr.Zero
LogonUserA("Jerry", "CD", "xxxx", LOGON32_LOGON_INTERACTIVE, LOGON32_PROVIDER_DEFAULT, token)
temp2WindowsIdentity = New WindowsIdentity(token, "NTLM", WindowsAccountType.Normal, True)
HttpContext.Current.User = New WindowsPrincipal(temp2WindowsIdentity)
The question is, is this the correct way to do this and are there other
considerations like how directory security is set in IIS6.0 and so on.
Just looking for some guidance on this issue.
Thank you.
--
Jerry
"Joe Kaplan (MVP - ADSI)" wrote:
I'd really suggest you read up on some of the MSDN samples on forms
authentication. There are plenty of walk throughs available, and it is
pretty easy to get working. ASP.NET does most of the work for you.
This forum will be more effective for you if you pose specific questions
about things that aren't working.
One thing that is worth knowing is that the ASP.NET pipeline executes for
each request. There are different events on the pipeline, such as
Authenticate and Authorize, that are executed as part of the pipeline each
time. The various authentication modules such as forms and windows handle
these events and handle security accordingly. There have also been some
really useful MSDN articles in the past explaining the ASP.NET pipeline and
illustrating how it works.
Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Jerry C" <jerryed@xxxxxxxxxxxxx> wrote in message
news:7E9CE9DC-98C6-465E-9900-19F140328D34@xxxxxxxxxxxxxxxx
Joe and Luke,
Thank you for the reply. I am using Windows Auth for users that are using IE
and have a companion account or a domain account and that works OK. Other
users are on Macs or using IE not have Companion accounts on the server (No
domain) or using some other browser that does not log them on. These users
will get the Windows Logon Popup. The customer does not like that popup and
wants these users to go to a different custom logon page that is set to
anonymous and enter a user and password. At this point I have a username and
a password. I do not know how to program a form auth or the cookie to
reauthenticate on each request. Some code examples would help. I don't have
any experience on how HTTP reauthenticates on each request or programming
authentication or cookies.
--
Jerry
"Luke Zhang [MSFT]" wrote:
Hello Jerry,
If you just want to get a user account name (windows authenticated), you
may use a cookie/session to store it. Or, the solution in another thread we
discuss "Mixing Forms and Windows Security", use "this.User.Identity.Name"
after authenticated by "winlogin.aspx".
Regards,
Luke Zhang
Microsoft Online Community Lead
==================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
==================================================
(This posting is provided "AS IS", with no warranties, and confers no
rights.)
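An added sketch, not code from the thread or from MSDN, of the LogonUser handling discussed above: it uses the "network" logon type, checks the return value, and closes the token handle. The module and function names are hypothetical, and the command-line usage in Main is an assumption for demonstration.

```vbnet
Imports System
Imports System.ComponentModel
Imports System.Runtime.InteropServices
Imports System.Security.Principal

Module LogonHelper
    Private Const LOGON32_LOGON_NETWORK As Integer = 3
    Private Const LOGON32_PROVIDER_DEFAULT As Integer = 0

    <DllImport("advapi32.dll", SetLastError:=True, CharSet:=CharSet.Unicode)> _
    Private Function LogonUser(ByVal user As String, ByVal domain As String, _
        ByVal password As String, ByVal logonType As Integer, _
        ByVal provider As Integer, ByRef token As IntPtr) As Boolean
    End Function

    <DllImport("kernel32.dll", SetLastError:=True)> _
    Private Function CloseHandle(ByVal handle As IntPtr) As Boolean
    End Function

    ' Returns a WindowsIdentity for the credentials, or throws Win32Exception
    ' carrying the Win32 error code when the logon is rejected.
    Public Function Logon(ByVal user As String, ByVal domain As String, _
                          ByVal password As String) As WindowsIdentity
        Dim token As IntPtr = IntPtr.Zero
        Try
            If Not LogonUser(user, domain, password, LOGON32_LOGON_NETWORK, _
                             LOGON32_PROVIDER_DEFAULT, token) Then
                Throw New Win32Exception(Marshal.GetLastWin32Error())
            End If
            ' WindowsIdentity duplicates the token it is given, so the handle
            ' returned by LogonUser must still be closed by the caller.
            Return New WindowsIdentity(token)
        Finally
            If token <> IntPtr.Zero Then CloseHandle(token)
        End Try
    End Function

    ' Assumed usage: LogonHelper.exe <user> <domain>; the password is read from stdin.
    Sub Main(ByVal args() As String)
        If args.Length < 2 Then
            Console.WriteLine("usage: LogonHelper <user> <domain>")
            Return
        End If
        Console.Write("Password: ")
        Dim id As WindowsIdentity = Logon(args(0), args(1), Console.ReadLine())
        Console.WriteLine(id.Name & " authenticated=" & id.IsAuthenticated.ToString())
    End Sub
End Module
```

Assigning the resulting principal to HttpContext.Current.User affects only the current request, which is why the thread turns to how the token is recreated on each round trip.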