Re: custom page for user credentials?
From: David Wang [Msft] (someone_at_online.microsoft.com)
Date: 07/09/03
- In reply to: Sven Erik Matzen: "Re: custom page for user credentials?"
Date: Tue, 8 Jul 2003 22:55:11 -0700
If I understand you correctly, there are two different stores of
username/password. One set is in your SQL DB, the other set is sprinkled
throughout the various domains. You want to implement your own SSPI front end
that uses a web page to fetch credentials, and you want to verify these
credentials against the various domains. Then, you want to make all those
users map to one user (because this is how the application worked when used
against the SQL DB).
#1
I cannot think of a way to have IE interact with the web page to do
Negotiate, so I imagine you either have to use some custom ActiveX Control
on every participating IE, or you have to transfer the credentials to the
server.
#2
With IIS6, I can think of ways to change the impersonated user of a request
after the user authenticates with IIS handling the SSPI Negotiation. That
is, you can make sure that every user which successfully authenticates will
run as your chosen credential. I cannot think of a way on previous versions
of IIS to change the impersonated user of a request AND have IIS handle the
SSPI Negotiation. I also have heard of other people configuring IIS to
validate NT Users against "multiple trusted domains" -- which seems to cross
what you want since you don't have all these domains in one AD.
I have another thought, though I'm not certain how this works -- but it is
possible for IIS6 to link a Passport user account to an AD user account --
with the person only authenticating via Passport authentication and
subsequently acting as the AD user account. It seems to be in the same vein
of what you're trying to do for problem #1, since you are concerned with
domain user credentials over the network yet you still want to authenticate
against them.

--
//David
This posting is provided "AS IS" with no warranties, and confers no rights.
//

"Sven Erik Matzen" <sven.matzen@ppepro.com> wrote in message news:Oc648DURDHA.1868@TK2MSFTNGP11.phx.gbl...
With "no impersonation of IIS" I mean: the application should use the same
windows account for all users. I just want to know if the user credentials
the user enters at the client side match a specific windows account - and I
need the user name and domain of this account.

In my application, the user password is normally managed in an sql database
(so normally it's not an nt account, that's because we have about 6000 users
in 2000 domains). Now for internal purpose we want to "attach" our domain
users to this system without changing too much code. So I've implemented an
additional "login provider" - simply a com class implementing a specific
interface to build up an authentication html page and check user credentials
from this page. All this is already there and I'm not able to change the
application interfaces.

Now I need a way to validate the user's input. Currently I'm using SSPI to
check the user's name, password, domain read from a post - but this is not
very nice, because someone may enable IIS-logging or may replace the "login
provider" com dll with its own one ... then he/she is able to log the
passwords of our domain => very bad.

Because of all this, I'm searching for a way to not transport the password
over the network but use IE built-in capabilities to build up something that
I can check on the server side. My optimal solution would be:
1) tell IE to use the content of input-tag 1 as the user name and input-tag 2
as the password and input-tag 3 as the domain
2) to have a routine at the server side that handles the requests in from the
login page in a way similar to standard IIS handling, but does not
impersonate to the user - just checks if the password is ok and returns true
if so.

"Roger Abell [MVP]" <mvpNoSpam@asu.edu> wrote in message news:#J0VjWSRDHA.2476@TK2MSFTNGP10.phx.gbl...
> Sven,
>
> I am not fully catching what you mean by
> the requirement "no impersonation of IIS"
>
> Is what you are after, in the end, is to have a valid
> Windows token/credentials, which may vary based
> on the browsing identity but not necessarily be the
> browsing identity nor any account used by IIS ?
> If so, you may want to look into "protocol transitioning"
> feature (which is not available in W2k, it is W2k3 only).
>
> --
> Roger
>
> "Sven Erik Matzen" <sven.matzen@ppepro.com> wrote in message
> news:O6SuPIFRDHA.3192@tk2msftngp13.phx.gbl...
> > Hi there,
> >
> > I want to use SSPI at the server side to authenticate user logins. I already
> > have routines to do this, but currently I need to transmit the user name,
> > domain and password over the net to make it work. It's not a big problem in
> > my situation (encrypted password, HTTPS and switched LAN) but I want to make
> > it better. My needs:
> > - custom page for entering login credentials (changes from client to client)
> > - support for IE6 greater
> > - support for Windows 2000 and greater
> > - no impersonation of IIS
> >
> > Is there a way to make this work? Can I generate a JScript to tell IE to use
> > specific credentials for a server-login?
> >
> > Sven