Windows authentication

Could you use integrated authentication if the users are using IE?

"Bob Everland" <an*******@discussions.microsoft.com> wrote in message
news:09****************************@phx.gbl...

I have an application that is ISAPI and the only way to
secure it is through NT permissions. I need to have a way
to login to windows authentication so that when I get to
the ISAPI application no boxes come up. I want an ASP page
to sit between the user and the ISAPI application. The
rest of my application is using authentication that is
database driven and wouldn't want the users to know the
userid and password. Is this possible? If so how would I
accomplish it.

Well I'm trying to get away from the user having to do
anything because this is our extranet so out customers
would be forced to touch the browser. I just want to make
a script that allows for seemless login. Heck I don't even
care if I have to pass something through url parameters.
Bob

-----Original Message-----
Could you use integrated authentication if the users are using IE?
"Bob Everland" <an*******@discussions.microsoft.com> wrote in messagenews:09****************************@phx.gbl...

I have an application that is ISAPI and the only way to
secure it is through NT permissions. I need to have a way to login to windows authentication so that when I get to
the ISAPI application no boxes come up. I want an ASP page to sit between the user and the ISAPI application. The
rest of my application is using authentication that is
database driven and wouldn't want the users to know the
userid and password. Is this possible? If so how would I
accomplish it.

.

Ok I now know that is has to do with me setting the
request headers so that my browser will cache them. Has
anyone dont anything like this before?
http://www.ietf.org/rfc/rfc2617.txt

I mean't enable integrated authentication for the web site in the web site
properties in IIS. So long as internet explorer is enabled to use
integrated authentication (tools, options, advanced) the NT username will be
sent to the web server automatically without the user doing anything. The
user name can be retrieved if needed using server variables:

USERNAME: Request.ServerVariables("AUTH_USER")

Here's some info cut from iis help:

Integrated Windows Authentication
Integrated Windows authentication (formerly called NTLM or Windows NT
Challenge/Response authentication) is a secure form of authentication
because the user name and password are not sent across the network. When you
enable integrated Windows authentication, the user's browser proves its
knowledge of the password through a cryptographic exchange with your Web
server, involving hashing.

Integrated Windows authentication can use both the Kerberos v5
authentication protocol and its own challenge/response authentication
protocol. If Directory Services is installed on the server, and the browser
is compatible with the Kerberos v5 authentication protocol, both the
Kerberos v5 protocol and the challenge/response protocol are used; otherwise
only the challenge/response protocol is used.

The Kerberos v5 authentication protocol is a feature of the Windows 2000
Distributed Services architecture. In order for Kerberos v5 authentication
to be successful, both the client and server must have a trusted connection
to a Key Distribution Center (KDC) and be Directory Services compatible. For
more information about the protocol, see the Windows documentation.

Integrated Windows authentication proceeds as follows:

1.. Unlike Basic authentication, it does not initially prompt users for a
user name and password. The current Windows user information on the client
computer is used for the integrated Windows authentication.
Note Internet Explorer, version 4.0 and later, can be configured to
initially prompt for user information if needed. For more information, see
the Internet Explorer documentation.

2.. However, if the authentication exchange initially fails to identify
the user, the browser will prompt the user for a Windows user account user
name and password, which it will process by using integrated Windows
authentication.
3.. Internet Explorer will continue to prompt the user until the user
enters a valid user name and password, or closes the prompt dialog box.
Although integrated Windows authentication is secure, it does have two
limitations.

1.. Only Microsoft Internet Explorer, version 2.0 or later, supports this
authentication method.
2.. Integrated Windows authentication does not work over HTTP Proxy
connections.
Therefore, integrated Windows authentication is best suited for an intranet
environment, where both user and Web server computers are in the same
domain, and where administrators can ensure that every user has Microsoft
Internet Explorer, version 2.0 or later.

Regards

Paul

<an*******@discussions.microsoft.com> wrote in message
news:0a****************************@phx.gbl...

Well I'm trying to get away from the user having to do
anything because this is our extranet so out customers
would be forced to touch the browser. I just want to make
a script that allows for seemless login. Heck I don't even
care if I have to pass something through url parameters.
Bob

-----Original Message-----
Could you use integrated authentication if the users are

using IE?

"Bob Everland" <an*******@discussions.microsoft.com>

wrote in message

news:09****************************@phx.gbl...

I have an application that is ISAPI and the only way to
secure it is through NT permissions. I need to have a way to login to windows authentication so that when I get to
the ISAPI application no boxes come up. I want an ASP page to sit between the user and the ISAPI application. The
rest of my application is using authentication that is
database driven and wouldn't want the users to know the
userid and password. Is this possible? If so how would I
accomplish it.

.

Hi Paul,

Funny you should write about this, because I'm in the process of
implementing something similar to what you've outlined below. I do have
one question for you, though - how can you log the user out once in?

For example, if I visit my intranet site, I'm greeted by the log on box
asking for my credentials.. however, the browser won't prompt for
credentials again until the browser is closed and re-opened. I'd like to
provide a log-off button, though. Any ideas?

Thanks!

Jonathan

Paul McNally wrote:

I mean't enable integrated authentication for the web site in the web site
properties in IIS. So long as internet explorer is enabled to use
integrated authentication (tools, options, advanced) the NT username will be
sent to the web server automatically without the user doing anything. The
user name can be retrieved if needed using server variables:

USERNAME: Request.ServerVariables("AUTH_USER")

Here's some info cut from iis help:

Integrated Windows Authentication
Integrated Windows authentication (formerly called NTLM or Windows NT
Challenge/Response authentication) is a secure form of authentication
because the user name and password are not sent across the network. When you
enable integrated Windows authentication, the user's browser proves its
knowledge of the password through a cryptographic exchange with your Web
server, involving hashing.

Integrated Windows authentication can use both the Kerberos v5
authentication protocol and its own challenge/response authentication
protocol. If Directory Services is installed on the server, and the browser
is compatible with the Kerberos v5 authentication protocol, both the
Kerberos v5 protocol and the challenge/response protocol are used; otherwise
only the challenge/response protocol is used.

The Kerberos v5 authentication protocol is a feature of the Windows 2000
Distributed Services architecture. In order for Kerberos v5 authentication
to be successful, both the client and server must have a trusted connection
to a Key Distribution Center (KDC) and be Directory Services compatible. For
more information about the protocol, see the Windows documentation.

Integrated Windows authentication proceeds as follows:

1.. Unlike Basic authentication, it does not initially prompt users for a
user name and password. The current Windows user information on the client
computer is used for the integrated Windows authentication.
Note Internet Explorer, version 4.0 and later, can be configured to
initially prompt for user information if needed. For more information, see
the Internet Explorer documentation.

2.. However, if the authentication exchange initially fails to identify
the user, the browser will prompt the user for a Windows user account user
name and password, which it will process by using integrated Windows
authentication.
3.. Internet Explorer will continue to prompt the user until the user
enters a valid user name and password, or closes the prompt dialog box.
Although integrated Windows authentication is secure, it does have two
limitations.

1.. Only Microsoft Internet Explorer, version 2.0 or later, supports this
authentication method.
2.. Integrated Windows authentication does not work over HTTP Proxy
connections.
Therefore, integrated Windows authentication is best suited for an intranet
environment, where both user and Web server computers are in the same
domain, and where administrators can ensure that every user has Microsoft
Internet Explorer, version 2.0 or later.

Regards

Paul

<an*******@discussions.microsoft.com> wrote in message
news:0a****************************@phx.gbl...

Well I'm trying to get away from the user having to do
anything because this is our extranet so out customers
would be forced to touch the browser. I just want to make
a script that allows for seemless login. Heck I don't even
care if I have to pass something through url parameters.
Bob

-----Original Message-----
Could you use integrated authentication if the users are

using IE?

"Bob Everland" <an*******@discussions.microsoft.com>

wrote in message

news:09****************************@phx.gbl.. .

I have an application that is ISAPI and the only way to
secure it is through NT permissions. I need to have a

way

to login to windows authentication so that when I get to
the ISAPI application no boxes come up. I want an ASP

page

to sit between the user and the ISAPI application. The
rest of my application is using authentication that is
database driven and wouldn't want the users to know the
userid and password. Is this possible? If so how would I
accomplish it.

.

Hi Jonathan

I don't believe there is a log off command you can use but you could have a
button on the web page which sets all the objects related to the user to
nothing and then redirects to your logon page.

Regards

Paul

"Jonathan S." <sp**@jdspt.com> wrote in message
news:eC**************@TK2MSFTNGP11.phx.gbl...

Hi Paul,

Funny you should write about this, because I'm in the process of
implementing something similar to what you've outlined below. I do have
one question for you, though - how can you log the user out once in?

For example, if I visit my intranet site, I'm greeted by the log on box
asking for my credentials.. however, the browser won't prompt for
credentials again until the browser is closed and re-opened. I'd like to
provide a log-off button, though. Any ideas?

Thanks!

Jonathan

Paul McNally wrote:

I mean't enable integrated authentication for the web site in the web site properties in IIS. So long as internet explorer is enabled to use
integrated authentication (tools, options, advanced) the NT username will be sent to the web server automatically without the user doing anything. The user name can be retrieved if needed using server variables:

USERNAME: Request.ServerVariables("AUTH_USER")

Here's some info cut from iis help:

Integrated Windows Authentication
Integrated Windows authentication (formerly called NTLM or Windows NT
Challenge/Response authentication) is a secure form of authentication
because the user name and password are not sent across the network. When you enable integrated Windows authentication, the user's browser proves its
knowledge of the password through a cryptographic exchange with your Web
server, involving hashing.

Integrated Windows authentication can use both the Kerberos v5
authentication protocol and its own challenge/response authentication
protocol. If Directory Services is installed on the server, and the browser is compatible with the Kerberos v5 authentication protocol, both the
Kerberos v5 protocol and the challenge/response protocol are used; otherwise only the challenge/response protocol is used.

The Kerberos v5 authentication protocol is a feature of the Windows 2000
Distributed Services architecture. In order for Kerberos v5 authentication to be successful, both the client and server must have a trusted connection to a Key Distribution Center (KDC) and be Directory Services compatible. For more information about the protocol, see the Windows documentation.

Integrated Windows authentication proceeds as follows:

1.. Unlike Basic authentication, it does not initially prompt users for a user name and password. The current Windows user information on the client computer is used for the integrated Windows authentication.
Note Internet Explorer, version 4.0 and later, can be configured to
initially prompt for user information if needed. For more information, see the Internet Explorer documentation.

2.. However, if the authentication exchange initially fails to identify the user, the browser will prompt the user for a Windows user account user name and password, which it will process by using integrated Windows
authentication.
3.. Internet Explorer will continue to prompt the user until the user
enters a valid user name and password, or closes the prompt dialog box.
Although integrated Windows authentication is secure, it does have two
limitations.

1.. Only Microsoft Internet Explorer, version 2.0 or later, supports this authentication method.
2.. Integrated Windows authentication does not work over HTTP Proxy
connections.
Therefore, integrated Windows authentication is best suited for an intranet environment, where both user and Web server computers are in the same
domain, and where administrators can ensure that every user has Microsoft Internet Explorer, version 2.0 or later.

Regards

Paul

<an*******@discussions.microsoft.com> wrote in message
news:0a****************************@phx.gbl...

Well I'm trying to get away from the user having to do
anything because this is our extranet so out customers
would be forced to touch the browser. I just want to make
a script that allows for seemless login. Heck I don't even
care if I have to pass something through url parameters.
Bob

-----Original Message-----
Could you use integrated authentication if the users are

using IE?

"Bob Everland" <an*******@discussions.microsoft.com>

wrote in message

news:09****************************@phx.gbl.. .

>I have an application that is ISAPI and the only way to
>secure it is through NT permissions. I need to have a

way

>to login to windows authentication so that when I get to
>the ISAPI application no boxes come up. I want an ASP

page

>to sit between the user and the ISAPI application. The
>rest of my application is using authentication that is
>database driven and wouldn't want the users to know the
>userid and password. Is this possible? If so how would I
>accomplish it.
>
.

Hi!

I am trying to do some of the same things as you. I want to log a user
to an nt user through asp. The user is allready loged in, because untill
now the credentials are verified against a database. Now I need to use
nt authentication because users will be allowed to upload files to
folders they create.

Did you find a solution?

Henning :-)

*** Sent via Developersdex http://www.developersdex.com ***
Don't just participate in USENET...get rewarded for it!

Great Post Paul!

Question: If the user does not get validated automatically, is there a
way to display a custom logon form instead of the popup microsoft
window?

Basically, I want to auto-log a known user using the method you
described, but if they fail, I want to authenticate them against my sql
database.

Is there an event launched when an auto-logon fails?

Thanks
*** Sent via Developersdex http://www.developersdex.com ***
Don't just participate in USENET...get rewarded for it!