Authentication

Hi guys,
I have a couple of ASP.NET applications that only support digest Windows
authentication, and credentials are managed in a central AD. When users
log in to one app, they can easily navigate to other apps without re-entering
UID/PWD. Everything works except it doesn't meet our security policy for newly
created users. When creating a new user, it's required to have "user must
change password when first time login". In this case, the user will just get
a 401.1 access denied error without any other clue.

One solution is to write a wrapper web app that can detect this setting and
allows users to change their password through the internet. This can be done by
using Forms Authentication to authenticate against AD. Now the question is:
after a user has successfully authenticated in this wrapper app, if the user
navigates to other apps (which require Windows authentication), the
authentication dialog will pop up again. This is really what we hate to see.
I am stuck here. So my question is whether there is a way to let IE know that
the current connection is already authenticated, so IE doesn't need to pop up
the dialog again.

Your help is greatly appreciated!

Ming
Nov 19 '05 #1


Hi there,

isn't it the case that after they set their new password using your wrapper
application they only have to log in once using the windows authentication
with their new password, and after that everything will be automatic
again?

or is it prompting them one time for each app?

in which case I would look at getting all the apps to use the
same authentication realm, so IE only keeps one setting for all of
them.

look at the web.config file for <authentication realm="try and make
this the same across all your apps"/>

(this corresponds to the realm parameter in the WWW-Authenticate HTTP
header)
(this is what IE uses to make the key for storing auth credentials)

i am just brainstorming to try and help
so sorry if i am on the wrong track

John

ps cool name you have :)

Nov 19 '05 #2
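
To check whether the apps really advertise the same realm, as the reply above suggests, the challenges each app returns can be parsed and compared. This is an added example, not code from the thread; the host names, realms and nonces are constructed, and it assumes one challenge per `WWW-Authenticate` header value.

```python
import re
from collections import defaultdict

# auth-param = token "=" ( token | quoted-string ); quoted values may hold commas
_PARAM = re.compile(r'([A-Za-z0-9_-]+)\s*=\s*("(?:[^"\\]|\\.)*"|[^\s,]+)')


def parse_challenge(header_value):
    """Split one WWW-Authenticate value into (scheme, params)."""
    scheme, _, rest = header_value.strip().partition(" ")
    params = {}
    for name, raw in _PARAM.findall(rest):
        if raw.startswith('"'):
            raw = re.sub(r'\\(.)', r'\1', raw[1:-1])  # strip quotes, unescape
        params[name.lower()] = raw
    return scheme.lower(), params


def realm_groups(challenges):
    """Map (scheme, realm) -> apps, for schemes that carry a realm."""
    groups = defaultdict(list)
    for app, values in challenges.items():
        for value in values:
            scheme, params = parse_challenge(value)
            if scheme in ("digest", "basic"):
                groups[(scheme, params.get("realm", ""))].append(app)
    return dict(groups)


def distinct_realms(challenges):
    """Sorted list of the different realm strings seen across all apps."""
    return sorted({realm for _, realm in realm_groups(challenges)})


# Constructed sample: header values as three hypothetical apps might return them.
SAMPLE = {
    "https://apps.example/app1/": [
        'Digest realm="corp.example", qop="auth,auth-int", nonce="n1", algorithm=MD5-sess'],
    "https://apps.example/app2/": [
        'Negotiate',
        'Digest realm="corp.example", qop="auth", nonce="n2"'],
    "https://apps.example/app3/": [
        'Digest realm="APP3", qop="auth", nonce="n3"'],
}

if __name__ == "__main__":
    for (scheme, realm), apps in realm_groups(SAMPLE).items():
        print(scheme, repr(realm), apps)
    if len(distinct_realms(SAMPLE)) > 1:
        print("realms differ:", distinct_realms(SAMPLE))
```

RFC 2617 defines the protection space as the realm combined with the server's canonical root URL, so a matching realm only groups apps that are served from the same host.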
WJ
"Ming Zhang" <mz****@mpsbc.com> wrote in message
news:%2****************@TK2MSFTNGP12.phx.gbl...
> Hi guys,
> ... When creating a new user, it's required to have "user must change
> password when first time login". In this case, the user will just get an
> 401.1 access deny error without any other clue.

You may want to disable the "User must change PW" policy in your domain/local
policy, assuming that you are using Windows 2k or 2k3.

> .... if the user navigate to other apps (which require windows
> authentication), the authentication dialog will popup again.
> .... I am stuck here. So my question is if there is a way to let IE knows
> that the current connection is already authenticated, so IE doesn't need to
> popup the dialog again.

Are your users members of your domain? If so, are they successfully
authenticated by your domain when they start up their PC? As this is the
only possible way to let the local IE browser know so that it does not ask for
the same login again. On top of that, you must disable "Anonymous" and
enable Windows Integrated for your website on the IIS box.

John


Nov 19 '05 #3
Hi John,
Thanks for your response.
The wrapper app has to use forms authentication (it can NOT use Windows
authentication) because there is no way to handle cases like "must change
password the first time login" if using Windows authentication. Under Windows
authentication, IIS just returns HTTP 401.1 if "must change password the
first time login" is set to true even if the user provides the correct password,
hence there is no way to distinguish whether it's a wrong password or a need to
change the password.

My existing apps are required to use Windows authentication (this is just the
requirement of those apps, I can't change it). So the problem is how to pass
the credential that was authenticated against AD (by forms authentication) to
other apps that only support Windows authentication.

I know this might be a weird problem, but this is the case I am facing.

Thanks
Ming
Nov 19 '05 #4
Thanks for the reply.
First, I can't disable "user must change PW". This is the security policy of
our company.
Users are internet users, so they aren't logged in to the domain. We can't use
the default credential that the user used to log in to their PC. We use AD to
manage their credentials simply because we need a central place to store all
credentials so that all apps can be authenticated against the AD.

Thanks
Ming
Nov 19 '05 #5
WJ

"Ming Zhang" <mz****@mpsbc.com> wrote in message
news:eL**************@TK2MSFTNGP09.phx.gbl...
> Thanks for reply.
> First, I can't disable "user must change PW". This is the security policy
> of our company.
> Users are internet users, so they aren't login to the domain. We can't use
> the default credential that the user used to login to their PC. We use AD
> to manage their Credential simply because we need a central place to store
> all credentials so that all apps can be authenticated against the AD.

Wow, that can fill up your AD database pretty quick. Then one way to do it
is to use a custom cookie and/or session state and do not let ASP.NET manage
your login. Involves lots of coding!

John

Nov 19 '05 #6
here is an idea, although it may not work and it's a horrible bodge:

after they have authenticated do a redirect to a url like this:

http://username:password@hostname/script.asp

the browser will take the username and password and use it to fill
in the auth box, hopefully it should never appear in the history!

i have to leave testing it to you, i can't right now
but i have used this in the past, maybe it still works now?

Nov 19 '05 #7
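
A URL of the form shown in the post above carries the password wherever the URL itself is recorded. The following added example (not part of the original post) flags lines containing such URLs and masks the password before the line is stored or shared; the sample lines, host names and credentials are constructed.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Candidate http(s) URLs inside free text such as header or log lines.
_URL = re.compile(r'https?://[^\s"\'<>]+', re.IGNORECASE)


def redact_userinfo(url):
    """Return (url with the password masked, True if a password was present)."""
    parts = urlsplit(url)
    userinfo, at, hostport = parts.netloc.rpartition("@")
    if not at:                      # no userinfo component in the authority
        return url, False
    user, colon, _password = userinfo.partition(":")
    has_password = bool(colon)
    safe = user + (":***" if has_password else "") + "@" + hostport
    return urlunsplit(parts._replace(netloc=safe)), has_password


def scan(lines):
    """Return [(line_number, redacted_line)] for lines carrying URL passwords."""
    findings = []
    for number, line in enumerate(lines, 1):
        hits = []

        def _mask(match):
            redacted, has_password = redact_userinfo(match.group(0))
            hits.append(has_password)
            return redacted

        cleaned = _URL.sub(_mask, line)
        if any(hits):
            findings.append((number, cleaned))
    return findings


# Constructed sample lines (not a real log format).
SAMPLE = [
    "302 /wrapper/login.aspx Location: http://jdoe:Passw0rd@apps.example/script.asp",
    "200 /app2/default.aspx Referer: http://apps.example/wrapper/login.aspx",
    "302 /wrapper/help.aspx Location: http://apps.example/contact?mail=a@b.example",
]

if __name__ == "__main__":
    for number, line in scan(SAMPLE):
        print("line %d: %s" % (number, line))
```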
