473,839 Members | 1,495 Online
Bytes | Software Development & Data Engineering Community
+ Post

Home Posts Topics Members FAQ

Can I force a Windows Authentication / Login?

I'm looking for a way to force the user to re-authenticate with their Windows
username/password/domain after clicking the submit button on an ASP.NET page.
This is for an internal application.

Does anyone know if/how this can be done?
Nov 19 '05 #1
8 16550
You mean you want to let the user authenticate using Windows Auth.
You can set that in IIS by checking integrated Windows and uncheck Anonymous
login
Patrick

"Keith H" <kh*****@newsgr oup.nospam> wrote in message
news:60******** *************** ***********@mic rosoft.com...
I'm looking for a way to force the user to re-authenticate with their Windows username/password/domain after clicking the submit button on an ASP.NET page. This is for an internal application.

Does anyone know if/how this can be done?

Nov 19 '05 #2
Hi Keith,

One technique is to redirect them to a page that denies access to anonymous
users. This throws up the login dialogue box.

In your Web.config, add a <location> before <system.web>

<configuratio n>
<location path="auth.aspx ">
<system.web>
<authorizatio n>
<deny users="?"/>
</authorization>
</system.web>
</location>
<system.web>
....

Then create a page called auth.aspx.

In your button click code redirect like this:

Private Sub Button1_Click _
(ByVal sender As System.Object, _
ByVal e As System.EventArg s) Handles Button1.Click
Response.Redire ct("auth.aspx" )
End Sub

Let us know if this helps?

Ken
Microsoft MVP [ASP.NET]


"Keith H" <kh*****@newsgr oup.nospam> wrote in message
news:60******** *************** ***********@mic rosoft.com...
I'm looking for a way to force the user to re-authenticate with their
Windows
username/password/domain after clicking the submit button on an ASP.NET
page.
This is for an internal application.

Does anyone know if/how this can be done?

Nov 19 '05 #3
Hi Keith,

For forcing the clientuser pass the windows authentication logon, as
Patrick has mentioned, we can use the IIS server's windows integrated
windows authentication( disable anonymous access) which will force the
client provide a valid windows identity. Also, if you're manually collect
the username/password through web page UI and programmaticall y authenticat
the user, you'll need to manually call some windows security API like
logonUser .... , but I don't think this is a good means from security and
performance perspective.

Thanks,

Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security

--------------------
| From: "Patirck Ige" <na********@hot mail.com>
| References: <60************ *************** *******@microso ft.com>
| Subject: Re: Can I force a Windows Authentication / Login?
| Date: Fri, 7 Oct 2005 09:35:40 +1000
| Lines: 16
| X-Priority: 3
| X-MSMail-Priority: Normal
| X-Newsreader: Microsoft Outlook Express 6.00.2800.1437
| X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1441
| Message-ID: <eP************ **@TK2MSFTNGP09 .phx.gbl>
| Newsgroups: microsoft.publi c.dotnet.framew ork.aspnet
| NNTP-Posting-Host: 203.36.211.134
| Path: TK2MSFTNGXA01.p hx.gbl!TK2MSFTN GP08.phx.gbl!TK 2MSFTNGP09.phx. gbl
| Xref: TK2MSFTNGXA01.p hx.gbl
microsoft.publi c.dotnet.framew ork.aspnet:1296 34
| X-Tomcat-NG: microsoft.publi c.dotnet.framew ork.aspnet
|
| You mean you want to let the user authenticate using Windows Auth.
| You can set that in IIS by checking integrated Windows and uncheck
Anonymous
| login
| Patrick
|
| "Keith H" <kh*****@newsgr oup.nospam> wrote in message
| news:60******** *************** ***********@mic rosoft.com...
| > I'm looking for a way to force the user to re-authenticate with their
| Windows
| > username/password/domain after clicking the submit button on an ASP.NET
| page.
| > This is for an internal application.
| >
| > Does anyone know if/how this can be done?
|
|
|

Nov 19 '05 #4
All you need to do is send back a 302 response from your page (Response.Statu sCode).
As long as you're using Windows authentication and IIS then this will trigger
IIS to challenge the browser such that the user must reauthenticate.

-Brock
DevelopMentor
http://staff.develop.com/ballen
I'm looking for a way to force the user to re-authenticate with their
Windows username/password/domain after clicking the submit button on
an ASP.NET page. This is for an internal application.

Does anyone know if/how this can be done?

Nov 19 '05 #5
Thanks Brock -- I tried this, and it did prompt me to authenticate again
(with response.status code = 401, not 302), but the behavior is a little
wacky. Sometimes I authenticate once and it accepts it but then doesn't
continue to do the rest of the code in the button_click event; other times it
repeats the authentication prompt three times and then DOES continue to do
the rest of the code.

What I really want is to write a function that forces the user to
authenticate again, returns true if the user authenticates successfully,
returns false otherwise; then I can do other code or send the user to an
error page based on the return value of the function.

It's just the part about forcing the authentication prompt and verifying
whether it was successful that I don't know how to do.

"Brock Allen" wrote:
All you need to do is send back a 302 response from your page (Response.Statu sCode).
As long as you're using Windows authentication and IIS then this will trigger
IIS to challenge the browser such that the user must reauthenticate.

-Brock
DevelopMentor
http://staff.develop.com/ballen
I'm looking for a way to force the user to re-authenticate with their
Windows username/password/domain after clicking the submit button on
an ASP.NET page. This is for an internal application.

Does anyone know if/how this can be done?


Nov 19 '05 #6
Thanks Ken,

But I don't want to do forms authentication. What I want to do is, ideally,
write a function that will prompt the user to re-authenticate against their
Windows domain account, return true if successful and false if not.

Then I would put the function in the button click event; if returns true I
continue to do more code, if returns false I give the user an error message
in a label on the page.

I already understand about turning off anonymous access in IIS admin, etc.
But that doesn't actually force the user to re-authenticate, it just provides
the Windows identity info in the context, like the LOGON_USER, etc. And I
don't want them to enter their username and password until they click the
button on the page.

I've tried poking through some of the security classes in the .NET
documentation, but I haven't seen any sample code that points me in the right
direction...
"Ken Cox [Microsoft MVP]" wrote:
Hi Keith,

One technique is to redirect them to a page that denies access to anonymous
users. This throws up the login dialogue box.

In your Web.config, add a <location> before <system.web>

<configuratio n>
<location path="auth.aspx ">
<system.web>
<authorizatio n>
<deny users="?"/>
</authorization>
</system.web>
</location>
<system.web>
....

Then create a page called auth.aspx.

In your button click code redirect like this:

Private Sub Button1_Click _
(ByVal sender As System.Object, _
ByVal e As System.EventArg s) Handles Button1.Click
Response.Redire ct("auth.aspx" )
End Sub

Let us know if this helps?

Ken
Microsoft MVP [ASP.NET]


"Keith H" <kh*****@newsgr oup.nospam> wrote in message
news:60******** *************** ***********@mic rosoft.com...
I'm looking for a way to force the user to re-authenticate with their
Windows
username/password/domain after clicking the submit button on an ASP.NET
page.
This is for an internal application.

Does anyone know if/how this can be done?


Nov 19 '05 #7
What you can do is to trap statuscode = 401 if access is denied or not
(But remember you wuld have to trap "statuscode = 401" in your
global.asax )
And maybe redirect the user to some where and from there....do what ever you
want with them
Hope that helps
Patrick

"Keith H" <kh*****@newsgr oup.nospam> wrote in message
news:E7******** *************** ***********@mic rosoft.com...
Thanks Brock -- I tried this, and it did prompt me to authenticate again
(with response.status code = 401, not 302), but the behavior is a little
wacky. Sometimes I authenticate once and it accepts it but then doesn't
continue to do the rest of the code in the button_click event; other times it repeats the authentication prompt three times and then DOES continue to do
the rest of the code.

What I really want is to write a function that forces the user to
authenticate again, returns true if the user authenticates successfully,
returns false otherwise; then I can do other code or send the user to an
error page based on the return value of the function.

It's just the part about forcing the authentication prompt and verifying
whether it was successful that I don't know how to do.

"Brock Allen" wrote:
All you need to do is send back a 302 response from your page (Response.Statu sCode). As long as you're using Windows authentication and IIS then this will trigger IIS to challenge the browser such that the user must reauthenticate.

-Brock
DevelopMentor
http://staff.develop.com/ballen
I'm looking for a way to force the user to re-authenticate with their
Windows username/password/domain after clicking the submit button on
an ASP.NET page. This is for an internal application.

Does anyone know if/how this can be done?


Nov 19 '05 #8
Hi Keith,

From your further description, I think your current problem is how to
manually collect the username/password from the enduser and do a windows
logon auhtenticate, yes? The Integrated windows authentication in IIS is
done automatically before each webrequest and we can not manually redo the
authentication. Currently the only available approach may be manually call
the WINDOWS LogonUser API to validate the user acccount, we need to provide
the cleartext username/password when calling this API, do you think this is
possible? If so the following kb article has mentioned use LogonUser API
through .net PInvoke in asp.net application.

#How to implement impersonation in an ASP.NET application
http://support.microsoft.com/default...b;en-us;306158

Hope helps. Thanks,

Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security

--------------------
| Thread-Topic: Can I force a Windows Authentication / Login?
| thread-index: AcXLZJySqJqzylO GQpucW7kNlnrfJQ ==
| X-WBNR-Posting-Host: 204.250.153.2
| From: "=?Utf-8?B?S2VpdGggSA= =?=" <kh*****@newsgr oup.nospam>
| References: <60************ *************** *******@microso ft.com>
<Og************ **@TK2MSFTNGP10 .phx.gbl>
| Subject: Re: Can I force a Windows Authentication / Login?
| Date: Fri, 7 Oct 2005 10:29:03 -0700
| Lines: 71
| Message-ID: <D7************ *************** *******@microso ft.com>
| MIME-Version: 1.0
| Content-Type: text/plain;
| charset="Utf-8"
| Content-Transfer-Encoding: 7bit
| X-Newsreader: Microsoft CDO for Windows 2000
| Content-Class: urn:content-classes:message
| Importance: normal
| Priority: normal
| X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.0
| Newsgroups: microsoft.publi c.dotnet.framew ork.aspnet
| NNTP-Posting-Host: TK2MSFTNGXA03.p hx.gbl 10.40.2.250
| Path: TK2MSFTNGXA01.p hx.gbl!TK2MSFTN GXA03.phx.gbl
| Xref: TK2MSFTNGXA01.p hx.gbl
microsoft.publi c.dotnet.framew ork.aspnet:1298 60
| X-Tomcat-NG: microsoft.publi c.dotnet.framew ork.aspnet
|
| Thanks Ken,
|
| But I don't want to do forms authentication. What I want to do is,
ideally,
| write a function that will prompt the user to re-authenticate against
their
| Windows domain account, return true if successful and false if not.
|
| Then I would put the function in the button click event; if returns true
I
| continue to do more code, if returns false I give the user an error
message
| in a label on the page.
|
| I already understand about turning off anonymous access in IIS admin,
etc.
| But that doesn't actually force the user to re-authenticate, it just
provides
| the Windows identity info in the context, like the LOGON_USER, etc. And I
| don't want them to enter their username and password until they click the
| button on the page.
|
| I've tried poking through some of the security classes in the .NET
| documentation, but I haven't seen any sample code that points me in the
right
| direction...
|
|
| "Ken Cox [Microsoft MVP]" wrote:
|
| > Hi Keith,
| >
| > One technique is to redirect them to a page that denies access to
anonymous
| > users. This throws up the login dialogue box.
| >
| > In your Web.config, add a <location> before <system.web>
| >
| > <configuratio n>
| > <location path="auth.aspx ">
| > <system.web>
| > <authorizatio n>
| > <deny users="?"/>
| > </authorization>
| > </system.web>
| > </location>
| > <system.web>
| > ....
| >
| > Then create a page called auth.aspx.
| >
| > In your button click code redirect like this:
| >
| > Private Sub Button1_Click _
| > (ByVal sender As System.Object, _
| > ByVal e As System.EventArg s) Handles Button1.Click
| > Response.Redire ct("auth.aspx" )
| > End Sub
| >
| > Let us know if this helps?
| >
| > Ken
| > Microsoft MVP [ASP.NET]
| >
| >
| >
| >
| > "Keith H" <kh*****@newsgr oup.nospam> wrote in message
| > news:60******** *************** ***********@mic rosoft.com...
| > > I'm looking for a way to force the user to re-authenticate with their
| > > Windows
| > > username/password/domain after clicking the submit button on an
ASP.NET
| > > page.
| > > This is for an internal application.
| > >
| > > Does anyone know if/how this can be done?
| >
| >
| >
|

Nov 19 '05 #9

This thread has been closed and replies have been disabled. Please start a new discussion.

Similar topics

2
5478
by: thenetflyer | last post by:
<!-- The following sample should authorize the user to log on the site. This works once but after refreshing the browser, it does not prompt again for login until all browser (IE 6) windows are closed and the same page is opened. I turned off all caching but still it does cache (as a refresh doen not promt again). How can I force the page to prompt for a password at every refresh ?
8
3713
by: Bob Everland | last post by:
I have an application that is ISAPI and the only way to secure it is through NT permissions. I need to have a way to login to windows authentication so that when I get to the ISAPI application no boxes come up. I want an ASP page to sit between the user and the ISAPI application. The rest of my application is using authentication that is database driven and wouldn't want the users to know the userid and password. Is this possible? If so...
1
2140
by: sherkozmo | last post by:
I have my SQL 7.0 server set for Mixed security. I see now (finally) the advantages of having windows authentication security for windows groups. I do most of my developing in Access Projects which require a login of some type. I have been using my SQL login to develop with SQL and then when I give it to the user, I set the project to use Windows authentication. I want to be able to have Windows authentication on my domain account but...
4
4843
by: Dave | last post by:
Hi, Is there anyway to mimic forms authentication's loginUrl and RedirectFromLoginPage functionality using Windows authentication? We are developing intranet sites using basic authentication and we want to always redirect a user to a default 'splash' or welcome page that is set to anonymous if they are not logged in. This page would have
4
6814
by: Andrew | last post by:
Hey all, I would like to preface my question by stating I am still learning ASP.net and while I am confident in the basics and foundation, the more advanced stuff is still a challenge. Ok. :)
6
7564
by: Kevin Yu | last post by:
is it possible to for user to click a logout button to logout and when the user want to get into the system again, the user have to login again? Kevin
2
7775
by: Grant | last post by:
Hi, I am using Windows Authentication but want to force a login popup even if the users login is authenticated. This would allow other people to use my computer while im logged in to access and login to one of my applications. Note: I don't want to use Forms authentication mode. Does anybody know how to do this?
3
2423
by: serge calderara | last post by:
Dear all, I clearly underdand the advantage of both type of authentification but is it allowed or possible to set the Authentication mode to Windows and then handle a login form for defined users in Credential section like as follow : <authentication mode="Windows" > <forms loginUrl="Login.aspx"> <credentials passwordFormat="Clear"> <user name="Jessee" password="JuneBug"/>
2
2422
by: Abraham Andres Luna | last post by:
hello everyone, i have setup windows authentication with iis and asp.net. it works fine, however, how do i force a login anyway. that way the user has to type in their username and password when they end their session. thank you, abraham luna
0
9856
marktang
by: marktang | last post by:
ONU (Optical Network Unit) is one of the key components for providing high-speed Internet services. Its primary function is to act as an endpoint device located at the user's premises. However, people are often confused as to whether an ONU can Work As a Router. In this blog post, we’ll explore What is ONU, What Is Router, ONU & Router’s main usage, and What is the difference between ONU and Router. Let’s take a closer look ! Part I. Meaning of...
0
10592
jinu1996
by: jinu1996 | last post by:
In today's digital age, having a compelling online presence is paramount for businesses aiming to thrive in a competitive landscape. At the heart of this digital strategy lies an intricately woven tapestry of website design and digital marketing. It's not merely about having a website; it's about crafting an immersive digital experience that captivates audiences and drives business growth. The Art of Business Website Design Your website is...
0
10299
tracyyun
by: tracyyun | last post by:
Dear forum friends, With the development of smart home technology, a variety of wireless communication protocols have appeared on the market, such as Zigbee, Z-Wave, Wi-Fi, Bluetooth, etc. Each protocol has its own unique characteristics and advantages, but as a user who is planning to build a smart home system, I am a bit confused by the choice of these technologies. I'm particularly interested in Zigbee because I've heard it does some...
1
7834
isladogs
by: isladogs | last post by:
The next Access Europe User Group meeting will be on Wednesday 1 May 2024 starting at 18:00 UK time (6PM UTC+1) and finishing by 19:30 (7.30PM). In this session, we are pleased to welcome a new presenter, Adolph Dupré who will be discussing some powerful techniques for using class modules. He will explain when you may want to use classes instead of User Defined Types (UDT). For example, to manage the data in unbound forms. Adolph will...
0
5684
by: TSSRALBI | last post by:
Hello I'm a network technician in training and I need your help. I am currently learning how to create and manage the different types of VPNs and I have a question about LAN-to-LAN VPNs. The last exercise I practiced was to create a LAN-to-LAN VPN between two Pfsense firewalls, by using IPSEC protocols. I succeeded, with both firewalls in the same network. But I'm wondering if it's possible to do the same thing, with 2 Pfsense firewalls...
0
5871
by: adsilva | last post by:
A Windows Forms form does not have the event Unload, like VB6. What one acts like?
1
4495
by: 6302768590 | last post by:
Hai team i want code for transfer the data from one system to another through IP address by using C# our system has to for every 5mins then we have to update the data what the data is updated we have to send another system
2
4067
muto222
by: muto222 | last post by:
How can i add a mobile payment intergratation into php mysql website.
3
3136
bsmnconsultancy
by: bsmnconsultancy | last post by:
In today's digital era, a well-designed website is crucial for businesses looking to succeed. Whether you're a small business owner or a large corporation in Toronto, having a strong online presence can significantly impact your brand's success. BSMN Consultancy, a leader in Website Development in Toronto offers valuable insights into creating effective websites that not only look great but also perform exceptionally well. In this comprehensive...

By using Bytes.com and it's services, you agree to our Privacy Policy and Terms of Use.

To disable or enable advertisements and analytics tracking please visit the manage ads & tracking page.