Authentication - Server Variables ( omg! )

Have two domains, which are non-trusted.. and will never be I've been told.
Users on one domain need to access a website on the other domain, but don't
want to have to enter any credentials as they've already logged into their
own domain. Their domain login user name is duplicated in a database on the
website domain, so authentication can be handled by the web app as long as
we can pass the user id across.

Oh bugger thinks I, that's a can of worms if ever I heard one.

In IIS6, they've just got Anonymous access checked, else they'd be prompted
for login details. So the only way I can think of doing this is to pick up
one of the request server variables that contains their local user.
Normally for network authentication, we'd use logon_user, but due to the
anonymous access, that won't be there..

So what should I pick up instead.

And yes, I realise that security wise, this is awful, but as far as I can
tell, there's no other choice.. unless anyone knows different ?

Cheers
--
Adrian Parker
Sep 5 '06 #1
Rob
Adrian,

There isn't a server variable available for what you want.

But... if the users actually have user id's in the second domain then you
could run the application with windows integrated security enabled. So long
as users keep their passwords the same then they won't be prompted for
user/password.

If the users do not have user id's in the second domain then you're likely
out of luck.

You could look into passing an encrypted user id as a query string
variable... but that might be a bit open (no password... just an encrypted
user id... that's an easy secret to steal). You could try passing an
encrypted user id as a hidden form variable in a postback... but that's
still pretty easy to steal.

But... any scheme that involves just a user id to log on will be risky. This
is why Windows Integrated Security is so nice... it's been built to be
secure (behind the scenes IE passes user id and password hash). Trying to do
the same thing on your own... well... good luck :)

Regards,

Rob

Sep 5 '06 #2
Hi Adrian,

I think Rob's analysis here is reasonable. As for IE, it will always send
an anonymous request to the remote web site first; then, depending on whether
the web server enables anonymous access or not, the following occurs:

** If anonymous access is allowed, the first request can pass and be processed
successfully; there is no authentication info in the request/response.

** If anonymous access is not allowed, the first request is rejected with a
401 error, and IE will try sending a credential to the server. Depending on
whether the credential can be authenticated on the server, this results in the
following behavior:

<< If the credential can be authenticated (a duplicated local account on
both client and server, or a domain user account in a shared or trusted
domain), the second request gets processed.

<< If the credential cannot be authenticated, the request fails.

As for those server variables (related to authentication info), they will
contain the client user's value only if the request has passed
authentication. Therefore, in your case, since the client machine cannot
provide a valid account that can be authenticated on the server, we really
have no luck here.

BTW, is the reason you don't want users to input username/password
credentials here specific to security considerations? If so, do you think it
is possible to use an https/ssl secure channel for authentication here?
This is the most common approach for passing clear-text credentials over the
internet. And on the server side, the application can authenticate the
credentials against AD through the ActiveDirectory membership provider... If
you think this is doable for your scenario, we can provide some detailed
references on this.

Please feel free to let me know if you have any other ideas or concerns
here.

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead

This posting is provided "AS IS" with no warranties, and confers no rights.

Sep 6 '06 #3
Thanks for the responses guys.

I think we've got two choices: tell them no, or create a Windows app
that will encrypt the current user and send it as a querystring to the
remote URL.. ho hum..

Cheers
-Adrian

Sep 6 '06 #4
Thanks for the reply Adrian,

Yes, if you're using a rich client such as a WinForms application, you can
encrypt the request URL and querystring parameters, while in a browser-based
scenario, this is quite limited without using https/ssl on the server.

Anyway, if there is anything else we can help, please feel free to post
here.

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead
This posting is provided "AS IS" with no warranties, and confers no rights.
Sep 7 '06 #5
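
Rob's concern that a bare encrypted user id in a query string is "an easy secret to steal", and Adrian's plan to have a Windows app send one, both come down to replay: the same string works again for whoever captures it. The following is an added example, not code from any poster in this thread, of a token that binds the user id to an issue time and a random nonce so the server can reject altered, stale and reused values. It uses an HMAC rather than encryption, because the server needs integrity and freshness rather than secrecy of the user name; `issue_token`, `TokenVerifier`, `SHARED_KEY` and the user id `aparker` are hypothetical names and constructed values.

```python
import base64, hashlib, hmac, json, secrets, time

# Constructed demo key (assumption: a real key is provisioned out of band
# to the client app and the web app, and never shipped in source).
SHARED_KEY = b"constructed-demo-key-do-not-reuse"
MAX_AGE = 60  # seconds a token is accepted after it was issued

def b64e(data):
    return base64.urlsafe_b64encode(data).decode().rstrip("=")

def b64d(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(user_id, key=SHARED_KEY, now=None):
    """Client side: MAC the user id together with issue time and nonce."""
    claims = {"uid": user_id, "nonce": secrets.token_hex(16),
              "iat": int(now if now is not None else time.time())}
    payload = json.dumps(claims, sort_keys=True).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return b64e(payload) + "." + b64e(tag)

class TokenVerifier:
    """Server side: checks integrity, freshness and single use."""
    def __init__(self, key=SHARED_KEY, max_age=MAX_AGE):
        self.key, self.max_age = key, max_age
        self.seen = {}  # nonce -> time after which the token is expired anyway

    def verify(self, token, now=None):
        """Return the asserted user id, or raise ValueError with the reason."""
        now = int(now if now is not None else time.time())
        try:
            p64, t64 = token.split(".")
            payload, tag = b64d(p64), b64d(t64)
        except ValueError:  # wrong part count or invalid base64
            raise ValueError("malformed token") from None
        expected = hmac.new(self.key, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):  # constant-time compare
            raise ValueError("bad signature")
        claims = json.loads(payload)  # parsed only after the MAC checks out
        if abs(now - claims["iat"]) > self.max_age:
            raise ValueError("expired")
        # Forget nonces whose tokens can no longer pass the age check.
        self.seen = {n: exp for n, exp in self.seen.items() if exp >= now}
        if claims["nonce"] in self.seen:
            raise ValueError("replayed")
        self.seen[claims["nonce"]] = claims["iat"] + self.max_age
        return claims["uid"]
```

The short lifetime and single-use check limit what a captured URL is worth, but the token should still travel over HTTPS as Steven suggests. The key has to live inside the Windows app on every client machine, so anyone who can read it there can issue a token for any user id; the scheme is only as strong as that key's protection.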
