Hi guys,
I have a couple of ASP.NET applications that only support digest Windows
authentication, and credentials are managed in a central AD. When users
log in to one app, they can easily navigate to other apps without re-entering
UID/PWD. Everything works except it doesn't meet our security policy for newly
created users. When creating a new user, it's required to have "user must
change password when first time login". In this case, the user will just get
a 401.1 access denied error without any other clue.
One solution is to write a wrapper web app that can detect this setting and
allows users to change their password through the internet. This can be done by
using Form Authentication to authenticate against AD. Now the question is,
after a user has successfully authenticated in this wrapper app, if the user
navigates to other apps (which require Windows authentication), the
authentication dialog will pop up again. This is really what we hate to see.
I am stuck here. So my question is whether there is a way to let IE know that
the current connection is already authenticated, so IE doesn't need to pop up
the dialog again.
Your help is greatly appreciated!
Ming
Hi there,
isn't it the case that after they set their new password using your wrapper
application that they only have to login once using the windows
authentication with their new password and after that everything will be
automatic again?
or is it prompting them one time for each app?
in which case I would look at getting all the apps to use the
same authentication realm, so IE only keeps one setting for all of
them.
look at the web.config file for <authentication realm="try and make this the same across all your apps"/>
(this corresponds to the realm parameter in the www-authenticate http
header)
(this is what ie uses to make the key for storing auth credentials)
i am just brainstorming to try and help
so sorry if i am on the wrong track
John
ps cool name you have :)
"Ming Zhang" <mz****@mpsbc.com> wrote in message
news:%2****************@TK2MSFTNGP12.phx.gbl...
> Hi guys, ... When creating a new user, it's required to have "user must change password when first time login". In this case, the user will just get an 401.1 access deny error without any other clue.
You may want to disable the "User must change PW" policy on your domain/local
policy, assuming that you are using Windows 2k or 2k3.
> .... if the user navigate to other apps (which require windows authentication), the authentication dialog will popup again. .... I am stuck here. So my question is if there is a way to let IE knows that the current connection is already authenticated, so IE doesn't need to popup the dialog again.
Are your users members of your domain? If so, are they successfully
authenticated by your domain when they start up their PC? As this is the
only possible way to let the local IE browser know so that it does not ask for
the same login again. On top of that, you must disable "Anonymous" and
enable Windows Integrated for your website on the IIS box.
John
Hi John,
Thanks for your response.
The wrapper app has to use form authentication (can NOT use Windows
authentication) because there is no way to handle cases like "must change
password the first time login" if using Windows authentication. Under Windows
authentication, IIS just returns HTTP 401.1 if "must change password the
first time login" is set to true even if the user provides the correct password,
hence there is no way to distinguish whether it's a wrong password, or a need to
change password.
My existing apps are required to use Windows authentication (this is just the
requirement of those apps, I can't change it). So the problem is how to pass
the credential that was authenticated against AD (by form authentication) to
other apps that only support Windows authentication.
I know this might be a weird problem, but this is the case I am facing.
Thanks
Ming
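The distinction Ming describes above (IIS answers 401.1 for both a wrong password and "must change password") can be made by a wrapper app that binds to AD over LDAP itself and inspects the failure. This is an added example, not code from the thread: it assumes the diagnostic text of the failed bind carries AD's hex logon sub-status after `data`, and the type and method names are hypothetical.

```csharp
using System;
using System.Text.RegularExpressions;

public enum BindFailure
{
    InvalidCredentials, MustChangePassword, PasswordExpired,
    AccountDisabled, AccountLocked, Other
}

public static class AdBindError
{
    // AD appends the Win32 logon sub-status as hex after "data" in the
    // diagnostic text of a failed bind (assumed here to be read from
    // LdapException.ServerErrorMessage in System.DirectoryServices.Protocols).
    private static readonly Regex SubStatus =
        new Regex(@"\bdata\s+([0-9a-fA-F]{1,8})\b");

    public static BindFailure Classify(string serverErrorMessage)
    {
        if (string.IsNullOrEmpty(serverErrorMessage)) return BindFailure.Other;
        Match m = SubStatus.Match(serverErrorMessage);
        if (!m.Success) return BindFailure.Other;

        switch (m.Groups[1].Value.ToLowerInvariant())
        {
            case "52e": return BindFailure.InvalidCredentials;  // wrong user name or password
            case "773": return BindFailure.MustChangePassword;  // "user must change password at next logon"
            case "532": return BindFailure.PasswordExpired;
            case "533": return BindFailure.AccountDisabled;
            case "775": return BindFailure.AccountLocked;
            default:    return BindFailure.Other;               // handle as a plain failed logon
        }
    }

    public static void Main()
    {
        // Constructed messages in the shape AD returns; the DSID values are made up.
        string[] samples =
        {
            "80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1",
            "80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 773, v1db1",
            "The LDAP server is unavailable."
        };
        foreach (string s in samples)
            Console.WriteLine("{0,-20} : {1}", Classify(s), s);
    }
}
```

Only `MustChangePassword` should lead to the change-password form; showing one generic "logon failed" message for every other result keeps the wrapper from disclosing whether an account exists, is disabled, or is locked.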
Thanks for the reply.
First, I can't disable "user must change PW". This is the security policy of
our company.
Users are internet users, so they aren't logged in to the domain. We can't use
the default credential that the user used to log in to their PC. We use AD to
manage their credentials simply because we need a central place to store all
credentials so that all apps can be authenticated against the AD.
Thanks
Ming
"Ming Zhang" <mz****@mpsbc.com> wrote in message
news:eL**************@TK2MSFTNGP09.phx.gbl...
> Thanks for reply. First, I can't disable "user must change PW". This is the security policy of our company. Users are internet users, so they aren't login to the domain. We can't use the default credential that the user used to login to their PC. We use AD to manage their Credential simply because we need a central place to store all credentials so that all apps can be authenticated against the AD.
Wow, that can fill up your AD database pretty quick. Then one way to do it
is to use a custom cookie and/or session state and do not let ASP.NET manage
your login. Involves lots of coding!
John
here is an idea, although it may not work and it's a horrible bodge:
after they have authenticated do a redirect to a url like this: http://username:password@hostname/script.asp
the browser will take the username and password and use it to fill
in the auth box, hopefully it should never appear in the history!
i have to leave testing it to you, i can't right now
but i have used this in the past, maybe it still works now?