473,320 Members | 1,884 Online
Bytes | Software Development & Data Engineering Community
Post Job

Home Posts Topics Members FAQ

Join Bytes to post your question to a community of 473,320 software developers and data experts.

Authentication

Hi guys,
I have couple of ASP.NET applications that only support digest windows
authentication, and credentials are managed in a central AD. When users
login to one app, they can easily navigate to other apps without reenter
UID/PWD. Everything works except it doesn't meet our security policy for new
created users. When creating a new user, it's required to have "user must
change password when first time login". In this case, the user will just get
an 401.1 access deny error without any other clue.

One solution is to write a wrapper web app that can detect this setting and
allows user to change their password through internet. This can be done by
using Form Authentication to authenticate against AD. Now the question is
after a user successfully authenticated in this wrapper app, if the user
navigate to other apps (which require windows authentication), the
authentication dialog will popup again. This is really what we hate to see.
I am stuck here. So my question is if there is a way to let IE knows that
the current connection is already authenticated, so IE doesn't need to popup
the dialog again.

Your help is greatly appreciated!

Ming
Nov 19 '05 #1
6 3275


Hi there,

isn't it case that after they set their new password using your wrapper
application that they only have to login once using the windows
authentication
with their new password and after that everything will be automatic
again?

or is it prompting them one time for each app?

in which case I would look at getting all the apps to use the
same authentication realm, so IE only keeps one setting for all of
them.

look at the web.config file for <authentication realm="try and make
this the same across all your apps"/>

(this corresponds to the realm parameter in the www-authenticate http
header)
(this is what ie uses to make the key for storing auth credentials)

i am just brainstorming to try and help
so sorry if i am on the wrong track

John

ps cool name you have :)

Ming Zhang wrote:
Hi guys,
I have couple of ASP.NET applications that only support digest windows
authentication, and credentials are managed in a central AD. When users
login to one app, they can easily navigate to other apps without reenter
UID/PWD. Everything works except it doesn't meet our security policy for new
created users. When creating a new user, it's required to have "user must
change password when first time login". In this case, the user will just get
an 401.1 access deny error without any other clue.

One solution is to write a wrapper web app that can detect this setting and
allows user to change their password through internet. This can be done by
using Form Authentication to authenticate against AD. Now the question is
after a user successfully authenticated in this wrapper app, if the user
navigate to other apps (which require windows authentication), the
authentication dialog will popup again. This is really what we hate to see.
I am stuck here. So my question is if there is a way to let IE knows that
the current connection is already authenticated, so IE doesn't need to popup
the dialog again.

Your help is greatly appreciated!

Ming


Nov 19 '05 #2
WJ
"Ming Zhang" <mz****@mpsbc.com> wrote in message
news:%2****************@TK2MSFTNGP12.phx.gbl...
Hi guys,
... When creating a new user, it's required to have "user must change
password when first time login". In this case, the user will just get an
401.1 access deny error without any other clue.

You may want to disable "User must change PW" policy on your domain/local
policy assume that you are using Windows 2k or 2k3.
.... if the user navigate to other apps (which require windows
authentication), the authentication dialog will popup again.
.... I am stuck here. So my question is if there is a way to let IE knows
that the current connection is already authenticated, so IE doesn't need to
popup the dialog again.

Are your users member of your domain ? If so, are they successfully
authenticated by your domain when they start-up their PC ? As this is the
only possible way to let local IE browser knows so that it does not ask for
the same login again. On top of that, you must disable "Anonymous" and
enable Windows Integrated for your website on the IIS box.

John


Nov 19 '05 #3
Hi John,
Thanks for your response.
The wrapper app has to use form authentication (can NOT use windows
authentication) because there is no way to handle cases like "must change
password the first time login" if use windows authentication. Under windows
authentication, iis just return HTTP 401.1 if "must change password the
first time login" is set to true even the user provides correct password,
hence there is no way to distinguish whether it's wrong password, or need to
change password.

My existing apps require to use windows authentication (this is just the
requirement of those apps, I can't change it). So the problem is how to pass
the credential that authenticated against AD (by form authentication) to
other apps that only support windows authentication.

I know this might be a wired problem, but this is the case I am facing.

Thanks
Ming
"John Rivers" <fi*****@btinternet.com> wrote in message
news:11**********************@g43g2000cwa.googlegr oups.com...


Hi there,

isn't it case that after they set their new password using your wrapper
application that they only have to login once using the windows
authentication
with their new password and after that everything will be automatic
again?

or is it prompting them one time for each app?

in which case I would look at getting all the apps to use the
same authentication realm, so IE only keeps one setting for all of
them.

look at the web.config file for <authentication realm="try and make
this the same across all your apps"/>

(this corresponds to the realm parameter in the www-authenticate http
header)
(this is what ie uses to make the key for storing auth credentials)

i am just brainstorming to try and help
so sorry if i am on the wrong track

John

ps cool name you have :)

Ming Zhang wrote:
Hi guys,
I have couple of ASP.NET applications that only support digest windows
authentication, and credentials are managed in a central AD. When users
login to one app, they can easily navigate to other apps without reenter
UID/PWD. Everything works except it doesn't meet our security policy for
new
created users. When creating a new user, it's required to have "user must
change password when first time login". In this case, the user will just
get
an 401.1 access deny error without any other clue.

One solution is to write a wrapper web app that can detect this setting
and
allows user to change their password through internet. This can be done
by
using Form Authentication to authenticate against AD. Now the question is
after a user successfully authenticated in this wrapper app, if the user
navigate to other apps (which require windows authentication), the
authentication dialog will popup again. This is really what we hate to
see.
I am stuck here. So my question is if there is a way to let IE knows that
the current connection is already authenticated, so IE doesn't need to
popup
the dialog again.

Your help is greatly appreciated!

Ming

Nov 19 '05 #4
Thanks for reply.
First, I can't disable "user must change PW". This is the security policy of
our company.
Users are internet users, so they aren't login to the domain. We can't use
the default credential that the user used to login to their PC. We use AD to
manage their Credential simply because we need a central place to store all
credentials so that all apps can be authenticated against the AD.

Thanks
Ming
"WJ" <Jo*******@HotMail.Com> wrote in message
news:%2****************@TK2MSFTNGP09.phx.gbl...
"Ming Zhang" <mz****@mpsbc.com> wrote in message
news:%2****************@TK2MSFTNGP12.phx.gbl...
Hi guys,
... When creating a new user, it's required to have "user must change
password when first time login". In this case, the user will just get an
401.1 access deny error without any other clue.


You may want to disable "User must change PW" policy on your domain/local
policy assume that you are using Windows 2k or 2k3.
.... if the user navigate to other apps (which require windows
authentication), the authentication dialog will popup again.
.... I am stuck here. So my question is if there is a way to let IE knows
that the current connection is already authenticated, so IE doesn't need
to popup the dialog again.

Are your users member of your domain ? If so, are they successfully
authenticated by your domain when they start-up their PC ? As this is the
only possible way to let local IE browser knows so that it does not ask
for the same login again. On top of that, you must disable "Anonymous" and
enable Windows Integrated for your website on the IIS box.

John

Nov 19 '05 #5
WJ

"Ming Zhang" <mz****@mpsbc.com> wrote in message
news:eL**************@TK2MSFTNGP09.phx.gbl...
Thanks for reply.
First, I can't disable "user must change PW". This is the security policy
of our company.
Users are internet users, so they aren't login to the domain. We can't use
the default credential that the user used to login to their PC. We use AD
to manage their Credential simply because we need a central place to store
all credentials so that all apps can be authenticated against the AD.


Wow, that can fill up your AD database pretty quick. Then one way to do it
is to use custom cookie and or session state and donot let Asp.Net to manage
your login. Involves lots of coding!

John

Nov 19 '05 #6
here is an idea, although it may not work and its a horrible bodge:

after they have authenticated do a redirect to a url like this:

http://username:password@hostname/script.asp

the browser will take the username and password and use it to fill
in the auth box, hopefully it should never appear in the history!

i have to leave testing it to you, i can't right now
but i have used this in the past, maybe it still works now?

Nov 19 '05 #7

This thread has been closed and replies have been disabled. Please start a new discussion.

Similar topics

7
by: Michael Foord | last post by:
#!/usr/bin/python -u # 15-09-04 # v1.0.0 # auth_example.py # A simple script manually demonstrating basic authentication. # Copyright Michael Foord # Free to use, modify and relicense. #...
8
by: Bob Everland | last post by:
I have an application that is ISAPI and the only way to secure it is through NT permissions. I need to have a way to login to windows authentication so that when I get to the ISAPI application no...
6
by: Billy Jacobs | last post by:
I have a website which has both secure and non-secure pages. I want to uses forms authentication. How do I accomplish this? Originally I had my web.config file in the root with Forms...
9
by: Tom B | last post by:
In my web.config file I've specified Windows for the authentication, in IIS I've set it to Integrated Authentication. But my SQL connection is still showing Anonymous. Is there somewhere else I...
0
by: Anonieko Ramos | last post by:
ASP.NET Forms Authentication Best Practices Dr. Dobb's Journal February 2004 Protecting user information is critical By Douglas Reilly Douglas is the author of Designing Microsoft ASP.NET...
4
by: Andrew | last post by:
Hey all, I would like to preface my question by stating I am still learning ASP.net and while I am confident in the basics and foundation, the more advanced stuff is still a challenge. Ok....
0
by: Albertas | last post by:
What I'm doing wrong that I can't make my authentication to work. Here is the situation: I'm hosting a Web Service from a Windows forms application, using .NET Framework 3.0 WCF. And I want to...
18
by: troywalker | last post by:
I am new to LDAP and Directory Services, and I have a project that requires me to authenticate users against a Sun Java System Directory Server in order to access the application. I have found...
2
by: Frank Swarbrick | last post by:
I am trying to understand "client authentication" works. My environment is DB2/UDB LUW 8.2 on zSeries SLES9 as the database server and DB2 for VSE 7.4 as the client. We currently have DB2/LUW set...
5
by: Rory Becker | last post by:
Having now created a Custom MembershipProvider that seems to work correctly with my Logon and ChangePassword controls, I am, as they say, a happy bunny. The next stange is to move on to the...
0
by: DolphinDB | last post by:
The formulas of 101 quantitative trading alphas used by WorldQuant were presented in the paper 101 Formulaic Alphas. However, some formulas are complex, leading to challenges in calculation. Take...
0
by: ryjfgjl | last post by:
ExcelToDatabase: batch import excel into database automatically...
0
isladogs
by: isladogs | last post by:
The next Access Europe meeting will be on Wednesday 6 Mar 2024 starting at 18:00 UK time (6PM UTC) and finishing at about 19:15 (7.15PM). In this month's session, we are pleased to welcome back...
1
isladogs
by: isladogs | last post by:
The next Access Europe meeting will be on Wednesday 6 Mar 2024 starting at 18:00 UK time (6PM UTC) and finishing at about 19:15 (7.15PM). In this month's session, we are pleased to welcome back...
0
by: Vimpel783 | last post by:
Hello! Guys, I found this code on the Internet, but I need to modify it a little. It works well, the problem is this: Data is sent from only one cell, in this case B5, but it is necessary that data...
0
by: jfyes | last post by:
As a hardware engineer, after seeing that CEIWEI recently released a new tool for Modbus RTU Over TCP/UDP filtering and monitoring, I actively went to its official website to take a look. It turned...
0
by: ArrayDB | last post by:
The error message I've encountered is; ERROR:root:Error generating model response: exception: access violation writing 0x0000000000005140, which seems to be indicative of an access violation...
0
by: Shællîpôpï 09 | last post by:
If u are using a keypad phone, how do u turn on JavaScript, to access features like WhatsApp, Facebook, Instagram....
0
by: Faith0G | last post by:
I am starting a new it consulting business and it's been a while since I setup a new website. Is wordpress still the best web based software for hosting a 5 page website? The webpages will be...

By using Bytes.com and it's services, you agree to our Privacy Policy and Terms of Use.

To disable or enable advertisements and analytics tracking please visit the manage ads & tracking page.