Hello!
I am attempting to discover the remote user for an INTRAnet site, but cannot
see how to do this cleanly. It seems so simple, too... (IIS is NOT being
used)
ALL I need is the user ID that logged in; when they log into their
workstation, that is good enough for this intranet set, and I am willing to
believe who they say they are. I would like them to be automatically logged
into the site using their ID (this part is simple, assuming, of course, I
actually had the ID). For this application, I do not need to know, nor even
care about, their password.
But the problem comes when I try to GET the remote user ID. I realize that
in theory I can use something like an Apache module (like mod_auth_sspi), but
these authenticate against the web server, which in this case is in the DMZ
and ignorant of all other users. Simply getting the user name with PHP
returns the user name that PHP is running as, which is exactly what I do not
want.
I saw a brilliant hack that dug the user name out of NetBios in PHP, but
naturally, NetBios is turned off.
There seem to be ways to do this with .htaccess, but the users are stored
in Active Directory. The goal here is that once the user is added to the AD,
then they should have access to the intranet. I can actually handle the
security settings from within the intranet via LDAP. That works like a
champ. But it works because at that point I know the User ID. I want to
figure out what the user ID is in the first place. So, using .htaccess is
not really an acceptable solution.
One suggestion made was to start IE with a .bat file that passes the user
name as a parameter (i.e., iexplore http://mysite.mydomain.com/login.php?login=%LOGINNAME% but this makes the
user use a certain browser and click a certain link/icon.) I would like the
server to be able to cope with this all by itself.
It seems that no matter what direction I go, the door is closed. What is
really frustrating is that IIS does this out of the box! Switching to IIS
is not an option.
Thank you for any pointers!
david
The environment is:
Server: Apache/2.0.48 (Win32) mod_perl/1.99_12 Perl/v5.8.3 mod_ssl/2.0.48
OpenSSL/0.9.7c. Clients are Windows Workstations. Server is Windows 2000.
A couple of questions first, before anything else.
Security? Say a person is at their desk and walks off to go to the bathroom
and doesn't lock their workstation. What is to stop a malicious co-worker
from jumping on their machine and doing something on the 'intranet' that
could get the potty-breaking worker fired? If you're automagically logging
the person in, the answer is nothing.
What in the world is your INTRANET doing in the DMZ?!! In my, sometimes
warped, way of thinking that site should be behind at least one firewall
with no access from the outside world. There may be a legit reason for
this, but it raises some concerns for me.
Now for a couple of answers to the question:
How about a session cookie approach. Have the person log in, register a
session cookie, and they're set. Since you have AD this shouldn't be that
hard to do. So what if it is another time they have to log in -- you can sell
this approach as a security precaution.
Another approach, also using cookies, would be to register a cookie that
expires in a month or so. But, this would raise a concern with me, again
the malicious co-worker thing.
Even these suggestions are flawed and wouldn't work where I work. We have
several people that share workstations, so registering a session cookie or
an expiring one would not be practical.
I think the way our intranet group designed the site is about the best
approach. You login, a session is started. If you are inactive for 60
minutes you're automatically logged out.
Honestly, I think you're wasting your time looking for an SSO-type
solution. Code something that works with AD and makes the person log in
and be done with it.
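As an added illustration of the approach Mike describes (not code from either poster): a PHP login that verifies the user's credentials by binding to Active Directory over LDAP, starts a server-side session, and ends it after 60 minutes of inactivity. The domain controller address, the UPN suffix, the form field names and the redirect paths are assumptions for the example; in the DMZ layout described above, the web server would additionally need the firewall to allow LDAPS (TCP 636) to a domain controller.

```php
<?php
// Added example, not from the thread. Assumed values are marked as such.

const AD_HOST       = 'ldaps://dc.example.local';  // assumed domain controller; LDAPS so the password is not sent in clear
const AD_UPN_SUFFIX = '@example.local';            // assumed UPN suffix of the AD domain
const IDLE_LIMIT    = 60 * 60;                     // 60 minutes of inactivity, as in Mike's intranet

// Verify a user's credentials by binding to AD *as that user*.
// The web server never sees a stored password hash; AD does the checking.
function ad_authenticate(string $user, string $password): bool
{
    // Refuse empty passwords: an LDAP simple bind with an empty password is an
    // anonymous bind and would otherwise "succeed" for any user name.
    if ($user === '' || $password === '' || !preg_match('/^[A-Za-z0-9._-]+$/', $user)) {
        return false;
    }
    $ldap = ldap_connect(AD_HOST);
    if ($ldap === false) {
        return false;
    }
    ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);
    $ok = @ldap_bind($ldap, $user . AD_UPN_SUFFIX, $password);
    ldap_unbind($ldap);
    return $ok === true;
}

// Call at the top of every protected page. Returns the logged-in user ID,
// or redirects to the login form if there is no session or it went idle.
function require_login(): string
{
    ini_set('session.cookie_httponly', '1');
    ini_set('session.cookie_secure', '1');       // intranet is served over mod_ssl
    session_start();
    if (empty($_SESSION['user']) || empty($_SESSION['last_seen'])) {
        header('Location: /login.php');            // assumed path
        exit;
    }
    if (time() - $_SESSION['last_seen'] > IDLE_LIMIT) {
        // Idle too long: drop the session so a co-worker at the same desk cannot reuse it.
        session_unset();
        session_destroy();
        header('Location: /login.php?reason=idle');
        exit;
    }
    $_SESSION['last_seen'] = time();
    return $_SESSION['user'];
}

// Handler for the POSTed login form (fields 'login' and 'password' are assumed).
function handle_login(): void
{
    ini_set('session.cookie_httponly', '1');
    ini_set('session.cookie_secure', '1');
    session_start();
    $user = $_POST['login'] ?? '';
    $pass = $_POST['password'] ?? '';
    if (!ad_authenticate($user, $pass)) {
        http_response_code(401);
        echo 'Login failed';
        return;
    }
    session_regenerate_id(true);                    // new session ID after login (session fixation defence)
    $_SESSION['user']      = $user;                 // this is the User ID the rest of the intranet needs
    $_SESSION['last_seen'] = time();
    header('Location: /index.php');                 // assumed path
}
```

Because the session lives on the server and is keyed only by a cookie with no fixed lifetime, closing the browser or sitting idle for an hour ends it, which addresses the shared-workstation case Mike raises; the user ID that the rest of the intranet's LDAP-based authorization needs is the one that successfully bound, not one supplied by the client.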
Mike:
Thank you for your comments. They are much appreciated.
I can answer a couple of your questions, first off.
Have you ever heard the lyrics that go "I fought the law and the law won?".
Regarding your SSO comments, I could not agree more. Unfortunately, however,
management has deemed that a SSO, despite the inherent security flaws, is
the way that it will be done. Personally, I am dead set against it, but in
this case, it does not matter because it has been decreed to be a Good Thing.
We will not talk about the wildly varying security levels within the
intranet.
As for the DMZ, this too is a necessity. The intranet is available from the
outside world (but outsiders do not get the benefit of the SSO). The DMZ is
probably the best location for this. But I am open to suggestions, bearing
in mind that it must be available to insiders and outsiders.
I have thought about the cookie thing. Is that specific to the user or the
workstation?
I already use sessions, and keep the session alive until the browser window
is closed (again, this flies in the face of seemingly good security. Then
again, it is the way it is by preference.) I already go against AD, so that
is not a problem. I just want to automatically discover the User ID (login
value), which just didn't seem that hard. At first.
My hands are also tied on the SSO. I have no choice. My entire goal here is
to (against seemingly common sense, but sometimes what corporate America
wants, corporate America gets, because they pay the bills at the end of the
day, and food on my table has always been attractive to me) provide an SSO.
I have already waged the battle as to whether or not this is a good
idea, and, sadly, lost.
Thanks so much, Mike!
david
I hate having to do what I know is just wrong. Our intranet is available to
outside people as well, in a sense. You can get to it from outside the
company, but only if you VPN into the network first. In our case this is
the best set up since we do have some sensitive data on ours. I'm sure you
do too.
Don't you have a network security person or group around there? Often, when
the higher-ups start looking into doing some oddball thing that we (me and
the members of the group I'm in) know is wrong, we'll calf-rope one of them
and drag them in front of these higher ups to explain the potential
security flaws and what might happen if one of them is taken advantage of.
The cookie is specific to the workstation, which ties a person to the
machine. Having one that sticks around for a month or so could be a
dangerous thing, as dangerous as the SSO approach.