Bytes | Software Development & Data Engineering Community

Authentication by the Server

Hello!

I am attempting to discover the remote user for an INTRAnet site, but cannot
see how to do this cleanly. It seems so simple, too... (IIS is NOT being
used)

ALL I need is the user ID that logged in; when they log into their
workstation, that is good enough for this intranet set, and I am willing to
believe who they say they are. I would like them to be automatically logged
into the site using their ID (this part is simple, assuming, of course, I
actually had the ID). For this application, I do not need to know, nor even
care about, their password.

But the problem comes when I try to GET the remote user ID. I realize that
in theory I can use something like an Apache module (such as mod_auth_sspi), but
these authenticate against the web server, which in this case is in the DMZ
and ignorant of all other users. Simply getting the user name with PHP
returns the user name that PHP is running as, which is exactly what I do not
want.

I saw a brilliant hack that dug the user name out of NetBios in PHP, but
naturally, NetBios is turned off.

There seems to be ways to do this with .htaccess, but the users are stored
in Active Directory. The goal here is that once the user is added to the AD,
then they should have access to the intranet. I can actually handle the
security settings from within the intranet via LDAP. That works like a
champ. But it works because at that point I know the User ID. I want to
figure out what the user ID is in the first place. So, using .htaccess is
not really an acceptable solution.

One suggestion made was to start IE with a .bat file that passes the user
name as a parameter (i.e., iexplore
http://mysite.mydomain.com/login.php?login=%LOGINNAME%), but this makes the
user use a certain browser and click a certain link/icon. I would like the
server to be able to cope with this all by itself.

It seems that no matter what direction I go, the door is closed. What is
really frustrating is that IIS does this out of the box! Switching to IIS
is not an option.

Thank you for any pointers!
david

The environment is:
Server: Apache/2.0.48 (Win32) mod_perl/1.99_12 Perl/v5.8.3 mod_ssl/2.0.48
OpenSSL/0.9.7c. Clients are Windows Workstations. Server is Windows 2000.


Jul 17 '05 #1
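A worked illustration, added here and not part of the original post, of the distinction the question turns on. In PHP under Apache, `get_current_user()` reports a server-side identity (the script owner or the account the service runs as, depending on platform), `$_SERVER['REMOTE_USER']` is populated by Apache only after an authentication module such as mod_auth_sspi has authenticated the browser, and a `login` value in the query string (as in the .bat suggestion) is whatever the client chose to send. The domain-prefix stripping and the character check are assumptions of this example, not anything the thread specifies:

```php
<?php
// Added example (not from the original thread): the three "user names" a PHP
// page on Apache can see, and which of them can be relied on.
//
//  1. get_current_user()       -> script owner / account PHP runs as; a server-side
//                                 identity, never the person at the browser
//  2. $_SERVER['REMOTE_USER']  -> set by Apache only after an auth module
//                                 (e.g. mod_auth_sspi) authenticated the request
//  3. $_GET['login']           -> client-supplied; any value can be typed into a URL

/**
 * Return the user authenticated by the web server, or null when no
 * authentication module ran for this request. Query-string values are
 * deliberately never consulted for identity.
 */
function server_authenticated_user(array $server): ?string
{
    if (empty($server['REMOTE_USER'])) {
        return null;
    }
    $user = $server['REMOTE_USER'];
    // Assumption: a single trusted domain, so a DOMAIN\user prefix as reported
    // by mod_auth_sspi is dropped to leave the bare account name.
    if (($pos = strrpos($user, '\\')) !== false) {
        $user = substr($user, $pos + 1);
    }
    // Conservative character set before the name is used in LDAP filters
    // (assumed policy for this example).
    if (!preg_match('/^[A-Za-z0-9._-]{1,64}$/', $user)) {
        return null;
    }
    return $user;
}

$processUser = get_current_user();
$remoteUser  = server_authenticated_user($_SERVER);

header('Content-Type: text/plain');
echo "Account PHP runs as / script owner : {$processUser}\n";
echo "User authenticated by Apache       : "
    . ($remoteUser ?? '(none - no auth module ran)') . "\n";
echo "Auth type reported by Apache       : "
    . ($_SERVER['AUTH_TYPE'] ?? '(none)') . "\n";
echo "Client-supplied ?login= (untrusted) : "
    . ($_GET['login'] ?? '(absent)') . "\n";
```

Dropping the page into the intranet's document root and requesting it once with and once without an Apache authentication directive on its directory makes the difference visible: the first line never changes, the second is filled in only when the server itself did the authenticating.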
A couple of questions first, before anything else.

Security? Say a person is at their desk and walks off to go to the bathroom
and doesn't lock their workstation. What is to stop a malicious co-worker
from jumping on their machine and doing something on the 'intranet' that
could get the potty-breaking worker fired? If you're automagically logging
the person in, the answer is nothing.

What in the world is your INTRANET doing in the DMZ?!! In my, sometimes
warped, way of thinking that site should be behind at least one firewall
with no access from the outside world. There may be a legit reason for
this, but it raises some concerns for me.

Now for a couple of answers to the question:

How about a session cookie approach? Have the person log in, register a
session cookie, and they're set. Since you have AD this shouldn't be that
hard to do. So what if it is another time they have to log in -- you can sell
this approach as a security precaution.

Another approach, also using cookies, would be to register a cookie that
expires in a month or so. But, this would raise a concern with me, again
the malicious co-worker thing.

Even these suggestions are flawed and wouldn't work where I work. We have
several people that share workstations, so registering a session cookie or
an expiring one would not be practical.

I think the way our intranet group designed the site is about the best
approach. You login, a session is started. If you are inactive for 60
minutes you're automatically logged out.

Honestly, I think you're wasting your time looking for an SSO-type
solution. Code something that works with AD and makes the person log in
and be done with it.
Jul 17 '05 #2
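The explicit-login approach recommended in this reply, as an added example in PHP that is not code from the thread: the user name and password are checked with an LDAP simple bind against Active Directory, a server-side session is started on success, and the session is discarded after 60 minutes without a request. The host `dc.mydomain.com`, the UPN suffix `@mydomain.com` and the form field names are assumptions. The empty-password check matters because AD treats a bind with a name and an empty password as an unauthenticated bind and reports success, so without it any account name would log in:

```php
<?php
// Added example (not the original poster's code): login against AD plus a
// session that is dropped after 60 minutes of inactivity.
//
// Assumptions (adjust to the environment):
//   - the domain controller answers LDAPS at dc.mydomain.com
//   - users sign in with their account name; the UPN suffix is @mydomain.com
//   - the site is served over HTTPS, so the session cookie can be marked secure

const LDAP_URI         = 'ldaps://dc.mydomain.com';   // assumed host
const UPN_SUFFIX       = '@mydomain.com';             // assumed domain
const IDLE_TIMEOUT_SEC = 60 * 60;                     // 60 minutes, as in the thread

/**
 * Verify credentials with a simple bind. Returns true only for a bind that
 * actually carried a password.
 */
function ad_authenticate(string $username, string $password): bool
{
    // AD answers "name + empty password" as an anonymous (unauthenticated)
    // bind and ldap_bind() returns true, so reject it before it leaves here.
    if ($password === '' || !preg_match('/^[A-Za-z0-9._-]{1,64}$/', $username)) {
        return false;
    }
    $conn = ldap_connect(LDAP_URI);
    if ($conn === false) {
        return false;
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);
    // @ silences the warning ldap_bind() emits on wrong credentials.
    $ok = @ldap_bind($conn, $username . UPN_SUFFIX, $password);
    ldap_unbind($conn);
    return $ok === true;
}

/** Start the session with a cookie that lasts until the browser closes. */
function start_session(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    // lifetime 0 = browser session; secure + httponly assume HTTPS
    session_set_cookie_params(0, '/', '', true, true);
    session_start();
}

/**
 * Return the logged-in user, or null if there is no session or it has been
 * idle longer than IDLE_TIMEOUT_SEC (in which case it is destroyed).
 */
function current_session_user(): ?string
{
    start_session();
    if (!isset($_SESSION['user'], $_SESSION['last_seen'])) {
        return null;
    }
    if (time() - $_SESSION['last_seen'] > IDLE_TIMEOUT_SEC) {
        session_unset();
        session_destroy();
        return null;                  // idle too long: forced logout
    }
    $_SESSION['last_seen'] = time();  // each request inside the window extends it
    return $_SESSION['user'];
}

/** Establish a fresh session for a user who has just authenticated. */
function login_session(string $username): void
{
    start_session();
    session_regenerate_id(true);      // new id after login: defeats session fixation
    $_SESSION['user']      = $username;
    $_SESSION['last_seen'] = time();
}

// --- request handling ------------------------------------------------------
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (ad_authenticate($_POST['login'] ?? '', $_POST['password'] ?? '')) {
        login_session($_POST['login']);
        header('Location: /');        // redirect after POST; the password is never echoed
        exit;
    }
    http_response_code(401);
    echo 'Login failed';
    exit;
}

$user = current_session_user();
if ($user === null) {
    echo '<form method="post"><input name="login">'
       . '<input name="password" type="password"><button>Log in</button></form>';
    exit;
}
echo 'Logged in as ' . htmlspecialchars($user, ENT_QUOTES, 'UTF-8');
```

The idle check runs on every request, so a user who keeps working is never interrupted while an abandoned browser on an unlocked workstation is logged out after an hour, which is the concern raised at the top of this reply. The authorization lookups the poster already does via LDAP would run against the `$user` value returned by `current_session_user()`.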
Mike:

Thank you for your comments. They are much appreciated.

I can answer a couple of your questions, first off.

Have you ever heard the lyrics that go "I fought the law and the law won"?
Regarding your SSO comments, I could not agree more. Unfortunately, however,
management has deemed that an SSO, despite the inherent security flaws, is
the way that it will be done. Personally, I am dead set against it, but in
this case, it does not matter because it has been decreed to be a Good Thing.
We will not talk about the wildly varying security levels within the
intranet.

As for the DMZ, this too is a necessity. The intranet is available from the
outside world (but outsiders do not get the benefit of the SSO). The DMZ is
probably the best location for this. But I am open to suggestions, bearing
in mind that it must be available to insiders and outsiders.

I have thought about the cookie thing. Is that specific to the user or the
workstation?

I already use sessions, and keep the session alive until the browser window
is closed (again, this flies in the face of seemingly good security. Then
again, it is the way it is by preference.) I already go against AD, so that
is not a problem. I just want to automatically discover the User ID (login
value), which just didn't seem that hard. At first.

My hands are also tied on the SSO. I have no choice. My entire goal here is
to (against seemingly common sense, but sometimes what corporate America
wants, corporate America gets, because they pay the bills at the end of the
day, and food on my table has always been attractive to me) provide an SSO.
I have already waged the battle as to whether or not this is a good
idea, and, sadly, lost.

Thanks so much, Mike!
david
Jul 17 '05 #3
I hate having to do what I know is just wrong. Our intranet is available to
outside people as well, in a sense. You can get to it from outside the
company, but only if you VPN into the network first. In our case this is
the best set up since we do have some sensitive data on ours. I'm sure you
do too.

Don't you have a network security person or group around there? Often, when
the higher-ups start looking into doing some oddball thing that we (me and
the members of the group I'm in) know is wrong, we'll calf-rope one of them
and drag them in front of these higher-ups to explain the potential
security flaws and what might happen if one of them is taken advantage of.

The cookie is specific to the workstation, which ties a person to the
machine. Having one that sticks around for a month or so could be a
dangerous thing, as dangerous as the SSO approach.
Jul 17 '05 #4