473,549 Members | 2,334 Online
Bytes | Software Development & Data Engineering Community
+ Post

Home Posts Topics Members FAQ

Windows authentication

I have an application that is ISAPI and the only way to
secure it is through NT permissions. I need to have a way
to login to windows authentication so that when I get to
the ISAPI application no boxes come up. I want an ASP page
to sit between the user and the ISAPI application. The
rest of my application is using authentication that is
database driven and wouldn't want the users to know the
userid and password. Is this possible? If so how would I
accomplish it.

Jul 19 '05 #1
8 3682
Could you use integrated authentication if the users are using IE?

"Bob Everland" <an*******@disc ussions.microso ft.com> wrote in message
news:09******** *************** *****@phx.gbl.. .
I have an application that is ISAPI and the only way to
secure it is through NT permissions. I need to have a way
to login to windows authentication so that when I get to
the ISAPI application no boxes come up. I want an ASP page
to sit between the user and the ISAPI application. The
rest of my application is using authentication that is
database driven and wouldn't want the users to know the
userid and password. Is this possible? If so how would I
accomplish it.

Jul 19 '05 #2
Well I'm trying to get away from the user having to do
anything because this is our extranet so out customers
would be forced to touch the browser. I just want to make
a script that allows for seemless login. Heck I don't even
care if I have to pass something through url parameters.
Bob

-----Original Message-----
Could you use integrated authentication if the users are using IE?
"Bob Everland" <an*******@disc ussions.microso ft.com> wrote in messagenews:09******* *************** ******@phx.gbl. ..
I have an application that is ISAPI and the only way to
secure it is through NT permissions. I need to have a way to login to windows authentication so that when I get to
the ISAPI application no boxes come up. I want an ASP page to sit between the user and the ISAPI application. The
rest of my application is using authentication that is
database driven and wouldn't want the users to know the
userid and password. Is this possible? If so how would I
accomplish it.

.

Jul 19 '05 #3
Ok I now know that is has to do with me setting the
request headers so that my browser will cache them. Has
anyone dont anything like this before?
http://www.ietf.org/rfc/rfc2617.txt
Jul 19 '05 #4
I mean't enable integrated authentication for the web site in the web site
properties in IIS. So long as internet explorer is enabled to use
integrated authentication (tools, options, advanced) the NT username will be
sent to the web server automatically without the user doing anything. The
user name can be retrieved if needed using server variables:

USERNAME: Request.ServerV ariables("AUTH_ USER")

Here's some info cut from iis help:

Integrated Windows Authentication
Integrated Windows authentication (formerly called NTLM or Windows NT
Challenge/Response authentication) is a secure form of authentication
because the user name and password are not sent across the network. When you
enable integrated Windows authentication, the user's browser proves its
knowledge of the password through a cryptographic exchange with your Web
server, involving hashing.

Integrated Windows authentication can use both the Kerberos v5
authentication protocol and its own challenge/response authentication
protocol. If Directory Services is installed on the server, and the browser
is compatible with the Kerberos v5 authentication protocol, both the
Kerberos v5 protocol and the challenge/response protocol are used; otherwise
only the challenge/response protocol is used.

The Kerberos v5 authentication protocol is a feature of the Windows 2000
Distributed Services architecture. In order for Kerberos v5 authentication
to be successful, both the client and server must have a trusted connection
to a Key Distribution Center (KDC) and be Directory Services compatible. For
more information about the protocol, see the Windows documentation.

Integrated Windows authentication proceeds as follows:

1.. Unlike Basic authentication, it does not initially prompt users for a
user name and password. The current Windows user information on the client
computer is used for the integrated Windows authentication.
Note Internet Explorer, version 4.0 and later, can be configured to
initially prompt for user information if needed. For more information, see
the Internet Explorer documentation.

2.. However, if the authentication exchange initially fails to identify
the user, the browser will prompt the user for a Windows user account user
name and password, which it will process by using integrated Windows
authentication.
3.. Internet Explorer will continue to prompt the user until the user
enters a valid user name and password, or closes the prompt dialog box.
Although integrated Windows authentication is secure, it does have two
limitations.

1.. Only Microsoft Internet Explorer, version 2.0 or later, supports this
authentication method.
2.. Integrated Windows authentication does not work over HTTP Proxy
connections.
Therefore, integrated Windows authentication is best suited for an intranet
environment, where both user and Web server computers are in the same
domain, and where administrators can ensure that every user has Microsoft
Internet Explorer, version 2.0 or later.

Regards

Paul

<an*******@disc ussions.microso ft.com> wrote in message
news:0a******** *************** *****@phx.gbl.. .
Well I'm trying to get away from the user having to do
anything because this is our extranet so out customers
would be forced to touch the browser. I just want to make
a script that allows for seemless login. Heck I don't even
care if I have to pass something through url parameters.
Bob

-----Original Message-----
Could you use integrated authentication if the users are

using IE?

"Bob Everland" <an*******@disc ussions.microso ft.com>

wrote in message
news:09******* *************** ******@phx.gbl. ..
I have an application that is ISAPI and the only way to
secure it is through NT permissions. I need to have a way to login to windows authentication so that when I get to
the ISAPI application no boxes come up. I want an ASP page to sit between the user and the ISAPI application. The
rest of my application is using authentication that is
database driven and wouldn't want the users to know the
userid and password. Is this possible? If so how would I
accomplish it.

.

Jul 19 '05 #5
Hi Paul,

Funny you should write about this, because I'm in the process of
implementing something similar to what you've outlined below. I do have
one question for you, though - how can you log the user out once in?

For example, if I visit my intranet site, I'm greeted by the log on box
asking for my credentials.. however, the browser won't prompt for
credentials again until the browser is closed and re-opened. I'd like to
provide a log-off button, though. Any ideas?

Thanks!

Jonathan

Paul McNally wrote:
I mean't enable integrated authentication for the web site in the web site
properties in IIS. So long as internet explorer is enabled to use
integrated authentication (tools, options, advanced) the NT username will be
sent to the web server automatically without the user doing anything. The
user name can be retrieved if needed using server variables:

USERNAME: Request.ServerV ariables("AUTH_ USER")

Here's some info cut from iis help:

Integrated Windows Authentication
Integrated Windows authentication (formerly called NTLM or Windows NT
Challenge/Response authentication) is a secure form of authentication
because the user name and password are not sent across the network. When you
enable integrated Windows authentication, the user's browser proves its
knowledge of the password through a cryptographic exchange with your Web
server, involving hashing.

Integrated Windows authentication can use both the Kerberos v5
authentication protocol and its own challenge/response authentication
protocol. If Directory Services is installed on the server, and the browser
is compatible with the Kerberos v5 authentication protocol, both the
Kerberos v5 protocol and the challenge/response protocol are used; otherwise
only the challenge/response protocol is used.

The Kerberos v5 authentication protocol is a feature of the Windows 2000
Distributed Services architecture. In order for Kerberos v5 authentication
to be successful, both the client and server must have a trusted connection
to a Key Distribution Center (KDC) and be Directory Services compatible. For
more information about the protocol, see the Windows documentation.

Integrated Windows authentication proceeds as follows:

1.. Unlike Basic authentication, it does not initially prompt users for a
user name and password. The current Windows user information on the client
computer is used for the integrated Windows authentication.
Note Internet Explorer, version 4.0 and later, can be configured to
initially prompt for user information if needed. For more information, see
the Internet Explorer documentation.

2.. However, if the authentication exchange initially fails to identify
the user, the browser will prompt the user for a Windows user account user
name and password, which it will process by using integrated Windows
authentication.
3.. Internet Explorer will continue to prompt the user until the user
enters a valid user name and password, or closes the prompt dialog box.
Although integrated Windows authentication is secure, it does have two
limitations.

1.. Only Microsoft Internet Explorer, version 2.0 or later, supports this
authentication method.
2.. Integrated Windows authentication does not work over HTTP Proxy
connections.
Therefore, integrated Windows authentication is best suited for an intranet
environment, where both user and Web server computers are in the same
domain, and where administrators can ensure that every user has Microsoft
Internet Explorer, version 2.0 or later.

Regards

Paul

<an*******@disc ussions.microso ft.com> wrote in message
news:0a******** *************** *****@phx.gbl.. .
Well I'm trying to get away from the user having to do
anything because this is our extranet so out customers
would be forced to touch the browser. I just want to make
a script that allows for seemless login. Heck I don't even
care if I have to pass something through url parameters.
Bob
-----Original Message-----
Could you use integrated authentication if the users are


using IE?
"Bob Everland" <an*******@disc ussions.microso ft.com>


wrote in message
news:09***** *************** ********@phx.gb l...

I have an application that is ISAPI and the only way to
secure it is through NT permissions. I need to have a


way
to login to windows authentication so that when I get to
the ISAPI application no boxes come up. I want an ASP


page
to sit between the user and the ISAPI application. The
rest of my application is using authentication that is
database driven and wouldn't want the users to know the
userid and password. Is this possible? If so how would I
accomplis h it.

.


Jul 19 '05 #6
Hi Jonathan

I don't believe there is a log off command you can use but you could have a
button on the web page which sets all the objects related to the user to
nothing and then redirects to your logon page.

Regards

Paul

"Jonathan S." <sp**@jdspt.com > wrote in message
news:eC******** ******@TK2MSFTN GP11.phx.gbl...
Hi Paul,

Funny you should write about this, because I'm in the process of
implementing something similar to what you've outlined below. I do have
one question for you, though - how can you log the user out once in?

For example, if I visit my intranet site, I'm greeted by the log on box
asking for my credentials.. however, the browser won't prompt for
credentials again until the browser is closed and re-opened. I'd like to
provide a log-off button, though. Any ideas?

Thanks!

Jonathan

Paul McNally wrote:
I mean't enable integrated authentication for the web site in the web site properties in IIS. So long as internet explorer is enabled to use
integrated authentication (tools, options, advanced) the NT username will be sent to the web server automatically without the user doing anything. The user name can be retrieved if needed using server variables:

USERNAME: Request.ServerV ariables("AUTH_ USER")

Here's some info cut from iis help:

Integrated Windows Authentication
Integrated Windows authentication (formerly called NTLM or Windows NT
Challenge/Response authentication) is a secure form of authentication
because the user name and password are not sent across the network. When you enable integrated Windows authentication, the user's browser proves its
knowledge of the password through a cryptographic exchange with your Web
server, involving hashing.

Integrated Windows authentication can use both the Kerberos v5
authentication protocol and its own challenge/response authentication
protocol. If Directory Services is installed on the server, and the browser is compatible with the Kerberos v5 authentication protocol, both the
Kerberos v5 protocol and the challenge/response protocol are used; otherwise only the challenge/response protocol is used.

The Kerberos v5 authentication protocol is a feature of the Windows 2000
Distributed Services architecture. In order for Kerberos v5 authentication to be successful, both the client and server must have a trusted connection to a Key Distribution Center (KDC) and be Directory Services compatible. For more information about the protocol, see the Windows documentation.

Integrated Windows authentication proceeds as follows:

1.. Unlike Basic authentication, it does not initially prompt users for a user name and password. The current Windows user information on the client computer is used for the integrated Windows authentication.
Note Internet Explorer, version 4.0 and later, can be configured to
initially prompt for user information if needed. For more information, see the Internet Explorer documentation.

2.. However, if the authentication exchange initially fails to identify the user, the browser will prompt the user for a Windows user account user name and password, which it will process by using integrated Windows
authentication.
3.. Internet Explorer will continue to prompt the user until the user
enters a valid user name and password, or closes the prompt dialog box.
Although integrated Windows authentication is secure, it does have two
limitations.

1.. Only Microsoft Internet Explorer, version 2.0 or later, supports this authentication method.
2.. Integrated Windows authentication does not work over HTTP Proxy
connections.
Therefore, integrated Windows authentication is best suited for an intranet environment, where both user and Web server computers are in the same
domain, and where administrators can ensure that every user has Microsoft Internet Explorer, version 2.0 or later.

Regards

Paul

<an*******@disc ussions.microso ft.com> wrote in message
news:0a******** *************** *****@phx.gbl.. .
Well I'm trying to get away from the user having to do
anything because this is our extranet so out customers
would be forced to touch the browser. I just want to make
a script that allows for seemless login. Heck I don't even
care if I have to pass something through url parameters.
Bob

-----Original Message-----
Could you use integrated authentication if the users are

using IE?

"Bob Everland" <an*******@disc ussions.microso ft.com>

wrote in message

news:09***** *************** ********@phx.gb l...

>I have an application that is ISAPI and the only way to
>secure it is through NT permissions. I need to have a

way

>to login to windows authentication so that when I get to
>the ISAPI application no boxes come up. I want an ASP

page

>to sit between the user and the ISAPI application. The
>rest of my application is using authentication that is
>database driven and wouldn't want the users to know the
>userid and password. Is this possible? If so how would I
>accomplis h it.
>
.


Jul 19 '05 #7
Hi!

I am trying to do some of the same things as you. I want to log a user
to an nt user through asp. The user is allready loged in, because untill
now the credentials are verified against a database. Now I need to use
nt authentication because users will be allowed to upload files to
folders they create.

Did you find a solution?

Henning :-)

*** Sent via Developersdex http://www.developersdex.com ***
Don't just participate in USENET...get rewarded for it!
Jul 19 '05 #8
Great Post Paul!

Question: If the user does not get validated automatically, is there a
way to display a custom logon form instead of the popup microsoft
window?

Basically, I want to auto-log a known user using the method you
described, but if they fail, I want to authenticate them against my sql
database.

Is there an event launched when an auto-logon fails?

Thanks
*** Sent via Developersdex http://www.developersdex.com ***
Don't just participate in USENET...get rewarded for it!
Jul 22 '05 #9

This thread has been closed and replies have been disabled. Please start a new discussion.

Similar topics

1
2118
by: sherkozmo | last post by:
I have my SQL 7.0 server set for Mixed security. I see now (finally) the advantages of having windows authentication security for windows groups. I do most of my developing in Access Projects which require a login of some type. I have been using my SQL login to develop with SQL and then when I give it to the user, I set the project to use...
1
528
by: Mark | last post by:
When our staff are logged into a computer on our domain, they're still prompted for their domain login and password to get into our ASP.NET application in Internet Explorer when using Windows Authentication. Is it possible to leverage the windows authentication from a client pc that is already on the domain and authenticated?? Thanks in...
4
6792
by: Andrew | last post by:
Hey all, I would like to preface my question by stating I am still learning ASP.net and while I am confident in the basics and foundation, the more advanced stuff is still a challenge. Ok. :)
5
2677
by: pberna | last post by:
Dear all, I built a Web Form application to start and stop a Windows Service remotely. I successful tested the application on Windows 2000 server + IIS. I must include the ASPNET user to the Administration group (on server side) to have the necessary authorization to start a Windows Service (I don't understand why "Power User" rights are...
6
7531
by: Kevin Yu | last post by:
is it possible to for user to click a logout button to logout and when the user want to get into the system again, the user have to login again? Kevin
8
3415
by: Nils Magnus Englund | last post by:
Hello, I am having trouble using Integrated Windows Authentication between our intranet server and our database server, both of which are on our local domain. Windows authentication works for our intranet server - my domain user "DOM\nme" is correctly authenticated and authorized to view the ASP.NET page on our intranet. The ASP.NET...
10
4037
by: Hriday | last post by:
Hi there, Please help me..It is urgent This is Hriday, working on windows authentication with Active Directory... My requirment is when a user sends a request to my web Applicatoin I want to Pop up windows Authentication box so that user will give his userId, Password & domain name for authenticaion. After that I want to take these...
7
3013
by: Alice Wong | last post by:
I am setting up my Web ASP.net application to connect to Sql server using windows authentication. I set up IIS to have integrated windows authenication and sql to allow Windows authentication. And I trun annonymous login. I use this connection to connect. server={0};database={1};Integrated Security=SSPI where {0} servname and {1}...
4
2340
by: Preben Zacho | last post by:
Hi there The scenario I got is this: I have created a Windows application in VS and I want to deploy it to another machine running Windows Vista. Since I have no control over this other machine, I've set it up to run SQL Authentication and I have added a new user called "MyUser" and applied a password. This user/password is used in my...
0
7546
marktang
by: marktang | last post by:
ONU (Optical Network Unit) is one of the key components for providing high-speed Internet services. Its primary function is to act as an endpoint device located at the user's premises. However, people are often confused as to whether an ONU can Work As a Router. In this blog post, we’ll explore What is ONU, What Is Router, ONU & Router’s main...
0
7471
by: Hystou | last post by:
Most computers default to English, but sometimes we require a different language, especially when relocating. Forgot to request a specific language before your computer shipped? No problem! You can effortlessly switch the default language on Windows 10 without reinstalling. I'll walk you through it. First, let's disable language...
0
7740
Oralloy
by: Oralloy | last post by:
Hello folks, I am unable to find appropriate documentation on the type promotion of bit-fields when using the generalised comparison operator "<=>". The problem is that using the GNU compilers, it seems that the internal comparison operator "<=>" tries to promote arguments from unsigned to signed. This is as boiled down as I can make it. ...
0
7830
tracyyun
by: tracyyun | last post by:
Dear forum friends, With the development of smart home technology, a variety of wireless communication protocols have appeared on the market, such as Zigbee, Z-Wave, Wi-Fi, Bluetooth, etc. Each protocol has its own unique characteristics and advantages, but as a user who is planning to build a smart home system, I am a bit confused by the...
0
6071
agi2029
by: agi2029 | last post by:
Let's talk about the concept of autonomous AI software engineers and no-code agents. These AIs are designed to manage the entire lifecycle of a software development project—planning, coding, testing, and deployment—without human intervention. Imagine an AI that can take a project description, break it down, write the code, debug it, and then...
1
5387
isladogs
by: isladogs | last post by:
The next Access Europe User Group meeting will be on Wednesday 1 May 2024 starting at 18:00 UK time (6PM UTC+1) and finishing by 19:30 (7.30PM). In this session, we are pleased to welcome a new presenter, Adolph Dupré who will be discussing some powerful techniques for using class modules. He will explain when you may want to use classes...
0
5111
by: conductexam | last post by:
I have .net C# application in which I am extracting data from word file and save it in database particularly. To store word all data as it is I am converting the whole word file firstly in HTML and then checking html paragraph one by one. At the time of converting from word file to html my equations which are in the word document file was convert...
0
3496
by: adsilva | last post by:
A Windows Forms form does not have the event Unload, like VB6. What one acts like?
1
1962
by: 6302768590 | last post by:
Hai team i want code for transfer the data from one system to another through IP address by using C# our system has to for every 5mins then we have to update the data what the data is updated we have to send another system

By using Bytes.com and it's services, you agree to our Privacy Policy and Terms of Use.

To disable or enable advertisements and analytics tracking please visit the manage ads & tracking page.