Velocity Reviews - Computer Hardware Reviews

get WindowsIdentity with forms authentication

 
 
Niclas Lindblom
      10-10-2003
Hi,

I am trying to figure out a way to authenticate against Active Directory and
retrieve system.security.principal.WindowsIdentity object, without having to
see the awful grey Basic Authentication logon box. I have found
documentation that you can send an authentication request programmatically by
using the system.net.authenticationmanager.authenticate method, but I can
not get this to work and have not found any samples.

Does anyone know a way to Authenticate against AD and have your browser
session retrieve an identity using forms?

regards

Niclas


 
Joe Kaplan (MVP - ADSI)
      10-10-2003
If you want an actual WindowsIdentity object, you must have a logon token
for the user, which means that you will need to call LogonUser with the
user's credentials.

If you would be okay with a GenericIdentity/GenericPrincipal, then you can
create one by authenticating to AD and building those objects yourself.
There is a sample on how to do this with System.DirectoryServices and Forms
authentication in the MS KB:

http://support.microsoft.com/default...b;en-us;326340

That article has some flaws in it, but it is an okay starting point. Note
that the recommended way of doing authentication is by using SSPI instead of
System.DirectoryServices with an LDAP bind, but I don't have a good managed
code wrapper example of SSPI. Maybe someone else does?

The disadvantage with the GenericIdentity is that you can't impersonate with
it, but it can be used to drive the security model in your application using
the standard IPrincipal interface.

HTH,

Joe K.


 
MS Newsgroups
      10-11-2003
Is there no way I can do this and get the same functionality as using Basic
authentication with the grey box (not sure how this works) since this seems
to create a session identity automatically?

Thanks for your help

Niclas



 
Joe Kaplan (MVP - ADSI)
      10-12-2003
It sounds like you want a WindowsIdentity/logon token for the user, so you
will need to use an API that calls LogonUser. The easy way to do this would
be to build a Forms Auth. system that uses the new constructor on
WindowsIdentity in Framework 1.1 that takes a username and password. Note
that the documentation says that you must be running Win2K3 for this call to
work.

http://msdn.microsoft.com/library/de...us/cpref/html/frlrfSystemSecurityPrincipalWindowsIdentityClassctorTopic5.asp?frame=true

The other option is to P/Invoke LogonUser directly. You need very high
privileges to call this function under Windows 2000 though, so the viability
of this solution may depend on your platform and security needs.

http://msdn.microsoft.com/library/de...us/cpref/html/frlrfSystemSecurityPrincipalWindowsImpersonationContextClassTopic.asp?frame=true

Either of these (which do essentially the same thing under the hood) will
give you the same functionality as Basic authentication (a primary logon
token).

HTH,

Joe K.


 
Niclas Lindblom
      10-12-2003
Thanks Joe, I have actually looked at this option. What I haven't figured
out yet is how to associate the current user's session with the new
WindowsIdentity object I have created. I have a feeling that I need to use
impersonation, but haven't had time to test this yet.

Am I on the right track, or do you know how to get this working?

Thanks for helping out

Niclas



 
Joe Kaplan (MVP - ADSI)
      10-13-2003
The normal thing to do would be to create the WindowsIdentity, then to create
a new WindowsPrincipal from that and set the User property on the
HttpContext equal to that. Then the WindowsPrincipal for the current user
will be associated with that request and all of the normal ASP.NET
role-based security will flow from there.

Someone else may need to provide you with more details if that isn't enough
info as I am not a super expert in Forms authentication.

Joe K.


 
Alan Mendelevich
      10-14-2003
Hi,

I've come to the same solution on my own but when I assign WindowsPrincipal
to the User property of HttpContext it gets assigned for the current
request but for the next request it's gone. User.Identity.Name becomes
"Anonymous" again and IsAuthenticated is false. What should I do for this
assignment to persist across requests?

Best regards,
Alan Mendelevich.



 
MS Newsgroups
      10-14-2003
This is how I did it:

Logon using API call to get a token, create a new WindowsIdentity Object and
create a new Windows principal

Add the principal to the session with

    Session.Add("AuthID", CType(myNewPrincipal, Object))

Change userID for this call with:

    Context.User = CType(Session.Item("AuthID"), WindowsPrincipal)

Then I use global.asax to change the identity for every request

    Private Sub Global_PreRequestHandlerExecute(ByVal sender As Object, _
            ByVal e As System.EventArgs) Handles MyBase.PreRequestHandlerExecute
        ' Restore the principal saved at login; the key must match the one
        ' used in Session.Add above ("AuthID").
        If Not Session.Item("AuthID") Is Nothing Then
            Context.User = CType(Session.Item("AuthID"), WindowsPrincipal)
        End If
    End Sub

What I have also done, but not included here, is that I save the anonymous
principal to the session before switching, so I can switch back if I would
like the user to be able to perform a log off and continue as anonymous

Any questions,

Let me know

Niclas Lindblom
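
Added example, not part of the original posts: one way to write the "logon using API call" step described in the post above, P/Invoking LogonUser, wrapping the token in a WindowsPrincipal, closing the raw handle and storing the result under the thread's "AuthID" session key. It assumes .NET Framework 2.0 or later (where WindowsIdentity keeps its own copy of the token) and InProc session state; the names WindowsLogon, CreatePrincipal and SignIn and the choice of a network logon type are illustrative.

```vbnet
Imports System
Imports System.Runtime.InteropServices
Imports System.Security.Principal
Imports System.Web

' Added example (not from the thread). Module and function names are illustrative.
Public Module WindowsLogon

    ' Values from winbase.h / winerror.h
    Private Const LOGON32_LOGON_NETWORK As Integer = 3
    Private Const LOGON32_PROVIDER_DEFAULT As Integer = 0

    <DllImport("advapi32.dll", SetLastError:=True, CharSet:=CharSet.Unicode)> _
    Private Function LogonUser(ByVal lpszUsername As String, _
                               ByVal lpszDomain As String, _
                               ByVal lpszPassword As String, _
                               ByVal dwLogonType As Integer, _
                               ByVal dwLogonProvider As Integer, _
                               ByRef phToken As IntPtr) As Boolean
    End Function

    <DllImport("kernel32.dll", SetLastError:=True)> _
    Private Function CloseHandle(ByVal hObject As IntPtr) As Boolean
    End Function

    ' Returns a WindowsPrincipal for valid credentials. On any failure returns
    ' Nothing and reports the Win32 error code so the caller can log it.
    Public Function CreatePrincipal(ByVal userName As String, _
                                    ByVal domain As String, _
                                    ByVal password As String, _
                                    ByRef win32Error As Integer) As WindowsPrincipal
        win32Error = 0
        Dim token As IntPtr = IntPtr.Zero
        ' Assumption: a network logon is enough here because the principal is
        ' only used for role checks, not for impersonation.
        If Not LogonUser(userName, domain, password, _
                         LOGON32_LOGON_NETWORK, LOGON32_PROVIDER_DEFAULT, token) Then
            win32Error = Marshal.GetLastWin32Error()   ' e.g. 1326 = ERROR_LOGON_FAILURE
            Return Nothing
        End If
        Try
            ' On Framework 2.0+ WindowsIdentity duplicates the handle, so the
            ' raw token is closed in Finally without invalidating the identity.
            Dim identity As New WindowsIdentity(token)
            Return New WindowsPrincipal(identity)
        Finally
            CloseHandle(token)
        End Try
    End Function

    ' Login-form helper: sets the principal for the current request and stores
    ' it under the "AuthID" session key used in the post above.
    ' Assumes InProc session state: the identity wraps a token handle that is
    ' only valid inside this worker process.
    Public Function SignIn(ByVal context As HttpContext, ByVal userName As String, _
                           ByVal domain As String, ByVal password As String) As Boolean
        Dim win32Error As Integer
        Dim principal As WindowsPrincipal = _
            CreatePrincipal(userName, domain, password, win32Error)
        If principal Is Nothing Then
            ' Record the code server-side; show the user one generic message
            ' so the form does not reveal why the logon failed.
            context.Trace.Warn("logon", "LogonUser failed, Win32 error " & _
                               win32Error.ToString())
            Return False
        End If
        context.Session("AuthID") = principal
        context.User = principal
        Return True
    End Function

End Module
```

Because the principal is restored in PreRequestHandlerExecute, which runs after AuthorizeRequest, `<authorization>` rules in web.config are evaluated before this principal is in place. With this design, role checks belong in page code, for example User.IsInRole.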



 