Velocity Reviews - Computer Hardware Reviews

Velocity Reviews > Newsgroups > Programming > ASP .Net > ASP .Net Security > WindowsAuthentication from code

Reply
Thread Tools

WindowsAuthentication from code

 
 
Alan Mendelevich
Guest
Posts: n/a
 
      10-14-2003
Hi,

I'm trying to build a login system where users login via web form, but then
they are logged in as they would with windows authentication only not
involving chalenge/response or basic authentication. I was able to login
user via LogonUser() function and to get WindowsIdentity and
WindowsPrincipal objects. But when I assign WindowsPrincipal object to the
HttpContext.Current.User property it get's assigned
(HttpContext.Current.User.Identity.Name becomes the name of the user and
IsAuthenticated becomes true) but lasts only for the current request. For
the next request HttpContext.Current.User.Identity.Name is Anonymous and
IsAuthenticated is false.

What should I do for this authentication to persist across requests?

Thanks in advance for your help!

Best regards,
Alan Mendelevich


 
Reply With Quote
 
 
 
 
MS Newsgroups
Guest
Posts: n/a
 
      10-14-2003
This is how i done it:

Logon using API call to get a token, create a new WindowsIdentity Object and
create a new Windows principal

Add the principal to the session with

session.add("AuthID", ctype(myNewPrincipal,object))

Change userID for this call with:

context.User = CType(Session.Item("AuthID"), WindowsPrincipal)

Then i use global.asax to change the identity for every request

Private Sub Global_PreRequestHandlerExecute(ByVal sender As Object, ByVal e
As System.EventArgs) Handles MyBase.PreRequestHandlerExecute

If Not Session.Item("AuthIdentity") Is Nothing Then
Context.User = CType(Session.Item("AuthIdentity"),
WindowsPrincipal)
End If

What i have also done, but not included here, is that i save the anonymous
principal to the session before switching, so i can switch back if i would
like the user to be able to perform a log off and continue as anonymous

Any questions,

Let me know

Niclas Lindblom


"Alan Mendelevich" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Hi,
>
> I'm trying to build a login system where users login via web form, but

then
> they are logged in as they would with windows authentication only not
> involving chalenge/response or basic authentication. I was able to login
> user via LogonUser() function and to get WindowsIdentity and
> WindowsPrincipal objects. But when I assign WindowsPrincipal object to the
> HttpContext.Current.User property it get's assigned
> (HttpContext.Current.User.Identity.Name becomes the name of the user and
> IsAuthenticated becomes true) but lasts only for the current request. For
> the next request HttpContext.Current.User.Identity.Name is Anonymous and
> IsAuthenticated is false.
>
> What should I do for this authentication to persist across requests?
>
> Thanks in advance for your help!
>
> Best regards,
> Alan Mendelevich
>
>



 
Reply With Quote
 
 
 
 
Alan Mendelevich
Guest
Posts: n/a
 
      10-14-2003
Hi Niclas,

Thanks for the quick reply! As far as I can tell from the code it still is a
workaround. I mean IIS doesn't know that something like windows
authentication occured. What I try to achieve in the long run is that when
users access non-asp.net content protected by IIS with windows
authentication they don't have to enter login information once more.

Best regards,
Alan.

"MS Newsgroups" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> This is how i done it:
>
> Logon using API call to get a token, create a new WindowsIdentity Object

and
> create a new Windows principal
>
> Add the principal to the session with
>
> session.add("AuthID", ctype(myNewPrincipal,object))
>
> Change userID for this call with:
>
> context.User = CType(Session.Item("AuthID"), WindowsPrincipal)
>
> Then i use global.asax to change the identity for every request
>
> Private Sub Global_PreRequestHandlerExecute(ByVal sender As Object, ByVal

e
> As System.EventArgs) Handles MyBase.PreRequestHandlerExecute
>
> If Not Session.Item("AuthIdentity") Is Nothing Then
> Context.User = CType(Session.Item("AuthIdentity"),
> WindowsPrincipal)
> End If
>
> What i have also done, but not included here, is that i save the anonymous
> principal to the session before switching, so i can switch back if i would
> like the user to be able to perform a log off and continue as anonymous
>
> Any questions,
>
> Let me know
>
> Niclas Lindblom
>
>
> "Alan Mendelevich" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed)...
> > Hi,
> >
> > I'm trying to build a login system where users login via web form, but

> then
> > they are logged in as they would with windows authentication only not
> > involving chalenge/response or basic authentication. I was able to login
> > user via LogonUser() function and to get WindowsIdentity and
> > WindowsPrincipal objects. But when I assign WindowsPrincipal object to

the
> > HttpContext.Current.User property it get's assigned
> > (HttpContext.Current.User.Identity.Name becomes the name of the user and
> > IsAuthenticated becomes true) but lasts only for the current request.

For
> > the next request HttpContext.Current.User.Identity.Name is Anonymous and
> > IsAuthenticated is false.
> >
> > What should I do for this authentication to persist across requests?
> >
> > Thanks in advance for your help!
> >
> > Best regards,
> > Alan Mendelevich
> >
> >

>
>



 
Reply With Quote
 
MS Newsgroups
Guest
Posts: n/a
 
      10-14-2003
I agree on that, I have been trying to use impersonation to get the user to
proper WindowsIdentity as seen from IIS but i can not get this to work.

I was thinking a concept like this:

Dim myToken as intPtr

mytoken=logonuser bla bla API call

Dim myNewID as new WindowsIdentity(mytoken)

Dim myNewContext as WindowsImpersonationContext

myNewContext=myNewID.impersonate

I have tested this and also the sample for how to imperonate a specific user
in

http://support.microsoft.com/default.aspx?scid=306158

But i get an "Impersonation Failure" thrown when the contxt is about to
switch. I have given ASPNET account the "Act as part of operating system"
right add added the identity impersonate tag in web.config.

Let me know what you think, or if you have any success with this

Thanks

Niclas


"Alan Mendelevich" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Hi Niclas,
>
> Thanks for the quick reply! As far as I can tell from the code it still is

a
> workaround. I mean IIS doesn't know that something like windows
> authentication occured. What I try to achieve in the long run is that when
> users access non-asp.net content protected by IIS with windows
> authentication they don't have to enter login information once more.
>
> Best regards,
> Alan.
>
> "MS Newsgroups" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed)...
> > This is how i done it:
> >
> > Logon using API call to get a token, create a new WindowsIdentity Object

> and
> > create a new Windows principal
> >
> > Add the principal to the session with
> >
> > session.add("AuthID", ctype(myNewPrincipal,object))
> >
> > Change userID for this call with:
> >
> > context.User = CType(Session.Item("AuthID"), WindowsPrincipal)
> >
> > Then i use global.asax to change the identity for every request
> >
> > Private Sub Global_PreRequestHandlerExecute(ByVal sender As Object,

ByVal
> e
> > As System.EventArgs) Handles MyBase.PreRequestHandlerExecute
> >
> > If Not Session.Item("AuthIdentity") Is Nothing Then
> > Context.User = CType(Session.Item("AuthIdentity"),
> > WindowsPrincipal)
> > End If
> >
> > What i have also done, but not included here, is that i save the

anonymous
> > principal to the session before switching, so i can switch back if i

would
> > like the user to be able to perform a log off and continue as anonymous
> >
> > Any questions,
> >
> > Let me know
> >
> > Niclas Lindblom
> >
> >
> > "Alan Mendelevich" <(E-Mail Removed)> wrote in message
> > news:(E-Mail Removed)...
> > > Hi,
> > >
> > > I'm trying to build a login system where users login via web form, but

> > then
> > > they are logged in as they would with windows authentication only not
> > > involving chalenge/response or basic authentication. I was able to

login
> > > user via LogonUser() function and to get WindowsIdentity and
> > > WindowsPrincipal objects. But when I assign WindowsPrincipal object to

> the
> > > HttpContext.Current.User property it get's assigned
> > > (HttpContext.Current.User.Identity.Name becomes the name of the user

and
> > > IsAuthenticated becomes true) but lasts only for the current request.

> For
> > > the next request HttpContext.Current.User.Identity.Name is Anonymous

and
> > > IsAuthenticated is false.
> > >
> > > What should I do for this authentication to persist across requests?
> > >
> > > Thanks in advance for your help!
> > >
> > > Best regards,
> > > Alan Mendelevich
> > >
> > >

> >
> >

>
>



 
Reply With Quote
 
Alan Mendelevich
Guest
Posts: n/a
 
      10-14-2003
I think impersonation is not really what is needed here. As far as I
understand impersonation makes it look like asp.net process is running under
different identity than it's actually is. After putting some thought into
whole this situation I'm leaning toward the conclusion that this kind of a
problem could not be solved. I think that in whole this windows
authentication process not only server but browser should also know that
some authentication has happened. At least in the case of basic
authentication actually browser sends credentials with every request no
matter that the logon dialog is shown only once. So if we "fake" windows
authentication on the server and browser knows nothing about it, then next
request is sent from the browser like nothing happened.

All these are just some random thoughts and I might be wrong. Maybe it's
possible to send some header back to the browser or something like that.
Please, let me know if you find any solution, and I'll let you know if I do.

Best regards,
Alan.

"MS Newsgroups" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> I agree on that, I have been trying to use impersonation to get the user

to
> proper WindowsIdentity as seen from IIS but i can not get this to work.
>
> I was thinking a concept like this:
>
> Dim myToken as intPtr
>
> mytoken=logonuser bla bla API call
>
> Dim myNewID as new WindowsIdentity(mytoken)
>
> Dim myNewContext as WindowsImpersonationContext
>
> myNewContext=myNewID.impersonate
>
> I have tested this and also the sample for how to imperonate a specific

user
> in
>
> http://support.microsoft.com/default.aspx?scid=306158
>
> But i get an "Impersonation Failure" thrown when the contxt is about to
> switch. I have given ASPNET account the "Act as part of operating system"
> right add added the identity impersonate tag in web.config.
>
> Let me know what you think, or if you have any success with this
>
> Thanks
>
> Niclas
>
>
> "Alan Mendelevich" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed)...
> > Hi Niclas,
> >
> > Thanks for the quick reply! As far as I can tell from the code it still

is
> a
> > workaround. I mean IIS doesn't know that something like windows
> > authentication occured. What I try to achieve in the long run is that

when
> > users access non-asp.net content protected by IIS with windows
> > authentication they don't have to enter login information once more.
> >
> > Best regards,
> > Alan.
> >
> > "MS Newsgroups" <(E-Mail Removed)> wrote in message
> > news:(E-Mail Removed)...
> > > This is how i done it:
> > >
> > > Logon using API call to get a token, create a new WindowsIdentity

Object
> > and
> > > create a new Windows principal
> > >
> > > Add the principal to the session with
> > >
> > > session.add("AuthID", ctype(myNewPrincipal,object))
> > >
> > > Change userID for this call with:
> > >
> > > context.User = CType(Session.Item("AuthID"), WindowsPrincipal)
> > >
> > > Then i use global.asax to change the identity for every request
> > >
> > > Private Sub Global_PreRequestHandlerExecute(ByVal sender As Object,

> ByVal
> > e
> > > As System.EventArgs) Handles MyBase.PreRequestHandlerExecute
> > >
> > > If Not Session.Item("AuthIdentity") Is Nothing Then
> > > Context.User = CType(Session.Item("AuthIdentity"),
> > > WindowsPrincipal)
> > > End If
> > >
> > > What i have also done, but not included here, is that i save the

> anonymous
> > > principal to the session before switching, so i can switch back if i

> would
> > > like the user to be able to perform a log off and continue as

anonymous
> > >
> > > Any questions,
> > >
> > > Let me know
> > >
> > > Niclas Lindblom
> > >
> > >
> > > "Alan Mendelevich" <(E-Mail Removed)> wrote in message
> > > news:(E-Mail Removed)...
> > > > Hi,
> > > >
> > > > I'm trying to build a login system where users login via web form,

but
> > > then
> > > > they are logged in as they would with windows authentication only

not
> > > > involving chalenge/response or basic authentication. I was able to

> login
> > > > user via LogonUser() function and to get WindowsIdentity and
> > > > WindowsPrincipal objects. But when I assign WindowsPrincipal object

to
> > the
> > > > HttpContext.Current.User property it get's assigned
> > > > (HttpContext.Current.User.Identity.Name becomes the name of the user

> and
> > > > IsAuthenticated becomes true) but lasts only for the current

request.
> > For
> > > > the next request HttpContext.Current.User.Identity.Name is Anonymous

> and
> > > > IsAuthenticated is false.
> > > >
> > > > What should I do for this authentication to persist across requests?
> > > >
> > > > Thanks in advance for your help!
> > > >
> > > > Best regards,
> > > > Alan Mendelevich
> > > >
> > > >
> > >
> > >

> >
> >

>
>



 
Reply With Quote
 
 
 
Reply

Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
what is the difference between code inside a <script> tag and code in the code-behind file? keithb ASP .Net 1 03-29-2006 01:00 AM
Fire Code behind code AND Javascript code associated to a Button Click Event =?Utf-8?B?Q2FybG8gTWFyY2hlc29uaQ==?= ASP .Net 4 02-11-2004 07:31 AM
Re: Code Behind vs. no code behind: error Ben Miller [msft] ASP .Net 1 06-28-2003 01:46 AM
Re: C# Equivalent of VB.Net Code -- One line of code, simple Ian ASP .Net 0 06-25-2003 01:14 PM
Re: C# Equivalent of VB.Net Code -- One line of code, simple Ron ASP .Net 1 06-24-2003 07:18 PM



Advertisments