Velocity Reviews - Computer Hardware Reviews

Basic Authentication/Custom Login page

 
 
mike
09-14-2005
Hello.

I'm creating a site that has basic authentication. Is it possible to have a
custom login page display instead of the Windows login page?

Thanks in advance,

Mike


 
WJ
09-14-2005
Form Authentication will serve your purpose as this requires Anonymous
instead of Basic. Keep in mind that Basic Auth. does not protect your
system.

John

Dominick Baier [DevelopMentor]
09-14-2005
Hello WJ,

what do you mean by "does not protect your system"?? can you elaborate?

it is all a matter of where you store your user accounts, if you store them
in some windows backed store (LSA, Domain) then you have to resort to some
IIS authentication. And basic is the one with the broadest compatibility.
Of course, keep in mind that basic auth transmits the password in clear text,
so you HAVE to layer SSL of basic auth.

One gotcha is, that you have to live with the window login dialog - i can
give you code to do that, if you really want to go this route. But this would
mean that you have to do auth yourself.

Another option is to use Forms Authentication, typically with user accounts
stored in a database. This allows out of the box to provide your own login
UI - again you have to do auth yourself.

maybe this clears it up a little bit. feel free to ask.

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

mike
09-15-2005
Hi, Dominick.

The application is intended for our salesmen, and they are domain users, and
therefore I would like to use the WindowsPrincipal object instead of
GenericPrincipal, for purposes of delegation.

Although Basic Auth would only "natively" give me a one-hop delegate, I
would still like to have IIS authenticate against Active Directory.

Of course, if one of the "higher-ups" insists on a friendly-looking sign-in
page, then Forms Authentication will be the way.

Mike

mike
09-15-2005
So I guess the answer is "No"?

Dominick Baier [DevelopMentor]
09-15-2005
Hello Mike,

a) you can get rid of the windows dialog, even with basic - but that means
calling LogonUser to authenticate against AD, which would also give you a
token to construct a WindowsPrincipal for "delegation"

b) in theory you can also use integrated and configure IE to send credentials
automatically (theory=users must be logged onto the domain - keep alives
have to be enabled between web server and client)



---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

mike
09-15-2005
Hi, Dominick. Thanks for responding.

You said that I "can get rid of the windows dialog, even with basic", my
question is "How"?

Thanks again,

Mike

Dominick Baier [DevelopMentor]
09-15-2005
Hello Mike,

well - there are some steps necessary

a) enable anonymous again
b) enable forms auth
c) validate the user against AD (e.g. using LogonUser) in your logon page
d) issue the auth cookie yourself - remember the user password somehow
e) Handle Authenticate_Request or FormsAuthentication_Authenticate (not sure
which one is better) - call LogonUser to get a token, wrap the token in a
WindowsIdentity, wrap WindowsIdentity with WindowsPrincipal, replace Context.User

that should work.

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com
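
Steps c) onward from the list above, as an added C# example; it is not Dominick's code or part of the original thread. Instead of remembering the password, this variant keeps the WindowsIdentity from the first LogonUser call in the server-side cache and stores only a lookup key in the forms ticket, which is an assumption of this example. AdFormsAuth, SignIn, RestoreWindowsPrincipal and the 30-minute lifetime are hypothetical names and values.

```csharp
using System;
using System.Runtime.InteropServices;
using System.Security.Principal;
using System.Web;
using System.Web.Caching;
using System.Web.Security;

public static class AdFormsAuth   // hypothetical helper, not from the thread
{
    // NETWORK_CLEARTEXT keeps the credentials in the logon session, so the
    // token can make one network hop while impersonating (same as IIS Basic).
    const int LOGON32_LOGON_NETWORK_CLEARTEXT = 8;
    const int LOGON32_PROVIDER_DEFAULT = 0;

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string user, string domain, string password,
        int logonType, int logonProvider, out IntPtr token);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr handle);

    // Validate against AD and issue the forms auth cookie (login page).
    public static bool SignIn(HttpContext ctx, string user, string domain, string password)
    {
        IntPtr token;
        if (!LogonUser(user, domain, password, LOGON32_LOGON_NETWORK_CLEARTEXT,
                       LOGON32_PROVIDER_DEFAULT, out token))
            return false;                                  // bad credentials
        WindowsIdentity identity;
        try { identity = new WindowsIdentity(token); }     // duplicates the handle
        finally { CloseHandle(token); }

        // The key travels inside the encrypted, MAC-protected ticket only.
        string key = Guid.NewGuid().ToString("N");
        TimeSpan life = TimeSpan.FromMinutes(30);          // assumed lifetime
        ctx.Cache.Insert("winid:" + key, identity, null,
                         DateTime.Now.Add(life), Cache.NoSlidingExpiration);

        FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
            1, identity.Name, DateTime.Now, DateTime.Now.Add(life), false, key);
        HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                           FormsAuthentication.Encrypt(ticket));
        cookie.Path = FormsAuthentication.FormsCookiePath;
        cookie.Secure = true;      // never send the ticket over plain HTTP
        cookie.HttpOnly = true;    // keep it away from client script
        ctx.Response.Cookies.Add(cookie);
        return true;
    }

    // Replace Context.User with a WindowsPrincipal on each request.
    public static void RestoreWindowsPrincipal(HttpContext ctx)
    {
        FormsIdentity forms = ctx.User == null ? null : ctx.User.Identity as FormsIdentity;
        if (forms == null) return;                         // no valid forms ticket
        WindowsIdentity identity =
            ctx.Cache["winid:" + forms.Ticket.UserData] as WindowsIdentity;
        // Cache entry gone (expiry, app restart): fall back to an anonymous
        // principal so URL authorization sends the user back to the login page.
        ctx.User = identity != null
            ? (IPrincipal)new WindowsPrincipal(identity)
            : new GenericPrincipal(new GenericIdentity(""), new string[0]);
    }
}
```

Call SignIn from the login page's button handler and RestoreWindowsPrincipal(Context) from Application_AuthenticateRequest in Global.asax. The cookie is marked Secure, so the site has to be served over SSL, which the login form needs anyway because it posts the password.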

mike
09-15-2005
Hi, Dominick.

Ok, I thought you were saying that I can enable Basic in IIS and override
the window that the browser displays.

I was trying to avoid the steps that you listed, but thanks for listing
them. I'll probably wind up needing that info.

Thanks again,

Mike

Dominick Baier [DevelopMentor]
09-15-2005
Hello WJ,

so FormsAuth needs SSL too - does that mean it does not protect my system
??

btw - Basic Auth is probably supported on every browser on this planet

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

> "mike" <> wrote in message
> news:%...
>
>> So I guess the answer is "No"?
>>

> Right. As these are Windows only. You do not want to implement Basic
> because it is vulnerable unless it is SSL enabled.
>
> FormAuth is the appropriate way. It also can run on multiple platforms
> and or Browsers.
>
> John
>



 