There are a couple of different ways you might do this. The preferred method
from Microsoft is to use SSPI to verify the credentials. This should be
doable using the NegotiateStream class in .NET 2.0, but is still a little
convoluted in my opinion. I believe Dominick has a sample on his blog
somewhere (www.leastprivilege.org) and probably covers it in his book (I
just got it over the holidays but haven't actually read it yet).
Another way to do this is with the Win32 LogonUser API. It actually uses
SSPI under the hood and gives you a real logon token back that you can then
use for impersonation as well if needed. The user may need rights to log on
locally, depending on how the function is called, and you will be limited to
operating systems of XP or higher unless your app runs with SYSTEM
privileges (not a good idea).
The other way to do this is with LDAP using an LDAP bind to AD. In .NET you
can do LDAP with System.DirectoryServices or
System.DirectoryServices.Protocols if you use .NET 2.0 or higher. If you
are doing pure authentication, I'd suggest using S.DS.Protocols, as it has
the potential to scale better and makes the actual bind call more explicit.
Ch 12 of my book covers LDAP auth (and the other approaches for that matter)
and has some sample code. You can grab the sample code from the website at
the link below in VB.NET or C#.
HTH,
Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Boesman" <> wrote in message
news: oups.com...
> Hi,
> I'm working on an intranet asp.net app and at some point a user - other
> than the currently authenticated user - needs to authorise an action,
> like creating a purchase order.
> All usernames/passwords must be authenticated against Active Directory.
> This already works fine for the overall application security as
> specified in IIS (no anonymous access, use Windows integrated security,
> etc).
>
> My solution is to prompt via a modal browser window for the
> authenticating user's username & password, and then to attempt to
> verify that usn/pwd pair against AD. How on earth do I pass a usn/pwd
> pair to AD and have it verified as valid? I don't need to do anything
> else with this info, i.e. I'm not trying to log this user in or change
> the current security context for the running web application.
>
> Any advice appreciated.
>
> Tian
>
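As an added illustration of the S.DS.Protocols approach Joe describes (this is not code from the thread or from his book), the following C# verifies a username/password pair by performing an explicit LDAP bind against a domain controller and nothing else. The server name, domain and port are assumed placeholders; the check treats only an explicit "invalid credentials" response as a failed verification and lets any other error (unreachable DC, TLS failure) propagate, so an outage is never mistaken for a wrong password.

```csharp
using System;
using System.Net;
using System.DirectoryServices.Protocols;

static class AdCredentialCheck
{
    // LDAP result code 49 = invalidCredentials (RFC 4511).
    private const int LdapInvalidCredentials = 49;

    // Returns true only if the supplied credentials bind successfully.
    // Any error other than "invalid credentials" is rethrown so the caller
    // can distinguish a directory problem from a bad password.
    public static bool Verify(string domainController, string domain,
                              string userName, string password)
    {
        // An empty password is treated as an anonymous/unauthenticated bind
        // by LDAP servers and may "succeed", so reject it before binding.
        if (string.IsNullOrEmpty(userName) || string.IsNullOrEmpty(password))
            return false;

        // Assumed: DC reachable over LDAPS (port 636) with a trusted cert.
        var id = new LdapDirectoryIdentifier(domainController, 636, true, false);
        using (var conn = new LdapConnection(id))
        {
            conn.SessionOptions.SecureSocketLayer = true;  // protect the password on the wire
            conn.SessionOptions.ProtocolVersion = 3;
            conn.AuthType = AuthType.Negotiate;            // Kerberos/NTLM via SSPI, not simple bind
            conn.Credential = new NetworkCredential(userName, password, domain);
            try
            {
                conn.Bind();   // the bind itself is the credential check
                return true;
            }
            catch (LdapException ex)
            {
                if (ex.ErrorCode == LdapInvalidCredentials)
                    return false;
                throw;         // unreachable server, TLS error, etc.
            }
        }
    }

    static void Main()
    {
        // Placeholder values; replace with your own DC, domain and prompted input.
        bool ok = Verify("dc01.example.local", "EXAMPLE", "authoriser", "secret");
        Console.WriteLine(ok ? "credentials valid" : "credentials rejected");
    }
}
```

Because this only binds and disposes the connection, the web application's own security context is left untouched, which is what the original question asked for.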