authenticating username/password against Active Directory

 
 
Boesman
01-08-2007
Hi,
I'm working on an intranet asp.net app and at some point a user - other
than the currently authenticated user - needs to authorise an action,
like creating a purchase order.
All usernames/passwords must be authenticated against Active Directory.
This already works fine for the overall application security as
specified in IIS (no anonymous access, use Windows integrated security,
etc).

My solution is to prompt via a modal browser window for the
authenticating user's username & password, and then to attempt to
verify that usn/pwd pair against AD. How on earth do I pass a usn/pwd
pair to AD and have it verified as valid? I don't need to do anything
else with this info, i.e. I'm not trying to log this user in or change
the current security context for the running web application.

Any advice appreciated.

Tian

 
 
 
 
 
Joe Kaplan
01-08-2007
There are a couple of different ways you might do this. The preferred method
from Microsoft is to use SSPI to verify the credentials. This should be
doable using the NegotiateStream class in .NET 2.0, but is still a little
convoluted in my opinion. I believe Dominick has a sample on his blog
somewhere (www.leastprivilege.org) and probably covers it in his book (I
just got it over the holidays but haven't actually read it yet).

Another way to do this is with the Win32 LogonUser API. It actually uses
SSPI under the hood and gives you a real logon token back that you can then
use for impersonation as well if needed. The user may need rights to log on
locally, depending on how the function is called, and you will be limited to
operating systems of XP or higher unless your app runs with SYSTEM
privileges (not a good idea).

The other way to do this is with LDAP using an LDAP bind to AD. In .NET you
can do LDAP with System.DirectoryServices or
System.DirectoryServices.Protocols if you use .NET 2.0 or higher. If you
are doing pure authentication, I'd suggest using S.DS.Protocols, as it has
the potential to scale better and makes the actual bind call more explicit.

Ch 12 of my book covers LDAP auth (and the other approaches for that matter)
and has some sample code. You can grab the sample code from the website at
the link below in VB.NET or C#.

HTH,

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Boesman" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed) oups.com...
> Hi,
> I'm working on an intranet asp.net app and at some point a user - other
> than the currently authenticated user - needs to authorise an action,
> like creating a purchase order.
> All usernames/passwords must be authenticated against Active Directory.
> This already works fine for the overall application security as
> specified in IIS (no anonymous access, use Windows integrated security,
> etc).
>
> My solution is to prompt via a modal browser window for the
> authenticating user's username & password, and then to attempt to
> verify that usn/pwd pair against AD. How on earth do I pass a usn/pwd
> pair to AD and have it verified as valid? I don't need to do anything
> else with this info, i.e. I'm not trying to log this user in or change
> the current security context for the running web application.
>
> Any advice appreciated.
>
> Tian
>
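
One way to write the LDAP bind check described in the reply above with System.DirectoryServices.Protocols. This is an added example, not the sample code from Joe Kaplan's book or website; the class and method names, the parameters and the 10-second timeout are assumptions.

```csharp
using System;
using System.DirectoryServices.Protocols;
using System.Net;

public static class AdCredentialCheck   // hypothetical helper name
{
    private const int LdapInvalidCredentials = 49; // LDAP result code invalidCredentials

    // True if a domain controller accepts the bind, false if it rejects the
    // username/password. Any other failure (DC unreachable, timeout) throws,
    // so an outage is never mistaken for a verdict on the credentials.
    public static bool Validate(string server, string domain, string user, string password)
    {
        // Reject blanks up front: an LDAP simple bind with an empty password
        // is an unauthenticated bind and can succeed, so do not rely on the
        // AuthType setting alone to stop it.
        if (string.IsNullOrEmpty(user) || string.IsNullOrEmpty(password))
            return false;

        var identifier = new LdapDirectoryIdentifier(server); // default LDAP port 389
        using (var connection = new LdapConnection(identifier))
        {
            // Negotiate goes through SSPI (Kerberos/NTLM), so the password
            // itself is not sent to the server in clear text.
            connection.AuthType = AuthType.Negotiate;
            connection.SessionOptions.ProtocolVersion = 3;
            connection.SessionOptions.Signing = true;  // integrity-protect the session
            connection.SessionOptions.Sealing = true;  // encrypt the session
            connection.Timeout = TimeSpan.FromSeconds(10); // assumed value

            try
            {
                // The bind is the whole check: nothing is searched or modified,
                // and the web application's own security context is unchanged.
                connection.Bind(new NetworkCredential(user, password, domain));
                return true;
            }
            catch (LdapException ex) when (ex.ErrorCode == LdapInvalidCredentials)
            {
                return false;
            }
        }
    }
}
```

A successful bind only proves the password is correct; the application still has to confirm that the approver is a different account from the logged-in user and is permitted to authorise the action.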



 