Hey all,
Is there a way that I can capture the windows login so that my users
don't have to login to their computer AND login to the intranet site?
This Question has been solved and asker verified All Experts Exchange premium technology solutions are available to subscription members.
Experts Exchange has been collecting answers to technology questions since 1996…3 million and counting! If you have a question, chances are we already have your answer.
If you can't find the exact answer you're looking for, ask our exclusive community of 50,000 experts. You’ll get a personalized answer from a trusted professional.
Thousands of free tech tips, tricks, how-to’s and tutorials are available in our peer reviewed articles section. See for yourself how smart our experts are, no login required.
Save solutions to your questions, answers you’ve discovered through searching plus helpful articles in your personal knowledgebase for easy future access.
Access the answers to your technology questions today.
30-day free trial. Register in 60 seconds.
Members of the expert community talk about why the experience at Experts Exchange is different than what you will find anywhere else.
Try it out and discover for yourself.
30-day free trial. Register in 60 seconds.
Join the community of experts here and help other tech pros by answering question in your area of expertise. You can earn FREE access to all Experts Exchange's premium features and resources.
You need to turn of ANONYMOUS access within IIS (if Apache you need to use some modules that mimic IIS functions)
Once thats done you can access the cgi.auth_user variable.
It only works for your users if they access your site like so http://MACHINE_NAME (or anything without a dot in it, or add the site to your intranet settings in IE)
Once there is a dot in the name it will prompt the user for the username and password again.
In IIS, change the authentication method from anonymous to digest and basic and make sure the integrated windows authentication box is checked.
ColdFusion recognizes the NT login as #REMOTE_USER#
It will include the domain also so you may want to do something like this to strip that away so you can just work with the actual NT login:
<cfset strUserNT = #REMOTE_USER#>
<cfset strUserNT = lcase(ReplaceNoCase(strUse
Hope that makes sense. This is my first time actually trying to answer a question :)
-Makila
I have no clue what cgi.auth_user is. I don't use cgi in any of my web pages.
I'm able to do the windows authentication in ColdFusion just by changing the IIS authentication settings and using the reserved #REMOTE_USER# variable....
Based on the code in my previous comment:
<cfoutput>#REMOTE_USER#</c
<cfoutput>#strUserNT#</cfo
"wireless" is my domain; "makila" is my NT login
You cannot get the windows password without the user re-entering it. But once you ask the user to logon to the Intranet, you can save the password in a cookie or in a DB so that the user only has to login to the Intranet once.
After you save it to a cookie, just check for the cookie and read it next time they come to the Intranet.
How are you validating users to your Intranet? Using LDAP to query the Active Directory will allow you to use their current username/password and will always keep their Intranet login identical to their NT logon.
Regarding CGI, you don't have to be "using" CGI to get the variables. Cold Fusion makes them available automatically. If you are using IIS, under the web site properties under Directory Security, enable basic authentication and once a user successfully logs on, you can use the variable #cgi.auth_user#. That is not a good method though as it sends the password in plain text and makes the password available to anyone who can access your cf code or cf administrator.
Sorry guys I don't think you know what your talking about.
1. Both of you are basically repeating what I already stated about IIS.
2. REMOTE_USER is a CGI variable, even though he does not prefix it with the scope, it is a variable available from the CGI variables.
3. If we are talking about an Intranet, and the user is alreayd logged on to their machine, ie. they entered their username and password, WHY would they need to enter the password again when they access the site? All you need to know is who is this user at that stage...
I'm using an Intranet now where I use the NT username/password for authentication. So to say I don't know what I'm talking about is wrong, not to mention rude.
I expanded on what you said about IIS and the auth_user variable and explained how that is probably not a good solution.
To answer your question tacobell777, in order to know who the user is, the user has to logon. You could just ask the user to enter their username but if you have any security needs in the intranet (ie this department sees xxx and other's don't) then asking for their username and password and verifying it is essential.
I have found the best solution in this situation is to use LDAP to query the active directory and verify users. There are some examples out there. Search the web for "coldfusion ldap active directory".
Agreed, maybe I was a bit to hard, but I still think you don't get it.
Why do you need the password from a user when the already provided that password when they logged in to their machine?? Why should they provide it again, only that ONE user (from that domain) can log in into that machine and no else!.... So all you need is the username to authenticate the user on an intranet.
you need the password because:
you can't get the username without the user providing it. If you ask the user forjust their username, there is no security - any user on the domain could enter in any user name.
Unless you require and verify the password, you can't be sure the user is who they say they are.
Now if you have static IP's and want to assume a given ip is a given user, you could go that route. But that requires static IP's and an assumption that no one other than the specified user ever logs on to that machine.
What in godsname do you mean you can't get the username without the user providing it?
Disable "anonymous access" in the site within IIS and it will pass the username and odmain name to you in a variable (cgi.auht_user) like I said before.
And trust me the user will not need to provide anything, I have made intranet applications for the government and they work this way. And once again I stress, this only works on an Intranet, if it's not an intranet then the user will be prompted for a username and password. I might have been harsh saying you don't know what your talking about, but it is the truth in this matter.
To get back to the initial question, which is:
Is there a way that I can capture the windows login so that my users
don't have to login to their computer AND login to the intranet site?
he does not want the user to log again to the iste, because he knows the user is already logged in to the computer, all he wants is the login credientials, and the username and domain is enough, because only one person can log into the domain with the username.
What happens when one follows your advice and disables anonymous access? Guess what, the user is prompted for their username and password (unless you disable all access to the site). That is what in 'godsname' I meant by asking for the username and password.
Where do you think the cgi variable values come from? They come from the values the user inputs into the logon window that are then passed into the header. That is what I mean by saying you can't get the username unless you ask for it (or can associate it with an ip).
Intranet or Internet, works the same. You said, "disable anonmyous access and 'trust me the user will not need to provide anything.'" Go try that on IIS and you will see you are wrong.
Completely wrong dude..
If you are so sure of yourself, then why don't you give it a go?
And I stressed out that this only works for an Intranet!
Disable Anonymous Access, then access the site either by machine name ie. http://machineName/site
or make sure you add the site to the Intranet settings when the first part of the url has a dot in it.
Internet Explorer does not see a domain name with a dot in as a Intranet ie.
http://machinename (no dot) it sees as intranet, and will not prompt you for your username
http://www.intranet.com/ it will not see as intranet because it has a dot in it, you need to add those to your intranet sites under IE security.
http://otherdnsname with no dot in it, it will also see as intranet.
If you follows these instructions you will see how wrong you are and we will not hear form you again ;-))
You say go try it on IIS, mate I have developed many intranet sites, for banks and government bodies, and I have did it this way, and it all worked like I stated above, you just never tried it the right way... Give it a go and we can talk again....
I tested in IIS per our discussion and if I disable anonymous access and enable any other authentication method, the user is prompted for a username/password. But...since taco was so sure I did some research and according to Microsft, there are scenarios where what taco said is correct.
One scenario is if Certificate Authentication is enabled and the client has a certificate. Username and password are sent automatically.
The other is if:
-Windows Integrated authentication is enabled.
-Both the client and the Web server are on the same domain or trusted domain
-User is using IE
-the url is an 'intranet' (as taco described) or is listed in the "intranet zone"
-Internet Explorer's Intranet zone security setting is set to' Automatic logon only in Intranet zone'
-the user has appropriate file system (NTFS) permissions to the Web page as well as all of the objects referenced in the Web page
So taco must have been using one of those 2 scenarios and I stand corrected in saying there is no way to get the logon without asking for it. None of my scenarios met the above so my tests never automatically passed the info. Thanks for persisting taco, I learned something new.
Business Accounts
Answer for Membership
by: MausePosted on 2003-11-26 at 13:13:23ID: 9827755
Hi there,
I know You can use CGI.AUTH_USER to get the username of the person who loged in
Mause