Web NTLogin with ASP (not via the NT Login Box)

Posted on 1999-07-16
Last Modified: 2013-12-25
I want to do an NT-Login on a Web-Page (-> the Username / Password isn't from a DB, it's directly from the NT-User Account). I don't want (I'm not allowed :)) to use the common NT-Login-Dialog Box. I want to do it directly via an ASP login page. The login should not only check if the user could log in... it should do a "real" login -> if I ask for the ServerVariable Request.ServerVariables("LOGON_USER") it should give me the name of the user who has just logged on.
I've already tried the AspUser component... but it doesn't work somehow :( It seems like it executes just the AspUser components in the security context of the new user.
btw: Inet server is IIS 4

Anybody can help? or needs some more infos?
regards
Joel Gautschi
Question by:gautschi
10 Comments
 
LVL 11

Expert Comment

by:mouatts
ID: 1864118
Exactly what you want to do can't be done. The LOGON_USER can't be set by your ASP program; it must be set by the server.

Secondly, I'm not sure how you would force an actual login, but anything that you do within your ASP program is running under the user listed in the configuration. Logging in will not affect the rights of your ASP program.

More to the point because you have not gone through proper authentication the web server will not offer any additional protection for the particular user.

I would suggest that if whoever won't allow you to use the NT Login box as you call it (actually it's nothing to do with NT, it is the standard HTTP authentication dialog) you ask them why, as if you require login to the box what better than to use authentication which will be more secure than anything that you can do.

Steve
0
 
LVL 18

Expert Comment

by:mgfranz
ID: 1864119
Perl has a few modules that allow user variables to be passed from the server, I assume though that since you are requesting an ASP answer you do not have perl or cgi capabilities...  If so, check out the Win32::Admin module.

Mark
0
 
LVL 11

Expert Comment

by:mouatts
ID: 1864120
mgfranz: It isn't an issue of what ASP can do but of what a server can do.
0
 

Author Comment

by:gautschi
ID: 1864121
mouatts: ok. just tell me how I have to do it.
0
 
LVL 11

Expert Comment

by:mouatts
ID: 1864122
There are two basic ways.

The first is that you turn authentication on the web server on. This will mean that when the user connects to the site the login popup will appear. If they enter a user name and password that is valid on the NT box then they will be granted access.

The environment variable REMOTE_USER will contain the username that they entered which you can then use from other ASP pages and CGIs.

If you want to restrict the files that a user can see you must set up NTFS so that the files have the appropriate permissions.

The second way is to have your own login screen whereby you validate the username and password yourself from some other source (ASP can't get to the NT username/password system but there may be a component that can).

Then for this person you can store the username within a session variable. The downside of this approach is that any additional restrictions you want to impose will need to be controlled by ASP rather than NTFS. In addition the username will not be available to any CGI.

HTH
Steve
0
 

Author Comment

by:gautschi
ID: 1864123
steve: guess you are right. I have to do it with ASP and not NTFS if I'm not allowed to use an NT-Login box :((

Joel
0
 
LVL 18

Expert Comment

by:mgfranz
ID: 1864124
Steve,

As I mentioned in my original post, Perl has modules that will authenticate against NT accounts.  As Joel stated he CAN'T USE NT basic authentication methods...

As far as I know there are no components or ActiveX objects that do what is requested, but I haven't done a bunch of digging...

You may want to look into the Request.ServerVariables object...  It may be what you're looking for...
0
 
LVL 18

Accepted Solution

by:
mgfranz earned 750 total points
ID: 1864125
Speaking of ServerVariables...  Try this:


A simple alternative to NT authentication is to cheat. Here's a "no NT involved" version of security.inc; just put

<!--#INCLUDE FILE="security.inc"-->

at the top of each ASP page you want to protect, and put this in security.inc:


<%
' Does the session know the user?
UserID = Session("UserID")
Rejected = False

If IsEmpty(UserID) Or IsNull(UserID) Or UserID = "" Then
    Attempted = False

    ' Figure out who we are, for later
    URL = Request.ServerVariables("QUERY_STRING")

    If IsEmpty(URL) Or URL = "" Then
        URL = ""  ' just in case
    Else
        URL = "?" & URL
    End If

    URL = Request.ServerVariables("SCRIPT_NAME") & URL

    ' Check for POSTed authentication information
    UserID = Request.Form("UserID")
    UserPWD = Request.Form("UserPWD")

    If IsEmpty(UserID) Or IsNull(UserID) Or UserID = "" Then
        Rejected = True
    Else
        ' insert your own checking here -- this is deliberately lame
        If UserID = "Foo" And UserPWD = "Foo" Then
            ' wahoo!
            ' set the session variable
            Session("UserID") = UserID
            Rejected = False
        Else
            Attempted = True
            Rejected = True
        End If
    End If
End If

If Rejected Then
    If Attempted Then
        Title = "Authentication Failure"
    Else
        Title = "Please Authenticate"
    End If
%>

<!--#INCLUDE FILE="authentication_form.htm"-->
<%
    Response.End ' stop processing before it gets back to your page
End If
' ... otherwise, on with your normal page.
%>

The authentication page (authentication_form.htm) could look like this:
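<html><head><title><%=Title%></title></head>
<body>
<h1><%=Title%></h1>

<% ' URL contains the raw query string, so HTML-encode it before writing it into the attribute %>
<form action="<%=Server.HTMLEncode(URL)%>" method="POST">
Username: <input type="text" name="UserID" size="20"><br>
Password: <input type="password" name="UserPWD" size="20"><br>
<input type="submit">
</form>
</body>
</html>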

You could just as easily paste this HTML in where the INCLUDE is, but it makes it a little harder to edit using FrontPage. Note that anyone trying to hit authentication_form.htm is going to find it a little... well, useless. I'll leave it as an exercise to the reader how to get around this.

How does security.inc work?

If the user has authenticated already, security.inc notices that the UserID session variable is set and passes control back to your page. If they haven't, it sends them a form which asks for their username and password. When they submit that information, security.inc checks it and either gives them the form again or passes control back to your page.

The extra code is there to tweak the form if the user failed authentication (as opposed to simply not having authenticated yet), and to preserve any query information in the URL.

Note that if the user doesn't accept the ASP cookie (or is using a non-cookie-aware browser), the session variable won't be preserved and they'll be continuously asked to re-authenticate.  You should modify the authentication page so that it warns users of this.
0
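
An added example, not part of the original answer: the gate logic of security.inc modelled in Python so it can be run offline, with the "insert your own checking here" placeholder filled by a salted PBKDF2 comparison and the form's action URL HTML-escaped. The account store, user name, password and iteration count are constructed for illustration.

```python
import hashlib
import hmac
import html
import os

ITERATIONS = 100_000  # PBKDF2 work factor (assumed value for this sketch)

def hash_password(password, salt=None):
    """Return (salt, derived_key) to store instead of the plaintext password."""
    salt = salt or os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, key

# Constructed sample account store: user id -> (salt, derived key).
USERS = {"joel": hash_password("correct horse")}
_DUMMY = hash_password("placeholder")  # used for unknown users to even out timing

def check_credentials(user_id, password):
    """Stand-in for the hard-coded Foo/Foo comparison in security.inc."""
    salt, stored = USERS.get(user_id, _DUMMY)
    _, candidate = hash_password(password, salt)
    # Constant-time compare; the membership test rejects the dummy entry.
    return hmac.compare_digest(candidate, stored) and user_id in USERS

def gate(session, form, script_name, query_string):
    """Mirror security.inc: return None to let the page run, or a dict
    describing the login form to render (title plus escaped action URL)."""
    if session.get("UserID"):
        return None                      # session already knows the user
    attempted = False
    user_id = form.get("UserID", "")
    if user_id:
        if check_credentials(user_id, form.get("UserPWD", "")):
            session["UserID"] = user_id  # remember the user for later requests
            return None
        attempted = True
    # Preserve the query string so the POST returns to the same page.
    url = script_name + ("?" + query_string if query_string else "")
    return {
        "title": "Authentication Failure" if attempted else "Please Authenticate",
        # Escape before writing into action="..." so a crafted query string
        # cannot break out of the attribute.
        "action": html.escape(url, quote=True),
    }
```
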
 
LVL 11

Expert Comment

by:mouatts
ID: 1864126
mgfranz:

If you read all my last comment you will see that I mention two ways, one with authentication and one using session variables just like your answer!
0
 
LVL 12

Expert Comment

by:Trygve
ID: 1864127
Mentioning is not the same as posting (hopefully) working code...
0
