Determining (verifying) a user's logon name and password from Windows NT

I am doing our Intranet and I want to prompt users to enter their network name and password and verify them against their actual NT accounts (for an expense reporting app) and I don't know how to do it.  I am using VBScript in my ASP but I am not an advanced programmer at all.  Someone told me you have to make an API Call to get that information but I have no idea what that means.  Can someone help?  200 PTS available.

mtoft Commented:
What you should do (What Microsoft does in their sample site, "Fitch And Mather") is set up your IIS 4.0 webserver to require Windows NT authentication. Do this by removing "Allow Anonymous Access", and by setting "Windows NT Challenge/Response" (I think someone mentioned this before me).

In the site where you set the "Windows NT Challenge/Response" you have a page, ex.: "Default.asp" with the following content:

--------------- Default.asp:
<%@ Language=VBScript %>
<META NAME="GENERATOR" Content="Microsoft Visual Studio 6.0">
<%
      ' Retrieve the Windows NT username
      sNTUsername = Trim(Request.ServerVariables("LOGON_USER"))
      If sNTUsername="" Then
            %>Access denied...<%
      Else
            %>Your expenses, <%=sNTUsername%>.<BR><%

            ' Open link to database using ADO
            Set cnData = Server.CreateObject("ADODB.Connection")
            cnData.ConnectionString = "DSN=Expense"
            cnData.Open
            ' Open recordset filled with records for this user; the username is
            ' bound as a parameter (200 = adVarChar, 1 = adParamInput)
            Set cmData = Server.CreateObject("ADODB.Command")
            Set cmData.ActiveConnection = cnData
            cmData.CommandText = "SELECT * FROM Expense WHERE (UserName=?)"
            cmData.Parameters.Append cmData.CreateParameter("UserName", 200, 1, 255, sNTUsername)
            Set rsData = cmData.Execute
            Do While Not rsData.Eof
                  Response.Write rsData("ExpenseDate") & " - " & rsData("Expense") & "<BR>"
                  rsData.MoveNext
            Loop
            ' Close recordset
            rsData.Close
            Set rsData=Nothing
            ' Close database connection
            cnData.Close
            Set cnData=Nothing
      End If
%>



The idea is that by querying the "Request" object for "LOGON_USER" you will receive a validated Windows NT user, OR, if the current user is not a validated Windows NT user, it will return an empty string, in which case you deny the user access to the page.


dgwest (Author) Commented:
Oh and I'm using FrontPage 2000 and IE 4.

Hi, to get the username you need to call this function:

Declare Function GetUserName& Lib "advapi32.dll" Alias "GetUserNameA" (ByVal _
lpBuffer As String, nSize As Long)

Specify nSize as a higher number than the max length of the user name, something like this:

Dim s$, cnt&, dl&
cnt& = 199
s$ = String$(200, 0)
dl& = GetUserName(s$, cnt)
msgbox s$

I don't think you'll be able to retrieve the password, I'll try to find you another means of verifying it though.

If you are using IIS4 or IIS5 then you could simply change the "Directory Security"/"Anonymous Access Control" in web-site properties. Remove checkmarks in "Allow anonymous access", and set checkmark in Windows NT challenge.

Have fun!
I would reckon that the users must be logged in to be working on the workstation anyway, so the user ought not to log in again. Use BeedleGuis' suggestion to get the user's name and compare this to our own app's user list.

On entering the network ask the user for the id and password and do the validation with the database you have.
dgwest (Author) Commented:
Let me clarify a little bit because all the answers vary.  We run an NT network and IIS 4.0.  When someone logs on to the network and loads IE 4 to get on the Intranet I don't want them to log in AGAIN because login names change every 30 days and I can't possibly keep a stand alone Access database up to date with current passwords.  Let's say that on the Intranet there is a link to expense reports where users can fill in and view their history of reports.  This could be done a variety of ways but let's say I set up a database with fields for date, expense, logon name, etc... I need a way to verify the user when he/she clicks the link to expense reports.  Instead of verifying them with a username and password screen, I want to verify them against their logins because they will be on the Network and no other password should be required.  So I could have a database with a field for logon names and (here is the problem) grab the users login name from NT and display the appropriate records from the database.  So how do I get the NT login name from NT (and store it in a variable)?  Any help would be great.

dgwest (Author) Commented:
Works like a charm, mtoft, but before I accept your answer I want to strip the domain name from the logon.  Right now it returns Domain\username and I just want username.  How do I strip the domain name? Also, I know I'm getting annoying, can I retrieve the actual name of the user for personalization?  For example, now I can return derekw but what about derek west.  That would be kinda neat...

Thanks to everyone for the help,
dgwest (Author) Commented:
Figured out how to trim the domain name but still would like to grab the user's full name.
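
Added example (not part of the original thread or any poster's code): LOGON_USER arrives as Domain\username, and once the domain is trimmed the short name becomes the database key. This sketch splits the value and accepts only one domain, so a same-named account from another domain or a local machine account is not treated as the same person; `EXPECTED_DOMAIN` (placeholder value "CORP") and `SplitLogonUser` are hypothetical names.

```vbscript
<%
' Added example: split LOGON_USER ("DOMAIN\user") and accept only the
' expected domain before using the short name as a database key.
Const EXPECTED_DOMAIN = "CORP"   ' assumption: placeholder NT domain name

' Returns True and fills sDomain/sUser when sLogon has the form "DOMAIN\user".
Function SplitLogonUser(ByVal sLogon, ByRef sDomain, ByRef sUser)
    Dim nPos
    SplitLogonUser = False
    sDomain = ""
    sUser = ""
    nPos = InStr(sLogon, "\")
    ' Reject empty input, a missing separator, or an empty half.
    If nPos < 2 Or nPos = Len(sLogon) Then Exit Function
    ' Reject a second backslash rather than guessing which part is the name.
    If InStr(nPos + 1, sLogon, "\") > 0 Then Exit Function
    sDomain = Left(sLogon, nPos - 1)
    sUser = Mid(sLogon, nPos + 1)
    SplitLogonUser = True
End Function

Dim sLogon, sDomain, sUser
sLogon = Trim(Request.ServerVariables("LOGON_USER"))

If Not SplitLogonUser(sLogon, sDomain, sUser) Then
    ' Anonymous request or unexpected format: no validated NT user.
    Response.Status = "403 Forbidden"
    Response.Write "Access denied..."
    Response.End
ElseIf StrComp(sDomain, EXPECTED_DOMAIN, vbTextCompare) <> 0 Then
    ' Authenticated, but not by the domain whose names the database stores.
    Response.Status = "403 Forbidden"
    Response.Write "Access denied..."
    Response.End
End If
%>
Your expenses, <%= Server.HTMLEncode(sUser) %>.<BR>
```

From here `sUser` can be bound as the query parameter in place of the full Domain\username string.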

There is no easy way to get a user's full name using ASP. You will probably have to create an ActiveX control that does the job and that can be called from ASP.

Microsoft has an excellent article on how this is done, see: Q151774 in their Knowledge base.

Or I can send you an ActiveX component that lets you retrieve a user's full name on some PDC. If you want it, just leave your email here...


dgwest (Author) Commented:
I'd love something like that.
dgwest (Author) Commented:
Adjusted points to 225
It's in your mailbox...
Question has a verified solution.
