Solved

Using NT to authenticate users

Posted on 2002-04-28
Last Modified: 2010-04-04
Hi People,

With our current application, we store a list of profiles for users within a database.  If that user doesn't exist, the application terminates.  What we want to do is replicate that but using NT Authentication.

If someone is logged into the domain, then our application uses that person's NT account.  If the account doesn't exist, we want to present them with a login dialog so they can connect to the domain and then proceed as normal.

Is this possible to do?

Cheers,

Stu
Question by:SJohnson

LVL 17
Expert Comment
by:inthe
hi stu,
you can use the API LogonUser(); you need
the Act As Part Of The Operating System privilege to call it.

I don't have a domain to give a working example, but there should be plenty about; it goes something like:

var
  aToken: THandle;
begin
  // nil domain = this machine's default logon domain
  if LogonUser('name', nil, 'password', LOGON32_LOGON_INTERACTIVE,
               LOGON32_PROVIDER_DEFAULT, aToken) then
    CloseHandle(aToken)  // logon OK: use the token, then release it
  else
    RaiseLastWin32Error;  // GetLastError says why, e.g. ERROR_LOGON_FAILURE
end;


Also you could use the newer SSPI (Security Support Provider Interface). Colin Wilson translated the MS example to Delphi and posted it in Borland's Code Central. I'll try to find the link.

LVL 17
Expert Comment
by:inthe
Here are the SSPI links;
the first one is newer, Colin's is the second one, but the comments mention problems with it.

http://codecentral.borland.com/codecentral/ccweb.exe/listing?id=17597

http://codecentral.borland.com/codecentral/ccweb.exe/listing?id=16213

LVL 1
Author Comment
by:SJohnson
Hi Barry,

Thanks for the quick response.

I've tried out the code you posted above, and I think I may have something wrong.

My username is StuartJ, our domain is PAG.  Even providing my correct password results in a failed connection.  This is the code I'm using:

  if LogonUser ('StuartJ', 'PAG', '***', LOGON32_LOGON_INTERACTIVE,
    LOGON32_PROVIDER_DEFAULT, aToken) then
  begin
    ShowMessage('Yep');
    CloseHandle(aToken);  // release the logon token when done with it
  end
  else
    ShowMessage('Nope: ' + SysErrorMessage(GetLastError));  // show why it failed

Is there anything that I need to do beforehand to ensure it connects?

Thanks again,

Stu

LVL 1
Author Comment
by:SJohnson
Barry,

Sorry, another comment to add.  I noticed that this function passes the password as clear text.  Is there a way I can do this like a challenge and response login?

Stu

LVL 17
Expert Comment
by:inthe
hi stu,
I just tested it on Win2k leaving domain as nil and it passes all passwords I try as good (even bad ones); I don't see why (I'm passing PChars). I had a look on Google and the samples I found were pretty much the same as above for general usage.
Here is how it's used in the JEDI Code Library, JclMiscel.pas, in the CreateProcessAsUser function:
if not LogonUser(PChar(UserName), PChar(UserDomain), PChar(Password),
    LOGON32_LOGON_INTERACTIVE, LOGON32_PROVIDER_DEFAULT, hUserToken) then..

Challenge response ..
I'm guessing this is how SSPI works, though as above I haven't tried it before.
For more info about SSPI see:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/security/Security/security_packages.asp

I couldn't tell on first glance if you can do challenge response with it, but I would guess someone here should know.

LVL 17
Expert Comment
by:inthe
It is a few meg, but if you download the Win32 API library from:
http://www.delphi-jedi.org/Jedi:APILIBRARY:46353
jwaNtSecApi.pas does challenge response authentication.

LVL 1
Author Comment
by:SJohnson
Hi Barry,

Mmm. Well, I don't know what I'm doing wrong.  I can get a connection regardless of what I enter in those parameters.  I'm not logged into the domain at all, so it's not like it's getting a cached connection (I dunno if that's what it's called or not, but it sounds good!).

I'll download the Jedi stuff and give that a go.

Thanks heaps,

Stu

LVL 1
Author Comment
by:SJohnson
Hi Barry,

I sorta stuffed up a tad :)  I didn't read the code properly and missed the if NOT bit at the beginning of the function.  So, it's still not working, but I can't get a connection regardless of what I enter.

Stu

LVL 12
Expert Comment
by:Lee_Nover
interesting, will need this in the future so I'm monitoring this topic :)
 
LVL 9
Expert Comment
by:ginsonic
Listening, too.

LVL 6
Expert Comment
by:zebada
This is C code that I have successfully used to authenticate clients in an n-tier app on NT.
It may help, it may not :)

#include <windows.h>

extern void userlog(const char *fmt, ...);   /* the app's own printf-style log routine */

/* Returns 0 if the OS accepts the name/password pair, -1 otherwise. */
int CheckOsLogon(const char *OSuser, const char *OSpassword)
{
  HANDLE  phToken = NULL;
  char    *lpMsgBuf = NULL;
  DWORD   errnum;
  // Check logon name and password with OS security
  if (!LogonUserA(OSuser, NULL, OSpassword,
                  LOGON32_LOGON_NETWORK,
                  LOGON32_PROVIDER_DEFAULT,
                  &phToken)) {
      errnum = GetLastError();
      FormatMessageA(FORMAT_MESSAGE_ALLOCATE_BUFFER|FORMAT_MESSAGE_FROM_SYSTEM,
                     NULL,
                     errnum,
                     MAKELANGID(LANG_NEUTRAL,SUBLANG_DEFAULT),
                     (LPSTR)&lpMsgBuf,
                     0,NULL);
      // Log the user and the reason, but never the password itself
      userlog("Logon FAILURE for user '%s',%lu - %s",OSuser,(unsigned long)errnum,
              lpMsgBuf ? lpMsgBuf : "(no message)");
      LocalFree(lpMsgBuf);

      // Slow down password guessing attacks
      Sleep(1000);
      return -1;            // no token is handed back on failure, so nothing to close
  }
  CloseHandle(phToken);     // only checking the password: release the token
  return 0;
}

LVL 17
Expert Comment
by:inthe
hi stu,
did you have any luck with any method?
I tried LogonUser at work where there is a domain and I get the opposite to you; it just accepts anything as good? I tried it using VC code and got the same results.

if you do get it working can you let us know how!  :)


LVL 7
Expert Comment
by:God_Ares
You are lacking the SE_TCB_NAME privilege.

How to get it, I don't know.

LVL 7
Accepted Solution
by:God_Ares earned 200 total points

function SetPrivilege(aPrivilegeName : string;
                      aEnabled : boolean ): boolean;
var
  TPPrev,
  TP         : TTokenPrivileges;
  Token      : THandle;
  dwRetLen   : DWord;
begin
  Result := False;
  // ADJUST_PRIVILEGES to change the token, QUERY to read back the previous state
  if not OpenProcessToken(GetCurrentProcess, TOKEN_ADJUST_PRIVILEGES
                          or TOKEN_QUERY, Token) then
    Exit;
  try
    TP.PrivilegeCount := 1;
    // Translate the name (e.g. SE_TCB_NAME = 'SeTcbPrivilege') into its LUID
    if( LookupPrivilegeValue(nil, PChar( aPrivilegeName ),
                             TP.Privileges[ 0 ].LUID ) ) then
    begin
      if( aEnabled )then
        TP.Privileges[0].Attributes:= SE_PRIVILEGE_ENABLED
      else
        TP.Privileges[0].Attributes:= 0;

      dwRetLen := 0;
      // AdjustTokenPrivileges returns True even when the account does not hold
      // the privilege (GetLastError = ERROR_NOT_ALL_ASSIGNED), so check that too
      Result := AdjustTokenPrivileges(Token,False,TP,
                                      SizeOf( TPPrev ),
                                      TPPrev,dwRetLen )
                and (GetLastError = ERROR_SUCCESS);
    end;
  finally
    CloseHandle( Token );
  end;
end;


You can't add stuff you don't have. :( + :) = :|
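A worked version of the accepted answer, added here as an example and not code from the thread: it tries to enable SE_TCB_NAME with the SetPrivilege function posted above (assumed to be in the same unit), validates the credentials with a network logon, and maps the common GetLastError values to a reason the application can log. The names NtLogon, Token and Reason are my own.

```delphi
uses Windows, SysUtils;

// Added example (not from the thread). Assumes SetPrivilege from the accepted
// answer above is in the same unit. Checks User/Password against Domain and,
// on failure, returns a reason the application may log. On success the caller
// owns Token and must CloseHandle it.
function NtLogon(const User, Domain, Password: string;
  out Token: THandle; out Reason: string): Boolean;
var
  Err: DWORD;
begin
  Token := 0;
  // NT4/2000 require SE_TCB_NAME ("Act as part of the operating system") for
  // LogonUser. Enabling it only works if the account already holds it; if not,
  // the call below fails with ERROR_PRIVILEGE_NOT_HELD and says so.
  SetPrivilege(SE_TCB_NAME, True);
  // A network logon is enough to validate a password and does not need the
  // "log on locally" right that LOGON32_LOGON_INTERACTIVE requires.
  Result := LogonUser(PChar(User), PChar(Domain), PChar(Password),
    LOGON32_LOGON_NETWORK, LOGON32_PROVIDER_DEFAULT, Token);
  if Result then
  begin
    Reason := 'ok';
    Exit;
  end;
  Err := GetLastError;
  case Err of
    ERROR_PRIVILEGE_NOT_HELD:
      Reason := 'process lacks SE_TCB_NAME (run the check as a service/LocalSystem)';
    ERROR_LOGON_FAILURE:
      Reason := 'unknown user name or bad password';
    ERROR_LOGON_TYPE_NOT_GRANTED:
      Reason := 'account is not allowed this logon type';
  else
    Reason := SysErrorMessage(Err);
  end;
  // Log User and Reason only, never Password, and slow down a caller that
  // retries on failure so guessing is not cheap.
  Sleep(1000);
end;
```

On Windows XP and later LogonUser no longer needs SE_TCB_NAME, so the SetPrivilege call becomes a harmless no-op there.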
 
LVL 1
Author Comment
by:SJohnson
Hi Folks,

Sorry for how long it's taken for me to write back in here again.  It's been almost 3 months!  How slack of me.

OK, this is still an issue, and to answer all your questions, no I haven't got this going.

I'm still interested in getting help on this if you're still willing to provide it.

I think the reason I haven't been back is because I haven't got any notifications on this message.  It may be because my email address is invalid.  I'll check it out.

Sorry about this.

Stu

LVL 7
Expert Comment
by:God_Ares
Did you try all the examples? In my case I seem to be lacking the SE_TCB_NAME privilege.

LVL 1
Author Comment
by:SJohnson
Hi,

I still haven't got this going, still haven't got email notifications EVER from EE about any of my questions.

I'm sorry about how long it's taken to get back to this.  I hardly use EE anymore.  It's pointless when I don't get notified of new posts.

I don't know what to do with this any more.  It's still more or less relevant to me, but no longer a priority.  I might just grade the question and ask about it later when I need to get it going.

Cheers,

Stu.

LVL 1
Author Comment
by:SJohnson
Although this still doesn't really work, I'm going to give you the points just to clear up the question.

Cheers,

Stu.