  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 257

Using NT to authenticate users

Hi People,

With our current application, we store a list of profiles for users within a database.  If that user doesn't exist, the application terminates.  What we want to do is replicate that but using NT Authentication.

If someone is logged into the domain, then our application uses that person's NT account.  If the account doesn't exist, we want to present them with a login dialog so they can connect to the domain and then proceed as normal.

Is this possible to do?

Cheers,

Stu
Asked by: SJohnson

1 Solution

inthe Commented:
Hi Stu,
You can use the API LogonUser(); you need the Act As Part Of The Operating System privilege to call it.

I don't have a domain to give a working example, but there should be plenty about; it goes something like:

var
  aToken : THandle;
begin
  if LogonUser('name', nil, 'password', LOGON32_LOGON_INTERACTIVE,
               LOGON32_PROVIDER_DEFAULT, aToken) then
  begin
    { .. use aToken here .. }
    CloseHandle(aToken); // release the token when done with it
  end;
end;


Also, you could use the newer SSPI (Security Support Provider Interface). Colin Wilson translated the MS example to Delphi and posted it in Borland's Code Central. I'll try to find the link.
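An added example, not code from this thread or from any of its posters: a LogonUser wrapper that records why a logon failed (the GetLastError value, which the snippets above never look at) and, on success, proves the token is usable by impersonating it and reading the user name back. It also answers the first half of the question (is someone already logged on to a domain?) via GetUserName and the USERDOMAIN variable. The unit, record and function names are this example's own, and it assumes Delphi 6 or later for SysUtils.GetEnvironmentVariable.

```delphi
unit NtLogonCheck;
// Added example (not from the thread). Names here are the example's own.
// Assumes Delphi 6+ for SysUtils.GetEnvironmentVariable.

interface

uses
  Windows, SysUtils;

type
  TLogonOutcome = record
    Success: Boolean;
    ErrorCode: DWORD;      // GetLastError after a failed LogonUser, else 0
    ErrorText: string;     // human-readable reason
    VerifiedUser: string;  // GetUserName seen while impersonating the token
  end;

function CurrentDomainUser(out Domain, User: string): Boolean;
function DescribeLogonError(Code: DWORD): string;
function TryDomainLogon(const User, Domain, Password: string): TLogonOutcome;

implementation

// Who is already logged on? USERDOMAIN equals the machine name for a local
// (non-domain) logon, so the caller can decide whether a dialog is needed.
function CurrentDomainUser(out Domain, User: string): Boolean;
var
  Buf: array[0..255] of Char;
  Len: DWORD;
begin
  Len := Length(Buf);
  Result := GetUserName(Buf, Len);
  if Result then
  begin
    User := Buf;
    Domain := GetEnvironmentVariable('USERDOMAIN');
  end;
end;

// The two failures this thread keeps hitting, made actionable; anything
// else falls through to the system's own message text.
function DescribeLogonError(Code: DWORD): string;
begin
  case Code of
    ERROR_LOGON_FAILURE:
      Result := 'Unknown user name, wrong domain or bad password';
    ERROR_PRIVILEGE_NOT_HELD:
      Result := 'Process lacks SeTcbPrivilege (LogonUser needs it on NT4/2000)';
  else
    Result := SysErrorMessage(Code);
  end;
end;

function TryDomainLogon(const User, Domain, Password: string): TLogonOutcome;
var
  Token: THandle;
  Buf: array[0..255] of Char;
  Len: DWORD;
begin
  Result.Success := False;
  Result.ErrorCode := 0;
  Result.ErrorText := '';
  Result.VerifiedUser := '';
  Token := 0;
  // LOGON32_LOGON_NETWORK validates credentials without needing the
  // "log on locally" right that LOGON32_LOGON_INTERACTIVE requires.
  if not LogonUser(PChar(User), PChar(Domain), PChar(Password),
                   LOGON32_LOGON_NETWORK, LOGON32_PROVIDER_DEFAULT, Token) then
  begin
    Result.ErrorCode := GetLastError;   // read before anything overwrites it
    Result.ErrorText := DescribeLogonError(Result.ErrorCode);
    Sleep(1000);                        // slow down password guessing
    Exit;
  end;
  try
    // Impersonate the new token and read the name back: if it is not the
    // account we asked for, "success" did not mean what we assumed.
    if ImpersonateLoggedOnUser(Token) then
    try
      Len := Length(Buf);
      if GetUserName(Buf, Len) then
        Result.VerifiedUser := Buf;
    finally
      RevertToSelf;
    end;
    Result.Success := SameText(Result.VerifiedUser, User);
    if not Result.Success then
      Result.ErrorText := 'Token did not impersonate the requested user';
  finally
    CloseHandle(Token);
  end;
end;

end.
```

Call CurrentDomainUser first; only if it reports a local logon (or the profile lookup fails) show the dialog and call TryDomainLogon. When Success is False, show ErrorText rather than a bare "Nope": ERROR_PRIVILEGE_NOT_HELD points at the missing SeTcbPrivilege discussed later in this thread, ERROR_LOGON_FAILURE at the credentials themselves.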
inthe Commented:
Here are the SSPI links; the first one is newer, Colin's is the second one, but the comments mention problems with it:

http://codecentral.borland.com/codecentral/ccweb.exe/listing?id=17597

http://codecentral.borland.com/codecentral/ccweb.exe/listing?id=16213
SJohnson (Author) Commented:
Hi Barry,

Thanks for the quick response.

I've tried out the code you posted above, and I think I may have something wrong.

My username is StuartJ, our domain is PAG.  Even providing my correct password results in a failed connection.  This is the code I'm using:

  if LogonUser ('StuartJ', 'PAG', '***', LOGON32_LOGON_INTERACTIVE,
    LOGON32_PROVIDER_DEFAULT, aToken) then
    ShowMessage('Yep')
  else
    ShowMessage('Nope');

Is there anything that I need to do beforehand to ensure it connects?

Thanks again,

Stu
SJohnson (Author) Commented:
Barry,

Sorry, another comment to add.  I noticed that this function passes the password as clear text.  Is there a way I can do this like a challenge-and-response login?

Stu
inthe Commented:
Hi Stu,
I just tested it on Win2k leaving domain as nil and it passes all passwords I try as good (even bad ones); I don't see why (I'm passing PChars). I had a look on Google and the samples I found were pretty much the same as above for general usage.
Here is how it's used in the JEDI Code Library, JclMiscel.pas, in the CreateProcessAsUser function:

  if not LogonUser(PChar(UserName), PChar(UserDomain), PChar(Password),
                   LOGON32_LOGON_INTERACTIVE, LOGON32_PROVIDER_DEFAULT, hUserToken) then ..

Challenge response ..
I'm guessing this is how SSPI works, though as above I haven't tried it before.
For more info about SSPI see:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/security/Security/security_packages.asp

I couldn't tell on first glance if you can do challenge-response with it, but I would guess someone here should know.
inthe Commented:
It is a few meg, but if you download the Win32 API library from:
http://www.delphi-jedi.org/Jedi:APILIBRARY:46353
jwaNtSecApi.pas does challenge-response authentication.
SJohnson (Author) Commented:
Hi Barry,

Mmm. Well, I don't know what I'm doing wrong.  I can get a connection regardless of what I enter in those parameters.  I'm not logged into the domain at all, so it's not like it's getting a cached connection (I dunno if that's what it's called or not, but it sounds good!).

I'll download the Jedi stuff and give that a go.

Thanks heaps,

Stu
SJohnson (Author) Commented:
Hi Barry,

I sorta stuffed up a tad :)  I didn't read the code properly and missed the if NOT bit at the beginning of the function.  So, it's still not working, but I can't get a connection regardless of what I enter.

Stu
Lee_Nover Commented:
interesting, will need this in the future so I'm monitoring this topic :)
ginsonic Commented:
Listening, too.
zebada Commented:
This is C code that I have successfully used to authenticate clients in an n-tier app on NT.
It may help, it may not :)

  HANDLE  phToken = NULL;
  char    *lpMsgBuf = NULL;
  DWORD   errnum;
  // Check logon name and password with OS security
  if (!LogonUser(OSuser, NULL, OSpassword,
                 LOGON32_LOGON_NETWORK,
                 LOGON32_PROVIDER_DEFAULT,
                 &phToken)) {
      errnum = GetLastError();   // read before any other call can overwrite it
      FormatMessage(FORMAT_MESSAGE_ALLOCATE_BUFFER|FORMAT_MESSAGE_FROM_SYSTEM,
                    NULL,
                    errnum,
                    MAKELANGID(LANG_NEUTRAL,SUBLANG_DEFAULT),
                    (LPTSTR)&lpMsgBuf,
                    0,NULL);
      // Log the reason, but never the password itself
      userlog("Logon FAILURE for user '%s',%d - %s",OSuser,errnum,lpMsgBuf);
      if (lpMsgBuf) LocalFree(lpMsgBuf);

      // Slow down password guessing attacks
      Sleep(1000);
      // No token is returned on failure, so there is nothing to close here
      return -1;
  }
  CloseHandle(phToken);
  return 0;
inthe Commented:
Hi Stu,
Did you have any luck with any method?
I tried LogonUser at work where there is a domain and I get the opposite to you: it just accepts anything as good? I tried it using VC code and got the same results.

If you do get it working can you let us know how!  :)

God_Ares Commented:
You are lacking the SE_TCB_NAME privilege.

How to get it, I don't know.
God_Ares Commented:

function SetPrivilege(aPrivilegeName : string;
                      aEnabled : boolean ): boolean;
var
  TPPrev,
  TP         : TTokenPrivileges;
  Token      : THandle;
  dwRetLen   : DWord;
begin
  Result := False;
  // Open our own process token with the rights needed to adjust privileges
  if not OpenProcessToken(GetCurrentProcess, TOKEN_ADJUST_PRIVILEGES
                          or TOKEN_QUERY, Token) then
    Exit;
  try
    TP.PrivilegeCount := 1;
    if LookupPrivilegeValue(nil, PChar(aPrivilegeName),
                            TP.Privileges[0].Luid) then
    begin
      if aEnabled then
        TP.Privileges[0].Attributes := SE_PRIVILEGE_ENABLED
      else
        TP.Privileges[0].Attributes := 0;

      dwRetLen := 0;
      // AdjustTokenPrivileges returns True even when the token does not hold
      // the privilege at all; GetLastError is ERROR_NOT_ALL_ASSIGNED then
      Result := AdjustTokenPrivileges(Token, False, TP,
                                      SizeOf(TPPrev),
                                      TPPrev, dwRetLen)
                and (GetLastError = ERROR_SUCCESS);
    end;
  finally
    CloseHandle(Token);
  end;
end;


You can't add stuff you don't have. :( + :) = :|
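An added example, not code from this thread or its posters, for the point just made: before calling a SetPrivilege-style helper, read the process token's privilege list so you can tell "SeTcbPrivilege is present but disabled" (which enabling fixes) from "not granted to this account at all" (which only an administrator assigning the right can fix). QueryPrivilege and TPrivilegeState are this example's own names; it assumes Delphi 6 or later (RaiseLastOSError) where TLargeInteger is an Int64.

```delphi
unit PrivilegeQuery;
// Added example (not from the thread). Names here are the example's own.
// Assumes Delphi 6+ (RaiseLastOSError) and TLargeInteger = Int64.

interface

uses
  Windows, SysUtils;

type
  TPrivilegeState = (psNotHeld, psHeldDisabled, psHeldEnabled);

function QueryPrivilege(const PrivilegeName: string): TPrivilegeState;

implementation

{$R-} // Privileges[] is declared with one element; the real block is larger

function QueryPrivilege(const PrivilegeName: string): TPrivilegeState;
var
  Token: THandle;
  Wanted: TLargeInteger;
  Needed: DWORD;
  Privs: PTokenPrivileges;
  I: Integer;
begin
  Result := psNotHeld;
  // Translate the name (SE_TCB_NAME = 'SeTcbPrivilege') into the LUID the
  // token actually stores; LUIDs are assigned per boot, so never hard-code them.
  if not LookupPrivilegeValue(nil, PChar(PrivilegeName), Wanted) then
    RaiseLastOSError;
  if not OpenProcessToken(GetCurrentProcess, TOKEN_QUERY, Token) then
    RaiseLastOSError;
  try
    // First call with a nil buffer only reports the size required
    Needed := 0;
    GetTokenInformation(Token, TokenPrivileges, nil, 0, Needed);
    if Needed = 0 then
      RaiseLastOSError;
    GetMem(Privs, Needed);
    try
      if not GetTokenInformation(Token, TokenPrivileges, Privs, Needed, Needed) then
        RaiseLastOSError;
      // Walk the list; a privilege that is absent here cannot be enabled
      for I := 0 to Integer(Privs^.PrivilegeCount) - 1 do
        if Privs^.Privileges[I].Luid = Wanted then
        begin
          if (Privs^.Privileges[I].Attributes and SE_PRIVILEGE_ENABLED) <> 0 then
            Result := psHeldEnabled
          else
            Result := psHeldDisabled;
          Break;
        end;
    finally
      FreeMem(Privs);
    end;
  finally
    CloseHandle(Token);
  end;
end;

end.
```

Call QueryPrivilege(SE_TCB_NAME) before SetPrivilege(SE_TCB_NAME, True). If it returns psNotHeld, AdjustTokenPrivileges will still return True while GetLastError reports ERROR_NOT_ALL_ASSIGNED, which is exactly the "you can't add stuff you don't have" case; the fix is to grant the "Act as part of the operating system" right to the account in the local security policy, or to run the logon from a service account that already has it.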
SJohnson (Author) Commented:
Hi Folks,

Sorry for how long it's taken for me to write back in here again.  It's been almost 3 months!  How slack of me.

OK, this is still an issue, and to answer all your questions, no I haven't got this going.

I'm still interested in getting help on this if you're still willing to provide it.

I think the reason I haven't been back is because I haven't got any notifications on this message.  It maybe because my email address is invalid.  I'll check it out.

Sorry about this.

Stu
God_Ares Commented:
Did you try all the examples? In my case I seem to be lacking the SE_TCB_NAME privilege.
SJohnson (Author) Commented:
Hi,

I still haven't got this going, still haven't got email notifications EVER from EE about any of my questions.

I'm sorry about how long it's taken to get back to this.  I hardly use EE anymore.  It's pointless when I don't get notified of new posts.

I don't know what to do with this any more.  It's still more or less relevant to me, but no longer a priority.  I might just grade the question and ask about it later when I need to get it going.

Cheers,

Stu.
SJohnson (Author) Commented:
Although this still doesn't really work, I'm going to give you the points just to clear up the question.

Cheers,

Stu.