Solved

Using NT to authenticate users

Posted on 2002-04-28
19
240 Views
Last Modified: 2010-04-04
Hi People,

With our current application, we store a list of profiles for users within a database.  If that user doesn't exist, the application terminates.  What we want to do is replicate that but using NT Authentication.

If someone is logged into the domain, then our application uses that person's NT account.  If the account doesn't exist, we want to present them with a login dialog so they can connect to the domain and then proceed as normal.

Is this possible to do?

Cheers,

Stu
0
Comment
Question by:SJohnson
19 Comments
 
LVL 17

Expert Comment

by:inthe
ID: 6975975
hi stu,
You can use the API LogonUser(); you need the
"Act As Part Of The Operating System" privilege to call it.

I don't have a domain to give a working example, but there should be plenty about. It goes something like:

var
  aToken: THandle;
begin
  if LogonUser('name', nil, 'password', LOGON32_LOGON_INTERACTIVE,
               LOGON32_PROVIDER_DEFAULT, aToken) then
  begin
    // ... use aToken (e.g. ImpersonateLoggedOnUser), then release it
    CloseHandle(aToken);
  end;
end;


Also you could use the newer SSPI (Security Support Provider Interface). Colin Wilson translated the MS example to Delphi and posted it in Borland's Code Central. I'll try to find the link.
0
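The flow the question asks for, as an added example that is not part of this thread or of anyone's posted code: detect whether the process already runs under a domain account, and if not validate typed-in credentials with LogonUser and classify the failure. It assumes Delphi 5 or later with the standard Windows.pas (which declares LogonUser, the LOGON32_* constants and the ERROR_* codes used). The user name StuartJ and domain PAG are taken from the thread; the password is a placeholder. Two points worth knowing: LogonUser takes the password in clear but only hands it to the local LSA, which then runs the normal NTLM challenge/response or Kerberos exchange with the domain controller, so the plaintext never goes over the wire; and on NT 4.0 / Windows 2000 the calling process must hold SeTcbPrivilege, otherwise LogonUser fails with ERROR_PRIVILEGE_NOT_HELD (1314), which the example reports separately from a bad password (ERROR_LOGON_FAILURE, 1326).

```delphi
program NtLogonCheck;
{$APPTYPE CONSOLE}
{ Added example (not from the thread). Assumes Delphi 5+ with the standard
  Windows.pas, which declares LogonUser, the LOGON32_* constants and the
  ERROR_* codes used below. }
uses
  Windows, SysUtils;

type
  TLogonOutcome = (loOk, loBadCredentials, loNoTcbPrivilege, loOtherError);

{ True when the process token belongs to a domain account: the authority
  LookupAccountSid returns is then a domain name, not this computer's name. }
function CurrentLogonIsDomainAccount(out Domain, User: string): Boolean;
var
  Token: THandle;
  Needed, NameLen, DomLen, CompLen: DWORD;
  TU: PTokenUser;
  Use: SID_NAME_USE;
  NameBuf, DomBuf: array[0..255] of Char;
  Comp: array[0..MAX_COMPUTERNAME_LENGTH] of Char;
  CompStr: string;
begin
  Result := False;
  Domain := '';
  User := '';
  if not OpenProcessToken(GetCurrentProcess, TOKEN_QUERY, Token) then Exit;
  try
    Needed := 0;
    GetTokenInformation(Token, TokenUser, nil, 0, Needed); // sizing call only
    if Needed = 0 then Exit;
    GetMem(TU, Needed);
    try
      if not GetTokenInformation(Token, TokenUser, TU, Needed, Needed) then Exit;
      NameLen := Length(NameBuf);
      DomLen := Length(DomBuf);
      if not LookupAccountSid(nil, TU.User.Sid, NameBuf, NameLen,
                              DomBuf, DomLen, Use) then Exit;
    finally
      FreeMem(TU);
    end;
  finally
    CloseHandle(Token);
  end;
  User := NameBuf;
  Domain := DomBuf;
  CompLen := Length(Comp);
  if not GetComputerName(Comp, CompLen) then Exit;
  CompStr := Comp;
  // A local account's "domain" is the machine name; anything else is a domain.
  Result := not SameText(Domain, CompStr);
end;

{ Validate explicit credentials. The password goes to the local LSA in clear;
  the LSA then does NTLM challenge/response or Kerberos with the DC. }
function TryNtLogon(const User, Domain, Password: string;
  out Err: DWORD): TLogonOutcome;
var
  Token: THandle;
  DomainPtr: PChar;
begin
  Err := 0;
  Token := 0;
  if Domain = '' then DomainPtr := nil else DomainPtr := PChar(Domain);
  if LogonUser(PChar(User), DomainPtr, PChar(Password),
               LOGON32_LOGON_NETWORK, LOGON32_PROVIDER_DEFAULT, Token) then
  begin
    CloseHandle(Token); // only a yes/no was wanted, so drop the token
    Result := loOk;
    Exit;
  end;
  Err := GetLastError; // read immediately, before any other API call
  case Err of
    ERROR_LOGON_FAILURE:      Result := loBadCredentials; // 1326
    ERROR_PRIVILEGE_NOT_HELD: Result := loNoTcbPrivilege; // 1314, NT4/Win2K
  else
    Result := loOtherError;
  end;
end;

var
  Dom, Usr: string;
  Err: DWORD;
begin
  if CurrentLogonIsDomainAccount(Dom, Usr) then
    Writeln('Using interactive domain account ', Dom, '\', Usr)
  else
    // Not a domain logon: this is where the login dialog would be shown.
    // 'StuartJ' and 'PAG' come from the thread; the password is made up.
    case TryNtLogon('StuartJ', 'PAG', 'not-the-real-password', Err) of
      loOk:             Writeln('Logon OK');
      loBadCredentials: Writeln('Bad user name or password (', Err, ')');
      loNoTcbPrivilege: Writeln('Caller lacks SeTcbPrivilege (', Err, ')');
    else
      Writeln('LogonUser failed: ', SysErrorMessage(Err));
    end;
end.
```

A failed LogonUser does not hand back a token, so there is nothing to close on that path; on success the token is closed unless the application goes on to impersonate with it. Because the outcome is classified from GetLastError, a "passes everything" or "fails everything" result like the ones reported later in the thread shows up as a concrete error code instead of a bare Yep/Nope.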
 
LVL 17

Expert Comment

by:inthe
ID: 6976007
Here are the SSPI links;
the first one is newer, Colin's is the second one, but the comments mention problems with it.

http://codecentral.borland.com/codecentral/ccweb.exe/listing?id=17597

http://codecentral.borland.com/codecentral/ccweb.exe/listing?id=16213
0
 
LVL 1

Author Comment

by:SJohnson
ID: 6976013
Hi Barry,

Thanks for the quick response.

I've tried out the code you posted above, and I think I may have something wrong.

My username is StuartJ, our domain is PAG.  Even providing my correct password results in a failed connection.  This is the code I'm using:

  if LogonUser ('StuartJ', 'PAG', '***', LOGON32_LOGON_INTERACTIVE,
    LOGON32_PROVIDER_DEFAULT, aToken) then
    ShowMessage('Yep')
  else
    ShowMessage('Nope');

Is there anything that I need to do before hand to ensure it connects?

Thanks again,

Stu
0
 
LVL 1

Author Comment

by:SJohnson
ID: 6976020
Barry,

Sorry, another comment to add.  I noticed that this function passes the password as clear text.  Is there a way I can do this like a challenge and response login?

Stu
0
 
LVL 17

Expert Comment

by:inthe
ID: 6976145
hi stu,
I just tested it on Win2K leaving domain as nil and it passes all passwords I try as good (even bad ones); I don't see why (I'm passing PChars). I had a look on Google and the samples I found were pretty much the same as above for general usage.
Here is how it's used in the JEDI Code Library, JclMiscel.pas, in the CreateProcessAsUser function:
if not LogonUser(PChar(UserName), PChar(UserDomain), PChar(Password),
    LOGON32_LOGON_INTERACTIVE, LOGON32_PROVIDER_DEFAULT, hUserToken) then..

Challenge response ...
I'm guessing this is how SSPI works, though as above I haven't tried it before.
For more info about SSPI see:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/security/Security/security_packages.asp

I couldn't tell on first glance if you can do challenge response with it, but I would guess someone here should know.
0
 
LVL 17

Expert Comment

by:inthe
ID: 6976160
It is a few MB, but if you download the Win32 API library from:
http://www.delphi-jedi.org/Jedi:APILIBRARY:46353
JwaNtSecApi.pas does challenge response authentication.
0
 
LVL 1

Author Comment

by:SJohnson
ID: 6976176
Hi Barry,

Mmm. Well, I don't know what I'm doing wrong.  I can get a connection regardless of what I enter in those parameters.  I'm not logged into the domain at all, so it's not like it's getting a cached connection (I dunno if that's what it's called or not, but it sounds good!).

I'll download the Jedi stuff and give that a go.

Thanks heaps,

Stu
0
 
LVL 1

Author Comment

by:SJohnson
ID: 6976183
Hi Barry,

I sort of stuffed up a tad :)  I didn't read the code properly and missed the "if not" bit at the beginning of the function.  So, it's still not working, but now I can't get a connection regardless of what I enter.

Stu
0
 
LVL 12

Expert Comment

by:Lee_Nover
ID: 6976268
interesting, will need this in the future so I'm monitoring this topic :)
0
 
LVL 9

Expert Comment

by:ginsonic
ID: 6976290
Listening, too.
0
 
LVL 6

Expert Comment

by:zebada
ID: 6976797
This is C code that I have successfully used to authenticate clients in an n-tier app on NT.
It may help, it may not :)

#include <windows.h>

/* userlog() is the application's own logging routine (not shown here). */
extern void userlog(const char *fmt, ...);

/* Check logon name and password with OS security.
   Returns 0 when the credentials are valid, -1 otherwise. */
static int os_authenticate(const char *OSuser, const char *OSpassword)
{
  HANDLE  phToken  = NULL;   /* only valid after a successful LogonUser */
  char    *lpMsgBuf = NULL;
  DWORD   errnum;

  if (!LogonUser(OSuser, NULL, OSpassword,
                 LOGON32_LOGON_NETWORK,
                 LOGON32_PROVIDER_DEFAULT,
                 &phToken)) {
      errnum = GetLastError();          /* read before any other API call */
      FormatMessage(FORMAT_MESSAGE_ALLOCATE_BUFFER|FORMAT_MESSAGE_FROM_SYSTEM,
                    NULL,
                    errnum,
                    MAKELANGID(LANG_NEUTRAL,SUBLANG_DEFAULT),
                    (LPTSTR)&lpMsgBuf,
                    0,NULL);
      /* Log the user and the error only; the password must never reach a log. */
      userlog("Logon FAILURE for user '%s',%d - %s", OSuser, errnum,
              lpMsgBuf ? lpMsgBuf : "(no message)");
      LocalFree(lpMsgBuf);

      /* Slow down password guessing attacks */
      Sleep(1000);
      /* LogonUser returned no token on failure, so there is nothing to close. */
      return -1;
  }
  CloseHandle(phToken);
  return 0;
}
0
 
LVL 17

Expert Comment

by:inthe
ID: 6982844
hi stu,
did you have any luck with any method?
I tried LogonUser at work where there is a domain and I get the opposite to you: it just accepts anything as good? I tried it using VC code and got the same results.

if you do get it working can you let us know how!  :)

0
 
LVL 7

Expert Comment

by:God_Ares
ID: 6988243
You are lacking the SE_TCB_NAME privilege.

How to get it, I don't know.
0
 
LVL 7

Expert Comment

by:God_Ares
ID: 6988348
0
 
LVL 7

Accepted Solution

by:
God_Ares earned 200 total points
ID: 6990951

uses
  Windows;

function SetPrivilege(aPrivilegeName : string;
                      aEnabled : boolean ): boolean;
var
  TPPrev,
  TP         : TTokenPrivileges;
  Token      : THandle;
  dwRetLen   : DWord;
begin
  Result := False;
  if not OpenProcessToken(GetCurrentProcess, TOKEN_ADJUST_PRIVILEGES
                          or TOKEN_QUERY, Token) then
    Exit;

  TP.PrivilegeCount := 1;
  if LookupPrivilegeValue(nil, PChar(aPrivilegeName),
                          TP.Privileges[0].LUID) then
  begin
    if aEnabled then
      TP.Privileges[0].Attributes := SE_PRIVILEGE_ENABLED
    else
      TP.Privileges[0].Attributes := 0;

    dwRetLen := 0;
    // AdjustTokenPrivileges returns True even when the privilege is not in
    // the token; GetLastError = ERROR_NOT_ALL_ASSIGNED is the real answer.
    Result := AdjustTokenPrivileges(Token, False, TP,
                                    SizeOf(TPPrev),
                                    TPPrev, dwRetLen)
              and (GetLastError = ERROR_SUCCESS);
  end;

  CloseHandle(Token);
end;


You can't add stuff you don't have. :( + :) = :|
0
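An added example (not from the thread or the accepted answer) that shows what "you can't add stuff you don't have" looks like in practice: list the privileges the process token actually contains, then try to enable SeTcbPrivilege and read the real outcome. AdjustTokenPrivileges returns True even when the privilege is not in the token; only GetLastError = ERROR_NOT_ALL_ASSIGNED (1300) tells you it was not. It assumes Delphi 5 or later with the standard Windows.pas, where SE_TCB_NAME = 'SeTcbPrivilege' is declared.

```delphi
program TokenPrivCheck;
{$APPTYPE CONSOLE}
{$R-} { Privileges[] is declared as array[0..0]; we index past it on purpose }
{ Added example (not from the thread). Assumes Delphi 5+ with the standard
  Windows.pas; SE_TCB_NAME and ERROR_NOT_ALL_ASSIGNED come from there. }
uses
  Windows, SysUtils;

{ Print every privilege in the process token with its state. SeTcbPrivilege
  has to appear in this list (assigned by policy) before it can be enabled. }
procedure ListTokenPrivileges;
var
  Token: THandle;
  Needed, NameLen: DWORD;
  TP: PTokenPrivileges;
  I: Integer;
  Name: array[0..127] of Char;
  PrivName, State: string;
begin
  if not OpenProcessToken(GetCurrentProcess, TOKEN_QUERY, Token) then
    RaiseLastWin32Error;
  try
    Needed := 0;
    GetTokenInformation(Token, TokenPrivileges, nil, 0, Needed); // sizing call
    GetMem(TP, Needed);
    try
      if not GetTokenInformation(Token, TokenPrivileges, TP, Needed, Needed) then
        RaiseLastWin32Error;
      for I := 0 to Integer(TP.PrivilegeCount) - 1 do
      begin
        NameLen := Length(Name);
        if not LookupPrivilegeName(nil, TP.Privileges[I].Luid, Name, NameLen) then
          Continue;
        PrivName := Name;
        if TP.Privileges[I].Attributes and SE_PRIVILEGE_ENABLED <> 0 then
          State := 'enabled'
        else
          State := 'disabled';
        Writeln(State:9, '  ', PrivName);
      end;
    finally
      FreeMem(TP);
    end;
  finally
    CloseHandle(Token);
  end;
end;

{ Try to enable one privilege and report the real result code. }
function TryEnablePrivilege(const PrivName: string; out Err: DWORD): Boolean;
var
  Token: THandle;
  TP, Prev: TTokenPrivileges;
  RetLen: DWORD;
begin
  Result := False;
  Err := 0;
  if not OpenProcessToken(GetCurrentProcess,
                          TOKEN_ADJUST_PRIVILEGES or TOKEN_QUERY, Token) then
  begin
    Err := GetLastError;
    Exit;
  end;
  try
    TP.PrivilegeCount := 1;
    TP.Privileges[0].Attributes := SE_PRIVILEGE_ENABLED;
    if not LookupPrivilegeValue(nil, PChar(PrivName), TP.Privileges[0].Luid) then
    begin
      Err := GetLastError;
      Exit;
    end;
    RetLen := 0;
    AdjustTokenPrivileges(Token, False, TP, SizeOf(Prev), Prev, RetLen);
    // ERROR_SUCCESS, ERROR_NOT_ALL_ASSIGNED, or a genuine failure code
    Err := GetLastError;
    Result := Err = ERROR_SUCCESS;
  finally
    CloseHandle(Token);
  end;
end;

var
  Err: DWORD;
begin
  ListTokenPrivileges;
  if TryEnablePrivilege(SE_TCB_NAME, Err) then
    Writeln('SeTcbPrivilege enabled for this process')
  else if Err = ERROR_NOT_ALL_ASSIGNED then
    Writeln('SeTcbPrivilege is not assigned to this account (error 1300)')
  else
    Writeln('Could not enable SeTcbPrivilege: ', SysErrorMessage(Err));
end.
```

If SeTcbPrivilege is missing from the listing, enabling it can never succeed from inside the process: it has to be granted to the account under Local Security Policy, User Rights Assignment, "Act as part of the operating system", and the user has to log on again, because privileges are fixed in the token when it is created at logon.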
 
LVL 1

Author Comment

by:SJohnson
ID: 7168621
HI Folks,

Sorry for how long it's taken for me to write back in here again.  It's been almost 3 months!  How slack of me.

OK, this is still an issue, and to answer all your questions, no I haven't got this going.

I'm still interested in getting help on this if you're still willing to provide it.

I think the reason I haven't been back is because I haven't got any notifications on this message.  It maybe because my email address is invalid.  I'll check it out.

Sorry about this.

Stu
0
 
LVL 7

Expert Comment

by:God_Ares
ID: 7169129
Did you try all the examples? In my case I seem to be lacking the SE_TCB_NAME privilege.
0
 
LVL 1

Author Comment

by:SJohnson
ID: 8062465
Hi,

I still haven't got this going, still haven't got email notifications EVER from EE about any of my questions.

I'm sorry about how long it's taken to get back to this.  I hardly use EE anymore.  It's pointless when I don't get notified of new posts.

I don't know what to do with this any more.  It's still more or less relevant to me, but no longer a priority.  I might just grade the question and ask about it later when I need to get it going.

Cheers,

Stu.
0
 
LVL 1

Author Comment

by:SJohnson
ID: 8062466
Although this still doesn't really work, I'm going to give you the points just to clear up the question.

Cheers,

Stu.
0
