Solved

Request NTLM username/password from ASP

Posted on 2002-06-28
Last Modified: 2008-03-17
I want to be able to request a user's credentials at a certain point in a web intranet application.

I don't actually need to know the username/password, just that they have entered it into a dialog box correctly.

Unfortunately I am not allowed to use Basic authentication on the web servers. (Only NTLM authentication). So by default, the user is automatically authenticated by IIS using NTLM...

The reason behind this is that I have a requirement to ensure it is actually the user (whom we have picked up using AUTH_USER) who is accessing the application. I need them to re-key their password, as it will be used almost like a signature. (So I know it was actually them, and not someone who had just sat down at an unattended machine.)

I hope this is clear, but if it is vague at all, please ask any clarifying questions.

I'm happy to embed ActiveX controls if required... But it should be deliverable by ASP...

Good luck.
Dave.
0
Question by:davebeer

Expert Comment

by:MisConFit8
ID: 7117717
You have quite a few options; this is just one:

Have them enter the user's credentials on one page, pass the values to an "action" page that only performs functionality (this way no one will be able to view source to get the users' passwords). In this action page, you can compare that value (entered as their signature) to the value in Request.ServerVariables("AUTH_PASSWORD"). If the 2 sets of values are equal, then it's good!
Hope that helps.
Mis
0
 

Author Comment

by:davebeer
ID: 7118202
That would work using Basic authentication. But under NTLM authentication the AUTH_PASSWORD variable is blank, so I don't think that would work.

Unless there is a Win32 call I could call from a COM component to check the user credentials I have collected using an ASP form against the domain account?

Perhaps another one of those options you were mentioning might be more suitable.
0
 
LVL 25

Accepted Solution

by:
clockwatcher earned 250 total points
ID: 7119369
Check the results of the LogonUser Win32 API function call.

The call requires a couple of permissions to get it to work.  The process making the call requires the SE_TCB_NAME privilege.  Since it's being called from within IIS or from within a process that inherits its permission token from IIS, it should be fine.  The second requirement is that the user account making the call has been granted the Act as Part of the Operating System privilege.  If your ASP app is in-process, then you'll be calling it as System which should be fine.  If your ASP app is out-of-process (pooled or isolated), it's running as IWAM_computername by default (or whoever you set up your app/pooled app to run as within MTS).  If that's the case, you'd have to grant Act as OS to that account from within User Manager.  

Fortunately, MS put together an article on it.  See the following:

  http://support.microsoft.com/default.aspx?scid=kb;en-us;Q248187

In your case, you don't have to actually impersonate the user (as the article shows).  You can ignore the portions dealing with ImpersonateUser and RevertToSelf.  You just need to check the result of the call to LogonUser and make sure it returns non-zero.  If it does, then it was a successful username/password combination.

Here's the sample from the above article modified a bit:

---------------------------------


Standard Module -- LoginAPIs.bas

  'validates a username/password pair; returns non-zero on success
  Public Declare Function LogonUser Lib "advapi32.dll" _
                 Alias "LogonUserA" (ByVal lpszUsername As String, _
                 ByVal lpszDomain As String, ByVal lpszPassword As String, _
                 ByVal dwLogonType As Long, ByVal dwLogonProvider As Long, _
                 phToken As Long) As Long

  'releases the token handle that LogonUser hands back
  Public Declare Function CloseHandle Lib "kernel32" Alias "CloseHandle" (ByVal hObject As Long) As Long

  Public Const LOGON32_PROVIDER_DEFAULT = 0
  Public Const LOGON32_LOGON_NETWORK = 3


---------------------------------

Class Module -- PasswordValidate.cls

   Public Function CheckLogon(ByVal strUser As String, ByVal strPass As String, ByVal strDomain As String) As Boolean

     Dim lngTokenHandle As Long, lngLogonType As Long, lngLogonProvider As Long
     Dim blnResult As Boolean
     
     lngLogonType = LOGON32_LOGON_NETWORK  'don't need/want an interactive login
     lngLogonProvider = LOGON32_PROVIDER_DEFAULT
     
     'LogonUser returns non-zero on success and fills in lngTokenHandle
     blnResult = (LogonUser(strUser, strDomain, strPass, lngLogonType, lngLogonProvider, lngTokenHandle) <> 0)
   
     'only the result is needed, so release the token straight away
     If blnResult Then Call CloseHandle(lngTokenHandle)

     CheckLogon = blnResult

   End Function
0
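An added example, not part of clockwatcher's answer or the Microsoft article: a classic ASP page that could call the component above for the re-keyed "signature" check, taking the account name from the NTLM session rather than from the form. The ProgID SigCheck.PasswordValidate, the form field name password, the Session keys and the HTTPS requirement are assumptions.

```vbscript
<%@ Language=VBScript %>
<%
Option Explicit
' Added example. Assumes the PasswordValidate class is compiled into an ActiveX
' DLL registered under the hypothetical ProgID "SigCheck.PasswordValidate".

' Split "DOMAIN\user" (the form AUTH_USER takes under NTLM) into its parts.
Function SplitAuthUser(ByVal strAuthUser, ByRef strDomain, ByRef strUser)
    Dim pos, ok
    pos = InStr(strAuthUser, "\")
    ok = (pos > 1 And pos < Len(strAuthUser))
    If ok Then
        strDomain = Left(strAuthUser, pos - 1)
        strUser = Mid(strAuthUser, pos + 1)
    End If
    SplitAuthUser = ok
End Function

Dim strDomain, strUser, strPass, objCheck, blnSigned
blnSigned = False

' Take the password only from a POST body over HTTPS (assumed requirement), so
' it never lands in a query string, the IIS log or a Referer header.
If Request.ServerVariables("REQUEST_METHOD") = "POST" _
   And LCase(Request.ServerVariables("HTTPS")) = "on" Then
    strPass = CStr(Request.Form("password"))
    ' The identity comes from the NTLM session, never from the form: the
    ' password has to belong to the account IIS already authenticated.
    If Len(strPass) > 0 And _
       SplitAuthUser(CStr(Request.ServerVariables("AUTH_USER")), strDomain, strUser) Then
        Set objCheck = Server.CreateObject("SigCheck.PasswordValidate")
        blnSigned = objCheck.CheckLogon(strUser, strPass, strDomain)
        Set objCheck = Nothing
    End If
    strPass = ""   ' do not keep the password in Session, logs or the response
End If

If blnSigned Then
    ' Record who signed and when; the password itself is never stored.
    Session("SignedBy") = strDomain & "\" & strUser
    Session("SignedAt") = Now()
    Response.Write "Signature accepted."
Else
    Response.Status = "403 Forbidden"
    Response.Write "Signature not accepted."
End If
%>
```

Each rejected password is a real failed logon for that account, so it counts toward the domain's lockout policy and shows up in the security event log.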
 

Author Comment

by:davebeer
ID: 7119743
Bloody brilliant. I tried searching for a solution like this from Microsoft, but found it difficult. (too many non-applicable results no matter what keywords I tried.)

Thanks clockwatcher... that is a huge help.
0
