  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 437

Request NTLM username/password from ASP

I want to be able to request a user's credentials at a certain point in a web intranet application.

I don't actually need to know the username/password, just that they have entered it into a dialog box correctly.

Unfortunately I am not allowed to use Basic authentication on the web servers. (Only NTLM authentication). So by default, the user is automatically authenticated by IIS using NTLM...

The reason behind this, is I have a requirement to ensure it is actually the user (who we have picked up using AUTH_USER) who is accessing the application. I need them to re-key their password in, as it will be used almost like a signature. (So I know it was actually them, and not someone who had just sat down at an unattended machine)

I hope this is clear, but if it is vague at all, please ask any clarifying questions.

I'm happy to embed activeX controls if required... But it should be deliverable by ASP...

Good luck.
Dave.
Asked: davebeer
1 Solution
 
MisConFit8Commented:
You have quite a few options, this is just one:

Have them enter the user's credentials on one page, pass the values to an "action" page that only performs functionality (this way no one will be able to view source to get the users' passwords). In this action page, you can compare that value (entered as their signature) to the value in Request.ServerVariables("AUTH_PASSWORD"). If the 2 sets of values are equal, then it's good!
Hope that helps.
Mis
 
davebeerAuthor Commented:
That would work using Basic authentication. But under NTLM authentication the AUTH_PASSWORD variable is blank, so I don't think that would work.

Unless there is a Win32 call I could call from a COM component to check the user credentials I have collected using an ASP form against the domain account?

Perhaps another one of those options you were mentioning might be more suitable.
 
clockwatcherCommented:
Check the results of the LogonUser Win32 API function call.

The call requires a couple of permissions to get it to work.  The process making the call requires the SE_TCB_NAME privilege.  Since it's being called from within IIS or from within a process that inherits its permission token from IIS, it should be fine.  The second requirement is that the user account making the call has been granted the Act as Part of the Operating System privilege.  If your ASP app is in-process, then you'll be calling it as System which should be fine.  If your ASP app is out-of-process (pooled or isolated), it's running as IWAM_computername by default (or whoever you set up your app/pooled app to run as within MTS).  If that's the case, you'd have to grant Act as OS to that account from within User Manager.  

Fortunately, MS put together an article on it.  See the following:

  http://support.microsoft.com/default.aspx?scid=kb;en-us;Q248187

In your case, you don't have to actually impersonate the user (as the article shows). You can ignore the portions dealing with ImpersonateUser and RevertToSelf. You just need to check the result of the call to LogonUser and make sure it returns non-zero. If it does, then it was a successful username/password combination.

Here's the sample from the above article modified a bit:

---------------------------------


Standard Module -- LoginAPIs.bas

  ' LogonUser checks a username/password pair against the local SAM or the
  ' domain and, on success, returns non-zero and a token handle in phToken.
  Public Declare Function LogonUser Lib "advapi32.dll" _
      Alias "LogonUserA" (ByVal lpszUsername As String, _
                          ByVal lpszDomain As String, ByVal lpszPassword As String, _
                          ByVal dwLogonType As Long, ByVal dwLogonProvider As Long, _
                          phToken As Long) As Long

  ' CloseHandle releases the token handle returned by LogonUser.
  Public Declare Function CloseHandle Lib "kernel32" Alias "CloseHandle" (ByVal hObject As Long) As Long

  Public Const LOGON32_PROVIDER_DEFAULT = 0
  Public Const LOGON32_LOGON_NETWORK = 3


---------------------------------

Class Module -- PasswordValidate.cls

   ' Returns True when strUser/strPass is a valid logon for strDomain.
   ' The token is closed straight away; the caller never impersonates the user.
   Public Function CheckLogon(ByVal strUser As String, ByVal strPass As String, ByVal strDomain As String) As Boolean

     Dim lngTokenHandle As Long, lngLogonType As Long, lngLogonProvider As Long
     Dim lngResult As Long

     lngLogonType = LOGON32_LOGON_NETWORK  'don't need/want an interactive login
     lngLogonProvider = LOGON32_PROVIDER_DEFAULT

     lngResult = LogonUser(strUser, strDomain, strPass, lngLogonType, lngLogonProvider, lngTokenHandle)

     ' Non-zero means the credentials were accepted; release the token handle we were given.
     If lngResult <> 0 Then CloseHandle lngTokenHandle

     CheckLogon = (lngResult <> 0)

   End Function
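An added example (not code from the thread or the KB article) of the ASP "action" page that ties the two answers together: it takes the re-keyed credentials from a POSTed form, insists that the username matches the NTLM AUTH_USER, and calls CheckLogon from the component above. The ProgID "PasswordValidate.PasswordValidate", the domain name "CORP", the form field names and the page names are assumptions.

```vbscript
<%@ Language=VBScript %>
<%
' verify.asp (added example, not from the thread): the "action" page that
' receives the re-keyed password and checks it through CheckLogon.
' ProgID "PasswordValidate.PasswordValidate" and domain "CORP" are assumed.
Option Explicit

Const DOMAIN_NAME = "CORP"   ' assumed NT domain of the intranet users

Dim strAuthUser, strUser, strPass, objValidate, blnOk

' Only accept a POST so the password never lands in a query string or the IIS log.
If Request.ServerVariables("REQUEST_METHOD") <> "POST" Then
    Response.Status = "405 Method Not Allowed"
    Response.End
End If

' Under NTLM, AUTH_USER arrives as DOMAIN\user; keep only the account name.
strAuthUser = Request.ServerVariables("AUTH_USER")
If InStr(strAuthUser, "\") > 0 Then
    strAuthUser = Mid(strAuthUser, InStr(strAuthUser, "\") + 1)
End If

strUser = Trim(Request.Form("username"))
strPass = Request.Form("password")

' The signature must come from the user IIS already authenticated, not from
' any other domain account the person at the keyboard happens to know.
If StrComp(strUser, strAuthUser, vbTextCompare) <> 0 Then
    Response.Status = "403 Forbidden"
    Response.Write "The username entered does not match the logged-on user."
    Response.End
End If

Set objValidate = Server.CreateObject("PasswordValidate.PasswordValidate")
blnOk = objValidate.CheckLogon(strUser, strPass, DOMAIN_NAME)
Set objValidate = Nothing
strPass = ""   ' discard the clear-text password as soon as it has been checked

If blnOk Then
    ' Record who signed and when; the password itself is never stored or logged.
    Session("SignedBy") = strAuthUser
    Session("SignedAt") = Now()
    Response.Redirect "signed.asp"
Else
    Response.Status = "401 Unauthorized"
    Response.Write "Password not accepted; nothing was signed."
End If
%>
```

Because LogonUser counts as a real logon attempt, repeated wrong entries on this page feed the domain's account-lockout policy, so the form should not allow unlimited retries.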
 
davebeerAuthor Commented:
Bloody brilliant. I tried searching for a solution like this from Microsoft, but found it difficult. (too many non-applicable results no matter what keywords I tried.)

Thanks clockwatcher... that is a huge help.