Solved

Request NTLM username/password from ASP

Posted on 2002-06-28
Last Modified: 2008-03-17
I want to be able to request a user's credentials at a certain point in a web intranet application.

I don't actually need to know the username/password, just that they have entered it into a dialog box correctly.

Unfortunately I am not allowed to use Basic authentication on the web servers. (Only NTLM authentication). So by default, the user is automatically authenticated by IIS using NTLM...

The reason behind this is that I have a requirement to ensure it is actually the user (who we have picked up using AUTH_USER) who is accessing the application. I need them to re-key their password in, as it will be used almost like a signature. (So I know it was actually them, and not someone who had just sat down at an unattended machine.)

I hope this is clear, but if it is vague at all, please ask any clarifying questions.

I'm happy to embed ActiveX controls if required... But it should be deliverable by ASP...

Good luck.
Dave.
Question by:davebeer
 

Expert Comment

by:MisConFit8
ID: 7117717
You have quite a few options, this is just one:

Have them enter the user's credentials on one page, pass the values to an "action" page that only performs functionality (this way no one will be able to view source to get the users' passwords). In this action page, you can compare that value (entered as their signature) to the value in Request.ServerVariables("AUTH_PASSWORD"). If the 2 sets of values are equal, then it's good!
Hope that helps.
Mis
0
 

Author Comment

by:davebeer
ID: 7118202
That would work using Basic authentication. But under NTLM authentication the AUTH_PASSWORD variable is blank, so I don't think that would work.

Unless there is a Win32 call I could call from a COM component to check the user credentials I have collected using an ASP form against the domain account?

Perhaps another one of those options you were mentioning might be more suitable.
0
 
LVL 25

Accepted Solution

by:
clockwatcher earned 250 total points
ID: 7119369
Check the results of the LogonUser Win32 API function call.

The call requires a couple of permissions to get it to work.  The process making the call requires the SE_TCB_NAME privilege.  Since it's being called from within IIS or from within a process that inherits its permission token from IIS, it should be fine.  The second requirement is that the user account making the call has been granted the Act as Part of the Operating System privilege.  If your ASP app is in-process, then you'll be calling it as System which should be fine.  If your ASP app is out-of-process (pooled or isolated), it's running as IWAM_computername by default (or whoever you set up your app/pooled app to run as within MTS).  If that's the case, you'd have to grant Act as OS to that account from within User Manager.  

Fortunately, MS put together an article on it.  See the following:

  http://support.microsoft.com/default.aspx?scid=kb;en-us;Q248187

In your case, you don't have to actually impersonate the user (as the article shows).  You can ignore the portions dealing with ImpersonateUser and RevertToSelf.  You just need to check the result of the call to LogonUser and make sure it returns non-zero.  If it does, then it was a successful username/password combination.

Here's the sample from the above article modified a bit:

---------------------------------


Standard Module -- LoginAPIs.bas

  ' Win32 declarations used to validate a username/password pair
  Public Declare Function LogonUser Lib "advapi32.dll" _
                 Alias "LogonUserA" (ByVal lpszUsername As String, _
                 ByVal lpszDomain As String, ByVal lpszPassword As String, _
                 ByVal dwLogonType As Long, ByVal dwLogonProvider As Long, _
                 phToken As Long) As Long

  Public Declare Function CloseHandle Lib "kernel32" Alias "CloseHandle" (ByVal hObject As Long) As Long

  Public Const LOGON32_PROVIDER_DEFAULT = 0
  Public Const LOGON32_LOGON_NETWORK = 3


---------------------------------

Class Module -- PasswordValidate.cls

   Public Function CheckLogon(ByVal strUser As String, ByVal strPass As String, ByVal strDomain As String) As Boolean

     Dim lngTokenHandle As Long, lngLogonType As Long, lngLogonProvider As Long
     Dim blnResult As Boolean

     lngLogonType = LOGON32_LOGON_NETWORK  'don't need/want an interactive login
     lngLogonProvider = LOGON32_PROVIDER_DEFAULT

     'LogonUser returns non-zero when the username/password combination is valid
     blnResult = (LogonUser(strUser, strDomain, strPass, lngLogonType, lngLogonProvider, lngTokenHandle) <> 0)

     'The token is not used for impersonation here, so release it straight away
     If blnResult Then CloseHandle lngTokenHandle

     CheckLogon = blnResult

   End Function
0
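
An ASP action page that could sit in front of the CheckLogon component above, added here as an example; it is not part of clockwatcher's answer or the Microsoft article. It takes the identity from AUTH_USER (never from the form), accepts the re-keyed password only by POST over HTTPS, and caps failed attempts per session. The ProgID "ReAuth.PasswordValidate", the form field name "password" and the limit of 3 are assumptions.

```vbscript
<%@ Language="VBScript" %>
<%
Option Explicit
' Added example. "ReAuth.PasswordValidate" is a hypothetical ProgID for the
' compiled class module; "password" is an assumed form field name.
Const MAX_FAILURES = 3

' Under NTLM, IIS reports AUTH_USER as DOMAIN\user; split it into both parts.
Function SplitAuthUser(ByVal strAuthUser, ByRef strDomain, ByRef strUser)
    Dim pos, blnOk
    pos = InStr(strAuthUser, "\")
    blnOk = (pos > 1 And pos < Len(strAuthUser))
    If blnOk Then
        strDomain = Left(strAuthUser, pos - 1)
        strUser = Mid(strAuthUser, pos + 1)
    End If
    SplitAuthUser = blnOk
End Function

Function ConfirmSignature()
    Dim strDomain, strUser, strPass, objCheck, blnOk
    ConfirmSignature = False
    ' The password travels in the request body, so require POST over HTTPS.
    If UCase(Request.ServerVariables("REQUEST_METHOD")) <> "POST" Then Exit Function
    If LCase(Request.ServerVariables("HTTPS")) <> "on" Then Exit Function
    ' Stop retrying once the session has used up its attempts.
    If Session("ReauthFailures") >= MAX_FAILURES Then Exit Function
    ' The identity being confirmed is the one IIS already authenticated.
    If Not SplitAuthUser(Request.ServerVariables("AUTH_USER"), strDomain, strUser) Then Exit Function
    strPass = Request.Form("password")
    If Len(strPass) = 0 Then Exit Function

    Set objCheck = Server.CreateObject("ReAuth.PasswordValidate")
    blnOk = objCheck.CheckLogon(strUser, strPass, strDomain)
    Set objCheck = Nothing
    strPass = ""   ' do not keep, log or echo the password
    If blnOk Then
        Session("ReauthFailures") = 0
    Else
        Session("ReauthFailures") = Session("ReauthFailures") + 1
    End If
    ConfirmSignature = blnOk
End Function

If ConfirmSignature() Then
    Response.Write "Signature accepted for " & Server.HTMLEncode(Request.ServerVariables("AUTH_USER"))
Else
    Response.Status = "403 Forbidden"
    Response.Write "Signature not accepted."
End If
%>
```

Failed LogonUser calls count as failed logons against the domain account, so the per-session cap also keeps a mistyped signature from running into the account lockout threshold.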
 

Author Comment

by:davebeer
ID: 7119743
Bloody brilliant. I tried searching for a solution like this from Microsoft, but found it difficult. (too many non-applicable results no matter what keywords I tried.)

Thanks clockwatcher... that is a huge help.
0
