

Using ID from Windows Login.

Posted on 2003-11-26
Medium Priority
Last Modified: 2013-12-24
Hey all,

Is there a way that I can capture the windows login so that my users
don't have to login to their computer AND login to the intranet site?

Question by:rodnice
LVL 10

Expert Comment

ID: 9827755
Hi there,

I know you can use CGI.AUTH_USER to get the username of the person who logged in.

LVL 25

Expert Comment

by:James Rodgers
ID: 9827773
If you could, it would be a huge security hole.

Web pages cannot access the system files, unless the user has it set up to allow access through file system objects, and even then I don't think you could access the user's profile.
LVL 17

Expert Comment

ID: 9828267
You need to turn off ANONYMOUS access within IIS (if Apache you need to use some modules that mimic IIS functions).
Once that's done you can access the cgi.auth_user variable.

It only works for your users if they access your site like so http://MACHINE_NAME (or anything without a dot in it, or add the site to your intranet settings in IE)

Once there is a dot in the name it will prompt the user for the username and password again.


Assisted Solution

makila earned 100 total points
ID: 9840132
In IIS, change the authentication method from anonymous to digest and basic and make sure the integrated windows authentication box is checked.

ColdFusion recognizes the NT login as #REMOTE_USER#

It will include the domain also so you may want to do something like this to strip that away so you can just work with the actual NT login:

<cfset strUserNT = #REMOTE_USER#>
<cfset strUserNT = lcase(ReplaceNoCase(strUserNT, 'WIRELESS\', ''))>

Hope that makes sense. This is my first time actually trying to answer a question :)

LVL 17

Accepted Solution

Tacobell777 earned 300 total points
ID: 9840251
Mate, it's more like listLast(cgi.auth_user, "\") which is the username and listFirst(cgi.auth_user, "\") which is the domain

<cfset request.username = listLast(cgi.auth_user, "\")>
<cfset request.domainName = listFirst(cgi.auth_user, "\")>

would do the trick...
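
An added example, not part of the original thread or any poster's code: before trusting cgi.auth_user as suggested above, confirm that IIS actually authenticated the request and that the value has the expected shape. The domain name EXAMPLEDOMAIN, the allowed authentication-type list and the log file name are assumptions.

```cfml
<!--- Added example, not code from the thread. expectedDomain is an assumed placeholder. --->
<cfset expectedDomain = "EXAMPLEDOMAIN">
<!--- Assumption: IIS reports integrated Windows authentication as one of these types. --->
<cfset allowedAuthTypes = "Negotiate,NTLM">

<cfset rawUser = trim(cgi.auth_user)>
<cfset rejectReason = "">

<cfif len(rawUser) EQ 0>
    <!--- Empty when IIS still allows anonymous access: nobody was authenticated. --->
    <cfset rejectReason = "no authenticated user (anonymous access enabled?)">
<cfelseif NOT listFindNoCase(allowedAuthTypes, trim(cgi.auth_type))>
    <!--- For example Basic, where the browser sends the password itself. --->
    <cfset rejectReason = "unexpected authentication type">
<cfelseif listLen(rawUser, "\") NEQ 2>
    <!--- Without two non-empty parts, listFirst() and listLast() return the
          same string, so the "domain" would silently equal the username. --->
    <cfset rejectReason = "identity is not in DOMAIN\username form">
<cfelseif compareNoCase(listFirst(rawUser, "\"), expectedDomain) NEQ 0>
    <cfset rejectReason = "unexpected domain">
</cfif>

<cfif len(rejectReason)>
    <!--- Record the rejection so misconfigured sites or clients show up in the logs. --->
    <cflog file="intranet_auth" type="warning"
           text="Rejected request from #cgi.remote_addr#: #rejectReason#">
    <cfheader statuscode="403">
    <cfabort>
</cfif>

<!--- Only now trust the values, normalised for later lookups. --->
<cfset request.domainName = ucase(listFirst(rawUser, "\"))>
<cfset request.username = lcase(listLast(rawUser, "\"))>
```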

Expert Comment

ID: 9840312
I have no clue what cgi.auth_user is. I don't use cgi in any of my web pages.

I'm able to do the windows authentication in ColdFusion just by changing the IIS authentication settings and using the reserved #REMOTE_USER# variable....

Based on the code in my previous comment:
<cfoutput>#REMOTE_USER#</cfoutput> will give me "wireless\makila"
<cfoutput>#strUserNT#</cfoutput> will give me "makila"
"wireless" is my domain; "makila" is my NT login

Assisted Solution

highwaysjammed earned 100 total points
ID: 9841012
You cannot get the windows password without the user re-entering it. But once you ask the user to logon to the Intranet, you can save the password in a cookie or in a DB so that the user only has to login to the Intranet once.

After you save it to a cookie, just check for the cookie and read it next time they come to the Intranet.

How are you validating users to your Intranet? Using LDAP to query the Active Directory will allow you to use their current username/password and will always keep their Intranet login identical to their NT logon.

Regarding CGI, you don't have to be "using" CGI to get the variables. Cold Fusion makes them available automatically. If you are using IIS, under the web site properties under Directory Security, enable basic authentication and once a user successfully logs on, you can use the variable #cgi.auth_user#. That is not a good method though as it sends the password in plain text and makes the password available to anyone who can access your cf code or cf administrator.
LVL 17

Expert Comment

ID: 9841405
Sorry guys, I don't think you know what you're talking about.

1. Both of you are basically repeating what I already stated about IIS.
2. REMOTE_USER is a CGI variable, even though he does not prefix it with the scope, it is a variable available from the CGI variables.
3. If we are talking about an Intranet, and the user is already logged on to their machine, ie. they entered their username and password, WHY would they need to enter the password again when they access the site? All you need to know is who is this user at that stage...

Expert Comment

ID: 9842343
I'm using an Intranet now where I use the NT username/password for authentication. So to say I don't know what I'm talking about is wrong, not to mention rude.

I expanded on what you said about IIS and the auth_user variable and explained how that is probably not a good solution.

To answer your question tacobell777, in order to know who the user is, the user has to logon. You could just ask the user to enter their username but if you have any security needs in the intranet (ie this department sees xxx and others don't) then asking for their username and password and verifying it is essential.

I have found the best solution in this situation is to use LDAP to query the active directory and verify users. There are some examples out there. Search the web for "coldfusion ldap active directory".
LVL 17

Expert Comment

ID: 9843325
Agreed, maybe I was a bit too hard, but I still think you don't get it.

Why do you need the password from a user when they already provided that password when they logged in to their machine?? Why should they provide it again, only that ONE user (from that domain) can log in to that machine and no one else!.... So all you need is the username to authenticate the user on an intranet.

Expert Comment

ID: 9843555
You need the password because:
you can't get the username without the user providing it. If you ask the user for just their username, there is no security - any user on the domain could enter in any user name.

Unless you require and verify the password, you can't be sure the user is who they say they are.

Now if you have static IPs and want to assume a given ip is a given user, you could go that route. But that requires static IPs and an assumption that no one other than the specified user ever logs on to that machine.
LVL 17

Expert Comment

ID: 9843913
What in godsname do you mean you can't get the username without the user providing it?

Disable "anonymous access" in the site within IIS and it will pass the username and domain name to you in a variable (cgi.auth_user) like I said before.
And trust me the user will not need to provide anything, I have made intranet applications for the government and they work this way. And once again I stress, this only works on an Intranet, if it's not an intranet then the user will be prompted for a username and password. I might have been harsh saying you don't know what you're talking about, but it is the truth in this matter.

To get back to the initial question, which is:
Is there a way that I can capture the windows login so that my users
don't have to login to their computer AND login to the intranet site?

He does not want the user to log in again to the site, because he knows the user is already logged in to the computer, all he wants is the login credentials, and the username and domain is enough, because only one person can log into the domain with the username.

Expert Comment

ID: 9844202
What happens when one follows your advice and disables anonymous access? Guess what, the user is prompted for their username and password (unless you disable all access to the site). That is what in 'godsname' I meant by asking for the username and password.

Where do you think the cgi variable values come from? They come from the values the user inputs into the logon window that are then passed into the header. That is what I mean by saying you can't get the username unless you ask for it (or can associate it with an ip).

Intranet or Internet, works the same. You said, "disable anonymous access and 'trust me the user will not need to provide anything.'" Go try that on IIS and you will see you are wrong.
LVL 17

Expert Comment

ID: 9844254
Completely wrong dude..
If you are so sure of yourself, then why don't you give it a go?

And I stressed out that this only works for an Intranet!

Disable Anonymous Access, then access the site either by machine name ie. http://machineName/site
or make sure you add the site to the Intranet settings when the first part of the url has a dot in it.
Internet Explorer does not see a domain name with a dot in as an Intranet ie.

http://machinename (no dot) it sees as intranet, and will not prompt you for your username
http://www.intranet.com/ it will not see as intranet because it has a dot in it, you need to add those to your intranet sites under IE security.
http://otherdnsname with no dot in it, it will also see as intranet.

If you follow these instructions you will see how wrong you are and we will not hear from you again ;-))

You say go try it on IIS, mate I have developed many intranet sites, for banks and government bodies, and I have done it this way, and it all worked like I stated above, you just never tried it the right way... Give it a go and we can talk again....
LVL 17

Expert Comment

ID: 9846353
Any news?

Author Comment

ID: 9866312
TacoBell777 made much sense. Once they've logged onto the machine,
all you really need is their username.

I haven't implemented it yet but thanks you guys for all your help.

Expert Comment

ID: 9871218
I tested in IIS per our discussion and if I disable anonymous access and enable any other authentication method, the user is prompted for a username/password. But...since taco was so sure I did some research and according to Microsoft, there are scenarios where what taco said is correct.

One scenario is if Certificate Authentication is enabled and the client has a certificate. Username and password are sent automatically.

The other is if:
-Windows Integrated authentication is enabled.
-Both the client and the Web server are on the same domain or trusted domain
-User is using IE
-the url is an 'intranet' (as taco described) or is listed in the "intranet zone"
-Internet Explorer's Intranet zone security setting is set to 'Automatic logon only in Intranet zone'
-the user has appropriate file system (NTFS) permissions to the Web page as well as all of the objects referenced in the Web page

So taco must have been using one of those 2 scenarios and I stand corrected in saying there is no way to get the logon without asking for it. None of my scenarios met the above so my tests never automatically passed the info. Thanks for persisting taco, I learned something new.
