  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1055

Using ID from Windows Login.

Hey all,

Is there a way that I can capture the windows login so that my users
don't have to login to their computer AND login to the intranet site?

Asked by: rodnice

Mause Commented:
Hi there,

I know you can use CGI.AUTH_USER to get the username of the person who logged in.

Mause

James Rodgers (Web Applications Developer) Commented:
If you could, it would be a huge security hole.

Web pages cannot access the system files, unless the user has it set up to allow access through file system objects, and even then I don't think you could access the user's profile.

Tacobell777 Commented:
You need to turn off ANONYMOUS access within IIS (if Apache, you need to use some modules that mimic IIS functions).
Once that's done you can access the cgi.auth_user variable.

It only works for your users if they access your site like so http://MACHINE_NAME (or anything without a dot in it, or add the site to your intranet settings in IE)

Once there is a dot in the name it will prompt the user for the username and password again.

makila Commented:
In IIS, change the authentication method from anonymous to digest and basic and make sure the integrated windows authentication box is checked.

ColdFusion recognizes the NT login as #REMOTE_USER#

It will include the domain also so you may want to do something like this to strip that away so you can just work with the actual NT login:

<cfset strUserNT = #REMOTE_USER#>
<cfset strUserNT = lcase(ReplaceNoCase(strUserNT, 'WIRELESS\', ''))>

Hope that makes sense. This is my first time actually trying to answer a question :)

-Makila

Tacobell777 Commented:
Mate, it's more like listLast(cgi.auth_user, "\") which is the username and listFirst(cgi.auth_user, "\") which is the domain

so
<cfset request.username = listLast(cgi.auth_user, "\")>
<cfset request.domainName = listFirst(cgi.auth_user, "\")>

would do the trick...

makila Commented:
I have no clue what cgi.auth_user is. I don't use cgi in any of my web pages.

I'm able to do the windows authentication in ColdFusion just by changing the IIS authentication settings and using the reserved #REMOTE_USER# variable....

Based on the code in my previous comment:
<cfoutput>#REMOTE_USER#</cfoutput> will give me "wireless\makila"
<cfoutput>#strUserNT#</cfoutput> will give me "makila"
"wireless" is my domain; "makila" is my NT login

highwaysjammed Commented:
You cannot get the windows password without the user re-entering it. But once you ask the user to logon to the Intranet, you can save the password in a cookie or in a DB so that the user only has to login to the Intranet once.

After you save it to a cookie, just check for the cookie and read it next time they come to the Intranet.

How are you validating users to your Intranet? Using LDAP to query the Active Directory will allow you to use their current username/password and will always keep their Intranet login identical to their NT logon.

Regarding CGI, you don't have to be "using" CGI to get the variables. Cold Fusion makes them available automatically. If you are using IIS, under the web site properties under Directory Security, enable basic authentication and once a user successfully logs on, you can use the variable #cgi.auth_user#. That is not a good method though as it sends the password in plain text and makes the password available to anyone who can access your cf code or cf administrator.

Tacobell777 Commented:
Sorry guys, I don't think you know what you're talking about.

1. Both of you are basically repeating what I already stated about IIS.
2. REMOTE_USER is a CGI variable, even though he does not prefix it with the scope, it is a variable available from the CGI variables.
3. If we are talking about an Intranet, and the user is already logged on to their machine, i.e. they entered their username and password, WHY would they need to enter the password again when they access the site? All you need to know is who is this user at that stage...

highwaysjammed Commented:
I'm using an Intranet now where I use the NT username/password for authentication. So to say I don't know what I'm talking about is wrong, not to mention rude.

I expanded on what you said about IIS and the auth_user variable and explained how that is probably not a good solution.

To answer your question tacobell777, in order to know who the user is, the user has to logon. You could just ask the user to enter their username but if you have any security needs in the intranet (i.e. this department sees xxx and others don't) then asking for their username and password and verifying it is essential.

I have found the best solution in this situation is to use LDAP to query the active directory and verify users. There are some examples out there. Search the web for "coldfusion ldap active directory".

Tacobell777 Commented:
Agreed, maybe I was a bit too hard, but I still think you don't get it.

Why do you need the password from a user when they already provided that password when they logged in to their machine?? Why should they provide it again? Only that ONE user (from that domain) can log in to that machine and no one else!.... So all you need is the username to authenticate the user on an intranet.

highwaysjammed Commented:
You need the password because:
you can't get the username without the user providing it. If you ask the user for just their username, there is no security - any user on the domain could enter in any user name.

Unless you require and verify the password, you can't be sure the user is who they say they are.

Now if you have static IPs and want to assume a given IP is a given user, you could go that route. But that requires static IPs and an assumption that no one other than the specified user ever logs on to that machine.

Tacobell777 Commented:
What in godsname do you mean you can't get the username without the user providing it?

Disable "anonymous access" in the site within IIS and it will pass the username and domain name to you in a variable (cgi.auth_user) like I said before.
And trust me, the user will not need to provide anything; I have made intranet applications for the government and they work this way. And once again I stress, this only works on an Intranet; if it's not an intranet then the user will be prompted for a username and password. I might have been harsh saying you don't know what you're talking about, but it is the truth in this matter.

To get back to the initial question, which is:
Is there a way that I can capture the windows login so that my users
don't have to login to their computer AND login to the intranet site?

He does not want the user to log in again to the site, because he knows the user is already logged in to the computer; all he wants is the login credentials, and the username and domain is enough, because only one person can log into the domain with the username.

highwaysjammed Commented:
What happens when one follows your advice and disables anonymous access? Guess what, the user is prompted for their username and password (unless you disable all access to the site). That is what in 'godsname' I meant by asking for the username and password.

Where do you think the cgi variable values come from? They come from the values the user inputs into the logon window that are then passed into the header. That is what I mean by saying you can't get the username unless you ask for it (or can associate it with an ip).

Intranet or Internet, works the same. You said, "disable anonymous access and 'trust me the user will not need to provide anything.'" Go try that on IIS and you will see you are wrong.

Tacobell777 Commented:
Completely wrong dude..
If you are so sure of yourself, then why don't you give it a go?

And I stressed out that this only works for an Intranet!

Disable Anonymous Access, then access the site either by machine name ie. http://machineName/site
or make sure you add the site to the Intranet settings when the first part of the url has a dot in it.
Internet Explorer does not see a domain name with a dot in it as an intranet, i.e.

http://machinename (no dot) it sees as intranet, and will not prompt you for your username
http://www.intranet.com/ it will not see as intranet because it has a dot in it, you need to add those to your intranet sites under IE security.
http://otherdnsname with no dot in it, it will also see as intranet.

If you follow these instructions you will see how wrong you are and we will not hear from you again ;-))

You say go try it on IIS; mate, I have developed many intranet sites, for banks and government bodies, and I have done it this way, and it all worked like I stated above, you just never tried it the right way... Give it a go and we can talk again....

Tacobell777 Commented:
Any news?

rodnice (Author) Commented:
TacoBell777 made much sense. Once they've logged onto the machine,
all you really need is their username.

I haven't implemented it yet but thanks you guys for all your help.

highwaysjammed Commented:
I tested in IIS per our discussion and if I disable anonymous access and enable any other authentication method, the user is prompted for a username/password. But...since taco was so sure I did some research and according to Microsoft, there are scenarios where what taco said is correct.

One scenario is if Certificate Authentication is enabled and the client has a certificate. Username and password are sent automatically.

The other is if:
-Windows Integrated authentication is enabled.
-Both the client and the Web server are on the same domain or trusted domain
-User is using IE
-the url is an 'intranet' (as taco described) or is listed in the "intranet zone"
-Internet Explorer's Intranet zone security setting is set to 'Automatic logon only in Intranet zone'
-the user has appropriate file system (NTFS) permissions to the Web page as well as all of the objects referenced in the Web page

So taco must have been using one of those 2 scenarios and I stand corrected in saying there is no way to get the logon without asking for it. None of my scenarios met the above so my tests never automatically passed the info. Thanks for persisting taco, I learned something new.
0
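
Added example, not code from any poster in this thread: a CFML sketch that reads the identity IIS passes in cgi.auth_user and refuses the request when it is not what the application expects, covering the gaps in the hard-coded 'WIRELESS\' strip and the listFirst/listLast split shown earlier. Assumptions: the allowed domain (taken from the sample output in the thread), the scheme names in allowedAuthTypes (confirm what your server actually reports in cgi.auth_type), and all variable names.

```cfml
<!--- Added example, not from the thread. allowedDomains, allowedAuthTypes
      and the request.* names are assumptions for illustration. --->
<cfset allowedDomains   = "WIRELESS">
<cfset allowedAuthTypes = "Negotiate,NTLM,Kerberos">
<cfset rawUser  = trim(cgi.auth_user)>
<cfset authType = trim(cgi.auth_type)>

<!--- An empty AUTH_USER means the request was served anonymously
      (anonymous access is still enabled somewhere). There is no
      identity to trust, so stop instead of guessing one. --->
<cfif NOT len(rawUser)>
    <cfheader statuscode="401">
    <cfabort>
</cfif>

<!--- Basic authentication also fills AUTH_USER, but it sends the
      password with every request. Accept integrated schemes only. --->
<cfif NOT listFindNoCase(allowedAuthTypes, authType)>
    <cfheader statuscode="403">
    <cfabort>
</cfif>

<!--- Expect exactly DOMAIN\user. With no backslash, listFirst() and
      listLast() both return the whole string, so the "domain" would
      silently equal the username. Check the element count first. --->
<cfif listLen(rawUser, "\") NEQ 2>
    <cfheader statuscode="403">
    <cfabort>
</cfif>
<cfset request.domainName = ucase(listFirst(rawUser, "\"))>
<cfset request.username   = lcase(listLast(rawUser, "\"))>

<!--- AUTH_USER can carry a domain other than the one you expect
      (for example a local account on the server), and the same
      username can exist in both. Accept only known domains. --->
<cfif NOT listFindNoCase(allowedDomains, request.domainName)>
    <cfheader statuscode="403">
    <cfabort>
</cfif>

<!--- The username is now an authenticated identity; authorization
      (which department sees what) is still the application's job. --->
<cfoutput>
    Signed in as #encodeForHTML(request.username)#
    (#encodeForHTML(request.domainName)#)
</cfoutput>
```

Placed in Application.cfm or onRequestStart, these checks run before any page that relies on request.username.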
