Using ID from Windows Login.

Posted on 2003-11-26
Last Modified: 2013-12-24
Hey all,

Is there a way that I can capture the windows login so that my users
don't have to login to their computer AND login to the intranet site?

Question by:rodnice
LVL 10

Expert Comment

ID: 9827755
Hi there,

I know you can use CGI.AUTH_USER to get the username of the person who logged in.

LVL 25

Expert Comment

by:James Rodgers
ID: 9827773
if you could it would be a huge security hole

web pages cannot access the system files, unless the user has it set up to allow access through file system objects and even then i don't think you could access the user's profile
LVL 17

Expert Comment

ID: 9828267
You need to turn off ANONYMOUS access within IIS (if Apache you need to use some modules that mimic IIS functions)
Once that's done you can access the cgi.auth_user variable.

It only works for your users if they access your site like so http://MACHINE_NAME (or anything without a dot in it, or add the site to your intranet settings in IE)

Once there is a dot in the name it will prompt the user for the username and password again.

Assisted Solution

makila earned 25 total points
ID: 9840132
In IIS, change the authentication method from anonymous to digest and basic and make sure the integrated windows authentication box is checked.

ColdFusion recognizes the NT login as #REMOTE_USER#

It will include the domain also so you may want to do something like this to strip that away so you can just work with the actual NT login:

<cfset strUserNT = #REMOTE_USER#>
<cfset strUserNT = lcase(ReplaceNoCase(strUserNT, 'WIRELESS\', ''))>

Hope that makes sense. This is my first time actually trying to answer a question :)

LVL 17

Accepted Solution

Tacobell777 earned 75 total points
ID: 9840251
Mate, it's more like listLast(cgi.auth_user, "\") which is the username and listFirst(cgi.auth_user, "\") which is the domain

<cfset request.username = listLast(cgi.auth_user, "\")>
<cfset request.domainName = listFirst(cgi.auth_user, "\")>

would do the trick...
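
A more defensive version of the split shown in the answer above, as an added example that is not part of the original thread. It assumes IIS has anonymous access disabled for the site; `expectedDomain` is a hypothetical setting, filled here with the "wireless" domain used as a sample elsewhere in the thread.

```cfml
<!--- Added example, not code from the thread. IIS fills cgi.auth_user and
      cgi.auth_type only when it has authenticated the request itself. --->
<cfset authUser = trim(cgi.auth_user)>
<cfset authType = trim(cgi.auth_type)>

<!--- An empty auth_user means anonymous access is still enabled: refuse
      rather than treat the visitor as a known user. --->
<cfif len(authUser) EQ 0>
    <cfheader statuscode="403" statustext="Forbidden">
    <cfoutput>No authenticated Windows identity was supplied by the web server.</cfoutput>
    <cfabort>
</cfif>

<!--- Integrated Windows authentication reports NTLM or Negotiate. Basic means
      the browser sent the password itself, so accept it only over HTTPS. --->
<cfif compareNoCase(authType, "Basic") EQ 0 AND cgi.https NEQ "on">
    <cfheader statuscode="403" statustext="Forbidden">
    <cfoutput>Basic authentication is only accepted over HTTPS.</cfoutput>
    <cfabort>
</cfif>

<!--- DOMAIN\user when a domain is present, a bare user name otherwise. --->
<cfif listLen(authUser, "\") GTE 2>
    <cfset request.domainName = lcase(listFirst(authUser, "\"))>
    <cfset request.username   = lcase(listLast(authUser, "\"))>
<cfelse>
    <cfset request.domainName = "">
    <cfset request.username   = lcase(authUser)>
</cfif>

<!--- expectedDomain is a hypothetical setting: the one domain this intranet
      serves. Accounts from any other domain are rejected. --->
<cfset expectedDomain = "wireless">
<cfif request.domainName NEQ expectedDomain>
    <cfheader statuscode="403" statustext="Forbidden">
    <cfoutput>Account is not in the expected domain.</cfoutput>
    <cfabort>
</cfif>

<!--- encodeForHTML requires ColdFusion 10 or later. --->
<cfoutput>Signed in as #encodeForHTML(request.username)# (#encodeForHTML(authType)#)</cfoutput>
```

Placed in Application.cfm (or onRequestStart), this runs before every page, so the identity is checked once per request instead of in each template.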

Expert Comment

ID: 9840312
I have no clue what cgi.auth_user is. I don't use cgi in any of my web pages.

I'm able to do the windows authentication in ColdFusion just by changing the IIS authentication settings and using the reserved #REMOTE_USER# variable....

Based on the code in my previous comment:
<cfoutput>#REMOTE_USER#</cfoutput> will give me "wireless\makila"
<cfoutput>#strUserNT#</cfoutput> will give me "makila"
"wireless" is my domain; "makila" is my NT login

Assisted Solution

highwaysjammed earned 25 total points
ID: 9841012
You cannot get the windows password without the user re-entering it. But once you ask the user to logon to the Intranet, you can save the password in a cookie or in a DB so that the user only has to login to the Intranet once.

After you save it to a cookie, just check for the cookie and read it next time they come to the Intranet.

How are you validating users to your Intranet? Using LDAP to query the Active Directory will allow you to use their current username/password and will always keep their Intranet login identical to their NT logon.

Regarding CGI, you don't have to be "using" CGI to get the variables. Cold Fusion makes them available automatically. If you are using IIS, under the web site properties under Directory Security, enable basic authentication and once a user successfully logs on, you can use the variable #cgi.auth_user#. That is not a good method though as it sends the password in plain text and makes the password available to anyone who can access your cf code or cf administrator.
LVL 17

Expert Comment

ID: 9841405
Sorry guys I don't think you know what you're talking about.

1. Both of you are basically repeating what I already stated about IIS.
2. REMOTE_USER is a CGI variable, even though he does not prefix it with the scope, it is a variable available from the CGI variables.
3. If we are talking about an Intranet, and the user is already logged on to their machine, ie. they entered their username and password, WHY would they need to enter the password again when they access the site? All you need to know is who is this user at that stage...

Expert Comment

ID: 9842343
I'm using an Intranet now where I use the NT username/password for authentication. So to say I don't know what I'm talking about is wrong, not to mention rude.

I expanded on what you said about IIS and the auth_user variable and explained how that is probably not a good solution.

To answer your question tacobell777, in order to know who the user is, the user has to logon. You could just ask the user to enter their username but if you have any security needs in the intranet (ie this department sees xxx and others don't) then asking for their username and password and verifying it is essential.

I have found the best solution in this situation is to use LDAP to query the active directory and verify users. There are some examples out there. Search the web for "coldfusion ldap active directory".
LVL 17

Expert Comment

ID: 9843325
Agreed, maybe I was a bit too hard, but I still think you don't get it.

Why do you need the password from a user when they already provided that password when they logged in to their machine?? Why should they provide it again, only that ONE user (from that domain) can log in to that machine and no one else!.... So all you need is the username to authenticate the user on an intranet.

Expert Comment

ID: 9843555
you need the password because:
you can't get the username without the user providing it. If you ask the user for just their username, there is no security - any user on the domain could enter in any user name.

Unless you require and verify the password, you can't be sure the user is who they say they are.

Now if you have static IP's and want to assume a given ip is a given user, you could go that route. But that requires static IP's and an assumption that no one other than the specified user ever logs on to that machine.
LVL 17

Expert Comment

ID: 9843913
What in godsname do you mean you can't get the username without the user providing it?

Disable "anonymous access" in the site within IIS and it will pass the username and domain name to you in a variable (cgi.auth_user) like I said before.
And trust me the user will not need to provide anything, I have made intranet applications for the government and they work this way. And once again I stress, this only works on an Intranet, if it's not an intranet then the user will be prompted for a username and password. I might have been harsh saying you don't know what you're talking about, but it is the truth in this matter.

To get back to the initial question, which is:
Is there a way that I can capture the windows login so that my users
don't have to login to their computer AND login to the intranet site?

he does not want the user to log in again to the site, because he knows the user is already logged in to the computer, all he wants is the login credentials, and the username and domain is enough, because only one person can log into the domain with the username.

Expert Comment

ID: 9844202
What happens when one follows your advice and disables anonymous access? Guess what, the user is prompted for their username and password (unless you disable all access to the site). That is what in 'godsname' I meant by asking for the username and password.

Where do you think the cgi variable values come from? They come from the values the user inputs into the logon window that are then passed into the header. That is what I mean by saying you can't get the username unless you ask for it (or can associate it with an ip).

Intranet or Internet, works the same. You said, "disable anonymous access and 'trust me the user will not need to provide anything.'" Go try that on IIS and you will see you are wrong.
LVL 17

Expert Comment

ID: 9844254
Completely wrong dude..
If you are so sure of yourself, then why don't you give it a go?

And I stressed out that this only works for an Intranet!

Disable Anonymous Access, then access the site either by machine name ie. http://machineName/site
or make sure you add the site to the Intranet settings when the first part of the url has a dot in it.
Internet Explorer does not see a domain name with a dot in as a Intranet ie.

http://machinename (no dot) it sees as intranet, and will not prompt you for your username it will not see as intranet because it has a dot in it, you need to add those to your intranet sites under IE security.
http://otherdnsname with no dot in it, it will also see as intranet.

If you follow these instructions you will see how wrong you are and we will not hear from you again ;-))

You say go try it on IIS, mate I have developed many intranet sites, for banks and government bodies, and I have done it this way, and it all worked like I stated above, you just never tried it the right way... Give it a go and we can talk again....
LVL 17

Expert Comment

ID: 9846353
Any news?

Author Comment

ID: 9866312
TacoBell777 made much sense.  Once they've logged onto the machine,
all you really need is their username.

I haven't implemented it yet but thanx you guys for all your help.

Expert Comment

ID: 9871218
I tested in IIS per our discussion and if I disable anonymous access and enable any other authentication method, the user is prompted for a username/password. But...since taco was so sure I did some research and according to Microsoft, there are scenarios where what taco said is correct.

One scenario is if Certificate Authentication is enabled and the client has a certificate. Username and password are sent automatically.

The other is if:
-Windows Integrated authentication is enabled.
-Both the client and the Web server are on the same domain or trusted domain
-User is using IE
-the url is an 'intranet' (as taco described) or is listed in the "intranet zone"
-Internet Explorer's Intranet zone security setting is set to 'Automatic logon only in Intranet zone'
-the user has appropriate file system (NTFS) permissions to the Web page as well as all of the objects referenced in the Web page

So taco must have been using one of those 2 scenarios and I stand corrected in saying there is no way to get the logon without asking for it. None of my scenarios met the above so my tests never automatically passed the info. Thanks for persisting taco, I learned something new.
