Using ID from Windows Login.

Hey all,

Is there a way that I can capture the windows login so that my users
don't have to login to their computer AND login to the intranet site?


Hi there,

I know you can use CGI.AUTH_USER to get the username of the person who logged in.

James Rodgers, Web Applications Developer, commented:
If you could, it would be a huge security hole.

Web pages cannot access the system files, unless the user has it set up to allow access through file system objects, and even then I don't think you could access the user's profile.
You need to turn off ANONYMOUS access within IIS (if Apache, you need to use some modules that mimic IIS functions).
Once that's done you can access the cgi.auth_user variable.

It only works for your users if they access your site like so: http://MACHINE_NAME (or anything without a dot in it, or add the site to your intranet settings in IE).

Once there is a dot in the name it will prompt the user for the username and password again.

In IIS, change the authentication method from anonymous to digest and basic and make sure the integrated windows authentication box is checked.

ColdFusion recognizes the NT login as #REMOTE_USER#

It will include the domain also, so you may want to do something like this to strip that away so you can just work with the actual NT login:

<!--- REMOTE_USER arrives as DOMAIN\login; strip the (hard-coded) domain prefix and lower-case the result --->
<cfset strUserNT = #REMOTE_USER#>
<cfset strUserNT = lcase(ReplaceNoCase(strUserNT, 'WIRELESS\', ''))>

Hope that makes sense. This is my first time actually trying to answer a question :)

Mate, it's more like listLast(cgi.auth_user, "\") which is the username and listFirst(cgi.auth_user, "\") which is the domain:

<!--- cgi.auth_user is "DOMAIN\username"; split on the backslash instead of hard-coding the domain --->
<cfset request.username = listLast(cgi.auth_user, "\")>
<cfset request.domainName = listFirst(cgi.auth_user, "\")>

would do the trick...

I have no clue what cgi.auth_user is. I don't use cgi in any of my web pages.

I'm able to do the windows authentication in ColdFusion just by changing the IIS authentication settings and using the reserved #REMOTE_USER# variable....

Based on the code in my previous comment:
<cfoutput>#REMOTE_USER#</cfoutput> will give me "wireless\makila"
<cfoutput>#strUserNT#</cfoutput> will give me "makila"
"wireless" is my domain; "makila" is my NT login
You cannot get the windows password without the user re-entering it. But once you ask the user to logon to the Intranet, you can save the password in a cookie or in a DB so that the user only has to login to the Intranet once.

After you save it to a cookie, just check for the cookie and read it next time they come to the Intranet.

How are you validating users to your Intranet? Using LDAP to query the Active Directory will allow you to use their current username/password and will always keep their Intranet login identical to their NT logon.

Regarding CGI, you don't have to be "using" CGI to get the variables. Cold Fusion makes them available automatically. If you are using IIS, under the web site properties under Directory Security, enable basic authentication and once a user successfully logs on, you can use the variable #cgi.auth_user#. That is not a good method though as it sends the password in plain text and makes the password available to anyone who can access your cf code or cf administrator.
Sorry guys, I don't think you know what you're talking about.

1. Both of you are basically repeating what I already stated about IIS.
2. REMOTE_USER is a CGI variable, even though he does not prefix it with the scope, it is a variable available from the CGI variables.
3. If we are talking about an Intranet, and the user is already logged on to their machine, i.e. they entered their username and password, WHY would they need to enter the password again when they access the site? All you need to know is who this user is at that stage...
I'm using an Intranet now where I use the NT username/password for authentication. So to say I don't know what I'm talking about is wrong, not to mention rude.

I expanded on what you said about IIS and the auth_user variable and explained how that is probably not a good solution.

To answer your question tacobell777, in order to know who the user is, the user has to log on. You could just ask the user to enter their username, but if you have any security needs in the intranet (i.e. this department sees xxx and others don't) then asking for their username and password and verifying it is essential.

I have found the best solution in this situation is to use LDAP to query the active directory and verify users. There are some examples out there. Search the web for "coldfusion ldap active directory".
Agreed, maybe I was a bit too hard, but I still think you don't get it.

Why do you need the password from a user when they already provided that password when they logged in to their machine?? Why should they provide it again? Only that ONE user (from that domain) can log in to that machine and no one else!.... So all you need is the username to authenticate the user on an intranet.
You need the password because:
you can't get the username without the user providing it. If you ask the user for just their username, there is no security - any user on the domain could enter any user name.

Unless you require and verify the password, you can't be sure the user is who they say they are.

Now if you have static IPs and want to assume a given IP is a given user, you could go that route. But that requires static IPs and an assumption that no one other than the specified user ever logs on to that machine.
What in God's name do you mean you can't get the username without the user providing it?

Disable "anonymous access" in the site within IIS and it will pass the username and domain name to you in a variable (cgi.auth_user) like I said before.
And trust me, the user will not need to provide anything; I have made intranet applications for the government and they work this way. And once again I stress, this only works on an Intranet; if it's not an intranet then the user will be prompted for a username and password. I might have been harsh saying you don't know what you're talking about, but it is the truth in this matter.

To get back to the initial question, which is:
Is there a way that I can capture the windows login so that my users
don't have to login to their computer AND login to the intranet site?

He does not want the user to log in again to the site, because he knows the user is already logged in to the computer. All he wants is the login credentials, and the username and domain is enough, because only one person can log into the domain with the username.
What happens when one follows your advice and disables anonymous access? Guess what, the user is prompted for their username and password (unless you disable all access to the site). That is what in 'God's name' I meant by asking for the username and password.

Where do you think the cgi variable values come from? They come from the values the user inputs into the logon window that are then passed into the header. That is what I mean by saying you can't get the username unless you ask for it (or can associate it with an ip).

Intranet or Internet, it works the same. You said, "disable anonymous access and 'trust me the user will not need to provide anything.'" Go try that on IIS and you will see you are wrong.
Completely wrong dude..
If you are so sure of yourself, then why don't you give it a go?

And I stressed that this only works for an Intranet!

Disable Anonymous Access, then access the site by machine name, i.e. http://machineName/site,
or make sure you add the site to the Intranet settings when the first part of the URL has a dot in it.
Internet Explorer does not see a domain name with a dot in it as an Intranet, i.e.:

http://machinename (no dot) it sees as intranet, and will not prompt you for your username. A URL with a dot in it, it will not see as intranet because it has a dot in it; you need to add those to your intranet sites under IE security.
http://otherdnsname with no dot in it, it will also see as intranet.

If you follow these instructions you will see how wrong you are and we will not hear from you again ;-))

You say go try it on IIS; mate, I have developed many intranet sites, for banks and government bodies, and I have done it this way, and it all worked like I stated above, you just never tried it the right way... Give it a go and we can talk again....
Any news?
rodnice (Author) commented:
TacoBell777 made much sense. Once they've logged onto the machine,
all you really need is their username.

I haven't implemented it yet but thanks you guys for all your help.
I tested in IIS per our discussion and if I disable anonymous access and enable any other authentication method, the user is prompted for a username/password. But...since taco was so sure I did some research and according to Microsoft, there are scenarios where what taco said is correct.

One scenario is if Certificate Authentication is enabled and the client has a certificate. Username and password are sent automatically.

The other is if:
- Windows Integrated authentication is enabled.
- Both the client and the Web server are on the same domain or a trusted domain.
- The user is using IE.
- The URL is an 'intranet' (as taco described) or is listed in the "intranet zone".
- Internet Explorer's Intranet zone security setting is set to 'Automatic logon only in Intranet zone'.
- The user has appropriate file system (NTFS) permissions to the Web page as well as all of the objects referenced in the Web page.

So taco must have been using one of those 2 scenarios and I stand corrected in saying there is no way to get the logon without asking for it. None of my scenarios met the above so my tests never automatically passed the info. Thanks for persisting taco, I learned something new.
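A defensive version of the domain/username split from the listLast/listFirst post above, combined with the check the final IIS test makes necessary: if anonymous access is still enabled (or the browser fell back to a prompt), the server-set variables must not be trusted as "some user". This is an added example, not code from any poster; it assumes IIS has anonymous access disabled and Integrated Windows authentication enabled so that IIS populates CGI.AUTH_USER and CGI.AUTH_TYPE, and windowsPrincipal is a name chosen here.

```cfml
<!--- Added example (not from the thread): resolve the Windows principal IIS
      authenticated, or report authenticated=false when it did not. --->
<cfscript>
function windowsPrincipal(string authUser = "", string authType = "") {
    var p = { "authenticated" = false, "domain" = "", "username" = "", "authType" = authType };

    // With anonymous access still enabled, IIS leaves AUTH_USER empty.
    // An empty value means nobody was authenticated, not "a user with no name".
    if (not len(trim(authUser))) {
        return p;
    }

    // Basic authentication also fills AUTH_USER, but the password crossed the
    // wire in cleartext (as noted in the thread); accept only the integrated schemes.
    if (not listFindNoCase("Negotiate,NTLM", authType)) {
        return p;
    }

    // "DOMAIN\user" is the usual form; "user@domain" (UPN) is also possible.
    if (find("\", authUser)) {
        p.domain   = listFirst(authUser, "\");
        p.username = listLast(authUser, "\");
    } else if (find("@", authUser)) {
        p.username = listFirst(authUser, "@");
        p.domain   = listLast(authUser, "@");
    } else {
        p.username = authUser;
    }

    // Normalise case so authorisation lookups do not depend on how the client typed it.
    p.domain   = ucase(p.domain);
    p.username = lcase(p.username);
    p.authenticated = len(p.username) gt 0;
    return p;
}
</cfscript>

<!--- Evaluate the live request once and keep the result for the rest of the page. --->
<cfset request.user = windowsPrincipal(cgi.auth_user, cgi.auth_type)>

<cfif not request.user.authenticated>
    <!--- Never fall back to a self-declared username; fail loudly so a
          misconfigured site (anonymous still on, Basic only) is noticed. --->
    <cfheader statusCode="401" statusText="Authentication required">
    <cfabort>
</cfif>
```

Authorisation decisions (which department sees what) should then key off request.user.domain and request.user.username, never off CGI.AUTH_USER read again later in the page.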