Solved

Mixing forms and windows authentication

Posted on 2004-10-04
Last Modified: 2008-01-09
I am writing a support call logging app. Clients have a user name and password to log in over the web, and this is stored in a database, so I use forms authentication. The support and development staff need to look at these calls and it seems to make sense to use Windows authentication, so that I don't have to maintain the password lists etc.

How can I mix the two? Or how can I detect that someone is on the LAN, and authenticate them automatically?
Question by:crescendo
17 Comments
 
LVL 28

Expert Comment

by:mmarinov
ID: 12215681
Hi,

The answer is here: http://www.codeproject.com/aspnet/ExtFrmsAuth.asp

Regards,
B..M
0
 
LVL 9

Author Comment

by:crescendo
ID: 12230066
Thanks for that, but it was a bit above my head. I understood the bit you have to do in web.config, but when it talked about implementing IUserAuthenticator interfaces, my eyes glazed over.

I may have to resort to using the client browser's IP address to see if they are on the LAN, but that's not very helpful if I want to be more specific about who can do what.

Is it possible to detect the Windows user name of a client?
0
 
LVL 3

Expert Comment

by:dabitbol
ID: 12231013
I had the same problem. I decided to use Forms Authentication. In my authentication method, I first check in the database for the username, then check in the Active Directory. You of course have to be sure you don't have duplicates.

If you need more details, don't hesitate.
0
 
LVL 3

Expert Comment

by:dabitbol
ID: 12231081
Here's a link on how to authenticate on the Active Directory. Understand it and add code to authenticate on your DB.

Good Luck
0
 
LVL 9

Author Comment

by:crescendo
ID: 12231104
Yes, I could do that (except I don't know how to check the Active Directory!) but I was hoping to avoid having local staff enter any passwords or usernames at all, since it should be possible to tell exactly who they are. It's a support logging application, so when a remote client logs a call I want the support staff to be able to respond quickly, not spend ages logging in. If it's easy, they'll look at the call straight away out of curiosity. If they have to mess around logging in they'll "just finish what they were doing"...

0
 
LVL 9

Author Comment

by:crescendo
ID: 12231113
Where's the link? ;-)
0
 
LVL 3

Expert Comment

by:dabitbol
ID: 12231141
Sorry...

http://www.ondotnet.com/pub/a/dotnet/2003/01/20/formsauthp2.html

You could create a cookie or get their username from Environment.UserName.

Sorry Again!
0
 
LVL 3

Expert Comment

by:dabitbol
ID: 12231148
Or get the domain name:

Environment.UserDomainName;
0
 
LVL 3

Expert Comment

by:dabitbol
ID: 12231155
Sorry, but that won't work on the client side. Let me find my code and get back to you
0
 
LVL 3

Expert Comment

by:dabitbol
ID: 12231283
Unless you use those methods, and according to my research, the only thing you can get without busting the security model is the IP address and DNS name of the machine. I think my way is the easiest, but if you don't want to use cookies or a login form, use mmarinov's way.

Good Luck!
0
 
LVL 9

Author Comment

by:crescendo
ID: 12231348
The link you gave seems to do what I want. Except it's in C#, it is a good article. I'll try to "convert" it.
0
 
LVL 3

Expert Comment

by:dabitbol
ID: 12231448
Sorry about that, but good luck!
0
 
LVL 9

Author Comment

by:crescendo
ID: 12231559
In the process of converting it I realised that it expects the user to type in a user name and password, which is not what I want.

Surely there is a way of telling whether the client has already authenticated against the domain, and what his group membership is?
0
 
LVL 3

Expert Comment

by:dabitbol
ID: 12231635
No, don't forget one thing:

ASP.NET pages don't have access to the client's machine or resources, even if it resides on the same domain, unless you use impersonation. With that process, the user runs the application under his username, thus enabling you to retrieve his info.

But this complicates things, I would not get into it.

Basically, there is no simple way!

 
0
 
LVL 9

Author Comment

by:crescendo
ID: 12231683
But there must be some way of telling who the user is or the Basic and Windows authentication methods wouldn't work?
0
 
LVL 3

Expert Comment

by:dabitbol
ID: 12231692
In that case, if the user is not Authenticated (Outside of your Intranet), a login window will be displayed prompting for a username and password
0
 
LVL 28

Accepted Solution

by:mmarinov earned 250 total points
ID: 12234484
Here is the Microsoft tutorial of how to mix Windows and web security logon:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnaspp/html/mixedsecurity.asp

Regards
B..M
0
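
The goal discussed in this thread (LAN staff signed in without typing anything, external clients using the database-backed form) can be sketched as follows for ASP.NET 2.0 or later. This is an added example, not code from the linked articles or from any poster; the page names WinLogin.aspx and WebLogin.aspx, the group `CORP\Support`, and the IIS setup described in the comments are assumptions.

```csharp
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;
using System.Web.UI;

// Code-behind for WinLogin.aspx (hypothetical name). Assumed setup:
//  - web.config: <authentication mode="Forms"> with loginUrl="WinLogin.aspx"
//  - IIS: on this one file, anonymous access is disabled and Integrated
//    Windows authentication is enabled; a custom 401 page sends browsers
//    that cannot authenticate to WebLogin.aspx
//  - WebLogin.aspx (hypothetical) is the database-backed client login form
public class WinLogin : Page
{
    // Hypothetical AD group allowed to skip the login form.
    private const string StaffGroup = @"CORP\Support";

    protected void Page_Load(object sender, EventArgs e)
    {
        // LOGON_USER is filled in by IIS once it has authenticated the
        // request and is empty for anonymous requests. Environment.UserName
        // would return the account the worker process runs as instead.
        string logonUser = Request.ServerVariables["LOGON_USER"];

        if (!string.IsNullOrEmpty(logonUser) && IsStaff(Request.LogonUserIdentity))
        {
            // Issue a session-only forms ticket named DOMAIN\user, so the rest
            // of the site needs only its forms-authentication checks.
            FormsAuthentication.RedirectFromLoginPage(logonUser, false);
            return;
        }

        // Not a recognised staff account: fall back to the password form and
        // carry the originally requested page along.
        string returnUrl = HttpUtility.UrlEncode(Request.QueryString["ReturnUrl"] ?? "");
        Response.Redirect("WebLogin.aspx?ReturnUrl=" + returnUrl, true);
    }

    // Group membership comes from the Windows token IIS attached to the
    // request, not from anything the browser sends in a header or form field.
    private static bool IsStaff(WindowsIdentity identity)
    {
        return identity != null && new WindowsPrincipal(identity).IsInRole(StaffGroup);
    }
}
```

Because the forms ticket carries the `DOMAIN\user` name, per-user authorization for staff does not have to rely on the client's IP address.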
