• Status: Solved

Bypass the Windows Logon Screen with My Own

We have a number of customers accessing our private website, and we keep getting calls because they cannot remember to enter the domain name in front of their username (Domain\Username). Anonymous access is not an option. How can I collect the login information myself and pass it to Windows?

I also have the problem that some pages pull data from a different server, and that prompts the user for login credentials. Ideally I'd like to log the user into all required servers at once.

I have tried searching for an answer, but I am really not sure what I am looking for. Therefore, 500 points for setting me in the right direction.
1 Solution
 
raterusCommented:
This is very possible, but if you're looking for a quick fix I'm probably just bringing bad news...

First, you'll have to use forms authentication for your site: they'll enter their login details, and you will authenticate against Active Directory to see whether they are a valid user or not. This isn't too bad. Described here: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/sds/sds/active_directory_authentication_from_asp__net.asp

The not-so-pretty part is when you have to use these credentials to connect to an external resource (like connecting to SQL Server using their credentials, writing a file, etc.). You will have to "impersonate a specific user in code", demonstrated in this article: http://support.microsoft.com/default.aspx?scid=kb;en-us;306158

Shared logins between two servers aren't a problem; there is configuration you will need to use for that too, using forms authentication.
http://winfx.msdn.microsoft.com/library/default.asp?url=/library/en-us/dv_aspnetcon/html/99e2f9e8-5b97-4a4d-a4ed-5f93276053b7.asp

Hope this gets you started,
--Michael

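
The three pieces of the answer above (a forms-authentication login page, validating the entered password against Active Directory, and the shared-cookie configuration for a second server) put together in one ASP.NET code-behind. This is an added illustration for readers of the thread, not code posted by raterus or taken from the linked articles; the domain name, LDAP path, control names and the web.config fragment in the header comment are assumptions. It also adds the one thing the original question actually asked for: supplying the DOMAIN\ prefix when the customer forgets it.

```csharp
// Login.aspx.cs: forms-authentication login page that validates the entered
// password against Active Directory and then issues the normal ASP.NET forms
// ticket. Added illustration, not code from the thread.
//
// Assumed web.config (all names here are assumptions):
//   <authentication mode="Forms">
//     <forms name=".CUSTOMERAUTH" loginUrl="Login.aspx" protection="All" timeout="30" />
//   </authentication>
//   <authorization><deny users="?" /></authorization>
//   <!-- Must be identical on every server that should accept the same
//        cookie (the "shared logins" case above); the cookie name must match too. -->
//   <machineKey validationKey="..." decryptionKey="..." validation="SHA1" />
using System;
using System.DirectoryServices;
using System.Runtime.InteropServices;
using System.Web.Security;
using System.Web.UI;

public partial class Login : Page
{
    // Assumed values: the customers' NetBIOS domain and a reachable domain controller.
    const string DefaultDomain = "CORP";
    const string LdapPath = "LDAP://dc01.corp.example.com";

    // Customers keep forgetting "DOMAIN\": accept a bare name and add it for them,
    // but let an explicit DOMAIN\user or user@domain through unchanged.
    static string Qualify(string userName)
    {
        userName = userName.Trim();
        if (userName.IndexOf('\\') >= 0 || userName.IndexOf('@') >= 0)
            return userName;
        return DefaultDomain + "\\" + userName;
    }

    // Validate by binding to the directory *as the user*. An empty password can
    // turn into an anonymous bind on some directories and look like success,
    // so it is rejected before anything reaches AD.
    static bool ValidateAgainstAd(string qualifiedUser, string password)
    {
        if (string.IsNullOrEmpty(password))
            return false;
        try
        {
            using (DirectoryEntry entry = new DirectoryEntry(
                       LdapPath, qualifiedUser, password, AuthenticationTypes.Secure))
            {
                // Touching NativeObject forces the bind; a bad password throws.
                object bound = entry.NativeObject;
                return bound != null;
            }
        }
        catch (COMException)
        {
            return false;   // wrong password, disabled/expired account, DC unreachable, ...
        }
    }

    // Assumed page controls: UserNameBox, PasswordBox (TextBox), ErrorLabel (Label).
    protected void LoginButton_Click(object sender, EventArgs e)
    {
        string user = Qualify(UserNameBox.Text);
        if (ValidateAgainstAd(user, PasswordBox.Text))
        {
            // Issues the forms cookie and returns the user to the page they wanted.
            FormsAuthentication.RedirectFromLoginPage(user, false);
        }
        else
        {
            // One generic message: do not reveal whether the account exists.
            ErrorLabel.Text = "Login failed. Check your username and password.";
        }
    }
}
```

The forms cookie only proves to ASP.NET that the user logged in; it does not carry a Windows token, so any page that must reach SQL Server or a file share as that customer still needs the impersonation step from the KB article.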
jawhitmoyerAuthor Commented:
Thanks!!! Like I wrote, I didn't know where to start (but I knew it had to be possible).
ihenryCommented:
Unfortunately, implementing Active Directory authentication yourself isn't as simple as described in the article. There are more things to check than just validating the user name and password: account expiry, password expiry, password history, "user must change password", etc., not to mention other security issues like what Michael has pointed out, and there will be more ugly error messages to be seen for sure. You can ignore those issues unless you do need to know what might cause authentication to fail.

Is your AD running on Windows 2000 or 2003?
jawhitmoyerAuthor Commented:
Sadly, still on 2000.

I pretty much don't care about that other stuff, as we just delete old users from AD. As long as they show up, we're good to go.
ihenryCommented:
>> I pretty much don't care about that other stuff..
Just want to be a little clearer: when you authenticate a user account that violates any of these options (account/password expiry, password history, etc.), you would see some obscure error messages that don't exactly tell you the nature of the error. So I presume you don't need to tell your users what causes their authentication to fail, or even provide a form to let them change their password if it has expired.

If your web server is also running on Win2K, that means that to get impersonation to work at a certain level, your code needs to run under a user account with higher privilege (it actually needs quite a lot of permission rights). And since this user account is impersonating external users who access your private website from outside, it might open an attack surface. So just make sure you're aware of all these security issues.
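
The impersonation step from the KB article, written out with the two caveats raised in this thread handled: the Win32 logon failure codes are mapped to readable reasons (so "password expired" or "account locked out" no longer arrives as an obscure message), and the token is always closed and the ASP.NET identity always restored. Added illustration, not code from the thread or from the KB article; the domain, user and work delegate are assumptions.

```csharp
// Impersonating the authenticated customer for one call (a query against the
// second server, a file write) and naming the reason when the logon fails.
// Added illustration, not code from the thread.
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Security.Principal;

public static class CustomerImpersonation
{
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string user, string domain, string password,
                                 int logonType, int logonProvider, out IntPtr token);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr handle);

    // LOGON32_LOGON_NETWORK (3) gives a token usable for local resources only.
    // LOGON32_LOGON_NETWORK_CLEARTEXT (8) keeps the credentials in the token so
    // the impersonating thread can also authenticate to *other* servers, which
    // is the "pages pull data from a different server" case in the question.
    const int LOGON32_LOGON_NETWORK = 3;
    const int LOGON32_LOGON_NETWORK_CLEARTEXT = 8;
    const int LOGON32_PROVIDER_DEFAULT = 0;

    // Caveat from the thread: on Windows 2000 the process calling LogonUser needs
    // the "Act as part of the operating system" right (SeTcbPrivilege); on
    // Windows Server 2003 it does not.

    public delegate void Work();

    // Win32 codes LogonUser reports through GetLastError, turned into the
    // specific reason the thread says you otherwise never get to see.
    public static string DescribeLogonError(int code)
    {
        switch (code)
        {
            case 1326: return "bad username or password";            // ERROR_LOGON_FAILURE
            case 1327: return "account restriction";                 // ERROR_ACCOUNT_RESTRICTION
            case 1328: return "outside permitted logon hours";       // ERROR_INVALID_LOGON_HOURS
            case 1330: return "password expired";                    // ERROR_PASSWORD_EXPIRED
            case 1331: return "account disabled";                    // ERROR_ACCOUNT_DISABLED
            case 1793: return "account expired";                     // ERROR_ACCOUNT_EXPIRED
            case 1907: return "user must change password";           // ERROR_PASSWORD_MUST_CHANGE
            case 1909: return "account locked out";                  // ERROR_ACCOUNT_LOCKED_OUT
            default:   return new Win32Exception(code).Message;
        }
    }

    // Runs 'work' as DOMAIN\user. The token handle is closed and the original
    // ASP.NET identity restored on every path, including when work() throws.
    public static void RunAs(string domain, string user, string password, Work work)
    {
        IntPtr token;
        if (!LogonUser(user, domain, password,
                       LOGON32_LOGON_NETWORK_CLEARTEXT, LOGON32_PROVIDER_DEFAULT, out token))
        {
            int err = Marshal.GetLastWin32Error();
            // Log the specific reason for the administrator; show the customer
            // only a generic failure.
            throw new InvalidOperationException("Logon failed: " + DescribeLogonError(err));
        }
        try
        {
            using (WindowsImpersonationContext ctx = new WindowsIdentity(token).Impersonate())
            {
                work();   // e.g. open a SqlConnection with Integrated Security=SSPI
            }             // Dispose() undoes the impersonation
        }
        finally
        {
            CloseHandle(token);
        }
    }
}

// Assumed usage from a page, with the credentials collected by the login form:
//   CustomerImpersonation.RunAs("CORP", "jsmith", password,
//       delegate { /* query the second server here */ });
```

Because LOGON32_LOGON_NETWORK_CLEARTEXT keeps the cleartext credentials inside the token, keep the impersonated region as small as the one call that needs it, and prefer LOGON32_LOGON_NETWORK wherever the page only touches resources on the web server itself.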
jawhitmoyerAuthor Commented:
The webserver is 2003 (Sharepoint Portal Server). All of my users are set to No Expire, Cannot Change.

I will start testing to see if this something we should implement.

I posted my other question, and I am anxiously awaiting your reply. Here's the link:

http://www.experts-exchange.com/Programming/Programming_Languages/Dot_Net/VB_DOT_NET/Q_21401461.html

Thanks,
Jim
jawhitmoyerAuthor Commented:
For anyone who stumbles across this issue, my desire to do forms authentication is not possible with Sharepoint Server. Oh well.
jawhitmoyerAuthor Commented:
Sorry about that. I meant to clear this one out, but I have been swamped.

Thanks,
Jim