Winsmarts.com


Authenticate (forms based) against an NT Domain in ASP.NET - Without using Kerberos!!

.. because the active directory authentication provider in .NET 2.0 is too picky about the rights it needs !!

Posted on 7/4/2006 @ 6:31 PM in #Vanilla .NET | 2 comments | 1294 views

Okay, I'm not talking about turning off the Anonymous user (IUSR_<<MachineName>>) and giving rights to a specific user on the directory.

I am talking about giving the user two text boxes, one for username and one for password, and authenticating them against a known domain (which you could accept as a text box too), somewhat like in a forms-based environment. Here is a console app; the code is easily copy-pasteable into ASP.NET.

using System;
using System.Collections.Generic;
using System.Text;
using System.Runtime.InteropServices;

namespace NetworkAuth
{
    class Program
    {
        // P/Invoke into advapi32: validates the credentials against the domain
        // and, on success, returns a primary token for that user in phToken.
        [DllImport("advapi32.dll", SetLastError = true)]
        public static extern bool LogonUser(
            string lpszUsername,
            string lpszDomain,
            string lpszPassword,
            int dwLogonType,
            int dwLogonProvider,
            out IntPtr phToken
            );

        // The token LogonUser hands back is a kernel handle and must be closed,
        // otherwise every login leaks a handle in the calling process.
        [DllImport("kernel32.dll", SetLastError = true)]
        public static extern bool CloseHandle(IntPtr hObject);

        public enum LogonType : int
        {
            LOGON32_LOGON_INTERACTIVE = 2,
            LOGON32_LOGON_NETWORK = 3,
            LOGON32_LOGON_BATCH = 4,
            LOGON32_LOGON_SERVICE = 5,
            LOGON32_LOGON_UNLOCK = 7,
            LOGON32_LOGON_NETWORK_CLEARTEXT = 8,
            LOGON32_LOGON_NEW_CREDENTIALS = 9
        }

        const int LOGON32_PROVIDER_DEFAULT = 0;

        static void Main(string[] args)
        {
            IntPtr hToken;
            string username;
            string password;
            Console.Write("Enter your username without domain (example smalik):");
            username = Console.ReadLine();
            Console.Write(
               "\nEnter your password (btw password will be shown as cleartext, so make sure no one is looking):");
            password = Console.ReadLine();
            if (LogonUser(username,
                 "domainAsString", password,   // replace with the name of the domain to authenticate against
                 (int)LogonType.LOGON32_LOGON_INTERACTIVE, LOGON32_PROVIDER_DEFAULT, out hToken))
            {
                Console.WriteLine("Success");
                CloseHandle(hToken);   // release the logon token once you are done with it
            }
            else
            {
                // SetLastError = true makes the Win32 error code available,
                // e.g. 1326 (ERROR_LOGON_FAILURE) for a bad user name or password.
                Console.WriteLine("Failure, Win32 error " + Marshal.GetLastWin32Error());
            }
            Console.Read();
        }
    }
}

You can also use hToken to impersonate the remote browser user (switching the current WindowsIdentity) so that a resource is accessed with that user's credentials :-). Can anyone say "Integrated Authentication with SQL Server without using Kerberos" ;-).
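The two uses described above (validating a username/password pair from a forms login, and impersonating the user with the resulting token) wrapped into one helper, as an added example that is not code from the original post. The helper class, the page name Login.aspx and its control names (txtDomain, txtUser, txtPassword, lblError, btnLogin) are assumptions. It uses LOGON32_LOGON_NETWORK for plain validation, which does not require the "Allow log on locally" right on the web server, and LOGON32_LOGON_NETWORK_CLEARTEXT only where the impersonated context must itself authenticate to another server such as SQL Server, because that logon type keeps the credentials in the authentication package. Every token is closed in a finally block, and the browser only ever sees a generic failure message while the Win32 error code goes to the server-side trace log.

```csharp
using System;
using System.Runtime.InteropServices;
using System.Security.Principal;
using System.Web.Security;

namespace NetworkAuth
{
    // Hypothetical helper around LogonUser/CloseHandle (not the blog's code).
    public static class DomainLogon
    {
        const int LOGON32_LOGON_NETWORK = 3;           // validate only, token is discarded
        const int LOGON32_LOGON_NETWORK_CLEARTEXT = 8; // token can authenticate to remote servers
        const int LOGON32_PROVIDER_DEFAULT = 0;

        [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
        static extern bool LogonUser(string lpszUsername, string lpszDomain, string lpszPassword,
                                     int dwLogonType, int dwLogonProvider, out IntPtr phToken);

        [DllImport("kernel32.dll", SetLastError = true)]
        static extern bool CloseHandle(IntPtr hObject);

        // Returns 0 on success, otherwise the Win32 error code (e.g. 1326 = bad user name or password).
        // The token is closed immediately; a forms login only needs the yes/no answer.
        public static int ValidateCredentials(string domain, string username, string password)
        {
            IntPtr token;
            if (!LogonUser(username, domain, password,
                           LOGON32_LOGON_NETWORK, LOGON32_PROVIDER_DEFAULT, out token))
                return Marshal.GetLastWin32Error();
            CloseHandle(token);
            return 0;
        }

        // Runs action while impersonating the user, e.g. to open a SqlConnection with
        // Integrated Security. Impersonation is undone when the context is disposed and
        // the token is closed in finally, so a throwing action cannot leave the thread
        // running as the browser user.
        public static bool RunAs(string domain, string username, string password, Action action)
        {
            IntPtr token;
            if (!LogonUser(username, domain, password,
                           LOGON32_LOGON_NETWORK_CLEARTEXT, LOGON32_PROVIDER_DEFAULT, out token))
                return false;
            try
            {
                using (WindowsImpersonationContext ctx = WindowsIdentity.Impersonate(token))
                {
                    action();
                }
                return true;
            }
            finally
            {
                CloseHandle(token);
            }
        }
    }

    // Hypothetical code-behind for Login.aspx with txtDomain, txtUser, txtPassword,
    // lblError and a btnLogin button; <authentication mode="Forms"> is assumed in web.config.
    public partial class Login : System.Web.UI.Page
    {
        protected void btnLogin_Click(object sender, EventArgs e)
        {
            // The password travels to the web server in the POST body, so refuse plain HTTP.
            if (!Request.IsSecureConnection)
            {
                lblError.Text = "This page must be used over https.";
                return;
            }

            int err = DomainLogon.ValidateCredentials(txtDomain.Text, txtUser.Text, txtPassword.Text);
            if (err == 0)
            {
                // Issue the forms-auth ticket; no Windows token is kept around after this point.
                FormsAuthentication.RedirectFromLoginPage(txtDomain.Text + "\\" + txtUser.Text, false);
            }
            else
            {
                // Same message for wrong password, locked account and unknown user;
                // the specific code is only written to the server-side trace.
                lblError.Text = "Login failed.";
                System.Diagnostics.Trace.TraceWarning(
                    "LogonUser failed for {0}\\{1}: Win32 error {2}", txtDomain.Text, txtUser.Text, err);
            }
        }
    }
}
```

Note that every call to ValidateCredentials counts as a logon attempt against the domain, so repeated failures from a web form will trip the domain's account lockout policy exactly as failed console logons would; the server-side trace line above is what lets you correlate such lockouts with the web tier.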

For the security-minded among you, I know you are dying to let this out (like gas on a first date), so let me say it before you pull your hair out in angst and frustration: since this doesn't use Kerberos tickets, it is technically not as secure as Kerberos, and the easy way to get around that is secure HTTP (https). That way, it's "secure enough" ;-).


On 7/4/2006 8:08:57 PM John Wood said ..

I don't get when you'd use this though. In an Internet scenario I can't imagine you'd have an NT account for every user on the site. In an intranet scenario, why not just use windows integrated authentication and have it dealt with securely and transparently?


On 7/4/2006 8:21:50 PM Sahil Malik said ..

John -

You'd use this when you need something "done" without bothering the infrastructure monkeys. I'm sure you've run into that :), it usually happens in big organizations. If you try getting the in-built ADAM working, you need special rights on the network, which of course the infrastructure monkeys will ask a gazillion questions about before letting you have that access. They may or may not understand what you're trying to get done, but they hold the keys to the kingdom, or so they think ;).

SM


Site designed and maintained by Sahil Malik | All Rights Reserved. ©2007 WinSmarts.com.