Authenticate (forms based) against an NT Domain in ASP.NET - Without using Kerberos!!

Posted on 7/4/2006 @ 6:31 PM in #Vanilla .NET

Okay, I'm not talking about turning off the Anonymous user (IUSR_<<MachineName>>) and giving rights to a specific user on the directory.

I am talking about giving the user two text boxes, one for username and one for password, and authenticating them against a known domain (which you could accept as a text box too), much like forms-based authentication. Here is a console app below, but the code is easily copy-paste-able into ASP.NET.

using System;
using System.Collections.Generic;
using System.Text;
using System.Runtime.InteropServices;

namespace NetworkAuth
{
    class Program
    {
        // Win32 LogonUser: validates the credentials against the domain and hands back a token.
        // CharSet.Unicode so non-ASCII passwords are marshalled correctly.
        [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
        public static extern bool LogonUser(
            string lpszUsername,
            string lpszDomain,
            string lpszPassword,
            int dwLogonType,
            int dwLogonProvider,
            out IntPtr phToken
            );

        // The token is a kernel handle; close it, or every login attempt leaks one.
        [DllImport("kernel32.dll", SetLastError = true)]
        public static extern bool CloseHandle(IntPtr hObject);

        public enum LogonType : int
        {
            LOGON32_LOGON_INTERACTIVE = 2,
            LOGON32_LOGON_NETWORK = 3,
            LOGON32_LOGON_BATCH = 4,
            LOGON32_LOGON_SERVICE = 5,
            LOGON32_LOGON_UNLOCK = 7,
            LOGON32_LOGON_NETWORK_CLEARTEXT = 8,
            LOGON32_LOGON_NEW_CREDENTIALS = 9
        }

        const int LOGON32_PROVIDER_DEFAULT = 0;

        static void Main(string[] args)
        {
            IntPtr hToken;
            string username;
            string password;
            Console.Write("Enter your username without domain (example smalik):");
            username = Console.ReadLine();
            Console.Write(
               "\nEnter your password (btw password will be shown as cleartext, so make sure no one is looking):");
            password = Console.ReadLine();
            // Replace "domainAsString" with your NT domain (or read it from a third text box).
            if (LogonUser(username,
                 "domainAsString", password,
                 (int)LogonType.LOGON32_LOGON_INTERACTIVE, LOGON32_PROVIDER_DEFAULT, out hToken))
            {
                Console.WriteLine("Success");
                CloseHandle(hToken);
            }
            else
            {
                // Marshal.GetLastWin32Error() tells you why (bad password, locked out, no logon right, ...).
                Console.WriteLine("Failure");
            }
            Console.Read();
        }
    }
}

You can also use the hToken to impersonate that user (switch the currently running WindowsIdentity) and access a resource using the remote browser user's credentials :-). Can anyone say "Integrated Authentication with SQL Server without using Kerberos" ;-).

For the security minded of you, I know you are dying to let this out (like gas when on a first date), so let me speak it before you pull your hair in angst and frustration - I must point out that since this doesn't use Kerberos tickets, it is technically not as secure as Kerberos, and the easy way to get around that is secure http (https). That way, it's "secure enough" ;-).
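As an added example (not code from the original post), here is the same LogonUser call packaged the way you would drop it into an ASP.NET login page: a credential check that closes the token immediately, and an impersonation helper that always undoes the impersonation so the worker thread does not carry the user's identity into the next request. It assumes .NET Framework on Windows (WindowsIdentity.Impersonate is a .NET Framework API); the names DomainLogon, Validate, RunAs, txtUser, txtPassword, lblError and the domain CORP are made up for this example.

```csharp
// Added example, not from the original post. Assumes .NET Framework on Windows.
// DomainLogon, Validate and RunAs are made-up names; LogonUser, CloseHandle and
// WindowsIdentity.Impersonate are the real Win32 / .NET APIs.
using System;
using System.Runtime.InteropServices;
using System.Security.Principal;

public static class DomainLogon
{
    // Same values as the enum in the post. NETWORK only checks the password and yields a
    // token good for local impersonation; INTERACTIVE (what the post uses) also caches the
    // credentials so the token can reach a remote SQL Server or file share, but the account
    // then needs the "Allow log on locally" right on the web server.
    public const int LOGON32_LOGON_INTERACTIVE = 2;
    public const int LOGON32_LOGON_NETWORK = 3;
    private const int LOGON32_PROVIDER_DEFAULT = 0;

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    private static extern bool LogonUser(string lpszUsername, string lpszDomain,
        string lpszPassword, int dwLogonType, int dwLogonProvider, out IntPtr phToken);

    [DllImport("kernel32.dll", SetLastError = true)]
    private static extern bool CloseHandle(IntPtr hObject);

    // Answers "does the domain accept this username/password?" and nothing more.
    // The token is closed right away, so nothing from the logon outlives the call.
    public static bool Validate(string domain, string user, string password)
    {
        IntPtr token;
        if (!LogonUser(user, domain, password, LOGON32_LOGON_NETWORK,
                       LOGON32_PROVIDER_DEFAULT, out token))
        {
            // Win32 error 1326 = bad user or password, 1909 = account locked out.
            // Log the reason on the server; the browser only gets a generic "login failed".
            int reason = Marshal.GetLastWin32Error();
            System.Diagnostics.Trace.TraceWarning(
                "LogonUser failed for {0}\\{1}: error {2}", domain, user, reason);
            return false;
        }
        CloseHandle(token);
        return true;
    }

    // The "switch the running WindowsIdentity" step from the post: runs 'work' as the
    // remote user, then always undoes the impersonation and closes the token, even if
    // 'work' throws, so the ASP.NET thread is back to its own identity afterwards.
    public static bool RunAs(string domain, string user, string password,
                             int logonType, Action work)
    {
        IntPtr token;
        if (!LogonUser(user, domain, password, logonType, LOGON32_PROVIDER_DEFAULT, out token))
            return false;
        try
        {
            WindowsImpersonationContext ctx = WindowsIdentity.Impersonate(token);
            try
            {
                work();
            }
            finally
            {
                ctx.Undo();
            }
        }
        finally
        {
            CloseHandle(token);
        }
        return true;
    }
}

// From a login page's button handler (txtUser, txtPassword, lblError are made-up control names):
//
//   if (DomainLogon.Validate("CORP", txtUser.Text, txtPassword.Text))
//       FormsAuthentication.RedirectFromLoginPage(txtUser.Text, false);
//   else
//       lblError.Text = "Login failed.";
//
// Serve the login page over HTTPS only: LogonUser needs the cleartext password, and over
// plain HTTP so does anyone on the wire.
```

Use Validate for the login form itself and RunAs only for the specific request that has to touch a resource as the user; with LOGON32_LOGON_NETWORK the token cannot be used for a second hop to another machine, which is why RunAs takes the logon type as a parameter rather than hard-coding the least-privileged one.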

Older comments..


On 7/4/2006 8:08:57 PM John Wood said ..
I don't get when you'd use this though. In an Internet scenario I can't imagine you'd have an NT account for every user on the site. In an intranet scenario, why not just use windows integrated authentication and have it dealt with securely and transparently?


On 7/4/2006 8:21:50 PM Sahil Malik said ..
John -

You'd use this when you need something "done" without bothering the infrastructure monkeys. I'm sure you've run into that :). It usually happens in big organizations. If you try getting the in-built ADAM working, you need special rights on the network - which of course the infrastructure monkeys will ask a gazillion questions about before letting you have that access. They may or may not understand what you're trying to get done, but they hold the keys to the kingdom, or so they think ;).

SM


On 12/2/2008 9:44:51 AM Neal said ..
You would also use this if you're authenticating against AD and regular users just *don't* get having to prefix the domain before their username (as in DOMAIN\username) -- since there are some scenarios where setting the default domain within IIS doesn't do that trick either.


On 10/15/2009 4:54:40 PM auck said ..
will this method allow you to have a webpage with Login, Password, Submit similar to the Forms based authentication. im having issues getting local file shares to search with non windows accounts. looks like it will only search if your sharepoint Web Application is set up to authenticate via Windows. your method sounds like it may work for this scenario. i need it to not pop up the basic authentication or integrated windows prompt. i want it to use a webpage. can you please provide more details on how to set this up. just to let you know, im very basic when it comes to .NET.