ASP.net & Win32 API (LogonUser) question...

R

Rich

I am running IIS6 on a Win2k3 server.

I have an ASP.Net app (C#) that a user logs into and then I use
LogonUser to validate them and log them onto the server. I have
Windows Authentication ONLY checked on the site in IIS.

My problem is that eventhough I am using LogonUser to log on to the
server as the user, I am still getting the Windows Authentication
Challenge (login window).

There are groups/users setup on the server for this app, so I don't
want to turn windows auth off because I am afraid my LogonUser usage
is only seeing if they have access to the server not to that
particular file.

Am I missing something? I was hoping LogonUser would act as if the
user had entered their own info into the windows challenge login
window.

I plan use forms auth to keep track of session later on, so right now
I have my web.config setup as:
<authentication mode="Forms">
<forms name="frmLogin" loginUrl="login.aspx"></forms>
</authentication>
<identity impersonate="True"/>

Here is most of my C# code:
[DllImport("advapi32.dll", CharSet=CharSet.Auto)]
public static extern int LogonUser(String lpszUserName,
String lpszDomain,
String lpszPassword,
int dwLogonType,
int dwLogonProvider,
ref IntPtr phToken);

[DllImport("ADVAPI32.DLL")]
public static extern int RevertToSelf();

[DllImport("ADVAPI32.DLL")]
public static extern int ImpersonateLoggedOnUser(IntPtr phToken);
IntPtr tok = IntPtr.Zero;

private void btnLogin_Click(object sender, System.EventArgs e)
{
if(impersonateValidUser (txtUser.Text
, "cgi.securenet01.com",
txtPassword.Text))
{ Response.Redirect("reportLogin.aspx");
undoImpersonation();
}
else { lblError.Text="Login Failed"; }
}
public void undoImpersonation()
{ RevertToSelf(); }
public Boolean impersonateValidUser(String name
, String domain, String
passwd)
{
const int LOGON32_LOGON_INTERACTIVE = 2;
const int LOGON32_PROVIDER_DEFAULT = 0;
int result = LogonUser(name, domain, passwd,
LOGON32_LOGON_INTERACTIVE,
LOGON32_PROVIDER_DEFAULT,
ref tok);
if(result!= 0)
{ int result1 = ImpersonateLoggedOnUser(tok);
if(result1 != 0) { return true; }
else { return false; }
}
else { return false; }
}

Any help is appreciated....
 
S

Scott Allen

Hi Rich:

I'm a little confused. You want to use Windows authentication but you
have the web.config setup for Forms authentication? Forms auth will
always force the browser to prompt the user to login. This setting in
web.config will trump the IIS setting.

I think you want to change the web.config to Windows authentication
only and deny anonymous access. Once you do this there is no need to
use LogonUser, you can have the impersonate="True" in the web config
and the request will access local resources using the client's
identity. If the client is not in a group allowed to see a particular
file the server will deny authorization.

Tracking the user's session is a different issue and independent of
how the app authenticates and authorizes the user. You can still have
session state without forms authentication.

Making sense?

--
Scott
http://www.OdeToCode.com/blogs/scott/

I am running IIS6 on a Win2k3 server.

I have an ASP.Net app (C#) that a user logs into and then I use
LogonUser to validate them and log them onto the server. I have
Windows Authentication ONLY checked on the site in IIS.

My problem is that eventhough I am using LogonUser to log on to the
server as the user, I am still getting the Windows Authentication
Challenge (login window).

There are groups/users setup on the server for this app, so I don't
want to turn windows auth off because I am afraid my LogonUser usage
is only seeing if they have access to the server not to that
particular file.

Am I missing something? I was hoping LogonUser would act as if the
user had entered their own info into the windows challenge login
window.

I plan use forms auth to keep track of session later on, so right now
I have my web.config setup as:
<authentication mode="Forms">
<forms name="frmLogin" loginUrl="login.aspx"></forms>
</authentication>
<identity impersonate="True"/>

Here is most of my C# code:
[DllImport("advapi32.dll", CharSet=CharSet.Auto)]
public static extern int LogonUser(String lpszUserName,
String lpszDomain,
String lpszPassword,
int dwLogonType,
int dwLogonProvider,
ref IntPtr phToken);

[DllImport("ADVAPI32.DLL")]
public static extern int RevertToSelf();

[DllImport("ADVAPI32.DLL")]
public static extern int ImpersonateLoggedOnUser(IntPtr phToken);
IntPtr tok = IntPtr.Zero;

private void btnLogin_Click(object sender, System.EventArgs e)
{
if(impersonateValidUser (txtUser.Text
, "cgi.securenet01.com",
txtPassword.Text))
{ Response.Redirect("reportLogin.aspx");
undoImpersonation();
}
else { lblError.Text="Login Failed"; }
}
public void undoImpersonation()
{ RevertToSelf(); }
public Boolean impersonateValidUser(String name
, String domain, String
passwd)
{
const int LOGON32_LOGON_INTERACTIVE = 2;
const int LOGON32_PROVIDER_DEFAULT = 0;
int result = LogonUser(name, domain, passwd,
LOGON32_LOGON_INTERACTIVE,
LOGON32_PROVIDER_DEFAULT,
ref tok);
if(result!= 0)
{ int result1 = ImpersonateLoggedOnUser(tok);
if(result1 != 0) { return true; }
else { return false; }
}
else { return false; }
}

Any help is appreciated....
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Top