Authentication question

[Nikolay Petrov]

Can I authenticate users of my ASP .NET apps, using their windows
credentials, but using a SQL db.
Let me explain a little more.
I have an Windows XP station where i run my ASP .NET apps. I wish users to
authenticate them using their current windows usernames and passwords.
I have stored my users login names and passwords in SQL database, because I
don't wish store an account for every user in my network at my XP machine.
So is it posible to pass windows credential for verification against SQL
database? Or maybe the right question is, can I extract the username and
password as clear text from the passed credentials.
I am not quite shure are there any possibilities.

TIA

 

[Cirrosi]

You cannot extract the password.
For extract username you must enable ONLY windows autentication from iis en
obtain username from HttpContext.current.user.identity.name.

 

[Nikolay Petrov]

That's what I thought, but wan's quite sure.
Thanks

 

[Nikolay Petrov]

Second question.
When a user connects to my ASP .NET app and provides it Windows credentials
the authentication will fail, because my machine does not know anything
about it's username and password, right?
That is the point that I need to authenticato to SQL database, not to
Windows account. Any ideas how to accomplish this?

 

[Ken Tucker [MVP]]

Hi,

You can get the user name from the windowsidentity class.
http://msdn.microsoft.com/library/d...ityprincipalwindowsidentityclassnametopic.asp

http://msdn.microsoft.com/library/d...tml/cpconthewindowsauthenticationprovider.asp

Ken
-----------------------
Can I authenticate users of my ASP .NET apps, using their windows
credentials, but using a SQL db.
Let me explain a little more.
I have an Windows XP station where i run my ASP .NET apps. I wish users to
authenticate them using their current windows usernames and passwords.
I have stored my users login names and passwords in SQL database, because I
don't wish store an account for every user in my network at my XP machine.
So is it posible to pass windows credential for verification against SQL
database? Or maybe the right question is, can I extract the username and
password as clear text from the passed credentials.
I am not quite shure are there any possibilities.

TIA

 

[David Wang [Msft]]

I have an Windows XP station where i run my ASP .NET apps. I wish users

to authenticate them using their current windows usernames and passwords.
I have stored my users login names and passwords in SQL database, because
I don't wish store an account for every user in my network at my XP

machine.

Turn on Integrated Windows Authentication on the web server running ASP.NET
applications. Users will automatically authenticate using their current
windows usernames/passwords, and your ASP.NET application will run with that
credential.

I do not know why you store user login names/passwords in a separate SQL
database that can be out-of-sync with the actual remote user's
name/password.

If you want to use custom authentication where you store username/password
in your own user database, then that has nothing to with windows
username/password because the browser won't understand your custom
authentication scheme. You will have to cook up your own mechanism (why not
use ASP.NET Forms Authentication ??? ).

--
//David
IIS
This posting is provided "AS IS" with no warranties, and confers no rights.
//
Can I authenticate users of my ASP .NET apps, using their windows
credentials, but using a SQL db.
Let me explain a little more.
I have an Windows XP station where i run my ASP .NET apps. I wish users to
authenticate them using their current windows usernames and passwords.
I have stored my users login names and passwords in SQL database, because I
don't wish store an account for every user in my network at my XP machine.
So is it posible to pass windows credential for verification against SQL
database? Or maybe the right question is, can I extract the username and
password as clear text from the passed credentials.
I am not quite shure are there any possibilities.

TIA

 

[richlm]

Need more information about your infrastructure to provide a sensible
answer. Here are some 'leading' questions to make sure we're on the same
track:
- are you looking for single-sign-on?
- when you are talking windows credentials does that imply AD & domain user
accounts - or is this network a workgroup with just local machine accounts?

Also a couple of pointers/ideas:
- Generally you don't store passwords - you only ever store a hash of the
password. After the hash of the password is verified, the password itself is
discarded.
If you do store passwords this is a BIG security risk.
- Have you considerd ADAM (Active Directory Application Mode) as a possible
alternative to SQL server?
see
http://www.microsoft.com/downloads/...B9-1034-4EF6-A3E5-2A2A57B5C8E4&displaylang=en

 

[MP]

Thank you,
We have no intention of using a single logon to our application. We are
aiming at domain accounts, AD.

So far I can prompt the user to enter a user id, domain name and
password. The I validate these using LogonUser and then
I start our application using the user's information, the application is
started under the user's identity.... like runas will do.

This works fine, but now we have 2 clients, one that uses smart-cards
and the other one that uses a fingerprint reader to authenticate the users
at logon. Is there a standard API I can use? or will I have to write a
custom module for each client?

Thank you!