Basic authentication without browser login window

[Diego Embon \(personal mail\)]

Hello,

I have a problem with basic windows authentication in IIS6. As a developer
I'm requested to implement windows authentication on my web application
(asp.net), but to avoid the browser login window. I have all the users in
Active Directory and this is not an intranet system. I've tried a few
techniques to achieve my goal:

1. ISAPI filter is the most flexible option, but I'm looking for something
simpler.
2. Impersonation fails in maintaining the credentials between different
requests. I can impersonate to the user using the token return by the logon
function, but when redirecting to the next page, the user credentials are
not kept.
3. I tried using [url]http://username:passowrd@server/site/page.ext[/url]. This works
fine (secured only when implementing SSL) but Microsoft is dropping this
method, and IE6 does not support it in its new versions (support can be
activated by a key in the registry but I have no access to the clients
stations).

After I logon to AD using the user credentials entered in my custom asp.net
login form, I have the user's token. The only missing part is how to pass
this token to the browser token cache.

Does anyone have any suggestion?

Thanks!

Diego.

[Paul Clement]

On Tue, 5 Oct 2004 23:42:42 +0200, "Diego Embon \(personal mail\)" <embon@bezeqint.net> wrote:

¤ Hello,
¤
¤ I have a problem with basic windows authentication in IIS6. As a developer
¤ I'm requested to implement windows authentication on my web application
¤ (asp.net), but to avoid the browser login window. I have all the users in
¤ Active Directory and this is not an intranet system. I've tried a few
¤ techniques to achieve my goal:
¤
¤ 1. ISAPI filter is the most flexible option, but I'm looking for something
¤ simpler.
¤ 2. Impersonation fails in maintaining the credentials between different
¤ requests. I can impersonate to the user using the token return by the logon
¤ function, but when redirecting to the next page, the user credentials are
¤ not kept.
¤ 3. I tried using [url]http://username:passowrd@server/site/page.ext[/url]. This works
¤ fine (secured only when implementing SSL) but Microsoft is dropping this
¤ method, and IE6 does not support it in its new versions (support can be
¤ activated by a key in the registry but I have no access to the clients
¤ stations).
¤
¤ After I logon to AD using the user credentials entered in my custom asp.net
¤ login form, I have the user's token. The only missing part is how to pass
¤ this token to the browser token cache.
¤
¤ Does anyone have any suggestion?
¤

Have you looked at Forms Authentication using Active Directory?

[url]http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/SecNetHT02.asp[/url]


Paul ~~~ [email]pclement@ameritech.net[/email]
Microsoft MVP (Visual Basic)