
  1. #1

    LogonUser API Help

    Hello,

    I am trying to authenticate a windows user using
    LogonUser API on our website. I am able to authenticate
    and impersonate the user just fine but I need to validate
    these credentials to our SQL Server connections as well.
    I'm using a DSN on my server with WindowsNT
    authentication using network login ID. Is it possible to
    pass on the credentials to an ODBC datasource using the
    LogonUser API? I have to log into our SQL Server using
    the windows account I used with the LogonUser API. I
    know I could use a standard SQL Server Authentication to
    pass the credentials using a DSN-less string but that is
    not an option for me right now. I'm trying to log into
    our website using windows authentication and I want to
    omit the network username and password dialog box
    altogether and use a form to supply the windows
    credentials. So far the LogonUser API has done the trick
    but it doesn't seem to be authenticating throughout the
    network. Any help would be appreciated.
    Gabriel Guest

  3. #2

    Re: LogonUser API Help

    Hi Gabriel,
    First of all I suppose that IIS and SQL server are in separate machines in
    the same domain.
    If I have understood well, in your scenario probably the best solution is to
    use the basic authentication in IIS (this will prompt the username and
    password dialog box) via HTTPS, set the impersonate=true in web.config file
    and then simply connect to SQL server using "Windows NT integrated
    security". i.e. the connection string could be:
    Provider=SQLOLEDB.1;Integrated Security=SSPI;Persist Security Info=False;Initial Catalog=dbname;Data Source=sqlservername

    But if you want to omit the network username and password dialog box, you
    must enable Anonymous authentication in IIS, set the form authentication in
    the web.config file, impersonate via code (LogonUser API) the domain
    credential inserted in a custom authentication form and then simply connect
    to SQL server using "Windows NT integrated security".

    In these scenarios, the users must be flagged for delegate because of the
    double hop (the IIS server must use the client credential for another
    authentication on SQL server).

    In these articles you will find more details:
    283201 HOWTO: Use Delegation in Windows 2000 with COM+
    http://support.microsoft.com/?id=283201

    287537 Using Basic Authentication to Generate Kerberos Tokens
    http://support.microsoft.com/?id=287537

    HtH,
    Andrea

    --
    This posting is provided "AS IS" with no warranties, and confers no rights.

    Andrea D'Onofrio [MSFT] Guest
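
The second approach in the reply above (domain credentials taken from a custom form, LogonUser, then an integrated-security connection), shown in C# as an added example that is not code from the thread. The class and method names are hypothetical, the connection string passed in is assumed to be the one quoted in the reply, and the choice of logon type is an assumption about what the second hop to SQL Server needs.

```csharp
using System;
using System.Data.OleDb;
using System.Runtime.InteropServices;
using System.Security.Principal;

// Added example: class, method and parameter names are hypothetical.
public static class DelegatedSqlAccess
{
    // Logon types from winbase.h. A LOGON32_LOGON_NETWORK (3) token carries no
    // credentials for a second hop; NETWORK_CLEARTEXT keeps them for outbound use.
    const int LOGON32_LOGON_NETWORK_CLEARTEXT = 8;
    const int LOGON32_PROVIDER_DEFAULT = 0;

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string user, string domain, string password,
        int logonType, int logonProvider, out IntPtr token);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr handle);

    // Runs 'work' against SQL Server as the given domain user, then reverts.
    public static void RunAs(string user, string domain, string password,
                             string connectionString, Action<OleDbConnection> work)
    {
        IntPtr token;
        if (!LogonUser(user, domain, password, LOGON32_LOGON_NETWORK_CLEARTEXT,
                       LOGON32_PROVIDER_DEFAULT, out token))
            throw new System.ComponentModel.Win32Exception(Marshal.GetLastWin32Error());
        try
        {
            // Impersonation applies to the current thread only.
            using (WindowsImpersonationContext ctx = WindowsIdentity.Impersonate(token))
            using (OleDbConnection conn = new OleDbConnection(connectionString))
            {
                conn.Open();   // Integrated Security=SSPI uses the impersonated identity
                work(conn);
            }   // conn closes first, then disposing ctx reverts to the process identity
        }
        finally
        {
            CloseHandle(token);   // always release the logon token
        }
    }
}
```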

  4. #3

    Re: LogonUser API Help

    After using the LogonUser API, I'm able to see that it
    impersonates the user, I display the current principal
    windows identity (VB.NET), and it impersonates as it
    should, but I redirect to another page and it reverts
    back to the Anonymous user. I want to keep that
    impersonated windows login throughout the session. Is
    there something I'm doing wrong or something I'm
    missing? Or is this how impersonation is supposed to work?

    Thanks,
    Gabriel

    Gabriel Guest
