Problems with 'Request.ServerVariables("LOGON_USER")

  1. #1

    Default Re: Problems with 'Request.ServerVariables("LOGON_USER")

    Michael Bender wrote:
    > Hi everyone,
    >
    > we developed an Intranet-application in ASP. As this application runs
    > only in one company, user from all over europe accesses over the
    > intranet. To avoid multiple-logons for the user we collect the
    > logon-information over the NT-account by using
    > 'Request.ServerVariables("LOGON_USER")', compare this data to a
    > user-table in a database and grant access (or not). Usually this
    > works fine. In the last days we encountered the problem that certain
    > users are logged on under another user. If we tell the user to logon
    > again, everything is correct.
    >
    > Does anybody else had problems like this and can possibly help us?
    >
    > Thx for your support

    How did you find out that the users were logged in using a different ID?

    Was this done with the knowledge of the users whose login id was being
    used? If not, set all passwords to expire periodically and force the users
    to set a new password. If they are freely passing passwords around to each
    other, then there is not much you can do. Using Basic Authentication is
    frowned on because:

    1. The whole idea behind using Windows Authentication is to avoid forcing
    people to log in again to run your application
    2. If they're passing around their network login passwords, what's to keep
    them from passing around their website passwords.

    If they have a legitimate need to login as another user, then perhaps you
    can trust them to answer honestly when prompted for their real name ...

    Bob Barrows


    Bob Barrows Guest

  3. #2

    Default Re: Problems with 'Request.ServerVariables("LOGON_USER")

    Hi Bob,

    thx for your answer. Maybe I wasn't able to make myself clear. Sorry for
    that, but I'm not a native speaker (writer).

    What happens is, that somebody, let's say from Sweden with the logon
    "lsvenska" on the domain "europe" gets into the application as "mdanish"
    from Denmark on the same domain, as this is the same all over Europe in
    this company. It is very unlikely that these users logon to their local
    computer as somebody else. Furthermore, if they logon again, they are
    logged on according to their "real" NT-Account. We only get knowledge of
    this happening, if the users call us.

    Michael Bender Guest

  4. #3

    Default Re: Problems with 'Request.ServerVariables("LOGON_USER")

    I'm still not sure what the problem is: does the user have two different
    login id's? If so, why not add both logins to your security system?

    Bob

    Michael Bender wrote:
    > Hi Bob,
    >
    > thx for your answer. Maybe I wasn't able to make myself clear. Sorry
    > for that, but I'm not a native speaker (writer).
    >
    > What happens is, that somebody, let's say from sweden with the logon
    > "lsvenska" on the domain "europe" gets into the application as
    > "mdanish" from danmark on the same domain, as this is the same all
    > over europe in this company. It is very unlikely that these users
    > logon to their local computer as somebody else. Furthermore, if they
    > logon again, they are logged on according to their "real" NT-Account.
    > We only get knowledge of this happening, if the users call us.
    >
    > "Bob Barrows" <reb_01501@yahoo.com> schrieb im Newsbeitrag
    > news:%231sb%23D2VDHA.1680@tk2msftngp13.phx.gbl...
    >> Michael Bender wrote:
    >>> Hi everyone,
    >>>
    >>> we developed an Intranet-application in ASP. As this application
    >>> runs only in one company, user from all over europe accesses over
    >>> the intranet. To avoid multiple-logons for the user we collect the
    >>> logon-information over the NT-account by using
    >>> 'Request.ServerVariables("LOGON_USER")', compare this data to a
    >>> user-table in a database and grant access (or not). Usually this
    >>> works fine. In the last days we encountered the problem that certain
    >>> users are logged on under another user. If we tell the user to logon
    >>> again, everything is correct.
    >>>
    >>> Does anybody else had problems like this and can possibly help us?
    >>>
    >>> Thx for your support
    >>
    >> How did you find out that the users were logged in using a different
    >> ID?
    >>
    >> Was this done with the knowledge of the users' whose login id was
    >> being used? If not, set all passwords to expire periodically and
    >> force the users to set a new password. If they are freely passing
    >> passwords around to each other, then there is not much you can do.
    >> Using Basic Authentication is frowned on because:
    >>
    >> 1. The whole idea behind using Windows Authentication is to avoid
    >> forcing people to log in again to run your application
    >> 2. If they're passing around their network login passwords, what's
    >> to keep them from passing around their website passwords.
    >>
    >> If they have a legitimate need to login as another user, then
    >> perhaps you can trust them to answer honestly when prompted for
    >> their real name ...
    >>
    >> Bob Barrows


    Bob Barrows Guest

  5. #4

    Default Re: Problems with 'Request.ServerVariables("LOGON_USER")

    No, the user does not have two different login id's. Suspiciously the user
    that logged on as another user logged on only minutes after the "original"
    user.


    "Bob Barrows" <reb_01501@yahoo.com> schrieb im Newsbeitrag
    news:uLoklk2VDHA.1204@TK2MSFTNGP12.phx.gbl...
    > I'm still not sure what the problem is: does the user have two different
    > login id's? If so, why not add both logins to your security system?
    >
    > Bob
    >
    > Michael Bender wrote:
    > > Hi Bob,
    > >
    > > thx for your answer. Maybe I wasn't able to make myself clear. Sorry
    > > for that, but I'm not a native speaker (writer).
    > >
    > > What happens is, that somebody, let's say from sweden with the logon
    > > "lsvenska" on the domain "europe" gets into the application as
    > > "mdanish" from danmark on the same domain, as this is the same all
    > > over europe in this company. It is very unlikely that these users
    > > logon to their local computer as somebody else. Furthermore, if they
    > > logon again, they are logged on according to their "real" NT-Account.
    > > We only get knowledge of this happening, if the users call us.
    > >
    > > "Bob Barrows" <reb_01501@yahoo.com> schrieb im Newsbeitrag
    > > news:%231sb%23D2VDHA.1680@tk2msftngp13.phx.gbl...
    > >> Michael Bender wrote:
    > >>> Hi everyone,
    > >>>
    > >>> we developed an Intranet-application in ASP. As this application
    > >>> runs only in one company, user from all over europe accesses over
    > >>> the intranet. To avoid multiple-logons for the user we collect the
    > >>> logon-information over the NT-account by using
    > >>> 'Request.ServerVariables("LOGON_USER")', compare this data to a
    > >>> user-table in a database and grant access (or not). Usually this
    > >>> works fine. In the last days we encountered the problem that certain
    > >>> users are logged on under another user. If we tell the user to logon
    > >>> again, everything is correct.
    > >>>
    > >>> Does anybody else had problems like this and can possibly help us?
    > >>>
    > >>> Thx for your support
    > >>
    > >> How did you find out that the users were logged in using a different
    > >> ID?
    > >>
    > >> Was this done with the knowledge of the users' whose login id was
    > >> being used? If not, set all passwords to expire periodically and
    > >> force the users to set a new password. If they are freely passing
    > >> passwords around to each other, then there is not much you can do.
    > >> Using Basic Authentication is frowned on because:
    > >>
    > >> 1. The whole idea behind using Windows Authentication is to avoid
    > >> forcing people to log in again to run your application
    > >> 2. If they're passing around their network login passwords, what's
    > >> to keep them from passing around their website passwords.
    > >>
    > >> If they have a legitimate need to login as another user, then
    > >> perhaps you can trust them to answer honestly when prompted for
    > >> their real name ...
    > >>
    > >> Bob Barrows
    >
    >
    >


    Michael Bender Guest

  6. #5

    Default Re: Problems with 'Request.ServerVariables("LOGON_USER")

    Now I'm even more confused: how could UserA log in as UserB without knowing
    UserB's password?

    Bottom line, If I understand the situation correctly, I doubt that your
    application is not going to be able to detect this. What is the problem
    created when UserA logs in as UserB? Is the user denied access to your
    application? Isn't that what you intend?

    Bob Barrows
    Michael Bender wrote:
    > No, the user does not have to different login id's. Suspiciously the
    > user that logged on as another user logged on only minutes after the
    > "original" user.
    >
    >
    > "Bob Barrows" <reb_01501@yahoo.com> schrieb im Newsbeitrag
    > news:uLoklk2VDHA.1204@TK2MSFTNGP12.phx.gbl...
    >> I'm still not sure what the problem is: does the user have two
    >> different login id's? If so, why not add both logins to your
    >> security system?
    >>
    >> Bob
    >>
    >> Michael Bender wrote:
    >>> Hi Bob,
    >>>
    >>> thx for your answer. Maybe I wasn't able to make myself clear. Sorry
    >>> for that, but I'm not a native speaker (writer).
    >>>
    >>> What happens is, that somebody, let's say from sweden with the logon
    >>> "lsvenska" on the domain "europe" gets into the application as
    >>> "mdanish" from danmark on the same domain, as this is the same all
    >>> over europe in this company. It is very unlikely that these users
    >>> logon to their local computer as somebody else. Furthermore, if they
    >>> logon again, they are logged on according to their "real"
    >>> NT-Account. We only get knowledge of this happening, if the users
    >>> call us.
    >>>
    >>> "Bob Barrows" <reb_01501@yahoo.com> schrieb im Newsbeitrag
    >>> news:%231sb%23D2VDHA.1680@tk2msftngp13.phx.gbl...
    >>>> Michael Bender wrote:
    >>>>> Hi everyone,
    >>>>>
    >>>>> we developed an Intranet-application in ASP. As this application
    >>>>> runs only in one company, user from all over europe accesses over
    >>>>> the intranet. To avoid multiple-logons for the user we collect the
    >>>>> logon-information over the NT-account by using
    >>>>> 'Request.ServerVariables("LOGON_USER")', compare this data to a
    >>>>> user-table in a database and grant access (or not). Usually this
    >>>>> works fine. In the last days we encountered the problem that
    >>>>> certain users are logged on under another user. If we tell the
    >>>>> user to logon again, everything is correct.
    >>>>>
    >>>>> Does anybody else had problems like this and can possibly help us?
    >>>>>
    >>>>> Thx for your support
    >>>>
    >>>> How did you find out that the users were logged in using a
    >>>> different ID?
    >>>>
    >>>> Was this done with the knowledge of the users' whose login id was
    >>>> being used? If not, set all passwords to expire periodically and
    >>>> force the users to set a new password. If they are freely passing
    >>>> passwords around to each other, then there is not much you can do.
    >>>> Using Basic Authentication is frowned on because:
    >>>>
    >>>> 1. The whole idea behind using Windows Authentication is to avoid
    >>>> forcing people to log in again to run your application
    >>>> 2. If they're passing around their network login passwords, what's
    >>>> to keep them from passing around their website passwords.
    >>>>
    >>>> If they have a legitimate need to login as another user, then
    >>>> perhaps you can trust them to answer honestly when prompted for
    >>>> their real name ...
    >>>>
    >>>> Bob Barrows


    Bob Barrows Guest

  7. #6

    Default Re: Problems with 'Request.ServerVariables("LOGON_USER")

    First of all, Bob, I'm really grateful, that you are trying to help me.

    I try explaining from the start. The application we are talking about is
    used by users all over Europe from a certain company. In this company any
    user-name is unique. Any user that wants to login to our application has to
    be a domain-user of this company. We collect the user-data with the
    'Request.ServerVariables' - method. We don't care about the password, as the
    user-name is unique. In the database that is behind the application, there
    is a user-table, where we compare the "domain-user-data" with the data we
    have in this table. So if the 'Request.ServerVariables("LOGON_USER")' is
    equal to a data-entry in the user-table, permission to enter the application
    is granted. So far so good. That works fine most of the time. The problem we
    have is, that someone, who has permission, enters the application under
    another user, who also has permission. Of course this is very unwanted, as
    every user has all kinds of do's and don'ts, a Swedish user should see other
    data than a Danish, and so on.

    So the mystery is, how can this happen? Maybe caching is involved, we just
    don't know.

    Hope I made myself clearer.

    Regards
    Michael

    "Bob Barrows" <reb_01501@yahoo.com> schrieb im Newsbeitrag
    news:%23HUZ$oCWDHA.1580@tk2msftngp13.phx.gbl...
    > Now I'm even more confused: how could UserA log in as UserB without
    > knowing UserB's password?
    >
    > Bottom line, If I understand the situation correctly, I doubt that your
    > application is not going to be able to detect this. What is the problem
    > created when UserA logs in as UserB? Is the user denied access to your
    > application? Isn't that what you intend?
    >
    > Bob Barrows
    > Michael Bender wrote:
    > > No, the user does not have to different login id's. Suspiciously the
    > > user that logged on as another user logged on only minutes after the
    > > "original" user.
    > >
    > >
    > > "Bob Barrows" <reb_01501@yahoo.com> schrieb im Newsbeitrag
    > > news:uLoklk2VDHA.1204@TK2MSFTNGP12.phx.gbl...
    > >> I'm still not sure what the problem is: does the user have two
    > >> different login id's? If so, why not add both logins to your
    > >> security system?
    > >>
    > >> Bob
    > >>
    > >> Michael Bender wrote:
    > >>> Hi Bob,
    > >>>
    > >>> thx for your answer. Maybe I wasn't able to make myself clear. Sorry
    > >>> for that, but I'm not a native speaker (writer).
    > >>>
    > >>> What happens is, that somebody, let's say from sweden with the logon
    > >>> "lsvenska" on the domain "europe" gets into the application as
    > >>> "mdanish" from danmark on the same domain, as this is the same all
    > >>> over europe in this company. It is very unlikely that these users
    > >>> logon to their local computer as somebody else. Furthermore, if they
    > >>> logon again, they are logged on according to their "real"
    > >>> NT-Account. We only get knowledge of this happening, if the users
    > >>> call us.
    > >>>
    > >>> "Bob Barrows" <reb_01501@yahoo.com> schrieb im Newsbeitrag
    > >>> news:%231sb%23D2VDHA.1680@tk2msftngp13.phx.gbl...
    > >>>> Michael Bender wrote:
    > >>>>> Hi everyone,
    > >>>>>
    > >>>>> we developed an Intranet-application in ASP. As this application
    > >>>>> runs only in one company, user from all over europe accesses over
    > >>>>> the intranet. To avoid multiple-logons for the user we collect the
    > >>>>> logon-information over the NT-account by using
    > >>>>> 'Request.ServerVariables("LOGON_USER")', compare this data to a
    > >>>>> user-table in a database and grant access (or not). Usually this
    > >>>>> works fine. In the last days we encountered the problem that
    > >>>>> certain users are logged on under another user. If we tell the
    > >>>>> user to logon again, everything is correct.
    > >>>>>
    > >>>>> Does anybody else had problems like this and can possibly help us?
    > >>>>>
    > >>>>> Thx for your support
    > >>>>
    > >>>> How did you find out that the users were logged in using a
    > >>>> different ID?
    > >>>>
    > >>>> Was this done with the knowledge of the users' whose login id was
    > >>>> being used? If not, set all passwords to expire periodically and
    > >>>> force the users to set a new password. If they are freely passing
    > >>>> passwords around to each other, then there is not much you can do.
    > >>>> Using Basic Authentication is frowned on because:
    > >>>>
    > >>>> 1. The whole idea behind using Windows Authentication is to avoid
    > >>>> forcing people to log in again to run your application
    > >>>> 2. If they're passing around their network login passwords, what's
    > >>>> to keep them from passing around their website passwords.
    > >>>>
    > >>>> If they have a legitimate need to login as another user, then
    > >>>> perhaps you can trust them to answer honestly when prompted for
    > >>>> their real name ...
    > >>>>
    > >>>> Bob Barrows
    >
    >
    >

    Michael Bender Guest
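
An added example, not part of the original thread and not the posters' code: a classic ASP page header that performs the check described in post #6 (read `LOGON_USER`, look it up in the user table) on every request rather than once per session, and logs any request whose `LOGON_USER` differs from the one the session started with. The table `AppUsers`, its column `LogonName`, the `Application("ConnStr")` entry and the log path are assumptions.

```vbscript
<%
Option Explicit

' Hypothetical names: AppUsers / LogonName / Application("ConnStr") / LOG_PATH.
Const LOG_PATH     = "D:\logs\identity-check.log"
Const adCmdText    = 1
Const adVarChar    = 200
Const adParamInput = 1
Const ForAppending = 8

' A page whose content depends on the caller must not be served from a cache.
Response.Expires = -1
Response.CacheControl = "no-cache"
Response.AddHeader "Pragma", "no-cache"

' Identity of THIS request as IIS authenticated it. Empty when anonymous
' access is enabled and the request was not authenticated.
Function CurrentLogon()
    CurrentLogon = LCase(Trim(Request.ServerVariables("LOGON_USER")))
End Function

' Parameterized lookup in the user table. Assumes LogonName is stored in
' lower case or the column collation is case-insensitive.
Function IsAuthorized(logon)
    Dim conn, cmd, rs
    IsAuthorized = False
    If Len(logon) = 0 Then Exit Function
    Set conn = Server.CreateObject("ADODB.Connection")
    conn.Open Application("ConnStr")
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText
    cmd.CommandText = "SELECT COUNT(*) FROM AppUsers WHERE LogonName = ?"
    cmd.Parameters.Append cmd.CreateParameter("logon", adVarChar, adParamInput, 128, logon)
    Set rs = cmd.Execute
    IsAuthorized = (rs(0).Value > 0)
    rs.Close
    conn.Close
End Function

' One tab-separated line per event, with enough context to compare against
' the IIS log and the users' own account of when they opened the application.
Sub LogIdentityEvent(kind, seenNow, seenAtStart)
    Dim fso, f
    Set fso = Server.CreateObject("Scripting.FileSystemObject")
    Set f = fso.OpenTextFile(LOG_PATH, ForAppending, True)
    f.WriteLine Now() & vbTab & kind & vbTab & seenNow & vbTab & seenAtStart & vbTab & _
        Request.ServerVariables("AUTH_TYPE") & vbTab & _
        Request.ServerVariables("REMOTE_ADDR") & vbTab & _
        Request.ServerVariables("HTTP_VIA") & vbTab & Session.SessionID
    f.Close
End Sub

Dim logon
logon = CurrentLogon()

' Remember who the session started as, but never authorize from that copy.
If IsEmpty(Session("LogonAtStart")) Then
    Session("LogonAtStart") = logon
ElseIf Session("LogonAtStart") <> logon Then
    ' The authenticated identity changed inside one session: record it,
    ' drop all per-user session state and start over with a clean session.
    LogIdentityEvent "IDENTITY_CHANGED", logon, Session("LogonAtStart")
    Session.Abandon
    Response.Redirect Request.ServerVariables("URL")
End If

' Authorize against the identity of the current request only.
If Not IsAuthorized(logon) Then
    LogIdentityEvent "NOT_IN_USER_TABLE", logon, ""
    Response.Status = "403 Forbidden"
    Response.End
End If
%>
```

Each logged line puts both account names next to `AUTH_TYPE`, the client address, any `Via` header and the session ID, so a report that only arrives by phone can be matched to a concrete request.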

  8. #7

    Default Re: Problems with 'Request.ServerVariables("LOGON_USER")

    Michael Bender wrote:
    > First of all, Bob, I'm really grateful, that you are trying to help
    > me.
    >
    >. The problem we have
    > is, that someone, who has permission, enters the application under
    > another user, who also has permission.

    Is this deliberate? Is UserA deliberately logging into the network as UserB?
    This would require UserA to know UserB's password

    Or are you saying that UserA logs in as himself, but UserB's id is contained
    in the LOGON_USER variable? I have NEVER seen this happen. Could UserA have
    simply started using a machine on which UserB was logged into, without
    logging UserB off and logging in himself? Perhaps pcAnywhere or Terminal
    Services is involved ...

    Bob Barrows



    Bob Barrows Guest

  9. #8

    Default Re: Problems with 'Request.ServerVariables("LOGON_USER")

    UserB logs in as himself, but in the ASP-Application he is logged in as
    UserA. I find it very hard to believe, that the LOGON_Variable contains the
    user-information of another user. But I wouldn't eliminate this option
    completely, as the 'problem' has to be somewhere in the login-process. All
    we have is the result, I described above. As I mentioned earlier, if we tell
    the user to close the browser and log in again, he or she then logs in
    according to his or her domain-account.

    "Bob Barrows" <reb_01501@yahoo.com> schrieb im Newsbeitrag
    news:%23V3lCJDWDHA.1832@TK2MSFTNGP09.phx.gbl...
    > Michael Bender wrote:
    > > First of all, Bob, I'm really grateful, that you are trying to help
    > > me.
    > >
    > >. The problem we have
    > > is, that someone, who has permission, enters the application under
    > > another user, who also has permission.
    >
    > Is this deliberate? Is UserA deliberately logging into the network as
    > UserB? This would require UserA to know UserB's password
    >
    > Or are you saying that UserA logs in as himself, but UserB's id is
    > contained in the LOGON_USER variable? I have NEVER seen this happen. Could
    > UserA have simply started using a machine on which UserB was logged into,
    > without logging UserB off and logging in himself? Perhaps pcAnywhere or
    > Terminal Services is involved ...
    >
    > Bob Barrows
    >
    >
    >

    Michael Bender Guest

  10. #9

    Default Re: Problems with 'Request.ServerVariables("LOGON_USER")

    I'm grasping at straws here: is this being done on a Windows XP machine,
    where multiple users can be logged on simultaneously? Perhaps the browser is
    getting confused due to the multiple users ... Check the MS Knowledge Base,
    perhaps you can find a bug report.

    Can you reproduce this consistently? If so, you should raise a case with MS
    Product Support. If they determine that it's a bug (and it certainly sounds
    like one), they won't charge you for the call.

    Bob Barrows

    Michael Bender wrote:
    > UserB logs in as himself, but in the ASP-Application he is logged in
    > as UserA. I find it very hard to believe, that the LOGON_Variable
    > contains the user-information of another user. But I wouldn't
    > eliminate this option completely, as the 'problem' has to be
    > somewhere in the login-process. All we have is the result, I
    > described above. As I mentioned earlier, if we tell the user to close
    > the browser and log in again, he or she then logs in according to his
    > or her domain-account.
    >
    > "Bob Barrows" <reb_01501@yahoo.com> schrieb im Newsbeitrag
    > news:%23V3lCJDWDHA.1832@TK2MSFTNGP09.phx.gbl...
    >> Michael Bender wrote:
    >>> First of all, Bob, I'm really grateful, that you are trying to help
    >>> me.
    >>>
    >>> . The problem we have
    >>> is, that someone, who has permission, enters the application under
    >>> another user, who also has permission.
    >>
    >> Is this deliberate? Is UserA deliberately logging into the network
    >> as UserB? This would require UserA to know UserB's password
    >>
    >> Or are you saying that UserA logs in as himself, but UserB's id is
    >> contained in the LOGON_USER variable? I have NEVER seen this happen.
    >> Could UserA have simply started using a machine on which UserB was
    >> logged into, without logging UserB off and logging in himself?
    >> Perhaps pcAnywhere or Terminal Services is involved ...
    >>
    >> Bob Barrows


    Bob Barrows Guest

  11. #10

    Default Re: Problems with 'Request.ServerVariables("LOGON_USER")

    Thanks for your support Bob, I'll try my luck with MS.

    Have a good weekend, as I am going to start mine right now.


    "Bob Barrows" <reb_01501@yahoo.com> schrieb im Newsbeitrag
    news:e9TQ2nDWDHA.1368@TK2MSFTNGP11.phx.gbl...
    > I'm grasping at straws here: is this being done on a Windows XP machine,
    > where multiple users can be logged on simultaneously? Perhaps the browser
    > is getting confused due to the multiple users ... Check the MS Knowledge
    > Base, perhaps you can find a bug report.
    >
    > Can you reproduce this consistently? If so, you should raise a case with
    > MS Product Support. If they determine that it's a bug (and it certainly
    > sounds like one), they won't charge you for the call.
    >
    > Bob Barrows
    >
    > Michael Bender wrote:
    > > UserB logs in as himself, but in the ASP-Application he is logged in
    > > as UserA. I find it very hard to believe, that the LOGON_Variable
    > > contains the user-information of another user. But I wouldn't
    > > eliminate this option completely, as the 'problem' has to be
    > > somewhere in the login-process. All we have is the result, I
    > > described above. As I mentioned earlier, if we tell the user to close
    > > the browser and log in again, he or she then logs in according to his
    > > or her domain-account.
    > >
    > > "Bob Barrows" <reb_01501@yahoo.com> schrieb im Newsbeitrag
    > > news:%23V3lCJDWDHA.1832@TK2MSFTNGP09.phx.gbl...
    > >> Michael Bender wrote:
    > >>> First of all, Bob, I'm really grateful, that you are trying to help
    > >>> me.
    > >>>
    > >>> . The problem we have
    > >>> is, that someone, who has permission, enters the application under
    > >>> another user, who also has permission.
    > >>
    > >> Is this deliberate? Is UserA deliberately logging into the network
    > >> as UserB? This would require UserA to know UserB's password
    > >>
    > >> Or are you saying that UserA logs in as himself, but UserB's id is
    > >> contained in the LOGON_USER variable? I have NEVER seen this happen.
    > >> Could UserA have simply started using a machine on which UserB was
    > >> logged into, without logging UserB off and logging in himself?
    > >> Perhaps pcAnywhere or Terminal Services is involved ...
    > >>
    > >> Bob Barrows
    >
    >
    >

    Michael Bender Guest
