windows pass through authentication\authorization....


  1. #1

    windows pass through authentication\authorization....

    I have a requirement for a company intranet where they want to use a single
    sign-on with their Windows 2003 domain (AD) so I was thinking of using
    Windows authentication in the ASP.NET application so that I can control
    functionality by the roles the user is a member of.

    The question I want to know is can I force the popup window for username,
    password, domain to appear by 'logging' off the user from the website. I
    read somewhere if I return a "403" in the response header it will show the
    dialog and the user will have to enter the information to proceed. I tried
    the following but I only get the 403 error page. So how do I force the popup
    window to appear?

    Tried this but only get error page:

    Session.Abandon();
    Response.Clear();
    Response.StatusCode = 403;
    Response.End();


    Cheers in Advance

    Ollie Riches


    Ollie Guest

  3. #2

    RE: windows pass through authentication\authorization....

    Hi Ollie,
    To force the Windows popup, go to IIS and under Directory Security turn off
    "Anonymous Access" and click Integrated Windows Auth.
    Do that to allow Windows Auth to validate against AD.
    For more questions, post them.
    Enjoy
    Patrick

    Patrick.O.Ige Guest

  4. #3

    Re: windows pass through authentication\authorization....

    did you actually read the question?

    Ollie Guest

  5. #4

    Re: windows pass through authentication\authorization....

    I haven't actually tried this, but I thought I'd throw an idea at you.

    What if you try sending a 401 instead and add the proper WWW-Authenticate
    header to the response? The header value would depend on what kind of
    authentication you are using, but that might work.

    If it does, let me know as I'm curious.

    Thanks,

    Joe K.

    Joe Kaplan (MVP - ADSI) Guest

  6. #5

    Re: windows pass through authentication\authorization....

    Joe

    Thanks for the reply, I tried changing it to "401" and it forced the popup
    login window to appear and you can enter new credentials, but it does not
    clear out the credentials from the browser cache so you are still
    authenticated as the previous user if you hit 'Cancel'. I didn't try it with
    the 'proper' WWW-Authenticate header cos I don't know what that should be -
    do you know at all?

    Nice to see you venture out of the AD newsgroups :)

    Cheers

    Ollie Riches

    Ollie Guest

  7. #6

    Re: windows pass through authentication\authorization....

    The best thing to do is sniff the traffic and look at the headers that are
    sent back. You can also use an HTTP proxy debugger like Fiddler for this.

    Generally, if you use Basic auth, it will be something like Basic
    realm=xxxx, and IWA is Negotiate, but I can't remember the exact syntax of
    either, so you should be sure.

    Half of my life is actually building big ASP.NET applications and doing
    security integration work, so as a result, I follow this group too.

    It may not be the case that you can actually clear out the cache on the
    client without running some client code though. The reprompt may be the
    best you can do.

    Let us know if you find more details.

    Joe K.

    Joe Kaplan (MVP - ADSI) Guest
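
One way to turn the 401 re-prompt discussed in posts #4 to #6 into a logout page that does not loop, as an added example that is not code from the thread. The cookie name `logout_user` and the `~/Default.aspx` landing page are assumptions; as the thread notes, this only re-prompts, so pressing Cancel leaves the previous credentials cached in the browser.

```csharp
// Added example (not from the thread): code-behind for a hypothetical Logout.aspx
// on a site using Windows authentication with anonymous access turned off in IIS.
using System;
using System.Web;
using System.Web.UI;

public class Logout : Page
{
    // Hypothetical cookie name: remembers which account asked to log out.
    private const string MarkerCookie = "logout_user";

    protected void Page_Load(object sender, EventArgs e)
    {
        string current = User.Identity.Name;              // e.g. DOMAIN\user
        HttpCookie marker = Request.Cookies[MarkerCookie];

        if (marker == null)
        {
            // First request: record the account being logged out, then challenge.
            Session.Abandon();
            HttpCookie c = new HttpCookie(MarkerCookie, HttpUtility.UrlEncode(current));
            c.Path = Request.ApplicationPath;
            Response.Cookies.Add(c);
            Challenge();
            return;
        }

        string previous = HttpUtility.UrlDecode(marker.Value);
        if (string.Equals(previous, current, StringComparison.OrdinalIgnoreCase))
        {
            // The browser answered the prompt with the same account: ask again.
            Challenge();
            return;
        }

        // A different account authenticated: drop the marker and carry on.
        HttpCookie gone = new HttpCookie(MarkerCookie, "");
        gone.Path = Request.ApplicationPath;
        gone.Expires = DateTime.Now.AddDays(-1);
        Response.Cookies.Add(gone);
        Response.Redirect("~/Default.aspx");              // assumed landing page
    }

    private void Challenge()
    {
        // Response.Clear() discards buffered body content only; the marker
        // cookie added above is still sent with the 401.
        Response.Clear();
        // No WWW-Authenticate header is set here: post #5 reports that a bare
        // 401 was enough for the credentials prompt to appear.
        Response.StatusCode = 401;
        Response.StatusDescription = "Unauthorized";
        // Shown only if the user cancels the prompt. The server cannot clear
        // the browser's cached credentials, so the old identity is still live.
        Response.Write("Logout not completed: the previous credentials are still cached by the browser.");
        Response.End();
    }
}
```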

  8. #7

    Re: windows pass through authentication\authorization....

    Thanks Joe, will have a look later today. I had considered clearing out the
    client cache and I am aware you can do it with an ActiveX control and you
    can also do it with IE6 SP1 (my preferred solution out of the two) and
    JavaScript I believe.

    http://support.microsoft.com/kb/q195192/#kb1

    http://blogs.msdn.com/kclemson/archive/2003/11/17/53911.aspx

    Cheers

    Ollie Riches

    Ollie Guest

  9. #8

    Re: windows pass through authentication\authorization....

    Ah, that's a spiffy new feature. I'm going to hang on to that link.

    Thanks for digging that up.

    Cheers,

    Joe K.

    Joe Kaplan (MVP - ADSI) Guest
