ASP.Net Forms authentication & Windows Auth combined

Vince

I have a situation where I would like to use forms authentication and
windows authentication combined. Basically, I would like to use a form to
get the user's ID and password, and then validate those against the domain
just like IIS does when using Windows authentication. Also at login time I
would initialize their session variables.

I've seen the FormsAuthentication class, but it says that when you call
Authenticate it validates the credentials against the configured credential
store. How do I configure it so that it validates against the Windows
domain? Or is this the wrong class to use to meet my requirement?

Thanks in advance,
Vince
 
Joe Kaplan (MVP - ADSI)

You would need to implement your own code to log the user in. That's
generally what they mean by "configured credential store". Since forms
authentication is pretty arbitrary, they leave you to write the code.

The easiest thing to do would be for you to call the LogonUser API to
authenticate the user and get a login token for them. You could also use
LDAP to authenticate them with the DirectoryEntry class or use SSPI to
authenticate them.

I think if you do some searches, you'll find implementations for all of
these approaches.

Joe K.
 
John M Deal

Accidentally posted this to another message. Anyway, I came across an
article a bit back on ASP Alliance that talks about doing something
similar. It may be able to point you in the right direction. Hope it helps.

http://aspalliance.com/553

Have A Better One!

John M Deal, MCP
Necessity Software
 
Vince

I read through the LogonUser information I found on the web, and I'm
concerned about the following statement: The user account must have Log On
Locally permission on the local computer.
Now I know that users authenticate using Windows authentication just fine,
but does that mean they have the "log on locally" permission that LogonUser
requires?

Thanks,
Vince
 
Joe Kaplan (MVP - ADSI)

Generally, they will have log on locally enabled. You don't need to grant
them interactive login. It can be set to batch (configure in local security
policy). They also don't have to have any rights to anything sensitive.

I think the bigger issue with LogonUser is if you are going to use it under
Win2K. If so, the account calling the function must have Act as part of the
operating system privilege which is normally only granted to SYSTEM. This
restriction is lifted for XP and 2003.

Joe K.
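
An added example, not part of the thread and not the code Vince ended up with: one way to wire the LogonUser approach described above into a forms login. The names DomainLogin, Validate and SignIn, the session key, and the choice of the network logon type are assumptions made for illustration.

```csharp
using System;
using System.Runtime.InteropServices;
using System.Web;
using System.Web.Security;

public static class DomainLogin   // hypothetical class name
{
    // Logon types from winbase.h. NETWORK (3) checks a plaintext password without caching
    // credentials and needs "Access this computer from the network". INTERACTIVE (2) needs
    // "Log on locally"; BATCH (4) needs "Log on as a batch job" (local security policy).
    const int LOGON32_LOGON_NETWORK = 3;
    const int LOGON32_PROVIDER_DEFAULT = 0;

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string user, string domain, string password,
        int logonType, int logonProvider, out IntPtr token);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr handle);

    // True only when the domain accepts the credentials. On Windows 2000 the call fails
    // unless the worker account holds "Act as part of the operating system" (see the thread).
    public static bool Validate(string user, string domain, string password, out int win32Error)
    {
        IntPtr token;
        bool ok = LogonUser(user, domain, password, LOGON32_LOGON_NETWORK,
                            LOGON32_PROVIDER_DEFAULT, out token);
        win32Error = ok ? 0 : Marshal.GetLastWin32Error(); // read before any other call
        if (ok) CloseHandle(token);                        // token is not needed afterwards
        return ok;
    }

    // Hypothetical helper for the login form's button handler.
    public static bool SignIn(HttpContext ctx, string user, string domain, string password)
    {
        int err;
        if (!Validate(user, domain, password, out err))
        {
            // Record the error code only, never the password; the page shows one generic message.
            ctx.Trace.Warn("login", "LogonUser failed for " + user + ", Win32 error " + err);
            return false;
        }
        ctx.Session["LoginTime"] = DateTime.UtcNow;        // initialise session variables here
        FormsAuthentication.RedirectFromLoginPage(domain + "\\" + user, false);
        return true;
    }
}
```

The login page itself must be served over HTTPS, since the form carries the domain password in the request body.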
 
Vince

Yep, I got it working!

Thanks!
Vince

Joe Kaplan (MVP - ADSI) said:
Generally, they will have log on locally enabled. You don't need to grant
them interactive login. It can be set to batch (configure in local
security policy). They also don't have to have any rights to anything
sensitive.

I think the bigger issue with LogonUser is if you are going to use it
under Win2K. If so, the account calling the function must have Act as
part of the operating system privilege which is normally only granted to
SYSTEM. This restriction is lifted for XP and 2003.

Joe K.
 
Patrick Olurotimi Ige

Vince, I'm interested in how you finally got your Mixed Auth working and what
resources you used.
Please try posting this.
Thanks
Patrick