Authentication

[Ming Zhang]

Hi guys,
I have couple of ASP.NET applications that only support digest windows
authentication, and credentials are managed in a central AD. When users
login to one app, they can easily navigate to other apps without reenter
UID/PWD. Everything works except it doesn't meet our security policy for new
created users. When creating a new user, it's required to have "user must
change password when first time login". In this case, the user will just get
an 401.1 access deny error without any other clue.

One solution is to write a wrapper web app that can detect this setting and
allows user to change their password through internet. This can be done by
using Form Authentication to authenticate against AD. Now the question is
after a user successfully authenticated in this wrapper app, if the user
navigate to other apps (which require windows authentication), the
authentication dialog will popup again. This is really what we hate to see.
I am stuck here. So my question is if there is a way to let IE knows that
the current connection is already authenticated, so IE doesn't need to popup
the dialog again.

Your help is greatly appreciated!

Ming

 

[John Rivers]

Hi there,

isn't it case that after they set their new password using your wrapper
application that they only have to login once using the windows
authentication
with their new password and after that everything will be automatic
again?

or is it prompting them one time for each app?

in which case I would look at getting all the apps to use the
same authentication realm, so IE only keeps one setting for all of
them.

look at the web.config file for <authentication realm="try and make
this the same across all your apps"/>

(this corresponds to the realm parameter in the www-authenticate http
header)
(this is what ie uses to make the key for storing auth credentials)

i am just brainstorming to try and help
so sorry if i am on the wrong track

John

ps cool name you have

 

[WJ]

Hi guys,
... When creating a new user, it's required to have "user must change
password when first time login". In this case, the user will just get an
401.1 access deny error without any other clue.

You may want to disable "User must change PW" policy on your domain/local
policy assume that you are using Windows 2k or 2k3.

.... if the user navigate to other apps (which require windows
authentication), the authentication dialog will popup again.
.... I am stuck here. So my question is if there is a way to let IE knows
that the current connection is already authenticated, so IE doesn't need to
popup the dialog again.

Are your users member of your domain ? If so, are they successfully
authenticated by your domain when they start-up their PC ? As this is the
only possible way to let local IE browser knows so that it does not ask for
the same login again. On top of that, you must disable "Anonymous" and
enable Windows Integrated for your website on the IIS box.

John

 

[Ming Zhang]

Hi John,
Thanks for your response.
The wrapper app has to use form authentication (can NOT use windows
authentication) because there is no way to handle cases like "must change
password the first time login" if use windows authentication. Under windows
authentication, iis just return HTTP 401.1 if "must change password the
first time login" is set to true even the user provides correct password,
hence there is no way to distinguish whether it's wrong password, or need to
change password.

My existing apps require to use windows authentication (this is just the
requirement of those apps, I can't change it). So the problem is how to pass
the credential that authenticated against AD (by form authentication) to
other apps that only support windows authentication.

I know this might be a wired problem, but this is the case I am facing.

Thanks
Ming

 

[Ming Zhang]

Thanks for reply.
First, I can't disable "user must change PW". This is the security policy of
our company.
Users are internet users, so they aren't login to the domain. We can't use
the default credential that the user used to login to their PC. We use AD to
manage their Credential simply because we need a central place to store all
credentials so that all apps can be authenticated against the AD.

Thanks
Ming

 

[WJ]

Thanks for reply.
First, I can't disable "user must change PW". This is the security policy
of our company.
Users are internet users, so they aren't login to the domain. We can't use
the default credential that the user used to login to their PC. We use AD
to manage their Credential simply because we need a central place to store
all credentials so that all apps can be authenticated against the AD.

Wow, that can fill up your AD database pretty quick. Then one way to do it
is to use custom cookie and or session state and donot let Asp.Net to manage
your login. Involves lots of coding!

John

 

[John Rivers]

here is an idea, although it may not work and its a horrible bodge:

after they have authenticated do a redirect to a url like this:

http://username:password@hostname/script.asp

the browser will take the username and password and use it to fill
in the auth box, hopefully it should never appear in the history!

i have to leave testing it to you, i can't right now
but i have used this in the past, maybe it still works now?