Authentication - Server Variables (omg!)

Adrian Parker

Have two domains, which are non-trusted, and will never be, I've been told.
Users on one domain need to access a website on the other domain, but don't
want to have to enter any credentials as they've already logged into their
own domain. Their domain login user name is duplicated in a database on the
website domain, so authentication can be handled by the web app as long as
we can pass the user id across.

Oh bugger thinks I, that's a can of worms if ever I heard one.

In IIS6, they've just got Anonymous access checked, else they'd be prompted
for login details. So the only way I can think of doing this is to pick up
one of the request server variables that contains their local user.
Normally for network authentication, we'd use logon_user, but due to the
anonymous access, that won't be there..

So what should I pick up instead?

And yes, I realise that security wise, this is awful, but as far as I can
tell, there's no other choice.. unless anyone knows different ?

Cheers
 
Rob

Adrian,

There isn't a server variable available for what you want.

But... if the users actually have user ids in the second domain then you
could run the application with Windows Integrated Security enabled. So long
as users keep their passwords the same then they won't be prompted for
user/password.

If the users do not have user ids in the second domain then you're likely
out of luck.

You could look into passing an encrypted user id as a query string
variable... but that might be a bit open (no password... just an encrypted
user id... that's an easy secret to steal). You could try passing an
encrypted user id as a hidden form variable in a postback... but that's
still pretty easy to steal.

But... any scheme that involves just a user id to log on will be risky. This
is why Windows Integrated Security is so nice... it's been built to be
secure (behind the scenes IE passes user id and password hash). Trying to do
the same thing on your own... well... good luck :)

Regards,

Rob
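Rob's point is that an encrypted user id in a query string is a static secret: whoever copies the URL can reuse it indefinitely. The following added example (not from this thread or any of its posters) shows the difference on the server side between that and a token that is MAC-bound to an issue time and a one-time nonce, so a copied URL is rejected as stale or replayed. The secret, token layout and user name are constructed for the demo.

```python
import base64, hashlib, hmac, os, time

# Constructed shared secret; it lives only on the server and in the trusted
# client app, never in the page, the URL or the browser.
SECRET = b"constructed-demo-secret-not-for-real-use"
TOKEN_TTL = 60            # seconds a token stays acceptable
_seen_nonces = set()      # server-side replay cache (single-process demo)

def build_token(user, secret=SECRET, now=None):
    """Client side: user id, issue time and a random nonce, bound by an HMAC."""
    ts = int(now if now is not None else time.time())
    nonce = os.urandom(8).hex()
    body = f"{user}|{ts}|{nonce}".encode()
    mac = hmac.new(secret, body, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(body + b"|" + mac.encode()).decode()

def verify_token(token, secret=SECRET, now=None):
    """Server side: returns the user id, or None if the token is forged,
    stale or a replay of a URL already seen."""
    try:
        user, ts, nonce, mac = base64.urlsafe_b64decode(token).decode().split("|")
    except (ValueError, UnicodeDecodeError):
        return None
    body = f"{user}|{ts}|{nonce}".encode()
    expected = hmac.new(secret, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):   # tampered user id or wrong secret
        return None
    current = now if now is not None else time.time()
    if abs(current - int(ts)) > TOKEN_TTL:        # copied URL used too late
        return None
    if nonce in _seen_nonces:                     # same URL presented twice
        return None
    _seen_nonces.add(nonce)
    return user

def demo():
    """A fresh token logs the user on once; the same URL replayed is refused."""
    token = build_token("DOMAIN\\adrian")        # constructed domain user
    first = verify_token(token)
    second = verify_token(token)                  # replay of the captured URL
    return first, second
```

Even with the expiry and nonce, the server is still trusting a bare user id plus possession of the client-side secret, which is exactly the residual risk Rob describes; the token only shrinks the window in which a stolen URL is useful.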
 
Steven Cheng[MSFT]

Hi Adrian,

I think Rob's analysis here is reasonable. As for IE, it will always send
an anonymous request to the remote web site first; then, depending on whether
the web server enables anonymous access or not, the following occurs:

** If anonymous access is allowed, the first request passes and is processed
successfully; there is no authentication info in the request/response.

** If anonymous access is not allowed, the first request is rejected with a
401 error, and IE will try sending a credential to the server; here, depending
on whether the credential is authenticatable on the server, the following
behaviour results:

<< If the credential can be authenticated (duplicated local account on
both client and server, or a domain user account in a shared domain or trusted
domain), the second request gets processed.

<< If the credential is not authenticatable, the request fails.

As for those Server Variables (related to authentication info), they will
contain the client user's value only if the request has passed
authentication. Therefore, in your case, since the client machine cannot
provide a valid account that is authenticatable on the server, we really have
no luck here.

BTW, is the reason you don't want users to input username/password
credentials here specific to security considerations? If so, do you think it
is possible to use an https/ssl secure channel for authentication here?
This is the most common approach for passing clear-text credentials over the
internet. And on the server side, the application can authenticate the
credentials against AD through the ActiveDirectory membership provider... If
you think this is doable for your scenario, we can provide some detailed
reference on this.

Please feel free to let me know if you have any other ideas or concerns
here.

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead

==================================================

Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notifications.

Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 1 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by contacting
Microsoft Customer Support Services (CSS) at
http://msdn.microsoft.com/subscriptions/support/default.aspx.

==================================================

This posting is provided "AS IS" with no warranties, and confers no rights.

Adrian Parker

Thanks for the responses guys.

I think we've got two choices.. tell them no, or create a windows app
that will encrypt the current user and send it as a querystring to the
remote url.. ho hum..

Cheers
-Adrian

Steven Cheng[MSFT]

Thanks for the reply Adrian,

Yes, if you're using a rich client such as a winform application, you can
encrypt the request url and querystring parameters, while in a browser-based
scenario this is quite limited without using https/ssl on the server.

Anyway, if there is anything else we can help, please feel free to post
here.

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead


This posting is provided "AS IS" with no warranties, and confers no rights.