windows pass through authentication\authorization....

[Ollie]

I have a requirement for a company intranet where they want to use a single
sign-on with their windows 2003 domain (AD) so I was thinking of using
windows authentication in the asp.net application so that I can control
functionality by the roles the usr is a member of.

The question I want to know is can I force the popup windows for username,
password, domain to appear by 'logging' off the user from the website. I
read some where if I return a "403" in the reponse header it will show the
dialog and the user will have to enter the information to proceed. I tried
the following but i only get the 403 error page. So how do I force the popup
window to appear?

tried this but only get error page:

Session.Abandon();
Response.Clear();
Response.StatusCode = 403;
Response.End();


Cheers in Advance

Ollie Riches

 

[Guest]

Hi Ollie,
To force Windows POPUP ..Go to IIS under Directory Security turn off
"Anonymous Access and click integrate Windows Auth..
DO that to allow Windows Auth to validate against AD..
For more Questions POST it...
Enjoy
PAtrick

 

[Ollie]

did you actually read the question?

Hi Ollie,
To force Windows POPUP ..Go to IIS under Directory Security turn off
"Anonymous Access and click integrate Windows Auth..
DO that to allow Windows Auth to validate against AD..
For more Questions POST it...
Enjoy
PAtrick

 

[Joe Kaplan \(MVP - ADSI\)]

I haven't actually tried this, but I thought I'd throw an idea at you.

What if you try sending a 401 instead and add the proper WWW-Authenticate
header to the response? The header value would depend on what kind of
authentication you are using, but that might work.

If it does, let me know as I'm curious.

Thanks,

Joe K.

 

[Ollie]

Joe

Thanks for the reply, I tried changing it to "401" and it forced the popup
login window to appear and you can enter new credentials, but it does not
clear out the credentials from the browser cache so you are still
authenticated as the previous user if you hit 'Cancel', I didn't try it with
the 'proper' WWW-Authenticate header cos i don't know what that should be -
do you know at all ?

nice to see you venture out of the AD newsgroups

Cheers

Ollie Riches

 

[Joe Kaplan \(MVP - ADSI\)]

The best thing to do is sniff the traffic and look at the headers that are
sent back. You can also use an http proxy debugger like Fiddler for this.

Generally, if you use Basic auth, it will be something like Basic
realm=xxxx, and IWA is Negotiate, but I can't remember the exact syntax of
either, so you should be sure.

Half of my life is actually building big ASP.NET applications and doing
security integration work, so as a result, I follow this group too.

It may not be the case that you can actually clear out the cache on the
client without running some client code though. The reprompt may be the
best you can do.

Let us know if you find more details.

Joe K.

 

[Patrick Olurotimi Ige]

Sorry i guess i didn't read your Quaestion well!
Well its good Joe dropped here ..He will provide concerete details for
sure..
Let us know how u go about it..
Patrick

 

[Ollie]

thsnks Joe will have a look later today , I had considered clearing out the
client cache and I am aware you can do it with an AcitveX control and you
can also do it with IE6 SP1 (my preferred solution out of the two) and
javascript I believe.

http://support.microsoft.com/kb/q195192/#kb1

http://blogs.msdn.com/kclemson/archive/2003/11/17/53911.aspx

Cheers

Ollie Riches

 

[Joe Kaplan \(MVP - ADSI\)]

Ah, that's a spiffy new feature. I'm going to hang on to that link.

Thanks for digging that up.

Cheers,

Joe K.