This message was discovered on microsoft.public.dotnet.framework.aspnet.security.
| Mark A. Richman |
How do I use Forms to authenticate a Windows user, without having the popup box presented?
Seems like Microsoft should add "Mixed" authentication mode to "Windows" and "Forms" in web.config.
I need the solution to work with both Active Directory and non-AD domains.
Thanks, Mark
| Aaron Margosis [MS] |
In order to do Integrated Windows authentication, the server must challenge the client for credentials. There is no way for the server to say, "Give me credentials, but never present a UI." If the browser has credentials that the server will accept, no UI is presented, but if not, the browser presents a dialog.
HTH
-- Aaron
"Mark A. Richman" wrote in message news:uHnACLaLCHA.2256@tkmsftngp13...
> How do I use Forms to authenticate a Windows user, without having the popup
[Original message clipped]
| Mark A. Richman |
Is there any way to use the HTTP AUTH_USER and AUTH_PASSWORD variables to authenticate against either Active Directory or the PDC? I could then use "Forms" instead of "Windows", and only present the form if necessary.
- Mark
"Aaron Margosis [MS]" wrote in message news:#kDR6VMMCHA.2580@tkmsftngp11...
> In order to do Integrated Windows authentication, the server must challenge
> the client for credentials. There is no way for the server to say, "Give me
[Original message clipped]
| Aaron Margosis [MS] |
If I understand you correctly, those variables aren't going to be set unless the user is already authenticated.
Here's one thing you could do, although it's a bit convoluted. On your login form, offer two login methods. The first is the usual forms mechanism (enter a username and password, click the "Login" button). The second offers a button that says something like "Use my Windows logon". When the user clicks it, they are redirected to a page in a subfolder. Configure the subfolder this way:
* In IIS, disallow anonymous access, and allow only Integrated Windows.
* In the subfolder's web.config, *allow* anonymous access (<allow users="*"/>), and specify <identity impersonate="true"/>.
(Note that "anonymous" in the web.config means that a forms auth cookie is not required to get to the page. Impersonate means that you will impersonate the authenticated user.)
In the Page_Load of the page in the subfolder, include code like this:

    // Needs: using System.Security.Principal; using System.Web.Security;
    private void Page_Load(object sender, System.EventArgs e)
    {
        // If I'm here, I'm authenticated
        WindowsIdentity wi = WindowsIdentity.GetCurrent();
        String sName = wi.Name;
        FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(sName, false, 5000);
        FormsAuthentication.SetAuthCookie(sName, false, "/");
        // then redirect to an appropriate page...
    }

What this does is set the forms auth cookie with the Windows identity of the logged on user. Note that you are still doing forms auth here -- you are not impersonating the user, merely identifying and authenticating the Windows user, without having to collect and validate a username and password.
-- Aaron
"Mark A. Richman" wrote in message news:#QdaqbMMCHA.2748@tkmsftngp13...
[Original message clipped]
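
A defensive variant of the Page_Load above, added here as an example and not part of Aaron Margosis's post: it issues the forms cookie only when IIS actually authenticated the request, so a subfolder accidentally left open to anonymous access does not turn the anonymous account into a forms identity. The class name, the redirect target and the use of the LOGON_USER server variable are assumptions of this example.

```csharp
// Added example, not code from the thread.
// Code-behind for the page in the Integrated-Windows-only subfolder.
using System;
using System.Web.Security;
using System.Web.UI;

public class WindowsLogon : Page   // hypothetical class name
{
    // Runs at the same point in the page lifecycle as Page_Load.
    protected override void OnLoad(EventArgs e)
    {
        base.OnLoad(e);

        // IIS populates LOGON_USER only for a request it authenticated.
        // If anonymous access is still enabled on this folder, it is empty
        // and the impersonated identity would be the anonymous account.
        string logonUser = Request.ServerVariables["LOGON_USER"];

        if (logonUser == null || logonUser.Trim().Length == 0)
        {
            // Fail closed: never mint a forms cookie for an
            // unauthenticated request.
            Response.StatusCode = 403;
            Response.End();
            return;
        }

        // Session-only (non-persistent) forms cookie carrying the Windows
        // account name; the rest of the site stays on forms authentication.
        FormsAuthentication.SetAuthCookie(logonUser, false);

        // Fixed, application-relative target (hypothetical page name),
        // not a URL taken from the query string.
        Response.Redirect(ResolveUrl("~/default.aspx"), true);
    }
}
```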
| Aaron Margosis [MS] |
BTW, note that if the user clicks the "Windows logon" button and does not have credentials that are recognized by or accepted by the web server, the user WILL get the popup dialog (assuming IE is the browser).
-- Aaron
"Aaron Margosis [MS]" wrote in message news:enwCK4PMCHA.2548@tkmsftngp08...
> If I understand you correctly, those variables aren't going to be set unless
[Original message clipped]
| LC |
Aaron, If I followed this correctly...the application's web.config file would have <authentication mode="Forms" /> but the subfolder would need to have <authentication mode="Windows" />. From what I've found the authentication mode cannot be set in a subfolder, or you get the message: 'Authentication' section cannot be defined for directories below the application root.
So would the subfolder need to actually be a separate application, as defined by IIS...and thus .NET?
"Aaron Margosis [MS]" wrote in message news:enwCK4PMCHA.2548@tkmsftngp08...
> If I understand you correctly, those variables aren't going to be set unless
[Original message clipped]