
Authentication

Hi,

I would like to do authentication programmatically.
Currently, IIS handles authentication for 'secure' folders on the website.
What I want to do is to provide all my clients with a login webpage with
a username/password form.
When the client types in their username/password for the NT account on the
web server, I want to somehow authenticate them with ASP, like IIS does when
it brings up that dialog box and asks for the username and password.
Once authenticated, I will then access a database that will return the URL
to the client's folder to which they have access with that NT account username/password
and redirect their browser to that URL.

Thanks

Bye
[742 byte] By [Kirk] at [2007-11-9 23:51:02]
# 1 Re: Authentication
this is all very easy to do. All you need to do is offer a form which asks
for user's name and pwd - you can then get this data from the form using
ASP and perform a database lookup to see if that username and password exists.
if you wanted to get really fancy, you could also have a list of valid urls
the user is allowed to access and everything else is disallowed.

make sure you read my article on web-based input before continuing.

YOU HAVE BEEN WARNED :-)

"Kirk" <khaynes@digitalconsulting.net> wrote:
>
>Hi,
>
>I would like to do authentication programmatically.
>Currently, IIS handles authentication for 'secure' folders on the website.
>What I want to do is to provide all my clients with a login webpage with
>a username/password form.
>When the client types in their username/password for the NT account on the
>web server, I want to somehow authenticate them with ASP, like IIS does when
>it brings up that dialog box and asks for the username and password.
>Once authenticated, I will then access a database that will return the URL
>to the client's folder to which they have access with that NT account username/password
>and redirect their browser to that URL.
>
>Thanks
>
>Bye
>
Michael Howard at 2007-11-12 0:15:06 >
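
Added example, not part of any post in this thread: a sketch of the form-login flow described in the original question and in reply #1, written in Python with SQLite rather than ASP. The table layout, column names, sample accounts and the `login` function are assumptions made for illustration; the lookup binds the form value as a parameter, stores a salted PBKDF2 hash instead of the password, and takes the redirect URL only from the database row.

```python
import hashlib
import hmac
import os
import sqlite3

ITERATIONS = 100_000           # PBKDF2 work factor (assumed value)
_DUMMY_SALT = b"\x00" * 16     # used so unknown users cost the same as known ones


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def make_db():
    """Build an in-memory table with constructed sample clients."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE clients (username TEXT PRIMARY KEY, salt BLOB,"
               " pw_hash BLOB, folder_url TEXT)")
    for user, pw, url in [("acme", "correct horse", "/clients/acme/"),
                          ("globex", "battery staple", "/clients/globex/")]:
        salt = os.urandom(16)
        db.execute("INSERT INTO clients VALUES (?, ?, ?, ?)",
                   (user, salt, hash_password(pw, salt), url))
    return db


def login(db, username, password):
    """Return the client's folder URL on success, None on any failure."""
    # Form fields are untrusted: bound their length before doing any work.
    if not (0 < len(username) <= 64 and 0 < len(password) <= 128):
        return None
    # The "?" placeholder binds the value as data, so quotes cannot alter the query.
    row = db.execute("SELECT salt, pw_hash, folder_url FROM clients"
                     " WHERE username = ?", (username,)).fetchone()
    salt, stored, url = row if row else (_DUMMY_SALT, b"", None)
    candidate = hash_password(password, salt)
    # Constant-time comparison; the URL is taken from the row, never from the form.
    if row and hmac.compare_digest(candidate, stored):
        return url
    return None


if __name__ == "__main__":
    db = make_db()
    print(login(db, "acme", "correct horse"))   # valid login
    print(login(db, "acme' OR '1'='1", "x"))    # quote characters stay plain data
```
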
# 2 Re: Authentication
What does what you've suggested have to do with logging on a user with an
NT authentication on directories?

"Michael Howard" <mikehow@microsoft.com> wrote:
>
>this is all very easy to do. All you need to do is offer a form which asks
>for user's name and pwd - you can they get this data from the form using
>ASP and perform a database lookup to see if that username and password exists.
>if you wanted to get really fancy, you could also have a list of valid urls
>the user is allowed to access and everything else is disallowed.
>
>make sure you read my article on web-based input before continuing.
>
>YOU HAVE BEEN WARNED :-)
>
>"Kirk" <khaynes@digitalconsulting.net> wrote:
>>
>>Hi,
>>
>>I would like to do authentication programmatically.
>>Currently, IIS handles authentication for 'secure' folders on the website.
>>What I want to do is to provide all my clients with a login webpage with
>>a username/password form.
>>When the client types in their username/password for the NT account on the
>>web server, I want to somehow authenticate them with ASP, like IIS does when
>>it brings up that dialog box and asks for the username and password.
>>Once authenticated, I will then access a database that will return the URL
>>to the client's folder to which they have access with that NT account username/password
>>and redirect their browser to that URL.
>>
>>Thanks
>>
>>Bye
>>
>
Kirk at 2007-11-12 0:16:02 >
# 3 Re: Authentication
if that's all you want to do then it's even easier! just elect to use any
of the auth schemes built into IIS on the vdir, dir or file in question and
the user will be prompted to enter their creds.

"Kirk" <khaynes@digitalconsulting.net> wrote:
>
>What does what you've suggested have to do with logging on a user with an
>NT authentication on directories?
>
>"Michael Howard" <mikehow@microsoft.com> wrote:
>>
>>this is all very easy to do. All you need to do is offer a form which asks
>>for user's name and pwd - you can they get this data from the form using
>>ASP and perform a database lookup to see if that username and password exists.
>>if you wanted to get really fancy, you could also have a list of valid urls
>>the user is allowed to access and everything else is disallowed.
>>
>>make sure you read my article on web-based input before continuing.
>>
>>YOU HAVE BEEN WARNED :-)
>>
>>"Kirk" <khaynes@digitalconsulting.net> wrote:
>>>
>>>Hi,
>>>
>>>I would like to do authentication programmatically.
>>>Currently, IIS handles authentication for 'secure' folders on the website.
>>>What I want to do is to provide all my clients with a login webpage with
>>>a username/password form.
>>>When the client types in their username/password for the NT account on the
>>>web server, I want to somehow authenticate them with ASP, like IIS does when
>>>it brings up that dialog box and asks for the username and password.
>>>Once authenticated, I will then access a database that will return the URL
>>>to the client's folder to which they have access with that NT account username/password
>>>and redirect their browser to that URL.
>>>
>>>Thanks
>>>
>>>Bye
>>>
>>
>
Michael Howard at 2007-11-12 0:17:05 >
# 4 Re: Authentication
See, you're missing the point of my post. If you re-read the 1st line, you'll
see that I'm trying to do this programmatically. And if you read on, you'll
see that I'm trying to avoid having that dialog box come up.

>>>>I would like to do authentication programmatically.
>>>>Currently, IIS handles authentication for 'secure' folders on the website.
>>>>What I want to do is to provide all my clients with a login webpage with
>>>>a username/password form.
>>>>When the client types in their username/password for the NT account on the
>>>>web server, I want to somehow authenticate them with ASP, like IIS does when
>>>>it brings up that dialog box and asks for the username and password.
>>>>Once authenticated, I will then access a database that will return the URL
>>>>to the client's folder to which they have access with that NT account username/password
>>>>and redirect their browser to that URL.
>>>>
>>>>Thanks
>>>>
>>>>Bye
>>>>
>>>
>>
>
Kirk at 2007-11-12 0:18:05 >
# 5 Re: Authentication
I don't think you can do that with anything built in (assuming you aren't
using ASP.net) You may be able to code an object that can make the thread
impersonate a different user though.
--
Eli Allen
eallen@bcpl.net

"Kirk" <khaynes@digitalconsulting.net> wrote in message
news:3aad9a9b$1@news.dev-archive.com...
>
> What does what you've suggested have to do with logging on a user with an
> NT authentication on directories?
>
> "Michael Howard" <mikehow@microsoft.com> wrote:
> >
> >this is all very easy to do. All you need to do is offer a form which asks
> >for user's name and pwd - you can they get this data from the form using
> >ASP and perform a database lookup to see if that username and password exists.
> >if you wanted to get really fancy, you could also have a list of valid urls
> >the user is allowed to access and everything else is disallowed.
> >
> >make sure you read my article on web-based input before continuing.
> >
> >YOU HAVE BEEN WARNED :-)
> >
> >"Kirk" <khaynes@digitalconsulting.net> wrote:
> >>
> >>Hi,
> >>
> >>I would like to do authentication programmatically.
> >>Currently, IIS handles authentication for 'secure' folders on the website.
> >>What I want to do is to provide all my clients with a login webpage with
> >>a username/password form.
> >>When the client types in their username/password for the NT account on the
> >>web server, I want to somehow authenticate them with ASP, like IIS does when
> >>it brings up that dialog box and asks for the username and password.
> >>Once authenticated, I will then access a database that will return the URL
> >>to the client's folder to which they have access with that NT account username/password
> >>and redirect their browser to that URL.
> >>
> >>Thanks
> >>
> >>Bye
> >>
> >
>
Eli Allen at 2007-11-12 0:19:11 >
# 6 Re: Authentication
out of interest - why do you wanna do it programmatically? you can always
use, say, basic auth and stuff the username and password in as part of the
uri? no work required by you!

"Kirk" <khaynes@digitalconsulting.net> wrote:
>
>See, you're missing the point of my post. If you re-read the 1st line, you'll
>see that I'm trying to do this programmatically. And if you read on, you'll
>see that I'm trying to avoid having that dialog box come up.
>
>>>>>I would like to do authentication programmatically.
>>>>>Currently, IIS handles authentication for 'secure' folders on the website.
>>>>>What I want to do is to provide all my clients with a login webpage with
>>>>>a username/password form.
>>>>>When the client types in their username/password for the NT account on the
>>>>>web server, I want to somehow authenticate them with ASP, like IIS does when
>>>>>it brings up that dialog box and asks for the username and password.
>>>>>Once authenticated, I will then access a database that will return the URL
>>>>>to the client's folder to which they have access with that NT account username/password
>>>>>and redirect their browser to that URL.
>>>>>
>>>>>Thanks
>>>>>
>>>>>Bye
>>>>>
>>>>
>>>
>>
>
Michael Howard at 2007-11-12 0:20:10 >
# 7 Re: Authentication
this may not work in all cases because to log a user on in win2000 (and nt4)
you need TCB priv and the asp page is already impersonating a user which
would not have TCB priv, so the call to LogonUser() would fail owing to lack
of priv.

"Eli Allen" <eallen@bcpl.net> wrote:
>I don't think you can do that with anything built in (assuming you aren't
>using ASP.net) You may be able to code an object that can make the thread
>impersonate a different user though.
>--
>Eli Allen
>eallen@bcpl.net
>
>"Kirk" <khaynes@digitalconsulting.net> wrote in message
>news:3aad9a9b$1@news.dev-archive.com...
>>
>> What does what you've suggested have to do with logging on a user with an
>> NT authentication on directories?
>>
>> "Michael Howard" <mikehow@microsoft.com> wrote:
>> >
>> >this is all very easy to do. All you need to do is offer a form which asks
>> >for user's name and pwd - you can they get this data from the form using
>> >ASP and perform a database lookup to see if that username and password exists.
>> >if you wanted to get really fancy, you could also have a list of valid urls
>> >the user is allowed to access and everything else is disallowed.
>> >
>> >make sure you read my article on web-based input before continuing.
>> >
>> >YOU HAVE BEEN WARNED :-)
>> >
>> >"Kirk" <khaynes@digitalconsulting.net> wrote:
>> >>
>> >>Hi,
>> >>
>> >>I would like to do authentication programmatically.
>> >>Currently, IIS handles authentication for 'secure' folders on the website.
>> >>What I want to do is to provide all my clients with a login webpage with
>> >>a username/password form.
>> >>When the client types in their username/password for the NT account on the
>> >>web server, I want to somehow authenticate them with ASP, like IIS does when
>> >>it brings up that dialog box and asks for the username and password.
>> >>Once authenticated, I will then access a database that will return the URL
>> >>to the client's folder to which they have access with that NT account username/password
>> >>and redirect their browser to that URL.
>> >>
>> >>Thanks
>> >>
>> >>Bye
>> >>
>> >
>>
>
>
Michael Howard at 2007-11-12 0:21:07 >
# 8 Re: Authentication
Say you have a list of users in a table in a SQL DB. But you only have a
few types of users in that table so you only create a few user accounts to
handle ACL and other security stuff.

That requires much less work if each user requires a tuple in the DB since
it doesn't require handling lots of user accounts.
--
Eli Allen
eallen@bcpl.net

"Michael Howard" <mikehow@microsoft.com> wrote in message
news:3aafeef4$1@news.dev-archive.com...
>
> out of interest - why do you wanna do it programmatically? you can always
> use, say, basic auth and stuff the username and password in as part of the
> uri? no work required by you!
>
>
> "Kirk" <khaynes@digitalconsulting.net> wrote:
> >
> >See, you're missing the point of my post. If you re-read the 1st line, you'll
> >see that I'm trying to do this programmatically. And if you read on, you'll
> >see that I'm trying to avoid having that dialog box come up.
> >
> >>>>>I would like to do authentication programmatically.
> >>>>>Currently, IIS handles authentication for 'secure' folders on the website.
> >>>>>What I want to do is to provide all my clients with a login webpage with
> >>>>>a username/password form.
> >>>>>When the client types in their username/password for the NT account on the
> >>>>>web server, I want to somehow authenticate them with ASP, like IIS does when
> >>>>>it brings up that dialog box and asks for the username and password.
> >>>>>Once authenticated, I will then access a database that will return the URL
> >>>>>to the client's folder to which they have access with that NT account username/password
> >>>>>and redirect their browser to that URL.
> >>>>>
> >>>>>Thanks
> >>>>>
> >>>>>Bye
> >>>>>
> >>>>
> >>>
> >>
> >
>
Eli Allen at 2007-11-12 0:22:10 >
# 9 Re: Authentication
I would say that it would not be very secure doing it that way, wouldn't you?

I've been looking into this for the past few days and a meta-database of
some sort keeps being referred to in several texts that purposefully sidestep
their way around the issue I'm trying to explore.

Ring any bells?

"Michael Howard" <mikehow@microsoft.com> wrote:
>
>out of interest - why do you wanna do it programmatically? you can always
>use, say, basic auth and stuff the username and password in as part of the
>uri? no work required by you!
Kirk at 2007-11-12 0:23:18 >
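
Added example, not part of any post in this thread: reply #6 suggests carrying the Basic auth username and password in the URI. The Python sketch below shows where such credentials surface in cleartext (a logged Referer URL, the base64 `Authorization` value) and masks them before log lines are stored; the log format, host names, sample credentials and function names are constructed for illustration.

```python
import base64
import re

# scheme://userinfo@host : the authority ends at the first "/", "?" or "#" (RFC 3986),
# so an "@" that appears later in a path or query string is not treated as userinfo.
USERINFO_RE = re.compile(r"\b(https?://)([^/?#\s@]+)@", re.IGNORECASE)


def redact_line(line):
    """Return (line with URI credentials masked, [usernames that were exposed])."""
    users = []

    def mask(match):
        users.append(match.group(2).partition(":")[0])
        return match.group(1) + "REDACTED@"

    return USERINFO_RE.sub(mask, line), users


def decode_basic(header_value):
    """Basic auth is base64 encoding, not encryption: return (user, password) or None."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except ValueError:            # malformed base64 or non-UTF-8 bytes
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def scan(lines):
    """List (line number, username) for every log line that carried URI credentials."""
    hits = []
    for number, line in enumerate(lines, 1):
        hits += [(number, user) for user in redact_line(line)[1]]
    return hits


# Constructed access-log lines; the last quoted field is the Referer.
SAMPLE_LOG = [
    '10.0.0.5 "GET /clients/acme/ HTTP/1.1" 200 "http://acme:s3cret@www.example.com/login.asp"',
    '10.0.0.6 "GET /index.asp?mail=a@b.example HTTP/1.1" 200 "-"',
    '10.0.0.7 "GET /help.asp HTTP/1.1" 200 "http://www.example.com?mail=a@b.example"',
]

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(redact_line(entry)[0])
    print(scan(SAMPLE_LOG))
```
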
# 10 Re: Authentication
to do this kinda stuff programmatically you need a username and password, which
basic auth gives you. whether you use a forms-based approach, or basic auth
- you need the password.

>Ring any bells?
not sure what you mean!

"Kirk" <khaynes@digitalconsulting.net> wrote:
>
>I would say that it would not be very secure doing it that way, wouldn't you?
>
>I've been looking into this for the past few days and a meta-database of
>some sort keeps being referred to in several texts that purposefully sidestep
>their way around the issue I'm trying to explore.
>
>Ring any bells?
>
>"Michael Howard" <mikehow@microsoft.com> wrote:
>>
>>out of interest - why do you wanna do it programmatically? you can always
>>use, say, basic auth and stuff the username and password in as part of the
>>uri? no work required by you!
>
Michael Howard at 2007-11-12 0:24:13 >
# 11 Re: Authentication
I think you have been up 20 hours before you post here. OF COURSE YOU NEED
THE PASSWORD. WHAT ARE YOU TALKING ABOUT! Get some sleep!
Kirk at 2007-11-12 0:25:18 >