Windows pass-through authentication?

[Jane]

When running a NetTalk web server on an intranet, is it possible to capture the Windows Active Directory domain user's login name?  (Something like using GetUserName from CWUTIL).

Thanks for any help.

Jane Fleming

[peterH]

Hi Jane (and welcome here  )

Which user are you refering to? I think you mean the user running the app in the browser and in that case, no.

The NT app lives in it's own world and knows nothing about the user's local pc's and their AD's. The only user the NTWS would know about is the user starting the server program.

But if I'm on the right track (assuming you want to try automating the logon to your NT app) you could maybe write a program that'll retrieve the user's login name using GetUserName and then login to the NT app. That may be possible using FileExplorer. However, I don't even know if it's doable, it's just a long shot.

Peter

[Jane]

Hi, Peter,

Yes, the right track.

For example, when I'm on a domain computer and connect to the internal SQL Server Reporting Services website on our company LAN, Internet Explorer automatically authenticates me.

When I use a browser on my laptop that's not part of the domain, SSRS presents me with a login screen because the domain-based SSRS security has no idea who I am.

I'd like to know whether the mechanism that SSRS uses to know who's at the other end of the browser could be used connecting to a NetTalk app.

[kevin plummer]

Hi Jane,

check out the ActiveX example that ships with NTW. I think this opens up some possibilities if you use IE.

Otherwsie, I use MSSQL (but don't use SSRS) and one would think you could authenticate SSRS in the same way you authenticate an SQL connection, that is, assuming authentication is setup for mixed mode authentication and you had another user setup in SQL you could use via the web.

Cheers,

Kevin

[Jane]

Thanks, Kevin.

I was using SSRS and pass-through authentication just as an example.

My NetTalk web server does access a SQL database, but the app itself does that using SQL authentication not related to the identity of the user connecting from a browser.

I want to know who's connecting from the browser session to set some user-specific configuration stuff (preferences and access).  That's just stuff my web server app needs to know, not anything involved with SQL authentication.

And while I mentioned IE, a lot of our internal users use Chrome. 
While Chrome won't display the SSRS reports properly, BTW, it does pass through the user authentication information to the SSRS web service just fine.

Jane

[Bruce]

Hi Jane,

so let's cover some bases.

a) the "Browser" running on the client machine is running JavaScript, but it "isolates" that JavaScript from the machine itself. So it's not possible in JavaScript to get things like the Windows Login etc.

b) Bear in mind that you can run a browser on anything, so on many platforms (like say an iPhone) the windows login does not apply anyway.

c) If JavaScript is limited, then you need something else to "bridge" the gap between browser and machine. In the case of IE this is an ActiveX control (and  example 45 - wScriptActive shows you how this is done.) but of course this technique only works in IE, other browsers would require other techniques. Actually, it won't even necessarily work in IE, if the user has support for ActiveX turned off it'll fail there too.

d) I've done a search, but I don't see how it's possible in chrome. So any more information you have on that would be useful.


Cheers
Bruce

[Jane]

Thanks, Bruce.

I don't know the mechanism, just from an end-user have experienced that it works on the corporate networks where I contract.

This is one article I just found:  http://dev.chromium.org/developers/design-documents/http-authentication

And a quick search turned this up for firefox:  http://ole.michelsen.dk/blog/firefox-auto-login-with-windows-authentication-and-ad/

If this isn't workable...  looking at the "LoginBeforeFrame" and "AccessLevels" demos, it would appear that the approach might be to protect at least the login screen with SSL and then to have the webserver exe hash the password and authenticate against its own user file?

Thanks.

Jane

[Bruce]

Hi Jane,

thanks for the links - they make for interesting reading, and I may use them later on.
Unfortunately they only do Integrated Authentication for NTLM authentication, and that's not something we currently support. I'll keep an eye on it, but it's not something I'd be able to do in the short term.

>> it would appear that the approach might be to protect at least the login screen with SSL

do the whole app in SSL. Don't mess around with some SSL and some not. There's no benefit to that, and it causes problems elsewhere.

>> and then to have the webserver exe hash the password and authenticate against its own user file

yes.

cheers
Bruce

[Bruce]

follow up to this in this thread;
http://www.nettalkcentral.com/index.php?option=com_smf&Itemid=36&topic=7268.0