Slowhand
|
| Posted: 12/07/2004, 2:17 AM |
|
Is there any way to use NT login instead of login table in project settings? Is it enough to set DB conn to NT Login? Is the login form required in that case?
Any help much appreciated,
Slowhand
|
|
|
 |
Richard Gutery
|
| Posted: 12/13/2004, 8:38 PM |
|
I'm not sure exactly what you are asking, so here goes. There is no way to
map an ASP Login Form to the NT Logon Process (called NTLSA). It's a secure
process owned by SVCHOST and cannot be called directly!
There are two distinctive ways in doing this:
1) Use MS ADSI COM to instantiate a connection to AD via ADSI (NT anad
Win2K+ both use ADSI, NT is just a little more limited). Once you have a
connection to ADSI, create an LDAP query to query the User Account Object
(using CN=domain context, CN=Users etcc). In the AD user account object you
can extract the user context (i.e. permissions). Store the context into a
session varaiable and then compare the session data to some table somewhere
that has a list of users (or constants whichever you prefer). Of course, you
would map the AD User Context to the Login ID table (or whatever),
2) This is probabaly alot easier (trust me it took me almost 3 weeks to make
the above work consistantly). Change the NTFS directory (or possibly more
correctly; The File Perms) to a specific GROUP. Assign the NT (or AD)
accountto the Group. The user would then get the Famous Windows NT Login
Dialog box and be authenticated by NT.
A final note about Option 2. if you do this, then the user will have to
enter Username, Password and Domain Name. To bypass the Domain portion of NT
Authentication, do the following:
1) If your IIS box is a Member Server, change the Authetication to use the
Domain for authentication ex: \mydomain,
2) If you are running IIS on a DC, then simply use the backslah (\) instead
of the Domain Name. The NetBIOS Domain name won't work (IIS resets it to
blank every 15 minutes and will screw things up). Using the UPN (i.e.
bob@bob.com won't work either, because AD needs the Domain Context. The
single backslashs (\) refers to the default domain.
I realize that it's probably more than what you were looking for, but both
will work and Option 2 is the easiest to impliment.
Here's a link that may help with Option 1:
http://support.microsoft.com/default.aspx?scid=kb;en-us;269190
Here's a link that may help with Option 2:
http://support.microsoft.com/default.aspx?scid=kb;en-us;168908 Use method
one here, the other methods are for Exchange and IIS.
Hope they help.
RG
"Slowhand" <Slowhand@forum.codecharge> wrote in message
news:241b5835089463@news.codecharge.com...
> Is there any way to use NT login instead of login table in project
> settings? Is
> it enough to set DB conn to NT Login? Is the login form required in that
> case?
>
> Any help much appreciated,
>
> Slowhand
> ---------------------------------------
> Sent from YesSoftware forum
> http://forums.codecharge.com/
>
|
|
|
|
peterr
Posts: 5971
|
| Posted: 12/14/2004, 2:23 AM |
|
I'd like to add that another user posted code example for LDAP authentication at http://forums.codecharge.com/posts.php?post_id=48603, probably equivalent to method #1 above.
Of course the implementation in other programming language may very somewhat.
_________________
Peter R.
YesSoftware Forums Moderator
For product support please visit http://support.yessoftware.com |
 |
|
Richard Gutery
|
| Posted: 12/14/2004, 8:50 AM |
|
Good post. I recall that Iworked on a project several months back wherein we
installed PHP for NT (http://www.php.net/downloads.php) and Microsoft Unix
Services for Windows (http://www.microsoft.com/windows/sfu/).
I had one of my people try the code in your post and it (apparently) worked
without a hitch! Of course, the Path for the shell_exec may have to be
changed and it's important to note that chown should allocate perms as
ga+rwe (or 777).
Could be a big time saver for those that use PHP.
RG
|
|
|
|
|
