Hi Chris,
First of all, have you downloaded a copy of Building Secure ASP.NET
Applications from Microsoft's website? It is a lengthy tome (over 600
pages!) but it tells you everything you might need to know about ASP.NET
Security, and it's very modular (so there is quite a lot of repetition in
those 600 pages, so that you do not have to keep cross-referencing other
chapters while you read it). You can get the document at:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/secnetlpmsdn.asp
I have been wrestling with a similar problem, and I haven't found a really
satisfactory solution. If you need to call LogonUser, whatever process does
the call needs the privilege. One route to go would be to put the call in a
class that inherits from ServicedComponent, and configure it using COM+
admin to run under a process identity that has the required privilege.
Perhaps this gives you a bit more security (providing you configure your
component as a Server application).
Are you using forms authentication?
BTW, I have found that the return value from LogonUser is useless. I have
also found that if the user whose credentials you pass can't be found, but
the guest account can, then it logs on the guest account. To check whether
or not it has actually logged someone on, check the return value of the
hToken.
I'm not sure how you're calling LogonUser, but here is a bit of code from my
class:
--- Begin Code
using System;
using System.Runtime.InteropServices;
using System.Security.Principal;

public class LogonSvc
{
    private const int LOGON32_PROVIDER_DEFAULT = 0;
    private const int LOGON32_LOGON_INTERACTIVE = 2;
    private const int LOGON32_LOGON_NETWORK = 3;
    private const int LOGON32_LOGON_BATCH = 4;
    // The original listing had this as 3, which is the value of
    // LOGON32_LOGON_NETWORK; the cleartext network logon type is 8.
    private const int LOGON32_LOGON_NETWORK_CLEARTEXT = 8;

    /// <summary>
    /// Imported API functions. SetLastError=true lets Marshal.GetLastWin32Error()
    /// report why a call failed; importing GetLastError() via DllImport is unreliable
    /// because the runtime may overwrite the error before it is read.
    /// </summary>
    [DllImport("advapi32.dll", SetLastError=true, CharSet=CharSet.Auto)]
    private static extern bool LogonUser(String lpszUserName,
        String lpszDomain,
        String lpszPassword,
        int dwLogonType,
        int dwLogonProvider,
        ref IntPtr phToken);

    [DllImport("kernel32.dll", SetLastError=true)]
    private static extern bool CloseHandle(IntPtr hObject);

    // Assumed helper (not shown in the original post): builds the account name in
    // the DOMAIN\user form that WindowsIdentity.Name reports.
    private static string FullUserName(string sDomain, string sUserName)
    {
        return sDomain + "\\" + sUserName;
    }

    public bool isUserValid(string sDomain, string sUserName, string sPassword)
    {
        IntPtr hToken = IntPtr.Zero;
        try
        {
            LogonUser(sUserName, sDomain, sPassword,
                      LOGON32_LOGON_NETWORK_CLEARTEXT, LOGON32_PROVIDER_DEFAULT,
                      ref hToken);
            string fullName = FullUserName(sDomain, sUserName);
            // Judge success by the token rather than the return value, and compare
            // the token's account name: an unknown user can be logged on as guest.
            if (hToken == IntPtr.Zero)
                return false;
            WindowsIdentity wi = new WindowsIdentity(hToken);
            // No impersonation is started here, so no RevertToSelf() is needed.
            return (wi.Name.ToUpper() == fullName.ToUpper());
        }
        catch (Exception)
        {
            // do your error handling here
            return false;
        }
        finally
        {
            // WindowsIdentity duplicates the token, so release our own handle.
            if (hToken != IntPtr.Zero)
                CloseHandle(hToken);
        }
    }
}
--- end code
Hope this helps.
Cheers,
Helen
> -----Original Message-----
> From: Chris [mailto:wrox@d...]
> Sent: Wednesday, November 27, 2002 8:43 AM
> To: ASPX_Professional
> Subject: [aspx_professional] RE: Solutions Toolkit logon code doesn't work
>
>
> Helen, thanks for your reply.
>
> Yes, we're calling WindowsLogon.Authenticate with domain/user and
> password and the private function LogonUser in the WindowsLogon class
> that it calls is returning false. I don't know how to get detailed error
> information from that call to an unmanaged .DLL - is there a method?
>
> However your permissions note may be the (unwanted) answer. We haven't
> given ASPNET user permission to 'act as part of the operating system'...
> that's pretty unsafe, isn't it? And if ASPNET user needs that permission
> to log on a user, an impulse to have ASPNET temporarily impersonate a
> user with 'act as part of the operating system' permission seems dead in
> the water too.
>
> Our goal is to send end-user credentials from our own form to somewhere,
> and end up with a Windows Identity object on which we can use the
> IsInRole method to determine Windows group membership, all well secured.
> Can this solution help us do that? Any others?
>
> Thanks again for your help.
>
>
> Hi Chris
>
> Is the call to LogonUser?
>
> If so, the process making the call has to have the privilege "act as part
> of the operating system".
>
> What error does it throw?
>
> Cheers,
>
> Helen
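Pulling the thread together (Chris's question about getting the Win32 error out of the unmanaged call, Helen's warning that the return value is not enough and that an unknown user may be logged on as guest, and Chris's goal of ending up with an identity usable with IsInRole), here is an added example that is not code from either message. The class name, the `Authenticate` method and the `reason` out-parameter are my own; the P/Invoke signatures, error codes and `WindowsIdentity.IsGuest` are standard Win32 and .NET.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Security.Principal;
public sealed class WindowsLogonCheck
{
    private const int LOGON32_LOGON_NETWORK = 3;
    private const int LOGON32_PROVIDER_DEFAULT = 0;
    private const int ERROR_PRIVILEGE_NOT_HELD = 1314;  // caller lacks a required privilege
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    private static extern bool LogonUser(string user, string domain, string password,
        int logonType, int logonProvider, out IntPtr token);
    [DllImport("kernel32.dll", SetLastError = true)]
    private static extern bool CloseHandle(IntPtr handle);
    // Returns a WindowsPrincipal for the requested account, or null (with reason set)
    // when the logon fails or a different account than the one asked for was logged on.
    public static WindowsPrincipal Authenticate(string domain, string user,
                                                string password, out string reason)
    {
        IntPtr token;
        if (!LogonUser(user, domain, password, LOGON32_LOGON_NETWORK,
                       LOGON32_PROVIDER_DEFAULT, out token))
        {
            // SetLastError=true makes the Win32 code available; a DllImport of GetLastError is not reliable.
            int err = Marshal.GetLastWin32Error();
            reason = err == ERROR_PRIVILEGE_NOT_HELD
                ? "calling process lacks the privilege LogonUser needs (error 1314)"
                : new Win32Exception(err).Message + " (error " + err + ")";
            return null;
        }
        try
        {
            WindowsIdentity identity = new WindowsIdentity(token);
            // A successful call does not prove the requested account logged on:
            // with guest access enabled an unknown user can receive the guest token.
            string expected = domain + "\\" + user;
            if (identity.IsGuest || String.Compare(identity.Name, expected, true) != 0)
            {
                reason = "logged on as '" + identity.Name + "' instead of '" + expected + "'";
                return null;
            }
            reason = null;
            return new WindowsPrincipal(identity);  // IsInRole(...) works on this principal
        }
        finally
        {
            CloseHandle(token);  // WindowsIdentity duplicated the token; release ours
        }
    }
}
```

The process hosting this call still needs whatever privilege LogonUser requires on the platform in question, so the error 1314 branch is the one to watch when the check fails for every user.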