Brandon,
Thanks for your reply. I did not know how to use ADSI to retrieve username.
I then looked at the Professional Active Server Pages 3.0, chapter 21,
Introducing ADSI and Active Directory. The lines on the bottom of page 837
seem to suggest there are some security related problems with using the ADSI
authentication. I am confused. Please let me know if I misunderstand the
meaning in the paragraph on that page.
Thanks,
Xuehua.
----- Original Message -----
From: "Brandon" <patricrat@h...>
To: "Security_asp" <security_asp@p...>
Sent: Wednesday, May 09, 2001 5:08 PM
Subject: [security_asp] Re: which method is more reliable to get NT user account
> Actually Xuehua, why not try using ADSI (Active Directory) to retrieve
> username. Assuming you have a Windows 2000 based network ADSI provides you
> with extreme extensibility (say if you need to retrieve the groups that
> the user belongs to), it's considerably easier than developing an MTS
> comp, and it is fairly reliable. Additionally, I have found that the logon
> user environment variable is incredibly unreliable, and will only work if
> you set IIS Authentication to NTFS.
>
> Best Regards,
>
> Brandon Osborne
> US Dept of Defense
> hr90215@d...
> > Hi,
> >
> > I used the following two ways to get the NT user account, who is requesting a
> > web page, when the web site is set to NT challenge/response only:
> >
> > 1. use the Request.ServerVariables("LOGON_USER")
> > 2. create a non-transactional MTS component, then use the method of the
> > ObjectContext object, i.e. ObjectContext.Security.GetDirectCallerName to
> > retrieve the NT user account.
> >
> > Both give the same results. However, it seems to me that the first one gets
> > the information from the client machine's environment variables, and if a
> > hacker changed the environment variables, the
> > Request.ServerVariables("LOGON_USER") may give wrong information. Would the
> > second way, i.e. ObjectContext.Security.GetDirectCallerName, give a more
> > reliable NT user account?
> >
> > As I do not know the exact mechanism behind the two methods, can anybody
> > comment on the two methods?
> >
> > Thanks,
> >
>