[AccessD] Active Directory Authentication or Lookup for DB

Heenan, Lambert Lambert.Heenan at AIG.com
Tue Nov 18 12:04:43 CST 2008


Would this work for you? ...

Private Declare Function LogonUser Lib "Advapi32" Alias "LogonUserA" (ByVal
_
    lpszUserName As String, ByVal lpszDomain As String, _
    ByVal lpszPassword As String, ByVal dwLogonType As Long, _
    ByVal dwLogonProvider As Long, phToken As Long) As Long
Private Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long)
As _
    Long
Const LOGON32_PROVIDER_DEFAULT = 0&
Const LOGON32_LOGON_NETWORK = 3&

' Check whether a username/password pair is correct
'
' if DOMAIN is omitted, it uses the local account database
' and then asks trusted domains to search their account databases
' until it finds the account or the search is exhausted
' use DOMAIN="." to search only the local account database
'
'  IMPORTANT: works only under Windows NT and 2000 and XP

Private Function CheckWindowsUser(ByVal UserName As String, _
    ByVal Password As String, Optional ByVal Domain As String) As Boolean
    Dim hToken As Long, ret As Long

    ' provide a default for the Domain name
    If Len(Domain) = 0 Then Domain = vbNullString
    ' check the username/password pair
    ' using LOGON32_LOGON_NETWORK delivers the best performance
    ret = LogonUser(UserName, Domain, Password, LOGON32_LOGON_NETWORK, _
        LOGON32_PROVIDER_DEFAULT, hToken)
    
    ' a non-zero value means success
    If ret Then
        CheckWindowsUser = True
        CloseHandle hToken
    End If
End Function 

Lambert

-----Original Message-----
From: accessd-bounces at databaseadvisors.com
[mailto:accessd-bounces at databaseadvisors.com] On Behalf Of Lawrence Mrazek
Sent: Tuesday, November 18, 2008 12:10 PM
To: 'Access Developers discussion and problem solving'
Subject: Re: [AccessD] Active Directory Authentication or Lookup for DB

Hi Drew:

Sorry about the delay in responding; trying to get over some sort of illness
brought home by the kids!

Basically, I think they'd like to do a lookup against AD, compare against a
username in the application table, if both match, then allow them to
proceed. These apps are already secured by Active Directory permissions,
most of them are custom reporting and analysis tools I developed to provide
them with functionality lacking in their enterprise software. 

Do you think the above scenario is doable?

Larry Mrazek
ph. 314-432-5886
lmrazek at lcm-res.com
http://www.lcm-res.com


-----Original Message-----
From: accessd-bounces at databaseadvisors.com
[mailto:accessd-bounces at databaseadvisors.com] On Behalf Of Drew Wutka
Sent: Monday, November 17, 2008 9:59 AM
To: Access Developers discussion and problem solving
Subject: Re: [AccessD] Active Directory Authentication or Lookup for DB

So what kind of code are you looking for to get there?  Just the basic
logged in user stuff, or do you want some code to query/authenticate against
AD?

Drew

-----Original Message-----
From: accessd-bounces at databaseadvisors.com
[mailto:accessd-bounces at databaseadvisors.com] On Behalf Of Lawrence Mrazek
Sent: Saturday, November 15, 2008 1:19 AM
To: 'Access Developers discussion and problem solving'
Subject: Re: [AccessD] Active Directory Authentication or Lookup for DB

Hi Drew:

Thanks for the great response; it really helped bring everything into focus.


I might only need to query against Active Directory, so a common user
framework running on all of their apps might do the trick.

Larry Mrazek
ph. 314-432-5886
lmrazek at lcm-res.com
http://www.lcm-res.com


-----Original Message-----
From: accessd-bounces at databaseadvisors.com
[mailto:accessd-bounces at databaseadvisors.com] On Behalf Of Drew Wutka
Sent: Friday, November 14, 2008 3:49 PM
To: Access Developers discussion and problem solving
Subject: Re: [AccessD] Active Directory Authentication or Lookup for DB

Ok, you asked, so sit back and read.  I am not going to include any code at
this point, because there would be too much to throw at you at once!

To start with, there are a few ways to get AD information.  The easiest and
least code intensive is to just go off of NT User name (or Active Directory
Account name).  To retrieve this name, is a very simple function (just a few
lines of code).  You can also retrieve the name of the domain you are on
with a simple line of code too.  So if you just want to know that jsmith on
MyCompany domain is getting into your database, you can use those two simple
functions to verify that.

HOWEVER, the steps above are going to go off of the credentials of the user
currently logged into the machine.  It will even work if the user is
technically 'offline', because the functions for those will go off of the
local machine's cached credentials.  This is usually as far as most Access
developers will go to integrate their systems with Active Directory.

However, if you want to go further, you can actually 'query' Active
Directory.  Querying AD is a little different then Access Queries.  The
language is a bit different, different qualifiers, structure, etc.
However, by querying AD, you can get a list of all current users, groups,
group membership, etc.  You can also 'authenticate' a user against Active
directory.  I have a function that will do that if you provide the username
and password.  

So, if you truly want to make a system that is integrated with Active
Directory, I would build a 'user framework'.  I do this with a global user
class.  When it initializes, it gets all the current user information based
off of the logged in user, but it can be changed to represent another user
through the authentication method I described earlier.  All
functions/features are then verified through this class.

I will caution you, however, that while Access is a great RAD tool, when it
is used as a Front End, it is less then secure.  I personally have never
used AD integration with an Access FE, I have used it with a VB FE and with
Web based front ends, where the database is not directly available to the
users.  So if you are looking to use AD integration as a simple method of
user administration, go ahead, but if you are planning on user AD
integration for security purposes, I would recommend a different platform
for your front end.

Drew

-----Original Message-----
From: accessd-bounces at databaseadvisors.com
[mailto:accessd-bounces at databaseadvisors.com] On Behalf Of Lawrence Mrazek
Sent: Friday, November 14, 2008 1:03 PM
To: 'Access Developers discussion and problem solving'
Subject: [AccessD] Active Directory Authentication or Lookup for DB

Hi Folks:

Is it possible to use Active Directory to login to an Access DB (XP in this
case)? Can I access the current AD username and groups via VBA code?

I'm just trying to see what's possible in this area right now and if anyone
is using this functionality in their apps. 

Thanks in advance. 

Larry Mrazek
ph. 314-432-5886
lmrazek at lcm-res.com
http://www.lcm-res.com



--
AccessD mailing list
AccessD at databaseadvisors.com
http://databaseadvisors.com/mailman/listinfo/accessd
Website: http://www.databaseadvisors.com The information contained in this
transmission is intended only for the person or entity to which it is
addressed and may contain II-VI Proprietary and/or II-VI Business Sensitive
material. If you are not the intended recipient, please contact the sender
immediately and destroy the material in its entirety, whether electronic or
hard copy. You are notified that any review, retransmission, copying,
disclosure, dissemination, or other use of, or taking of any action in
reliance upon this information by persons or entities other than the
intended recipient is prohibited.


--
AccessD mailing list
AccessD at databaseadvisors.com
http://databaseadvisors.com/mailman/listinfo/accessd
Website: http://www.databaseadvisors.com


--
AccessD mailing list
AccessD at databaseadvisors.com
http://databaseadvisors.com/mailman/listinfo/accessd
Website: http://www.databaseadvisors.com The information contained in this
transmission is intended only for the person or entity to which it is
addressed and may contain II-VI Proprietary and/or II-VI Business Sensitive
material. If you are not the intended recipient, please contact the sender
immediately and destroy the material in its entirety, whether electronic or
hard copy. You are notified that any review, retransmission, copying,
disclosure, dissemination, or other use of, or taking of any action in
reliance upon this information by persons or entities other than the
intended recipient is prohibited.


-- 
AccessD mailing list
AccessD at databaseadvisors.com
http://databaseadvisors.com/mailman/listinfo/accessd
Website: http://www.databaseadvisors.com


-- 
AccessD mailing list
AccessD at databaseadvisors.com
http://databaseadvisors.com/mailman/listinfo/accessd
Website: http://www.databaseadvisors.com



More information about the AccessD mailing list