[AccessD] OT: Retreiving user login name via ASP

Drew Wutka DWUTKA at marlow.com
Wed Aug 6 15:09:41 CDT 2003


The connection strings only contain the DB login info, not the NT Token that
is used to communicate with another network server.

If you want, I'll find the KB article that describes the situation.

Drew

-----Original Message-----
From: Haslett, Andrew [mailto:andrew.haslett at ilc.gov.au]
Sent: Thursday, July 31, 2003 9:33 PM
To: 'Access Developers discussion and problem solving'
Subject: RE: [AccessD] OT: Retreiving user login name via ASP


>> For example, if you have an IIS
>> server hosting your Intranet, and you have a file server that has company
>> databases on it, you cannot access the company databases from the
>> Intranet, through ASP.

Have to disagree.

Your connection strings to the database (in your ASP code) specify your
authentication details to database servers, or any other resources required.


Anonymous authentication, if enabled, will map all anonymous requests to the
IUSR_<MACHINE_NAME> account (by default - although this can be changed), which
will then need to be given database access if not specifying an account in
your connection string (bad!! - don't want to give anonymous users access to
a resource, even if it is limited).

We have no problems passing on our tokens to other resources / servers when
using integrated authentication...

Cheers,
Andrew

-----Original Message-----
From: Drew Wutka [mailto:DWUTKA at marlow.com]
Sent: Friday, 1 August 2003 11:52 AM
To: 'Access Developers discussion and problem solving'
Subject: RE: [AccessD] OT: Retreiving user login name via ASP


Sorry, I'm WAY behind on my list posts (It's showing 633 unread right
now....).  This is definitely my ball of wax, in fact, Susan and I just
wrote up an article about this.

Okay, here's the deal, there is a MAJOR drawback to using Integrated Windows
Authentication.  The drawback is, that you cannot use any resources that are
not directly located on the IIS server.  For example, if you have an IIS
server hosting your Intranet, and you have a file server that has company
databases on it, you cannot access the company databases from the Intranet,
through ASP.  In fact, I don't even think a link would work either...in fact
I am 98% sure of that, but I'm too swamped to test it.  The reason is, the
Integrated method creates a local token, not a domain token, so it's only
valid on the local machine, not anywhere else on the domain.

Now, Anonymous and Plain Text Authentication both create valid network
tokens.  So both of those methods are able to access other network
resources.  However, with Anonymous, you can't tell who is hitting the site,
because everyone is using the same 'anonymous' account.  You can tell the IP
Address though, and I would guess there has got to be a way to get the
logged on user from the current IP address from a domain controller....would
have to think about how to do that.  With Plain Text authentication though,
you can tell who's logged in (in fact the login credentials can be in the
URL), but the name and password are sent through the lines in plain text (as
the method is titled).  In fact, you can retrieve the password through ASP.

There is a fourth option, but only if the IIS server is a controlling server
on an Active Directory domain.  It is called digest authentication, but it
also requires that your domain uses reversible encryption.  It works a lot
like Integrated Windows authentication, but it doesn't have the local
resource issue.

Drew

-----Original Message-----
From: Haslett, Andrew [mailto:andrew.haslett at ilc.gov.au]
Sent: Thursday, July 31, 2003 5:48 PM
To: 'Access Developers discussion and problem solving'
Subject: RE: [AccessD] OT: Retreiving user login name via ASP


No drawbacks at all. In fact it's a (very simple) security enhancement, in
that only authorised users of your domain can now access the site.

Don't know your environment, but if your site were to hold sensitive
information and it were hacked from outside somehow, then it's an extra step
for the hackers to get around since anonymous access is disabled.

Cheers,
Andrew

-----Original Message-----
From: Jim DeMarco [mailto:Jdemarco at hshhp.org]
Sent: Thursday, 31 July 2003 9:40 PM
To: Access Developers discussion and problem solving
Subject: RE: [AccessD] OT: Retreiving user login name via ASP


Got it.  I had to disable Anonymous Access and now I see the user name.  Any
thoughts on what effect doing this will have if we disable anonymous access
on our intranet?

Thanks a lot for the help Andrew.

Jim DeMarco
Director of Product Development
HealthSource/Hudson Health Plan


-----Original Message-----
From: Haslett, Andrew [mailto:andrew.haslett at ilc.gov.au]
Sent: Wednesday, July 30, 2003 6:15 PM
To: 'Access Developers discussion and problem solving'
Subject: RE: [AccessD] OT: Retreiving user login name via ASP


Jim,

In IIS, right-click the website in question to bring up its properties.
Under Directory Security you will see options for a number of methods of
authentication.  Uncheck everything except integrated and the user's NT login
will then be used to authenticate them to your site.

Their details should also then be passed to those HTTP server variables for
you to access.  If that doesn't work then there must be a setting incorrect
somewhere as it does work - we use it in our apps on the intranet at work.

Cheers,
Andrew


-----Original Message-----
From: Jim DeMarco [mailto:Jdemarco at hshhp.org]
Sent: Thursday, 31 July 2003 2:52 AM
To: Access Developers discussion and problem solving
Subject: RE: [AccessD] OT: Retreiving user login name via ASP


Andrew,

This didn't work.  How do I know if we're using Integrated Authentication?
Is that Windows or IIS?

Thanks,

Jim

-----Original Message-----
From: Haslett, Andrew [mailto:andrew.haslett at ilc.gov.au]
Sent: Tuesday, July 29, 2003 8:09 PM
To: 'Access Developers discussion and problem solving'
Subject: RE: [AccessD] OT: Retreiving user login name via ASP


If using Integrated Authentication, the NT user name is passed through the
browser HTTP Server variables.

Try this:
Response.Write (Request.ServerVariables("LOGON_USER"))

This returns a string in the format domain\username

If LOGON_USER doesn't work, try REMOTE_USER

Cheers,
Andrew



-----Original Message-----
From: Jim DeMarco [mailto:Jdemarco at hshhp.org]
Sent: Wednesday, 30 July 2003 6:35 AM
To: Access Developers discussion and problem solving
Subject: [AccessD] OT: Retreiving user login name via ASP


Having a disagreement with the boss that maybe someone here can clear up for
me.  He thinks there is a way to return the Win2K user login name from an
ASP page.  I'm not 100% certain but I don't know that I've ever seen that
done.  

Does anyone know if it's possible?  If it is, a code sample would be
appreciated.

Thanks,

Jim DeMarco


****************************************************************************
*******
"This electronic message is intended to be for the use only of the named
recipient, and may contain information from Hudson Health Plan (HHP) that is
confidential or privileged.  If you are not the intended recipient, you are
hereby notified that any disclosure, copying, distribution or use of the
contents of this message is strictly prohibited.  If you have received this
message in error or are not the named recipient, please notify us
immediately, either by contacting the sender at the electronic mail address
noted above or calling HHP at (914) 631-1611. If you are not the intended
recipient, please do not forward this email to anyone, and delete and
destroy all copies of this message.  Thank You".
****************************************************************************
*******

_______________________________________________
AccessD mailing list
AccessD at databaseadvisors.com
http://databaseadvisors.com/mailman/listinfo/accessd
Website: http://www.databaseadvisors.com

IMPORTANT - PLEASE READ ******************** 
This email and any files transmitted with it are confidential and may 
contain information protected by law from disclosure. 
If you have received this message in error, please notify the sender 
immediately and delete this email from your system. 
No warranty is given that this email or files, if attached to this 
email, are free from computer viruses or other defects. They 
are provided on the basis the user assumes all responsibility for 
loss, damage or consequence resulting directly or indirectly from 
their use, whether caused by the negligence of the sender or not.
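
The LOGON_USER lookup discussed in this thread, as an added classic ASP
(VBScript) example that is not part of the original messages. It covers the
empty value Jim saw while anonymous access was enabled, the domain\username
format, and the plain-text authentication exposure Drew describes; the
401/403 responses are this example's own policy choices, not something the
posters prescribed.

```asp
<%@ Language="VBScript" %>
<%
Option Explicit
' Added example (not from the thread): read the authenticated NT user safely.
Dim authType, logonUser, slashPos, domainPart, userPart

' AUTH_TYPE is empty when IIS served the request anonymously.
authType  = Request.ServerVariables("AUTH_TYPE")
logonUser = Request.ServerVariables("LOGON_USER")
If logonUser = "" Then logonUser = Request.ServerVariables("REMOTE_USER")

' Anonymous access is still enabled, so IIS never asked who the user is.
' Answer 401 so the client is challenged with the site's other enabled methods.
If logonUser = "" Then
    Response.Status = "401 Unauthorized"
    Response.End
End If

' Basic ("plain text") authentication sends the password with every request.
' Example policy: refuse it unless the request arrived over HTTPS.
If LCase(authType) = "basic" And _
   LCase(Request.ServerVariables("HTTPS")) <> "on" Then
    Response.Status = "403 Forbidden"
    Response.Write "Basic authentication is only accepted over HTTPS."
    Response.End
End If

' LOGON_USER is normally domain\username, but with Basic authentication it is
' whatever the user typed, so the domain part may be missing.
slashPos = InStr(logonUser, "\")
If slashPos > 0 Then
    domainPart = Left(logonUser, slashPos - 1)
    userPart   = Mid(logonUser, slashPos + 1)
Else
    domainPart = ""
    userPart   = logonUser
End If

' HTML-encode before echoing: the value is request-derived data.
Response.Write "Auth type: " & Server.HTMLEncode(authType) & "<br>"
Response.Write "Domain: "    & Server.HTMLEncode(domainPart) & "<br>"
Response.Write "User: "      & Server.HTMLEncode(userPart)
%>
```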