Re: Authentication
- From: "Ming Zhang" <mzhang@xxxxxxxxx>
- Date: Sat, 27 Aug 2005 17:52:03 -0700
Hi John,
Thanks for your response.
The wrapper app has to use form authentication (can NOT use windows
authentication) because there is no way to handle cases like "must change
password the first time login" if use windows authentication. Under windows
authentication, iis just return HTTP 401.1 if "must change password the
first time login" is set to true even the user provides correct password,
hence there is no way to distinguish whether it's wrong password, or need to
change password.
My existing apps require to use windows authentication (this is just the
requirement of those apps, I can't change it). So the problem is how to pass
the credential that authenticated against AD (by form authentication) to
other apps that only support windows authentication.
I know this might be a wired problem, but this is the case I am facing.
Thanks
Ming
"John Rivers" <first10@xxxxxxxxxxxxxx> wrote in message
news:1125166367.175555.143870@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
>
>
>
>
> Hi there,
>
> isn't it case that after they set their new password using your wrapper
> application that they only have to login once using the windows
> authentication
> with their new password and after that everything will be automatic
> again?
>
> or is it prompting them one time for each app?
>
> in which case I would look at getting all the apps to use the
> same authentication realm, so IE only keeps one setting for all of
> them.
>
> look at the web.config file for <authentication realm="try and make
> this the same across all your apps"/>
>
> (this corresponds to the realm parameter in the www-authenticate http
> header)
> (this is what ie uses to make the key for storing auth credentials)
>
> i am just brainstorming to try and help
> so sorry if i am on the wrong track
>
> John
>
> ps cool name you have :)
>
>
>
> Ming Zhang wrote:
>> Hi guys,
>> I have couple of ASP.NET applications that only support digest windows
>> authentication, and credentials are managed in a central AD. When users
>> login to one app, they can easily navigate to other apps without reenter
>> UID/PWD. Everything works except it doesn't meet our security policy for
>> new
>> created users. When creating a new user, it's required to have "user must
>> change password when first time login". In this case, the user will just
>> get
>> an 401.1 access deny error without any other clue.
>>
>> One solution is to write a wrapper web app that can detect this setting
>> and
>> allows user to change their password through internet. This can be done
>> by
>> using Form Authentication to authenticate against AD. Now the question is
>> after a user successfully authenticated in this wrapper app, if the user
>> navigate to other apps (which require windows authentication), the
>> authentication dialog will popup again. This is really what we hate to
>> see.
>> I am stuck here. So my question is if there is a way to let IE knows that
>> the current connection is already authenticated, so IE doesn't need to
>> popup
>> the dialog again.
>>
>> Your help is greatly appreciated!
>>
>> Ming
>
.
- Follow-Ups:
- Re: Authentication
- From: John Rivers
- Re: Authentication
- References:
- Authentication
- From: Ming Zhang
- Re: Authentication
- From: John Rivers
- Authentication
- Prev by Date: Re: <sessionState cookieless="true" />
- Next by Date: Re: <sessionState cookieless="true" />
- Previous by thread: Re: Authentication
- Next by thread: Re: Authentication
- Index(es):
Relevant Pages
|
