A twist to "Logon User at Domain"

<Radek.Jedras***@gmail.com> wrote in message news:1171629185.547619.184480@t69g2000cwt.googlegroups.com...

Hi all,

just scanned the postings and I'm a little surprised. There seems to be no way to make a user logon/authenticate at a domain WITHOUT the user making his username AND PASSWORD available to the application initiating the logon/authentication process....

Is that right?
I'm referring to the

CredUIPromptForCredentials function

which "publishes" the password to the application invoking it.

Any hint how to initiate the authentication process in a way which does not make the password readable to the invoking application?

I really hope I'm just missing something, and it's not by design....

TIA
br
Radek

If the user is already logged in to Windows, then you can just use their security token directly. Otherwise, perhaps you can explain what you are trying to do.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--

On Feb 16, 4:19 pm, "Joe Kaplan" <joseph.e.kap***@removethis.accenture.com> wrote:
> If the user is already logged in to Windows, then you can just use their
> security token directly.

Yes, the user is logged in already, but at a different domain.

> Otherwise, perhaps you can explain what you are
> trying to do.

This is a VPN scenario: the user starts his machine and logs in with his local user name. Later he connects via VPN to a company network. With this connection in place he can start an application which needs his company-domain identity.

This works already, we are able to authenticate the user in the company domain, BUT only by presenting him a login dialog (Windows API) and ** passing over ** the info he provides (user name / password) to the DomainController for authentication ....

The point is: is there a way to do this without enabling the application to "read" the user's login info?

thanks for reading ;)

cheerio
Radek

You could have the user run the application with "Run As..." so that Windows would start the program under a different security context and your app wouldn't be doing the impersonation. That brings it outside of your application. Otherwise, no.

Joe K.