[thelist] Getting Login Name & Password

Ken Schaefer Ken at adOpenStatic.com
Wed May 25 14:03:53 CDT 2005


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
: From: thelist-bounces at lists.evolt.org
: [mailto:thelist-bounces at lists.evolt.org] On Behalf Of j s
: Subject: [thelist] Getting Login Name & Password
: 
: Is there a way, on a web page (ASP), to pick up the user's login name &
: password that was used to log in to their PC?
: 
: Jess
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From ASP, running on a web server, you are only able to get the credentials
that a user logs on to the IIS server with. There is no guarantee that these
are the same credentials that the user logged onto their computer with, since
the user can supply alternate credentials if they want.

There are a few comments I would add to the other posts that have already
been posted:
a) If you use an insecure authentication protocol (e.g. Basic), then both the
username and password are transmitted in the clear, and your web app can
access them. However, users should be educated to be very careful about
submitting their credentials, in the clear, to websites, because those
websites can then reuse those credentials to do whatever they want.

b) There are a number of Request.ServerVariables, and you need to be aware of
the differences between the two: there's Logon_User and Auth_User. The
differences are detailed here:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/iissdk/iis/servervariables.asp?frame=true

c) Autologon by IE. This can happen if the authentication protocol is either
NTLM or Kerberos (not just NTLM) BUT there are a number of other requirements
that need to be met. The most important is that the website is located in the
local Intranet security zone. Autologon will not happen in the Internet zone
(this is a security restriction - it means the user has control over where
their credentials are sent):
http://support.microsoft.com/?id=258063

d) If you want a bunch of details about how IIS and HTTP authentication
works, you can grab this PDF:
http://www.adopenstatic.com/resources/books/293_CYA_IIS6_05.pdf
which is chapter 5 from the IIS6 book I co-authored, which covers the
authentication stuff that IIS supports.

Cheers
Ken

--
www.adOpenStatic.com/cs/blogs/ken/
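
Point (a) above, as an added example that is not part of the original post: a Python sketch of what a server-side application can read from the HTTP Authorization header under each scheme the post mentions. The function name and the sample header values are constructed for illustration.

```python
import base64
import binascii

# Constructed sample headers (not captured traffic).
SAMPLE_BASIC = "Basic " + base64.b64encode(b"alice:s3cret:with:colons").decode()
SAMPLE_NO_COLON = "Basic " + base64.b64encode(b"nocolonhere").decode()
SAMPLE_NTLM = "NTLM " + base64.b64encode(b"NTLMSSP\x00constructed-token").decode()


def visible_credentials(authorization_header):
    """Return what the receiving web app can read from an Authorization header.

    Basic carries base64("user:password"). Base64 is an encoding, not
    encryption, so without TLS both values cross the wire in recoverable
    form, and the receiving site always sees the password itself.
    NTLM and Negotiate (Kerberos) carry protocol tokens instead; the
    password is never sent, and the app only learns the user name from
    the web server once the handshake completes.
    """
    scheme, _, payload = authorization_header.strip().partition(" ")
    scheme = scheme.lower()
    payload = payload.strip()

    if scheme == "basic":
        try:
            decoded = base64.b64decode(payload, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            return {"scheme": "Basic", "error": "malformed credentials"}
        # Split on the first colon only: the password may contain colons.
        user, sep, password = decoded.partition(":")
        if not sep:
            return {"scheme": "Basic", "error": "malformed credentials"}
        return {"scheme": "Basic", "user": user, "password": password}

    if scheme in ("ntlm", "negotiate"):
        # Opaque token: nothing here yields a reusable password.
        name = "NTLM" if scheme == "ntlm" else "Negotiate"
        return {"scheme": name, "user": None, "password": None}

    return {"scheme": scheme or None, "error": "unsupported scheme"}


if __name__ == "__main__":
    for header in (SAMPLE_BASIC, SAMPLE_NTLM, "Basic !!!not-base64!!!"):
        print(visible_credentials(header))
```
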

