WebApp Sec mailing list archives
Re: get network user name
From: Josh <its.josh () verizon net>
Date: Fri, 10 Mar 2006 23:16:09 -0500
Give this a try to get Firefox to authenticate automatically. (I cant confirm if it works, havent tried it myself)
http://blogs.wdevs.com/shog9/archive/2005/03/09/2668.aspxYou can see my previous email for info on setting up IIS so you can use .NET for gathering the user name. No client-side apps are required, all authentication is handled by the browser.
John Bond wrote:
First of all Thank you for all your responses. Let me expand on wht the situation is. The server can be either windows or *nix The webserver can be apache2 or IIS The client will be either windows or *nix. the browser can be anything but i could limit this to firefox and MSIE if needed but firefox is a must the languaged used can be preety much anything par assembly. if needed seperate extentios for MSIE and firefox could be writen. The whols process should be seemless from the users point of view.All the users will be logged into a win 2003 Active directory domain. it is this login name which i require (possibly their password or akerbose ticket if possible). What i need is the loged in users usersname. This will be used toquery the active directory to find out infomation about a the user. If i am unable to bind to the ldap as the user i could bind as ageneric use that had read writes. However this would mean having a script containig a username/password that had read rights to the entire AD. This means that the web server has to trust any infomation it gets, as i said this is an intranet site so some restraint can be taken, but not much and im sure some would say it shouldnt make a difference. **Nemesis Knight saidIf this is an Intranet site running IIS on a Windows Server...the information is already contained in the IIS Event Logs.The logs can only get the username from basic auth (i think) I would like their domain login username **Josh saidI've built a few apps that do what you are looking for with .NET and IIS.This would certanly be usefull. Would the solution requier any .NET support on the client side? as this may not be possible du to the use of *nix systems. **Fears, Erik saidUse NTLM authentication (SSIP) if everyone is part of an NT domain.This looks like a good idea. My understanding is i can implment in php (with cURL), i imagine aspx and posibly perl. It is also supported by firefox and MSIE is that correct? is their support for other browser specificly opera and Konqueror? **Adam Tuliper saidOne thing to note is unless authentication is enabled on the webserver you won't get this information.Could you please expand on this it seems that NTLM can be done with a php solution using the cURL library. **Adam Tuliper saidI believe IE will first send the current logged on user named when prompted by the webserverWhen you say prompt are you refering to a webserver prompting a client or a physicle user seesing a prompt **Adam Tuliper saidIf you arent going to actually use the information for any actual authentication you would > need to write an isapi filter (iis assuming) etc. to prompt the client, and discard the result > and then allow access.I hope to use this infomation to bind to AD as the user and retrive a couple of attributes. However writing an ISAPI filter (or an apache mod) is doable and propably preferable to designing a tool bar. **Josh saidThe only other browser I've tested was Firefox which requires theuser to manually log in. Ohh... this could be a show stopper. is there another solution or could firefox be given support via an extention. Any way thankyou all for your comments. Please keep them coming. Idealy i want a solution that could be rolled out to as many combanations of the following as possible. server os: any browser: any web server: IIS, Apache server side language:asp/aspx, php, cgi idealy there sould be nothing for the client to install on their side ------------------------------------------------------------------------- Sponsored by: WatchfireWatchfire's AppScan is the industry's first and leading web application security testing suite, and the only solution to provide comprehensive remediation tasks at every level of the application. See for yourself. Download AppScan 6.0 today.https://www.watchfire.com/securearea/appscansix.aspx?id=70130000000BxQ1 --------------------------------------------------------------------------
------------------------------------------------------------------------- Sponsored by: WatchfireWatchfire's AppScan is the industry's first and leading web application security testing suite, and the only solution to provide comprehensive remediation tasks at every level of the application. See for yourself. Download AppScan 6.0 today.
https://www.watchfire.com/securearea/appscansix.aspx?id=70130000000BxQ1 --------------------------------------------------------------------------
Current thread:
- get network user name John Bond (Mar 09)
- Re: get network user name Josh (Mar 09)
- Re: get network user name Adam Tuliper (Mar 09)
- Re: get network user name Josh (Mar 09)
- RE: get network user name Auri Rahimzadeh (Mar 09)
- Re: get network user name Adam Tuliper (Mar 09)
- <Possible follow-ups>
- Re: get network user name John Bond (Mar 10)
- Re: get network user name Josh (Mar 11)
- Re: get network user name Josh (Mar 09)