Loginging into a Domain?
-
At my company, we've got a client/server that requires user-names for security reasons. Some users can access more data than others. It runs on our company LAN, and is only used in-house. We use raw TCP/IP to do all of our communication (no SOAP or fancy XML stuff). We've got a complex network with several domains and centrally administered user accounts, so we thought functions like GetUserName() are enough to know who we're dealing with (the app sends the name over with each request). Turns out we were wrong. We have many users who go home and use Cisco VPN to run our app. Many of them run Windows98/ME, or XP without logging into our company domain. They'll have usernames like "Frank" instead of "FPrisco", and worse, they can make up any user name they want and pretend to be anyone. I've looked into the Win32 security apis, and my god they are complicated. What we want to do is avoid jostling local users who have legitamately logged into the PC, vs people who are using non-authenticated logins on crappy OSes. I have two specific questions: 1) There do not seem to be any standard OS dialog for handling a domain login (gathering the username, password, and domain-name and then doing the authenticate), a'la what you see in explorer when you try to access shares you are not authenticated for. Is there such a thing? Do all apps that can do domain logins re-implement this dialog? 2) In the absence of any library code to do (1), I've figured out how to determine whether a username/domain/password combinationis legitamate. Once I have a valid login, is there anyway to "set" this into the user's environment, so they are not-reprompted every time they start up our app, or use other network services that require a domain login? Any help would be appreciated.
-
At my company, we've got a client/server that requires user-names for security reasons. Some users can access more data than others. It runs on our company LAN, and is only used in-house. We use raw TCP/IP to do all of our communication (no SOAP or fancy XML stuff). We've got a complex network with several domains and centrally administered user accounts, so we thought functions like GetUserName() are enough to know who we're dealing with (the app sends the name over with each request). Turns out we were wrong. We have many users who go home and use Cisco VPN to run our app. Many of them run Windows98/ME, or XP without logging into our company domain. They'll have usernames like "Frank" instead of "FPrisco", and worse, they can make up any user name they want and pretend to be anyone. I've looked into the Win32 security apis, and my god they are complicated. What we want to do is avoid jostling local users who have legitamately logged into the PC, vs people who are using non-authenticated logins on crappy OSes. I have two specific questions: 1) There do not seem to be any standard OS dialog for handling a domain login (gathering the username, password, and domain-name and then doing the authenticate), a'la what you see in explorer when you try to access shares you are not authenticated for. Is there such a thing? Do all apps that can do domain logins re-implement this dialog? 2) In the absence of any library code to do (1), I've figured out how to determine whether a username/domain/password combinationis legitamate. Once I have a valid login, is there anyway to "set" this into the user's environment, so they are not-reprompted every time they start up our app, or use other network services that require a domain login? Any help would be appreciated.
Well, so far the best bit information I've found is the SSPI Authentication Sample on MSDN. SSPI lets me take a username, password, and domain, and see if its valid. It does all the work finding & contacting the domain servers. I haven't been able to 'store' a successful login, or find any sort of standard dialog for handling the login, but for the moment this SSPI function is enough. One thing I am having trouble with though, is getting the current domain on Win98. There is the LookupAccountName API function, which is not supported on Win9x. I just need to know which domain the user has logged into. Google searches aren't turning up much, other than affirmation hat LookAccountName sucks.