I have an Intranet application wi开发者_Python百科th Windows Authentication. Everything works fine. However, for some sensitive operations (it could be approving AP check, or grading a student) I need to get user's id and password. The goal is to prevent somebody walking to unattended terminal, and generally for non-repudiation. Trivial with forms authentication - but I can't figure out how to do it with Windows authentication.
I don't think it matters, but it's MVC application and authentication is done against Active Directory
Typically, server application needs to issue HTTP Status Code 401 to tell client for authentication information. However, in case of windows authentication, once user is authenticated, the token is cached by client system or browser and used subsequently whenever needed. So in your case, even if you issue 401, client will send the same token again - so your main problem of abusing unattended terminal will not get solved (as user already logged in there into the system).
One of the way could be simulate forms authentication from the application - i.e. on sensitive operations, prompt user for his/her windows password again (note that you will be already having user's name(identity) if you are using windows authentication) and then re-validate that password using active directory API (or logon user windows API).
Personally, I feel that you are trying to solve the problem at server which is wrong end - I would rather have a IT policy that prohibits unlocked unattended terminals - either user should lock the workstation or have a password protected screen saver. Typically, these things can be somewhat enforced via group policy.
In my webforms app I've got one page set as only allowing Windows Auth and no others, and then to get the username (since they have to have already done the 401 auth procedure via the browser) I get their username like thus:
string username = Request.ServerVariables["LOGON_USER"];
and then I can query the Membership provider to get the user information from the infrastructure.
Or are you trying to manually do the 401 auth process?
how to manually authenticate user in asp.net windows authentication
精彩评论