WebApp Sec mailing list archives
RE: Browser login with Windows domain login
From: "Simon Cunningham" <Simon.Cunningham () enline com>
Date: Thu, 8 Apr 2004 16:11:01 +0100
That's what NTLM does. There are a number of prerequisites required to get this to work which may be at odds with your application - everything (usually) has to be Microsoft, the web server has to be in the same domain, users need to set up IE so it sends credentials, AD can't be in native mode (I think).

I'm sure those more knowledgeable than I will point out the vulnerabilities in this approach.

Depending upon what you want to do in the application with user identity you might want to use NTLM authentication in conjunction with something like Netegrity SiteMinder.

Simon

-----Original Message-----
From: stevenr () mastek com [mailto:stevenr () mastek com]
Sent: 08 April 2004 14:22
To: webappsec () securityfocus com
Subject: Browser login with Windows domain login

Hi

I needed some pointers/links/tips from you folks on a problem.

I have a web-based application. Is it possible to sign in a user into the browser-based application transparently based on the Windows NT domain login? By this I mean that when the user opens the browser and types in the URL, the client machine should automatically send the user credentials to the application. FYI, the Windows domain login is authenticated against Microsoft Active Directory.

If this is possible, can anyone point me to some sites/tutorials? I have googled but have not come up with anything useful, hence this mail.

Are there any known vulnerabilities with this kind of approach for web-based logins?

Any help would be appreciated.

Thanks
Steve
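Editor's added example (not code from either poster in this thread): Simon's reply says the browser "sends credentials" once IE is configured for it. What actually crosses the wire is a three-message challenge-response carried in HTTP 401 / Authorization headers; the password itself never leaves the client. The Python below builds and parses the three NTLMSSP messages, replays the exchange between a constructed browser and server, and verifies the NTLMv2 response the way the server side does, so the identity the application ends up with (domain, user, workstation) comes out of the Type 3 message. Everything concrete in it is an assumption for illustration: the domain CORP, user steve, workstation WKS01, the NT hash (that of the string "password"), the server and client challenges, the timestamp, and the flag set the client negotiates. The message layouts and the NTLMv2 computation follow MS-NLMP.

```python
"""NTLM over HTTP as a browser does it for integrated Windows logon:
the three NTLMSSP messages in 401 / Authorization headers, plus the
server-side NTLMv2 check.  Added example, not code from the thread.
Domain, user, workstation, NT hash, challenges and timestamp are
constructed test data; layouts follow MS-NLMP."""
import base64
import hmac
import struct

NEGOTIATE_UNICODE, REQUEST_TARGET, NEGOTIATE_NTLM = 0x1, 0x4, 0x200
ALWAYS_SIGN, EXTENDED_SESSIONSECURITY, TARGET_INFO = 0x8000, 0x80000, 0x800000
CLIENT_FLAGS = (NEGOTIATE_UNICODE | REQUEST_TARGET | NEGOTIATE_NTLM
                | ALWAYS_SIGN | EXTENDED_SESSIONSECURITY | TARGET_INFO)
# Constructed secret: MD4(UTF-16LE("password")), i.e. the NT hash Windows caches at logon.
NT_HASH = bytes.fromhex("8846f7eaee8fb117ad06bdd830b7586c")

def _pack_fields(header_len: int, items) -> tuple:
    """Len/MaxLen/Offset descriptors for variable fields laid out after the header."""
    descs, payload = b"", b""
    for item in items:
        descs += struct.pack("<HHI", len(item), len(item), header_len + len(payload))
        payload += item
    return descs, payload

def _read_field(msg: bytes, pos: int) -> bytes:
    length, _, offset = struct.unpack_from("<HHI", msg, pos)
    return msg[offset:offset + length]

def build_type1(flags: int = CLIENT_FLAGS) -> bytes:
    """NEGOTIATE_MESSAGE: flags only, empty domain and workstation fields."""
    descs, payload = _pack_fields(32, [b"", b""])
    return b"NTLMSSP\0" + struct.pack("<II", 1, flags) + descs + payload

def build_type2(target: str, server_challenge: bytes, flags: int) -> bytes:
    """CHALLENGE_MESSAGE: 8-byte server challenge plus target name and target info."""
    name = target.encode("utf-16-le")
    target_info = struct.pack("<HH", 2, len(name)) + name + b"\0" * 4  # MsvAvNbDomainName, MsvAvEOL
    descs, payload = _pack_fields(48, [name, target_info])
    return (b"NTLMSSP\0" + struct.pack("<I", 2) + descs[:8] + struct.pack("<I", flags)
            + server_challenge + b"\0" * 8 + descs[8:] + payload)

def parse_type2(msg: bytes) -> dict:
    if msg[:8] != b"NTLMSSP\0" or struct.unpack_from("<I", msg, 8)[0] != 2:
        raise ValueError("not an NTLM CHALLENGE_MESSAGE")
    return {"target": _read_field(msg, 12).decode("utf-16-le"),
            "flags": struct.unpack_from("<I", msg, 20)[0],
            "challenge": msg[24:32], "target_info": _read_field(msg, 40)}

def ntowf_v2(nt_hash: bytes, user: str, domain: str) -> bytes:
    """NTLMv2 key: HMAC-MD5 over UPPER(user)+domain, keyed with the NT hash."""
    return hmac.new(nt_hash, (user.upper() + domain).encode("utf-16-le"), "md5").digest()

def ntlmv2_response(key, server_challenge, client_challenge, timestamp, target_info):
    """NtChallengeResponse = NTProofStr || temp, temp carrying time, client nonce, target info."""
    temp = (b"\x01\x01" + b"\0" * 6 + struct.pack("<Q", timestamp) + client_challenge
            + b"\0" * 4 + target_info + b"\0" * 4)
    return hmac.new(key, server_challenge + temp, "md5").digest() + temp

def build_type3(domain, user, workstation, nt_response, flags=CLIENT_FLAGS):
    """AUTHENTICATE_MESSAGE; LM response and session key left empty."""
    items = [b"", nt_response, domain.encode("utf-16-le"), user.encode("utf-16-le"),
             workstation.encode("utf-16-le"), b""]
    descs, payload = _pack_fields(64, items)
    return b"NTLMSSP\0" + struct.pack("<I", 3) + descs + struct.pack("<I", flags) + payload

def parse_type3(msg: bytes) -> dict:
    if msg[:8] != b"NTLMSSP\0" or struct.unpack_from("<I", msg, 8)[0] != 3:
        raise ValueError("not an NTLM AUTHENTICATE_MESSAGE")
    text = lambda pos: _read_field(msg, pos).decode("utf-16-le")
    return {"nt_response": _read_field(msg, 20), "domain": text(28),
            "user": text(36), "workstation": text(44)}

def verify_type3(msg: bytes, server_challenge: bytes, key: bytes) -> tuple:
    """Server side: recompute NTProofStr from the client's temp blob and compare."""
    auth = parse_type3(msg)
    proof, temp = auth["nt_response"][:16], auth["nt_response"][16:]
    expected = hmac.new(key, server_challenge + temp, "md5").digest()
    return hmac.compare_digest(proof, expected), auth

def handshake(domain, user, nt_hash, server_key, target="CORP",
              server_challenge=bytes(range(8)), client_challenge=b"\xaa" * 8,
              timestamp=0x01C3FE5A00000000):
    """Replay the browser/server exchange; returns (transcript, verified, identity)."""
    b64 = lambda m: base64.b64encode(m).decode()
    t1 = build_type1()                                        # browser, after the first 401
    t2 = build_type2(target, server_challenge, CLIENT_FLAGS)   # server
    chal = parse_type2(t2)
    key = ntowf_v2(nt_hash, user, domain)                     # browser, from the cached logon
    nt = ntlmv2_response(key, chal["challenge"], client_challenge, timestamp, chal["target_info"])
    t3 = build_type3(domain, user, "WKS01", nt)
    ok, identity = verify_type3(t3, server_challenge, server_key)
    transcript = ["S: 401 WWW-Authenticate: NTLM", "C: Authorization: NTLM " + b64(t1),
                  "S: 401 WWW-Authenticate: NTLM " + b64(t2), "C: Authorization: NTLM " + b64(t3),
                  "S: 200 OK" if ok else "S: 401 NTProofStr mismatch"]
    return transcript, ok, identity
```

Calling handshake("CORP", "steve", NT_HASH, ntowf_v2(NT_HASH, "steve", "CORP")) yields the five-line transcript and an identity dict with the user, domain and workstation taken from the Type 3 message, which is what an application behind this scheme can rely on; a client holding the wrong NT hash produces an NTProofStr that fails the comparison. Two points a practitioner will want alongside the thread: the browser only starts this exchange without prompting for sites it treats as intranet (Simon's "set up IE so it sends credentials"), and nothing in the Type 3 message identifies the server the browser believes it is talking to, so unless channel binding (extended protection) is in use a response obtained by one server can be forwarded to another, which is the relay weakness of plain NTLM.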
Current thread:
- Browser login with Windows domain login stevenr (Apr 08)
- <Possible follow-ups>
- RE: Browser login with Windows domain login Michael Howard (Apr 08)
- RE: Browser login with Windows domain login Simon Cunningham (Apr 08)
- Re: Browser login with Windows domain login m . delibero (Apr 08)
- RE: Browser login with Windows domain login Stegman, William (Apr 08)
- RE: Browser login with Windows domain login stevenr (Apr 08)
- RE: Browser login with Windows domain login Scovetta, Michael V (Apr 08)
- RE: Browser login with Windows domain login Vincent . Kwok (Apr 08)
- RE: Browser login with Windows domain login Tom Martin (Apr 08)
- RE: Browser login with Windows domain login David Carroll (Apr 08)
- RE: Browser login with Windows domain login David Carroll (Apr 08)