
Using CFLDAP to Authenticate with an existing CF Application

New Here, Nov 21, 2006

Not sure if I can do this, but, I was wondering if someone could help me out with this question.

I created a helpdesk ticket application that allows employees to submit tickets to IT. This application resides on the Intranet.

Currently, if the user wants to view the tickets he/she created, they click on their name (an employee ID is being passed in the link) and it displays all the tickets that particular user has created.

While this works as intended, I wanted to take it one step forward by having tickets display based on the authentication from Active Directory (the LDAP server).

Now, I know that in Internet Explorer, there is an option to Enable Integrated Windows Authentication. I believe this authenticates off of Active Directory.

As of now (and I should have thought of this), when a user creates a ticket, they select their name from an Employees table within the Intranet Database. The Employee Directory is being pulled from this table and not Active Directory.

My question is this:

I would like to give the ability for users to view their submitted tickets by authenticating off of Active Directory. With IE's integrated windows authentication, is this possible?
Topics: Advanced techniques

LEGEND, Nov 21, 2006

I would like to give the ability for users to view their submitted
tickets by authenticating off of Active Directory. With IE's integrated
windows authentication, is this possible?

Yes, it is possible and we do it all the time here. The basic steps are
as follows.

1) Enable Integrated Windows Security in IIS for the
website|directory|file desired.

1.A) Disable Anonymous Login for the same resource(s).

2) CGI.Auth_User will now be populated with the Active Directory User ID
of the person logged onto the client machine when these resource(s) are
accessed.

3) <CFLDAP ...> can be used to retrieve other data from active directory
and|or provide verification of the user with their password.

New Here, Nov 27, 2006

quote:

Originally posted by: Newsgroup User

2) CGI.Auth_User will now be populated with the Active Directory User ID
of the person logged onto the client machine when these resource(s) are
accessed.

Is there any way I can see the userid being passed? I did a cfdump, but I'm not seeing anything.

LEGEND, Nov 27, 2006

Is there any way I can see the userid being passed? I did a cfdump,
but I'm not seeing anything.


If you did a dump of the CGI scope, and CGI.Auth_User is an empty string
then you have "Anonymous" access turned on in IIS. Anonymous must be
turned off for the web server to provide the domain\username to the
CGI.Auth_User variable.

New Here, Nov 21, 2006

Thanks Ian,

Do you have an example of how to use CGI.Auth_user?

So, something like this example will work?
http://www.sargeway.com/blog/index.cfm?mode=entry&entry=30

LEGEND, Nov 21, 2006

Do you have an example of how to use CGI.Auth_user?

So, something like this example will work?
http://www.sargeway.com/blog/index.cfm?mode=entry&entry=30

That link to Sarge's blog uses CGI.Auth_User.

<cfset userName = RemoveChars(CGI.Auth_User, 1, Find('\', CGI.Auth_User))>

I usually do something like this
<cfset userName = ListLast(CGI.Auth_User,"\")>

Either method works fine. This strips out the domain name from
cgi.auth_user which actually returns domain\username when authentication
is turned on in IIS.

Then userName [see: (cn=#userName#)] is used in the following
<cfldap...> calls. You will need to modify these tags to match your
particular Active Directory setup. At a minimum you will need to
provide a valid userName and password to an account on your AD that is
allowed to read the selected attributes.

<!---#### Use the userName to retrieve the authenticated user's AD
attributes ####--->

<cfldap action="QUERY"
name="getUser"
attributes="dn, name, telephoneNumber, mail"
start="cn=Users,DC=Sargeway,DC=COM"
scope="ONELEVEL"
filter="(&(objectClass=User)(cn=#userName#))"
server="localhost"
port="389"
username="cn=Administrator,cn=Users,dc=sargeway,dc=com"
password="#adminPass#">

<cfdump var="#getUser#" label="User">

<!---#### Use the user's DN attribute to find their group memberships
####--->

<cfldap action="QUERY"
name="getGroups"
attributes="cn, dn"
start="cn=Users,dc=sargeway, dc=com"
scope="SUBTREE"
filter="(&(objectClass=group)(member=#getUser.dn#))"
sort="cn"
sortcontrol="ASC"
server="localhost"
port="389"
username="cn=Administrator,cn=Users,dc=Sargeway,dc=com"
password="#adminPass#">

<cfdump var="#getGroups#" label="Groups">

LEGEND, Nov 21, 2006

PS. I'm sure you will also need to change the start parameter to a valid
path in your AD.

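The lookup Ian outlines in steps 2 and 3 and in the cfldap tags above, written out as an added example (this is the editor's code, not the thread's or Sarge's blog). It adds the checks a production page needs: it stops when IIS did not actually authenticate the request, it escapes the user name before putting it in the LDAP filter, and it binds with a read-only service account rather than the domain Administrator. The server, start path, account DN and application.ldapReadPassword are assumed placeholder values to replace with your own.

```cfml
<!--- Added example (editor's, not from the thread or Sarge's blog): the same
      CGI.Auth_User lookup with the checks a production page needs. The server,
      start path and service account below are assumed values. --->

<!--- Escape a value for use inside an LDAP search filter (RFC 4515).
      Without this, a name containing * ( ) or \ changes what the filter matches. --->
<cffunction name="ldapFilterEscape" returntype="string" output="false">
    <cfargument name="value" type="string" required="true">
    <cfset var out = arguments.value>
    <cfset out = Replace(out, "\", "\5c", "all")> <!--- backslash first, or later escapes get re-escaped --->
    <cfset out = Replace(out, "*", "\2a", "all")>
    <cfset out = Replace(out, "(", "\28", "all")>
    <cfset out = Replace(out, ")", "\29", "all")>
    <cfset out = Replace(out, Chr(0), "\00", "all")>
    <cfreturn out>
</cffunction>

<!--- Step 2 of Ian's list: with Anonymous off and Integrated Windows Authentication
      on, IIS sets CGI.Auth_User to DOMAIN\username. An empty value means IIS did not
      authenticate this request (Anonymous still enabled at some level, or a client
      that does not do IWA); stop rather than query AD for an empty name. --->
<cfif NOT Len(Trim(CGI.Auth_User))>
    <cfthrow type="Application.NotAuthenticated"
             message="IIS did not authenticate this request; check that Anonymous access is disabled.">
</cfif>

<!--- Strip the domain. ListLast copes with "DOMAIN\user" and with a bare "user". --->
<cfset userName = ListLast(CGI.Auth_User, "\")>

<!--- Directory settings (assumed values). Use a read-only service account, not the
      domain Administrator the blog example binds with, and keep its password out of
      the page, e.g. set once in Application.cfm. --->
<cfset ldapServer   = "dc01.example.internal">
<cfset ldapPort     = "389">
<cfset ldapStart    = "ou=Staff,dc=example,dc=internal">
<cfset ldapBindDN   = "cn=svc-helpdesk-read,ou=Service Accounts,dc=example,dc=internal">
<cfset ldapBindPass = application.ldapReadPassword>

<!--- Step 3: fetch the user's record. Match on sAMAccountName, which is the logon
      name IIS reports; cn is the display name and can differ from it. employeeID is
      the standard AD attribute that can key the ticket table. --->
<cfldap action="QUERY"
        name="getUser"
        attributes="dn, sAMAccountName, displayName, mail, employeeID"
        start="#ldapStart#"
        scope="SUBTREE"
        maxrows="1"
        filter="(&(objectClass=user)(sAMAccountName=#ldapFilterEscape(userName)#))"
        server="#ldapServer#"
        port="#ldapPort#"
        username="#ldapBindDN#"
        password="#ldapBindPass#">

<!--- An authenticated user with no AD record under the start path is a configuration
      problem (wrong start path, see Ian's PS), not something to pass over silently. --->
<cfif getUser.recordCount EQ 0>
    <cfthrow type="Application.UnknownUser"
             message="No AD record found for the authenticated user under #ldapStart#.">
</cfif>

<cfdump var="#getUser#" label="Authenticated user">
```

Matching on sAMAccountName rather than cn matters because cn in AD is the display name and is not guaranteed to equal the logon name IIS hands over; the filter above would otherwise miss users whose display name differs. If the dump shows an empty CGI.Auth_User, the cfthrow fires before any LDAP traffic, which is the quickest way to confirm the Anonymous setting Ian describes later in the thread.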
New Here, Nov 21, 2006

Another question,

How would I check against the employeeID and the Active Directory User ID?

Right now, I have this:
<!---CHECK FOR ID FROM ViewTickets.CFM--->
<cfset getEmployeeTickets=IsDefined("URL.employeeID")>
<!---check for Employee ID Number--->
<!---IF yes, get--->
<cfif getEmployeeTickets>
<!--- Get ticket number --->
<cfquery datasource="Intranet" name="getAllTicketsForUser">
SELECT
*
FROM dbo.helpdesk
WHERE employeeID=<cfqueryparam value="#URL.employeeID#" cfsqltype="cf_sql_varchar">
</cfquery>
</cfif>



LEGEND, Nov 21, 2006

How would I check against the employeeID and the Active Directory User ID?

Depends on where that data is. If employeeID is part of your your
active directory you can retrieve it from there and use that in your
ticket query. Or you need to add your Active Directory User ID's to
your ticket database and then use that in your where clause.

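The two options Ian gives, as an added example that is not the thread's code. The posted snippet shows whichever employee's tickets the browser asks for in URL.employeeID, so any employee can read another's tickets by editing the link; here the identity comes from CGI.Auth_User, which IIS sets and the browser cannot choose. Assumed: a getUser query from an earlier <cfldap> lookup that returned the employeeID attribute (option 1), and an adAccount column in dbo.helpdesk that stores the AD logon name when a ticket is created (option 2).

```cfml
<!--- Added example (editor's, not the thread's code). Identity comes from
      CGI.Auth_User, never from a URL parameter the browser controls.
      Assumed: getUser from an earlier <cfldap> query with an employeeID attribute,
      and an adAccount column in dbo.helpdesk for option 2. --->

<cfif NOT Len(Trim(CGI.Auth_User))>
    <cfthrow type="Application.NotAuthenticated"
             message="IIS did not authenticate this request.">
</cfif>
<cfset adAccount = ListLast(CGI.Auth_User, "\")>

<cfif IsDefined("getUser") AND getUser.recordCount EQ 1 AND Len(getUser.employeeID)>
    <!--- Option 1: employeeID lives in AD. Key the query on the value AD returned
          for the authenticated account; URL.employeeID is not consulted at all. --->
    <cfquery datasource="Intranet" name="getAllTicketsForUser">
        SELECT *
        FROM dbo.helpdesk
        WHERE employeeID = <cfqueryparam value="#getUser.employeeID#" cfsqltype="cf_sql_varchar">
    </cfquery>
<cfelse>
    <!--- Option 2: the AD logon name was written into the ticket table when the
          ticket was created (assumed column adAccount). Store and compare it without
          the domain prefix so DOMAIN\jsmith and jsmith refer to the same person. --->
    <cfquery datasource="Intranet" name="getAllTicketsForUser">
        SELECT *
        FROM dbo.helpdesk
        WHERE adAccount = <cfqueryparam value="#adAccount#" cfsqltype="cf_sql_varchar">
    </cfquery>
</cfif>

<!--- The ViewTickets link no longer needs an employeeID parameter. While old links
      are still around, a parameter that does not match the caller's own AD record
      is worth logging: it is either a stale link or someone probing other IDs. --->
<cfif IsDefined("URL.employeeID") AND IsDefined("getUser") AND getUser.recordCount EQ 1
      AND URL.employeeID NEQ getUser.employeeID>
    <cflog file="helpdesk" type="warning"
           text="Tickets for employeeID #URL.employeeID# requested by AD account #adAccount#">
</cfif>
```

Whichever option is used, the WHERE clause is keyed on a value the server established during authentication; the cfqueryparam from the original snippet is kept, since it prevents SQL injection but does nothing about a user supplying someone else's ID.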
New Here, Nov 27, 2006

Ok, that worked but, turning off anonymous access now prompts the user to log in (i'm guessing it's authenticating to Active Directory).

I was under the impression that the Integrated Windows Auth would authenticate when the user logs into the domain.

When you created your application, do the users have to authenticate twice?

This is what I am using just to see if I can log into AD and authenticate.
This works fine and I can authenticate, but I am confused on how I can implement this without having the user log on:

Form:
----------------------
<html>
<head>
<title>Active Directory Login Example</title>
</head>
<body>
<div align="center">Active Directory Login Example
</div>
<cfform action="cfldap.cfm" name="login" method="post">
<table border="0" align="center" cellpadding="0" cellspacing="0">
<tr>
<TD>UserName:</td>
<TD>
<cfinput type="Text" name="cfUserName" size="20" required="yes">
</td>
</tr>
<tr>
<td>Password:</TD>
<td><cfinput type="Password" name="cfPassword" required="yes"> </TD>
</tr>
<tr>
<td> </TD>
<td><input name="Submit" type="Submit" value="Submit"> </TD>
</tr>
</table>
</cfform>
</body>
</html>

Login Check:
--------------------
<cfparam type="string" name="LoginMessage" default="">

<cfldap action="QUERY"
name="GetUserInfo"
attributes="dn"
start="dc=yourdomain,dc=com"
Scope="subtree"
filter="(&(objectclass=user)(samaccountname=#form.cfusername#))"
server="serverName.yourdomain.com"
Port="389"
username="admin@yourdomain.com"
password="yourpassword">

<cfif GetUserInfo.recordCount gt 0>
<cftry>
<cfldap action="QUERY"
name="AuthenticateUser"
attributes="givenname,samaccountname,dn,cn,mail"
start="dc=yourdomain,dc=com"
maxrows="1"
Scope="subtree"
filter="(&(objectclass=user)(samaccountname=#form.cfusername#))"
server="serverName.yourdomain.com"
Port="389"
username="#form.cfusername#@yourdomain.com"
password="#form.cfpassword#">
<cfset LoginMessage = "User Authentication Passed">
<cfcatch type="any">
<cfset LoginMessage = "User Authentication Failed">
</cfcatch>
</cftry>
<cfelse>
<cfset LoginMessage = "Username not found">
</cfif>

<html>
<head>
<title>Active Directory Login</title>
</head>
<body>
Login Status:<br><br>
<cfoutput>#LoginMessage#</cfoutput> <br><br>
<cfif GetUserInfo.recordCount gt 0 AND LoginMessage neq "User Authentication Failed">
<cfoutput>#AuthenticateUser.cn#</cfoutput>
</cfif>
<cfdump var="#cgi#">
</body>
</html>

Taken from this example: http://cfdj.sys-con.com/read/114248.htm

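The form-based check above is a useful fallback for clients that do not do Integrated Windows Authentication, but as posted it has three weaknesses: form.cfusername goes into an LDAP filter unchanged, an empty password is only rejected client-side, and "Username not found" versus "User Authentication Failed" tells a caller which accounts exist. The following is an added example (editor's code, not the thread's or the linked article's) that closes those three gaps; it keeps the posted form's field names and the yourdomain.com placeholders, and the log file name is assumed.

```cfml
<!--- Added example (editor's, not the thread's or the linked article's code):
      the posted login check with three defects removed. Keeps the form field
      names cfUserName/cfPassword and the yourdomain.com placeholders. --->

<cfparam name="form.cfUserName" default="">
<cfparam name="form.cfPassword" default="">
<cfset loginMessage = "User Authentication Failed"> <!--- one message for every failure --->
<cfset authenticated = false>

<!--- 1) Allow-list the logon name before it reaches an LDAP filter. This is a
      deliberately narrow subset of what AD permits in sAMAccountName; anything
      else, including the filter metacharacters * ( ) \, is rejected outright. --->
<cfset validName = REFind("^[A-Za-z0-9._-]{1,20}$", form.cfUserName)>

<!--- 2) Refuse an empty password server-side. Many directories treat a bind with a
      name and an empty password as an unauthenticated bind that succeeds, which
      would mark the login as passed. The form's required="yes" is client-side only. --->
<cfif validName AND Len(form.cfPassword)>
    <cftry>
        <!--- 3) Bind as the user directly. There is no separate "does this account
              exist" lookup, so the response is the same for an unknown name and a
              wrong password. --->
        <cfldap action="QUERY"
                name="authenticateUser"
                attributes="givenName,sAMAccountName,dn,cn,mail"
                start="dc=yourdomain,dc=com"
                maxrows="1"
                scope="SUBTREE"
                filter="(&(objectClass=user)(sAMAccountName=#form.cfUserName#))"
                server="serverName.yourdomain.com"
                port="389"
                username="#form.cfUserName#@yourdomain.com"
                password="#form.cfPassword#">
        <cfif authenticateUser.recordCount EQ 1>
            <cfset authenticated = true>
            <cfset loginMessage = "User Authentication Passed">
            <!--- Keep only what the application needs in the session. --->
            <cfset session.userName = authenticateUser.sAMAccountName>
        </cfif>
        <cfcatch type="any">
            <!--- Bind failed: keep the generic message for the user and record the
                  event server-side (file name assumed) for the people who watch logs. --->
            <cflog file="helpdesk-auth" type="warning"
                   text="AD bind failed for a login attempt from #CGI.Remote_Addr#">
        </cfcatch>
    </cftry>
</cfif>

<cfoutput>Login Status: #loginMessage#</cfoutput>
<!--- The posted page ended with <cfdump var="#cgi#">. Leave that out of anything users
      can reach: it prints server paths, request headers and the Auth_User value. --->
```

The allow-list is the simpler of the two ways to keep a user-supplied name out of a filter; escaping per RFC 4515 is the other and is needed when the application must accept names outside this character set. Either way the `authenticated` flag, not the message text, is what the rest of the page should branch on.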
LEGEND, Nov 27, 2006

I was under the impression that the Integrated Windows Auth would
authenticate when the user logs into the domain.

IF the user is using a browser that uses the IE engine. In other words
the IE browser.

Possibly Netscape Navigator; I've heard that it contains both the IE and
Mozilla engines.

New Here, Nov 27, 2006

Yes, the entire environment is using IE.

LEGEND, Nov 27, 2006

Yes, the entire environment is using IE.

Does your network use multiple domains? If so are the users and servers
on different domains? I think I recall that automatic, behind the
scenes logon with "Integrated Windows Authentication" only works when
everything is on the same domain.

That is how our network is, we operate pretty much everything on one
domain, and it does work for us. Users, who use the IE browser, are not
requested to log on to resources secured with "Integrated Windows
Authentication" as long as they are logged onto the client computer.

New Here, Nov 27, 2006

We have the same exact type of network you have set up. Maybe I'll restart the domain controller tonight to see what happens.

LEGEND, Nov 27, 2006

Just to confirm, you have "Integrated Windows Authentication" and ONLY
"Integrated Windows Authentication" selected on the resources you want to
secure in IIS.

You may also want to check multiple levels [website/directory/file] in
case you have something different at a higher or lower level with
different permissions.

New Here, Nov 29, 2006

Yes, I have Integrated Win Auth and only that option.

The NTFS permissions allow the "EVERYONE" group "read & execute", "list folder contents" and "read" rights.

I really don't know what the deal is with this....
