Single Sign On ColdFusion App

Participant, Sep 15, 2009

Hi all, I am trying to log in to my application using my network user/pass. Is there a way to pass those values to my application? I heard of #cgi_user# but I need to pass the password as well... Thank you all.

Topics: Advanced techniques

Valorous Hero, Sep 15, 2009

No, the browser does not pass the password to the web server to pass on to the ColdFusion application server.

At least I have never heard of this, and I am not sure I would want to live in a world where it does.

I have frequently used the Windows Integrated Security feature of the IIS web server to pass the Domain\UserName string to ColdFusion in the cgi.auth_user parameter.  There is a lot that can be done with that information combined with the <CFLDAP...> tag to retrieve the rest of the user record from the Active Directory depository.

But no password.

Participant, Sep 15, 2009

Same idea as MS Outlook... currently, once I have logged into Windows, I don't have to enter the same credentials in Outlook... it just opens. So there is no way to retrieve the NT username and pass?

Valorous Hero, Sep 15, 2009

Not that I know of, but why do you think you need the user's password?

NTLM authentication, aka 'Windows Integrated Security', works by saying: this user is authenticated on the client machine.  Here is their domain/userName value.  Use it as necessary.  I have never needed to have the password passed in behind the scenes to authorize users to a web site, or a portion thereof.  And honestly that sounds like a bad idea to me.

When I have needed a password to authenticate a user, I have asked for it with a form, at the moment the authentication is required.  Because any earlier authentication may no longer be valid.  I.e. the user has left their desk and somebody else has sat down at their computer.

Remember there are two parts to security:

Authentication:  Prove you are you.

Authorization:  Here is the access you are allowed.

Participant, Sep 15, 2009

This is for our internal network... only.

LEGEND, Sep 15, 2009

Ian's question is: if you've already used integrated authorisation @ web server level, why do you need the password?  I.e.: what would you be using the password for?  Generally, all one needs a password for is to verify the user and grant the authorisation, but in this situation the authorisation has already been done by the web server.  So all CF should need to know is "yes, the user has been authorised, and I verify that this is who they are" (which is the value passed in the CGI.auth_user variable).  So if you have that auth_user value, it's safe to assume they've been authenticated: that is the whole intent of the mechanism.

There could be a good reason you need to know the pwd too, but you're not articulating why.  What do you need to do with it?  I.e.: how are you needing to use it in your CF code?

--

Adam

Participant, Sep 15, 2009

How will I auth the user against a corporate LDAP? Don't I need to pass the password and username?

LEGEND, Sep 15, 2009

On the first hit to the site, the client will pass both login and pwd to the web server, and the web server will do the authentication.  This authentication will be achieved by the web server asking the directory service (or whatever mechanism is in place) if the user/pwd combo is valid.  The directory service will say "yes" or "no", and will also probably pass back some directory security settings too (authorisation).  Once that's done, the web server will tell CF "this user is authenticated to access the site (the authorisation is handled by the web server, so CF doesn't need to know about that), and in case you need to know which specific user it is, here's their login name in CGI.auth_user".

The passing of the login/pwd can be handled automatically between IE and IIS, although it will probably need to be captured manually if other browsers / web servers are involved.

It's at that first hit to the site that the auth is done, and it's done between client, web server and whatever back-end system does the authorisation.  But after that it's done.  This all takes place before CF is involved, and all CF should need to know is who the user is.

Are you saying that after that happens you need to authenticate to some other system?

You're not really being very clear about what you are setting out to do here.  Can you please describe more thoroughly what you need to do?

--

Adam

Valorous Hero, Sep 16, 2009

One thing I will add to Adam's excellent reply (Welcome back Adam by the way).

You often do need to have a user name and password to access data in the Active Directory or other LDAP depository.  Seldom does this user name and password need to be those of the user accessing the web site.  It just needs to be an account that can read the desired information in the LDAP records about the web site user.

On our system we have a specific ColdFusion domain user, creatively named "cfldapuser," that grants this access.  With this user it is relatively trivial to read a web site user record with the <cfldap....> tag and get all their groups and other Active Directory data.

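Putting the two points above together (IIS hands CF only the identity in CGI.auth_user; a dedicated read-only account like the "cfldapuser" described above reads the rest of the record), here is an added example that is not code from the thread: a CFML request check that refuses requests IIS did not authenticate, then looks the user up and authorises on group membership. The LDAP server, base DN, group DN and service-account credentials are placeholders for your own environment.

```cfml
<!--- Added example, not code from the thread. Assumes IIS has Windows
      Integrated Security enabled and Anonymous disabled, so CGI.auth_user
      arrives as DOMAIN\username. The LDAP server, base DN, group DN and the
      "cfldapuser" service-account credentials are placeholders. --->
<cfset authUser = Trim(cgi.auth_user)>

<!--- Empty auth_user means IIS never authenticated the request (e.g. Anonymous
      is still enabled). Refuse instead of silently continuing unauthenticated. --->
<cfif NOT Len(authUser)>
    <cfheader statuscode="401" statustext="Unauthorized">
    <cfoutput>Windows Integrated Security is required for this site.</cfoutput>
    <cfabort>
</cfif>

<!--- Keep only the username part of DOMAIN\username and allow just plain
      account-name characters, so the value cannot alter the LDAP filter below. --->
<cfset samAccountName = ListLast(authUser, "\")>
<cfif NOT REFind("^[A-Za-z0-9._-]{1,64}$", samAccountName)>
    <cfheader statuscode="400" statustext="Bad Request">
    <cfabort>
</cfif>

<!--- Read the user's record with a dedicated, read-only service account.
      The web user's own password is never needed and never available here. --->
<cfldap action="query"
        server="ldap.example.internal"
        port="389"
        username="EXAMPLE\cfldapuser"
        password="#application.cfldapPassword#"
        start="DC=example,DC=internal"
        scope="subtree"
        filter="(&(objectClass=user)(sAMAccountName=#samAccountName#))"
        attributes="sAMAccountName,displayName,memberOf"
        separator=";"
        name="userRec">
<!--- Exactly one matching account is expected; anything else is a deny. --->
<cfif userRec.recordCount NEQ 1>
    <cfheader statuscode="403" statustext="Forbidden">
    <cfabort>
</cfif>

<!--- Authorise on group membership. memberOf is multi-valued, and group DNs
      contain commas, so it was requested with ";" as the separator above. --->
<cfset requiredGroup = "CN=IntranetUsers,OU=Groups,DC=example,DC=internal">
<cfif NOT ListFindNoCase(userRec.memberOf, requiredGroup, ";")>
    <cfheader statuscode="403" statustext="Forbidden">
    <cfabort>
</cfif>
<cfset session.user = { name = userRec.sAMAccountName, display = userRec.displayName }>
```

The 401 branch is also the quickest way to see the symptom reported later in this thread (an empty CGI.auth_user) instead of an application that quietly runs with no user.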
Participant, Sep 16, 2009

This outputs nothing:

<cfoutput>#cgi.auth_user#</cfoutput>

Valorous Hero, Sep 16, 2009

Confirm that you have "Windows Integrated Security" selected and "Anonymous" is NOT selected in the IIS configuration.

Participant, Sep 16, 2009

I did, then... a dialog box is asking for a user/pass??

Valorous Hero, Sep 16, 2009

Then you are not using a Microsoft browser.

NTLM "Windows Integrated Security", being a Microsoft standard, only works silently in a Microsoft browser on a Microsoft client connecting through a Microsoft domain to a Microsoft web server running on a Microsoft server.

Presuming you may be using Firefox as a browser, it does have an option in its configuration (about:config in the URL) that allows you to set it up to silently pass NTLM authentication just as Internet Explorer does.  I have no idea if other browsers have a feature such as this.

Participant, Sep 16, 2009

I am using IE 8.

Valorous Hero, Sep 16, 2009

OK!

Then are you logged into the client machine?

Do you, or any group you are a member of, have some type of permissions to the web site resources you have just locked down with Windows integrated security?

Those are the only three causes I can think of that would cause a dialog box to be shown: a non-IE browser, no permissions to the web site, or you are not logged into the domain.

LEGEND, Sep 16, 2009

It sounds like the domain you're accessing is in the internet zone in your browser config.  It needs to be in the intranet zone (I think... I don't use IE, and it's been a while since I've had to do this).

Can I recommend you do some reading up on how all this is supposed to work, and get more of a handle on how this is supposed to work?

All this is really well documented (and covered in numerous forums elsewhere about the place... Google will find 'em).

I'm getting the distinct feeling we're participating in a wheel-reinvention exercise here.

--

Adam

LEGEND, Sep 16, 2009

(Welcome back Adam by the way).

G'day mate.

I'm out of work @ present (well... since March - long story), so have some time on my hands, but also want to keep my hand in.  Often sorting out the answers to people's questions leads me down a path I hadn't trod before.

These forums haven't improved, have they (the software, not the content)?  Plus the traffic seems well down on what it was like before the change over.  Big props to Adobe there.  Well done.  You must be proud.

--

Adam

Valorous Hero, Sep 17, 2009

Not to hijack the thread too much.

No, not much has improved in the forums as far as I can tell.  I'm just too bulldog stubborn to leave.

But I can say for sure that I respond to fewer threads than I would have without NNTP or something equally convenient.

Participant, Sep 17, 2009

Thank you for your input, guys... I think my idea will dissolve itself...
