15 Replies Latest reply on Nov 29, 2006 8:27 AM by finestationery

    Using CFLDAP to Authenticate with an existing CF Application

    finestationery
      Not sure if I can do this, but I was wondering if someone could help me out with this question.

      I created a helpdesk ticket application that allows employees to submit tickets to IT. This application resides on the Intranet.

      Currently, if the user wants to view the tickets he/she created, they click on their name (an employee ID is being passed in the link) and it displays all the tickets that particular user has created.

      While this works as intended, I wanted to take it one step forward by having tickets display based on the authentication from Active Directory (the LDAP server).

      Now, I know that in Internet Explorer, there is an option to Enable Integrated Windows Authentication. I believe this authenticates off of Active Directory.

      As of now (and I should have thought of this), when a user creates a ticket, they select their name from an Employees table within the Intranet Database. The Employee Directory is being pulled from this table and not Active Directory.

      My question is this:

      I would like to give the ability for users to view their submitted tickets by authenticating off of Active Directory. With IE's integrated windows authentication, is this possible?
        • 1. Re: Using CFLDAP to Authenticate with an existing CF Application
          Level 7
          I would like to give the ability for users to view their submitted
          tickets by authenticating off of Active Directory. With IE's integrated
          windows authentication, is this possible?

          Yes, it is possible and we do it all the time here. The basic steps are
          as follows.

          1) Enable Integrated Windows Security in IIS for the
          website|directory|file desired.

          1.A) Disable Anonymous Login for the same resource(s).

          2) CGI.Auth_User will now be populated with the Active Directory User ID
          of the person logged onto the client machine when these resource(s) are
          accessed.

          3) <CFLDAP ...> Can be used to retrieve other data from active directory
          and|or provide verification of the user with their password.
          • 2. Re: Using CFLDAP to Authenticate with an existing CF Application
            finestationery Level 1
            Thanks Ian,

            Do you have an example of how to use CGI.Auth_user?

            So, something like this example will work?
            http://www.sargeway.com/blog/index.cfm?mode=entry&entry=30
            • 3. Re: Using CFLDAP to Authenticate with an existing CF Application
              Level 7
              Do you have an example of how to use CGI.Auth_user?

              So, something like this example will work?
              http://www.sargeway.com/blog/index.cfm?mode=entry&entry=30

              That link to Sarge's blog uses CGI.Auth_User.

              <cfset userName = RemoveChars(CGI.Auth_User, 1, Find('\', CGI.Auth_User))>

              I usually do something like this
              <cfset userName = ListLast(CGI.Auth_User,"\")>

              Either method works fine. This strips out the domain name from
              cgi.auth_user which actually returns domain\username when authentication
              is turned on in IIS.

              Then userName [see: (cn=#userName#)] is used in the following
              <cfldap...> calls. You will need to modify these tags to match your
              particular Active Directory setup. At a minimum you will need to
              provide a valid userName and password to an account on your AD that is
              allowed to read the selected attributes.

              <!---#### Use the userName to retrieve the authenticated user's AD
              attributes ####--->

              <cfldap action="QUERY"
              name="getUser"
              attributes="dn, name, telephoneNumber, mail"
              start="cn=Users,DC=Sargeway,DC=COM"
              scope="ONELEVEL"
              filter="(&(objectClass=User)(cn=#userName#))"
              server="localhost"
              port="389"
              username="cn=Administrator,cn=Users,dc=sargeway,dc=com"
              password="#adminPass#">

              <cfdump var="#getUser#" label="User">

              <!---#### Use the user's DN attribute to find their group memberships
              ####--->

              <cfldap action="QUERY"
              name="getGroups"
              attributes="cn, dn"
              start="cn=Users,dc=sargeway, dc=com"
              scope="SUBTREE"
              filter="(&(objectClass=group)(member=#getUser.dn#))"
              sort="cn"
              sortcontrol="ASC"
              server="localhost"
              port="389"
              username="cn=Administrator,cn=Users,dc=Sargeway,dc=com"
              password="#adminPass#">

              <cfdump var="#getGroups#" label="Groups">
              • 4. Re: Using CFLDAP to Authenticate with an existing CF Application
                Level 7
                PS. I'm sure you will also need to change the start parameter to a valid
                path in your AD.
                • 5. Re: Using CFLDAP to Authenticate with an existing CF Application
                  finestationery Level 1
                  Another question,

                  How would I check against the employeeID and the Active Directory User ID?

                  Right now, I have this:
                  <!---CHECK FOR ID FROM ViewTickets.CFM--->
                  <cfset getEmployeeTickets=IsDefined("URL.employeeID")>
                  <!---check for Employee ID Number--->
                  <!---IF yes, get--->
                  <cfif getEmployeeTickets>
                  <!--- Get ticket number --->
                  <cfquery datasource="Intranet" name="getAllTicketsForUser">
                  SELECT
                  *
                  FROM dbo.helpdesk
                  WHERE employeeID=<cfqueryparam value="#URL.employeeID#" cfsqltype="cf_sql_varchar">
                  </cfquery>
                  </cfif>



                  • 6. Re: Using CFLDAP to Authenticate with an existing CF Application
                    Level 7
                    How would I check against the employeeID and the Active Directory User ID?

                    Depends on where that data is. If employeeID is part of your
                    Active Directory you can retrieve it from there and use that in your
                    ticket query. Or you need to add your Active Directory User IDs to
                    your ticket database and then use that in your where clause.
                    • 7. Re: Using CFLDAP to Authenticate with an existing CF Application
                      finestationery Level 1
                      quote:

                      Originally posted by: Newsgroup User

                      2) CGI.Auth_User will now be populated with the Active Directory User ID
                      of the person logged onto the client machine when these resource(s) are
                      accessed.

                      Is there any way I can see the userid being passed? I did a cfdump, but I'm not seeing anything.
                      • 8. Re: Using CFLDAP to Authenticate with an existing CF Application
                        Level 7
                        Is there any way I can see the userid being passed? I did a cfdump,
                        but I'm not seeing anything


                        If you did a dump of the CGI scope, and CGI.Auth_User is an empty string
                        then you have "Anonymous" access turned on in IIS. Anonymous must be
                        turned off for the web server to provide the domain\username to the
                        CGI.Auth_User variable.
                        • 9. Re: Using CFLDAP to Authenticate with an existing CF Application
                          finestationery Level 1
                          Ok, that worked, but turning off anonymous access now prompts the user to log in (I'm guessing it's authenticating to Active Directory).

                          I was under the impression that the Integrated Windows Auth would authenticate when the user logs into the domain.

                          When you created your application, do the users have to authenticate twice?

                          This is what I am using just to see if I can log into AD and authenticate.
                          This works fine and I can authenticate, but I am confused about how I can implement this without having the user log on:

                          Form:
                          ----------------------
                          <html>
                          <head>
                          <title>Active Directory Login Example</title>
                          </head>
                          <body>
                          <div align="center">Active Directory Login Example
                          </div>
                          <cfform action="cfldap.cfm" name="login" method="post">
                          <table border="0" align="center" cellpadding="0" cellspacing="0">
                          <tr>
                          <TD>UserName:</td>
                          <TD>
                          <cfinput type="Text" name="cfUserName" size="20" required="yes">
                          </td>
                          </tr>
                          <tr>
                          <td>Password:</TD>
                          <td><cfinput type="Password" name="cfPassword" required="yes"> </TD>
                          </tr>
                          <tr>
                          <td> </TD>
                          <td><input name="Submit" type="Submit" value="Submit"> </TD>
                          </tr>
                          </table>
                          </cfform>
                          </body>
                          </html>

                          Login Check:
                          --------------------
                          <cfparam type="string" name="LoginMessage" default="">

                          <cfldap action="QUERY"
                          name="GetUserInfo"
                          attributes="dn"
                          start="dc=yourdomain,dc=com"
                          Scope="subtree"
                          filter="(&(objectclass=user)(samaccountname=#form.cfusername#))"
                          server="serverName.yourdomain.com"
                          Port="389"
                          username="admin@yourdomain.com"
                          password="yourpassword">

                          <cfif getuserinfo.recordcount gt 0>
                          <cftry>
                          <cfldap action="QUERY"
                          name="AuthenticateUser"
                          attributes="givenname,samaccountname,dn,cn,mail"
                          start="dc=yourdomain,dc=com"
                          maxrows="1"
                          Scope="subtree"
                          filter="(&(objectclass=user)(samaccountname=#form.cfusername#))"
                          server="serverName.yourdomain.com"
                          Port="389"
                          username="#form.cfusername#@yourdomain.com"
                          password="#form.cfpassword#">
                          <cfset LoginMessage = "User Authentication Passed">
                          <cfcatch type="any">
                          <cfset LoginMessage = "User Authentication Failed">
                          </cfcatch>
                          </cftry>
                          <cfelse>
                          <cfset LoginMessage = "Username not found">
                          </cfif>

                          <html>
                          <head>
                          <title>Active Directory Login</title>
                          </head>
                          <body>
                          Login Status:<br><br>
                          <cfoutput>#LoginMessage#</cfoutput> <br><br>
                          <cfif getuserinfo.recordcount gt 0 AND LoginMessage neq "User Authentication Failed">
                          <cfoutput>#AuthenticateUser.cn#</cfoutput>
                          </cfif>
                          <cfdump var="#cgi#">
                          </body>
                          </html>

                          Taken from this example: http://cfdj.sys-con.com/read/114248.htm
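The two lookups discussed in this thread, the CGI.Auth_User lookup from reply 3 (with the employeeID join suggested in replies 5 and 6) and the form-based credential check posted in reply 9, as one added CFML example. This is not code from the thread, from Sarge's blog or from the CFDJ article; the domain corp.example, the domain controller dc1.corp.example, the service-account variables application.ldapUser and application.ldapPass, and the assumption that AD populates employeeID are all placeholders to replace with your own. It differs from the posted snippets in three ways a practitioner would want: the logon name is matched on sAMAccountName rather than cn (in AD, cn is normally the display name, while the user part of DOMAIN\user is the sAMAccountName), every value interpolated into a filter is escaped per RFC 4515 first, and the bind-based check rejects an empty password on the server, because a simple bind with a valid name and no password is an unauthenticated bind that the directory answers with success.

```cfml
<!--- Added example, not from the thread. Placeholders: corp.example,
      dc1.corp.example, application.ldapUser, application.ldapPass. --->

<cffunction name="ldapEscape" returntype="string" output="false">
    <!--- Escape the characters RFC 4515 reserves inside a filter value, so a
          logon name such as  bob)(objectClass=*  cannot rewrite the filter.
          The backslash is replaced first so the escapes themselves survive. --->
    <cfargument name="value" type="string" required="true">
    <cfset var out = Replace(arguments.value, "\", "\5c", "all")>
    <cfset out = Replace(out, "*", "\2a", "all")>
    <cfset out = Replace(out, "(", "\28", "all")>
    <cfset out = Replace(out, ")", "\29", "all")>
    <cfset out = Replace(out, Chr(0), "\00", "all")>
    <cfreturn out>
</cffunction>

<cffunction name="userFromAuthUser" returntype="string" output="false">
    <!--- IIS fills CGI.Auth_User with DOMAIN\user once Integrated Windows
          Authentication is on and Anonymous access is off; otherwise it is "".
          Return "" in that case instead of treating a blank as a user. --->
    <cfargument name="authUser" type="string" required="true">
    <cfif NOT Len(Trim(arguments.authUser))>
        <cfreturn "">
    </cfif>
    <cfreturn ListLast(arguments.authUser, "\")>
</cffunction>

<cffunction name="lookupUser" returntype="query" output="false">
    <!--- Read the user's AD record with the service account. The logon name
          is matched on sAMAccountName, which is what the user part of
          DOMAIN\user actually is; cn is normally the display name. --->
    <cfargument name="logonName" type="string" required="true">
    <cfset var getUser = "">
    <cfldap action="QUERY"
        name="getUser"
        attributes="dn,sAMAccountName,cn,mail,employeeID"
        start="dc=corp,dc=example"
        scope="SUBTREE"
        maxrows="1"
        filter="(&(objectClass=user)(sAMAccountName=#ldapEscape(arguments.logonName)#))"
        server="dc1.corp.example"
        port="389"
        username="#application.ldapUser#"
        password="#application.ldapPass#">
    <cfreturn getUser>
</cffunction>

<cffunction name="verifyCredentials" returntype="boolean" output="false">
    <!--- Form-based check (the cfldap.cfm flow): bind to AD as the user.
          The empty-password test is deliberate and must stay server-side:
          a simple bind with a valid name and no password is an
          unauthenticated bind, which the server answers with success, so
          without this test any valid logon name would "authenticate". --->
    <cfargument name="logonName" type="string" required="true">
    <cfargument name="password" type="string" required="true">
    <cfset var bindCheck = "">
    <cfif NOT Len(arguments.password) OR NOT Len(Trim(arguments.logonName))>
        <cfreturn false>
    </cfif>
    <cftry>
        <cfldap action="QUERY"
            name="bindCheck"
            attributes="dn"
            start="dc=corp,dc=example"
            scope="SUBTREE"
            maxrows="1"
            filter="(&(objectClass=user)(sAMAccountName=#ldapEscape(arguments.logonName)#))"
            server="dc1.corp.example"
            port="389"
            username="#arguments.logonName#@corp.example"
            password="#arguments.password#">
        <cfreturn bindCheck.recordCount EQ 1>
        <cfcatch type="any">
            <!--- Bad password, locked account or unreachable server all land
                  here; none of them is a successful login. --->
            <cfreturn false>
        </cfcatch>
    </cftry>
</cffunction>

<!--- Integrated Windows Authentication flow: identity from IIS, employeeID
      from AD, tickets from the Intranet database. --->
<cfset logonName = userFromAuthUser(CGI.Auth_User)>
<cfif NOT Len(logonName)>
    <cfthrow message="No Windows identity: Anonymous access is still enabled in IIS.">
</cfif>
<cfset adUser = lookupUser(logonName)>
<cfif adUser.recordCount NEQ 1 OR NOT Len(adUser.employeeID)>
    <cfthrow message="Logon name #logonName# has no employeeID in AD.">
</cfif>
<cfquery datasource="Intranet" name="getAllTicketsForUser">
    SELECT *
    FROM dbo.helpdesk
    WHERE employeeID = <cfqueryparam value="#adUser.employeeID#" cfsqltype="cf_sql_varchar">
</cfquery>
```

For the form-based page, call verifyCredentials(form.cfUserName, form.cfPassword) and only then run the employeeID query; the cfinput required="yes" on the login form is a client-side convenience and does not replace the server-side empty-password check. If your helpdesk table stores sAMAccountName instead of employeeID, swap the cfquery's WHERE clause for the logon name and drop the employeeID test.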
                          • 10. Re: Using CFLDAP to Authenticate with an existing CF Application
                            Level 7
                            I was under the impression that the Integrated Windows Auth would
                            authenticate when the user logs into the domain.

                            IF the user is using a browser that uses the IE engine. In other words,
                            the IE browser.

                            Possibly Netscape Navigator; I've heard that it contains both the IE and
                            Mozilla engines.
                            • 11. Re: Using CFLDAP to Authenticate with an existing CF Application
                              finestationery Level 1
                              Yes, the entire environment is using IE.
                              • 12. Re: Using CFLDAP to Authenticate with an existing CF Application
                                Level 7
                                Yes, the entire environment is using IE.

                                Does your network use multiple domains? If so are the users and servers
                                on different domains? I think I recall that automatic, behind the
                                scenes logon with "Integrated Windows Authentication" only works when
                                everything is on the same domain.

                                That is how our network is, we operate pretty much everything on one
                                domain, and it does work for us. Users, who use the IE browser, are not
                                requested to log on to resources secured with "Integrated Windows
                                Authentication" as long as they are logged onto the client computer.
                                • 13. Re: Using CFLDAP to Authenticate with an existing CF Application
                                  finestationery Level 1
                                  We have the same exact type of network you have set up. Maybe I'll restart the domain controller tonight to see what happens.

                                  • 14. Re: Using CFLDAP to Authenticate with an existing CF Application
                                    Level 7
                                    Just to confirm, you have "Integrated Windows Authentication" and ONLY
                                    "Integrated Windows Authentication" selected on the resources you want to
                                    secure in IIS.

                                    You may also want to check multiple levels [website/directory/file] in
                                    case you have something different at a higher or lower level with
                                    different permissions.
                                    • 15. Re: Using CFLDAP to Authenticate with an existing CF Application
                                      finestationery Level 1
                                      Yes, I have Integrated Win Auth and only that option.

                                      The NTFS permissions allow the "EVERYONE" group "read & execute", "list folder contents" and "read" rights.

                                      I really don't know what the deal is with this....