
NTLM Authentication

Guest, Jun 23, 2009

Hello. How do I get ColdFusion 8 to use an Active Directory in Server 2003/8 (NTLM) to authenticate users? I want users to login to the site using their domain information. The server runs Apache... Do I need IIS?

Thanks!

TOPICS: Advanced techniques
Views: 3.7K

Community guidelines: Be kind and respectful, give credit to the original source of content, and search for duplicates before posting.

1 Correct answer: Valorous Hero, Jun 24, 2009 (the full post appears below)

Valorous Hero, Jun 24, 2009

IIS is the normal web server to use 'Windows integrated security'.  I have seen NTLM modules for Apache, but I have never used one.

Guest, Jun 24, 2009

OK. So if I reconfigure the web server to use IIS, how do I set up CF8 to use the AD for authentication? The AD is on a separate machine, but same network.... Do you have an example?

Thanks a lot!

Valorous Hero, Jun 24, 2009

ColdFusion has little knowledge or care of the Active Directory server.

This is all handled by the web server.  Once you have IIS set up using Windows Integrated Security, it takes care of all the work, populates the cgi.AUTH_USER variable and passes everything to ColdFusion.  So the minimal CFML code is simply this.

<!--- IIS has already authenticated the user and supplies DOMAIN\user in cgi.AUTH_USER --->
<cfoutput>#cgi.AUTH_USER#</cfoutput>

<!--- listLast() on the backslash strips the domain prefix, leaving the bare account name --->
<cfif listLast(cgi.AUTH_USER,'\') EQ "iskinner">
   YOU ARE IAN SKINNER YOU CAN'T SEE THIS PAGE
   <cfabort>
</cfif>

If you want to use more information from the Active Directory data store, the <CFLDAP...> tag is the natural extension of this functionality.  The documentation has plenty of information on how to configure and use it.  With this tag, you can get user groups, check their password, find full name, phone numbers and whatever else you may be storing in your Active Directory tree.

Guest, Jun 24, 2009

Thank you! I will try this out once I configure IIS.

Once I have the user logged in, I can set access via <cfif> tags based on username/groups from <cfldap>, right?

Valorous Hero, Jun 24, 2009

You don't need <cfldap> for the username; that will already be provided by the web server.

But for groups or other data associated with that user account in Active Directory, yes, you would use <cfldap....>, which will return a record set of the specified data that you can then use in other decision and/or looping logic.

Guest, Jun 24, 2009

OK. Thanks... But how do I actually log in with a username and password? I have a simple login form with the input boxes I need, but how do I get that to authenticate into the AD and start a session?

Valorous Hero, Jun 24, 2009

If you use Windows integrated security in IIS then you do not need the form.  The web server and the browser take care of all of this themselves.  With an IE browser on a Windows client it will happen automatically.  With other browsers, such as Firefox, they will usually display a dialog box to the user.  Some browsers do not support NTLM.

If you want to use your form, you do not need the Windows integrated security or NTLM.  You would just collect the username and password and pass those to the <cfldap...> tag.  If the correctly configured <cfldap...> tag returns a record set then the user name and password are correct; if it does not, then they are not correct.

<!--- Values in braces are placeholders to replace with your own connection details --->
<cfldap action="query"
        server="{ActiveDirectoryServer}"
        name="returnQry"
        start="OU=HQ Users,OU=DPR Users,DC=inside,DC=cdpr,DC=ca,DC=gov"
        filter="{filterString}"
        username="{domain}\{username}"
        password="{password}"
        attributes="{attributes}">

<!--- Dump the returned record set to see which attributes came back --->
<cfdump var="#returnQry#">

Guest, Jun 24, 2009

OK. So I guess I will use LDAP then to log in with a form, as I want a login page, not a dialog box. Do I still need IIS, or will Apache work?

Attached is what I have so far.... How do I get that to actually login though? I'm not sure how to connect my login page to <cfldap> and work from there...

Thanks so much!

Valorous Hero, Jun 24, 2009

Yeah, if you are not using IIS's Windows Integrated Security, then you probably do not need IIS.

Just be aware of the pitfalls of using a plain text form for security.  I.e. unless there is encryption at the TCP/IP level, those user names and passwords are going to be transferred across the network in plain text.  You will probably need to combine your login form with some SSL configuration on your web server.

Guest, Jun 24, 2009

I was planning on using HTTPS with LDAP/S. I just need to figure out how to get that login form to use LDAP to authenticate... How would that be done? I'm not sure what code goes where...

Valorous Hero, Jun 24, 2009

The parameters of the <cfldap..> tag are strings.

That can be hand coded string literal constants or they can be variables that contain strings.

Such as form scope variables.

It is a pretty straightforward process from there once you know the proper connection information for your Active Directory server.

Guest, Jun 24, 2009

The <cfldap> tag isn't where I have the issue. I know how to get the information with the query.... but how do I combine <cfldap> with my login page to create an authentication mechanism? That is where I am stuck...

Thanks. 🙂

Valorous Hero, Jun 24, 2009

I can not go much farther without me, or some other contractor, coming to your site and writing your code for you after interviewing your network administrator for the correct data.  The usual rate for that type of work is $100 US/hour plus travel expenses and up.

<!--- Values in braces are placeholders; the username and password come straight from the login form --->
<cfldap action="query"
        server="{name or IP of AD server}"
        name="returnQry"
        start="{starting branches of LDAP tree to search}"
        filter="{filterString}"
        username="{domain}\#FORM.USERNAME#"
        password="#FORM.PASSWORD#"
        attributes="{attributes}">

<cfif returnQry.recordCount GTE 1>
  <!--- user has been authenticated against the active directory do something about it. --->
<cfelse>
  <!--- user has failed to authenticate against the active directory do something about it. --->
</cfif>

The ColdFusion documentation has sample code very similar to what is being provided here.

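Putting the thread's two pieces together, the form-to-<cfldap> bind above and the group lookup from the earlier reply, here is an added example of the login.cfm the form would post to; it is not code from any post in this thread or from Adobe's documentation. Beyond the snippets above it refuses an empty password before binding (Active Directory treats an empty-password bind as a successful anonymous bind), escapes the username before it goes into the LDAP filter, binds over LDAPS, and only then starts the session and reads memberOf for <cfif> group checks. The AD host, search base, NetBIOS domain, group DN and the home.cfm/loginform.cfm templates are assumed placeholders, and session management is assumed to be enabled in Application.cfm.

```cfml
<!--- login.cfm: the page the login form posts to. Added example; not code from this thread or from Adobe's docs. --->
<!--- Assumed placeholders: replace with your AD host, search base, NetBIOS domain and admin group DN. --->
<cfset adServer   = "ad.example.internal">
<cfset adBase     = "OU=Users,DC=example,DC=internal">
<cfset adDomain   = "EXAMPLE">
<cfset adminGroup = "CN=Site Admins,OU=Groups,DC=example,DC=internal">
<cfparam name="FORM.USERNAME" default="">
<cfparam name="FORM.PASSWORD" default="">
<cfset authenticated = false>

<!--- Refuse blanks before binding: AD treats a bind with an empty password as an anonymous bind that
      succeeds, so an empty password would otherwise "authenticate" any known username. A backslash or
      @ in the username is refused too, so the "#adDomain#\" prefix cannot be rewritten to another realm. --->
<cfif Len(Trim(FORM.USERNAME)) AND Len(FORM.PASSWORD) AND NOT REFind("[\\@]", FORM.USERNAME)>
  <!--- Escape RFC 4515 filter metacharacters so the username cannot alter the search filter --->
  <cfset safeUser = Replace(FORM.USERNAME, "\", "\5c", "all")>
  <cfset safeUser = Replace(safeUser, "*", "\2a", "all")>
  <cfset safeUser = Replace(safeUser, "(", "\28", "all")>
  <cfset safeUser = Replace(safeUser, ")", "\29", "all")>
  <cftry>
    <!--- The bind is the credential check: LDAPS on 636, exactly one record expected back --->
    <cfldap action="query" name="userQry"
            server="#adServer#" port="636" secure="CFSSL_BASIC"
            start="#adBase#" scope="subtree"
            filter="(&(objectClass=user)(sAMAccountName=#safeUser#))"
            username="#adDomain#\#FORM.USERNAME#"
            password="#FORM.PASSWORD#"
            attributes="sAMAccountName,displayName,memberOf"
            separator=";" maxRows="1">
    <cfset authenticated = (userQry.recordCount EQ 1)>
    <cfcatch type="any">
      <!--- A rejected bind throws; log cfcatch.message server-side, never echo it to the browser --->
      <cfset authenticated = false>
    </cfcatch>
  </cftry>
</cfif>

<cfif authenticated>
  <!--- Create the session only after a successful bind; the password is never stored --->
  <cflock scope="session" type="exclusive" timeout="10">
    <cfset SESSION.loggedIn    = true>
    <cfset SESSION.username    = userQry.sAMAccountName>
    <cfset SESSION.displayName = userQry.displayName>
    <cfset SESSION.isAdmin     = ListFindNoCase(userQry.memberOf, adminGroup, ";") GT 0>
  </cflock>
  <cflocation url="home.cfm" addtoken="no">
<cfelse>
  <!--- One generic message for unknown user, wrong password and directory errors alike --->
  <cfset REQUEST.loginError = "Invalid username or password.">
  <cfinclude template="loginform.cfm">
</cfif>
```

Because memberOf is multi-valued and each value is a DN containing commas, separator=";" is what makes the ListFindNoCase group check reliable.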
Guest, Jun 24, 2009

Thanks. That is what I needed to connect the form to the <cfldap>.

        username="{domain}\#FORM.USERNAME#"
        password="#FORM.PASSWORD#"

Thank you SO much!

Now I just need to get that into a session... Thanks again.

Engaged, Jun 30, 2009

NTLM security support is available under Apache.  "mod_ntlm" (or "mod_auth_ntlm") can be installed to do it.

It is certainly true, however, that if you have IIS readily available (as you probably do), and if it will work just-as-well as Apache in your case, it does make good sense to "do as the Romans do."  An academic exercise, while interesting, is also unprofitable.

In any case, this module (like mod_auth_ldap) can be used to secure the entire site "in one swell foop."  If the user manages to get into the site at all, he has passed authentication and his Windows credentials are known.  This is "the way to go" for intranets.

Advisor, Jun 30, 2009

I agree with " If the user manages to get into the site at all, he has passed authentication and his Windows credentials are known.  This is "the way to go" for intranets." as stated by TLC-IT.  If you decide to use Windows integrated authentication with IIS this Adobe technote may be useful to you.

http://kb2.adobe.com/cps/185/tn_18516.html
