osdir.com
mailing list archive

Subject: RE: Browser login with Windows domain login - msg#00034

List: security.web-applications

Sure is. Look up SPNEGO and you'll see that IIS is already enabled and that there are modules for Apache.

http://www.wedgetail.com/technology/spnego.html

Is a good overview.

David Carroll


From: <stevenr@xxxxxxxxxx>
To: <webappsec@xxxxxxxxxxxxxxxxx>
Subject: Browser login with Windows domain login
Date: Thu, 8 Apr 2004 18:51:38 +0530

Hi

I needed some pointers/links/tips from you folks on a problem.

I have a web-based application. Is it possible to sign in a user into
the browser based application transparently based on the Windows NT
domain login? By this I mean that when the user opens the browser and
types in the URL, the client machine should automatically send the user
credentials to the application. FYI, the Windows domain login is
authenticated against Microsoft Active Directory.

If this is possible, can anyone point me to some sites/tutorials? I have
googled but have not come up with anything useful, hence this mail.

Are there any known vulnerabilities with this kind of approach for web
based logins?

Any help would be appreciated.

Thanks
Steve




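Added example (not part of the original thread, and not code from IIS or any Apache module): with SPNEGO the server answers an unauthenticated request with 401 and "WWW-Authenticate: Negotiate", and the browser retries with "Authorization: Negotiate <base64 token>". The sketch below classifies that token so a server-side log can show whether a client really used Kerberos or fell back to raw NTLM. The function name and verdict strings are assumptions, and the sample tokens are constructed, truncated stand-ins. It inspects only the token's outer framing; validating the ticket remains the job of the GSS-API layer.

```python
import base64

NTLMSSP = b"NTLMSSP\x00"                              # magic at the start of a raw NTLM message
SPNEGO_OID = bytes.fromhex("06062b0601050502")        # DER encoding of OID 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("06092a864886f712010202")    # DER encoding of OID 1.2.840.113554.1.2.2


def classify_authorization(header):
    """Classify the Authorization header value sent to a Negotiate-protected URL."""
    if not header:
        return "challenge"            # reply 401 with "WWW-Authenticate: Negotiate"
    scheme, _, blob = header.strip().partition(" ")
    if scheme.lower() != "negotiate":
        return "other-scheme"
    try:
        token = base64.b64decode(blob.strip(), validate=True)
    except ValueError:                # binascii.Error is a ValueError subclass
        return "malformed"
    if token.startswith(NTLMSSP):
        return "ntlm-fallback"        # client did not obtain a Kerberos ticket
    if len(token) < 2 or token[0] != 0x60:
        return "malformed"            # not a GSS-API InitialContextToken
    # Skip the DER length: short form is one byte, long form is 0x80|n plus n bytes.
    pos = 2 + (token[1] & 0x7F if token[1] & 0x80 else 0)
    if token[pos:pos + len(SPNEGO_OID)] == SPNEGO_OID:
        # Heuristic: look for the Kerberos OID among the offered mechanisms.
        return "spnego-kerberos" if KRB5_OID in token else "spnego-no-kerberos"
    if token[pos:pos + len(KRB5_OID)] == KRB5_OID:
        return "kerberos"             # bare Kerberos token without the SPNEGO wrapper
    return "unknown-mechanism"


def constructed_headers():
    """Constructed sample headers (not captured traffic, no real credentials)."""
    ntlm = NTLMSSP + bytes.fromhex("01000000") + bytes.fromhex("078208a2")
    # 0x60 len | SPNEGO OID | NegTokenInit { mechTypes { Kerberos OID } }, no mechToken
    spnego = (bytes.fromhex("601b") + SPNEGO_OID
              + bytes.fromhex("a011300fa00d300b") + KRB5_OID)
    return {
        "ntlm": "Negotiate " + base64.b64encode(ntlm).decode(),
        "spnego": "Negotiate " + base64.b64encode(spnego).decode(),
    }


if __name__ == "__main__":
    for name, value in constructed_headers().items():
        print(name, "->", classify_authorization(value))
```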


Thread at a glance:

Previous Message by Date:

RE: Browser login with Windows domain login

Have a look at mod_ntlm for apache - this should let you authenticate your users from the apache server to your existing windows domain controllers

http://modntlm.sourceforge.net/

-----Original Message-----
From: stevenr@xxxxxxxxxx [mailto:stevenr@xxxxxxxxxx]
Sent: 08 April 2004 16:21
To: webappsec@xxxxxxxxxxxxxxxxx
Subject: RE: Browser login with Windows domain login

Hi all

Thanks for all the pointers guys/gals. I will follow them up.

One clarification though, the web server is not IIS alone, it's Apache from Oracle 9i App server. There is an existing IIS-based application existing, but that's not within my scope. So basically the web application would reside on Apache 1.3.

Regards
Steve

Next Message by Date:

RE: Browser login with Windows domain login

Try this for Apache....SPNEGO interceptor.

http://modgssapache.sourceforge.net/

Does the trick.

David

From: <stevenr@xxxxxxxxxx>
To: <webappsec@xxxxxxxxxxxxxxxxx>
Subject: RE: Browser login with Windows domain login
Date: Thu, 8 Apr 2004 20:50:42 +0530

Hi all

Thanks for all the pointers guys/gals. I will follow them up.

One clarification though, the web server is not IIS alone, it's Apache from Oracle 9i App server. There is an existing IIS-based application existing, but that's not within my scope. So basically the web application would reside on Apache 1.3.

Regards
Steve
