Clearing windows credentials for new login

Last post 04-26-2007 10:10 PM by XiaoYong Dai – MSFT. 4 replies.

  • Clearing windows credentials for new login

    04-21-2007, 11:22 AM
    • Member
      17 point Member
    • glenn22
    • Member since 04-20-2007, 7:59 PM
    • Posts 54
    I have a set of 3 ASP.NET pages. The initial page is viewable to all users, anonymous or otherwise; the other 2 pages are in a separate directory with integrated Windows authentication. On the 2 protected pages I have code to check if the logged-in user is a member of a specific security group or not (User.IsInRole), and if they are not it redirects them back to the initial page. This all works fine, but when the user is bumped back to the initial page I want to clear the Windows credentials they logged in with in order for them to be able to re-login. What is the code used for that?
  • Re: Clearing windows credentials for new login

    04-21-2007, 12:01 PM
    • Member
      17 point Member
    • glenn22
    • Member since 04-20-2007, 7:59 PM
    • Posts 54

    One other thing I'd like to know is this:

    When a user goes to log in to one of the above-mentioned Windows-authenticated pages, how can I make it default to our domain instead of them having to type in <domain>\<username>? Our users are used to simply typing in their username without the domain and will find this process difficult to adjust to.

  • Re: Clearing windows credentials for new login

    04-24-2007, 10:41 AM
    • Member
      17 point Member
    • glenn22
    • Member since 04-20-2007, 7:59 PM
    • Posts 54
    Does no one have any help for these 2 issues? The one I am most interested in is actually the second problem, setting a default domain for login.
  • Re: Clearing windows credentials for new login

    04-24-2007, 11:48 PM

    Hi

    Another solution would be to use impersonation. First, you need to unimpersonate (you cannot impersonate when you're already impersonating) by using the RevertToSelf() method. Then you can assume the 'new' identity by using the LogonUser API and impersonate that user in the domain.

    Example:

    using System;
    using System.ComponentModel;            // Win32Exception
    using System.Runtime.InteropServices;   // DllImport
    using System.Security.Principal;        // WindowsIdentity

    // The members below belong inside the page's code-behind class.

    [DllImport("advapi32.dll", SetLastError=true)]
    public static extern bool LogonUser(String lpszUsername, String lpszDomain, String lpszPassword,
        int dwLogonType, int dwLogonProvider, ref IntPtr phToken);

    [DllImport("kernel32.dll", CharSet=CharSet.Auto)]
    public extern static bool CloseHandle(IntPtr handle);

    [DllImport("advapi32.dll", CharSet=CharSet.Auto, SetLastError=true)]
    public extern static bool DuplicateToken(IntPtr ExistingTokenHandle,
        int SECURITY_IMPERSONATION_LEVEL, ref IntPtr DuplicateTokenHandle);

    const int LOGON32_PROVIDER_DEFAULT = 0;
    const int LOGON32_LOGON_INTERACTIVE = 2;

    /// <summary>
    /// This method switches between users...
    /// </summary>
    /// <param name="username">The windows username</param>
    /// <param name="domain">The domain this user belongs to</param>
    /// <param name="password">The users password.</param>
    private void SwitchUser(string username, string domain, string password)
    {
        // This is for the .NET 1.0 framework...
        // IntPtr duplicateHandle = new IntPtr(0);

        IntPtr tokenHandle = IntPtr.Zero;
        bool retVal = LogonUser(username,
            domain,
            password,
            LOGON32_LOGON_INTERACTIVE,
            LOGON32_PROVIDER_DEFAULT,
            ref tokenHandle);

        if (!retVal)
        {
            // Win32Exception() picks up the error code saved by SetLastError=true.
            throw new Win32Exception();
        }

        // If you use <identity impersonate="true" /> in your web.config,
        // you first need to unimpersonate (you can't impersonate when
        // you're already impersonating). Keep the returned context so the
        // request's original identity can be restored afterwards.
        WindowsImpersonationContext original = WindowsIdentity.Impersonate(IntPtr.Zero);
        try
        {
            // For .NET 1.0 you need to use the DuplicateToken method to
            // create a duplicate handle. In .NET 1.1 you don't need this
            WindowsIdentity newID = new WindowsIdentity(tokenHandle);

            WindowsImpersonationContext newUser = newID.Impersonate();
            try
            {
                // now, do the stuff you need to do with the new user account
                TextBox1.Text = WindowsIdentity.GetCurrent().Name;
            }
            finally
            {
                // Stop impersonating the new user.
                newUser.Undo();
            }
        }
        finally
        {
            // Go back to the original user and release the logon token.
            original.Undo();
            CloseHandle(tokenHandle);
        }
    }

    Also, you can refer to the article
     
    Best Regards
    XiaoYong Dai
    Microsoft Online Community Support

    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
  • Re: Clearing windows credentials for new login

    04-26-2007, 10:10 PM
    Answer

    Hi

    I have to correct my answer.

    It's not possible to clear Windows credentials. Instead, we can send a 401 HTTP status code and ask the client to re-input the user credentials:

        string strUser = User.Identity.Name;

        if (strUser.Contains("tingwang"))
        {
            Response.StatusCode = 401;
        }
        else
        {
            …
        }

    Best Regards
    XiaoYong Dai
    Microsoft Online Community Support
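
The 401 re-prompt from the accepted answer, tied to the role check in the original question (an added example, not part of the original posts). The group name `EXAMPLE\ReportViewers`, the page `~/Default.aspx` and the class name are placeholders, and it assumes IIS attaches the Integrated Windows Authentication challenge to the 401 response.

```csharp
using System;
using System.Web;
using System.Web.UI;

// Added example: code-behind for one of the two protected pages.
public partial class ProtectedPage : Page
{
    // Assumptions: the group name and landing page are placeholders.
    private const string RequiredRole = @"EXAMPLE\ReportViewers";
    private const string PublicPage = "~/Default.aspx";

    protected void Page_Load(object sender, EventArgs e)
    {
        // Authorize on group membership, not on a substring of the user name.
        if (!User.Identity.IsAuthenticated || !User.IsInRole(RequiredRole))
        {
            ChallengeAgain();
        }
        // Authorized: the page continues rendering the protected content.
    }

    private void ChallengeAgain()
    {
        // Record who was refused so repeated denials show up in the logs.
        // Fully qualified because Page.Trace is a different type.
        System.Diagnostics.Trace.TraceWarning(
            "Access denied: user '{0}' requested {1}",
            User.Identity.Name, Request.Path);

        Response.Clear();                        // drop anything already buffered
        Response.StatusCode = 401;               // browser prompts for credentials again
        Response.StatusDescription = "Unauthorized";
        Response.Cache.SetCacheability(HttpCacheability.NoCache);
        Response.Cache.SetNoStore();

        // This body is what the user sees after cancelling the prompt.
        Response.ContentType = "text/html";
        Response.Write("<p>" + HttpUtility.HtmlEncode(User.Identity.Name) +
            " is not authorized for this page. <a href=\"" +
            HttpUtility.HtmlAttributeEncode(ResolveUrl(PublicPage)) +
            "\">Return to the start page</a></p>");

        // Stop here: setting StatusCode alone does not end the request, so
        // the protected markup would still be sent in the 401 body.
        Response.End();
    }
}
```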
