Free Download:
|
 | |
 | NateDawg | | Asp.Net User |
| Re: Retrieving User Info from DotNetNuke | 8/10/2005 11:08:18 PM |
| 0/0 |   |
|
Can I get the password of a logged in user un-hashed so that I can use it and their username to log that user into a database?
I'm writing modules that interface to a company?s back-end database and I would like them (the user) to each log into that database so I can set permissions per-user rather than using one username and password to log into the database and funneling everyone across that connection. It would be nice if I could use the info of an already validated user to keep them from having to log-in a second time whenever they get to a page that interfaces with the database. BTW here's some background that might make a difference in the answer. I?m using:
Windows 2003 SP1
The server is the Active Directory primary domain controller.
IIS 6.0
MS-SQL server 2000 SP4
DNN 3.1
And Tam?s Authentication & login modules
Using the username and password of a user that is in A.D. for DNN was quite nice and saves my users from having to have a log-in for there PC and the website, but now I would like it if there was a way of telling SQL server that when this authenticated user goes to this module say to delete data from the database it will use there username and password to connect to the database so that only users who I specify may delete data and if it becomes an issue with the manager and they ask me who deleted the data I can refer back to the SQL log file and find the username of the person who performed the deletion. (Not a problem yet, just trying to cover my own ;-)
For anyone not familiar with how tam?s authentication modules work, I?ll give a quick overview. When a user (who has a username and password already in Active Directory) goes to the portal for the first time and logs in using there windows username and password the module will authenticate it against Active Directory. At that point the user information is also stored in the DNN database. So the same username and password exist for the user in both A.D. and DNN. I don?t care were I get the password from as long as it will work to log the user into the SQL server, which uses Windows Authentication.
Any help would be appreciated.
Thanks, Nathan Rover |
| Bunce | | Asp.Net User |
| Re: Retrieving User Info from DotNetNuke | 8/11/2005 4:49:51 AM |
| 0/0 | |
|
I doubt you'll be able to get the password - but you shouldn't really need it for your purposes.
Firstly, if you don't give SQL permissions to individual users then
there's no way for them to delete data, and hence you can't get in
trouble.
The only way they would be able to do this through the front-end
application (such as a module giving this ability in DNN) which is in
turn allowed specific database access. Now loss of data this way
is rare, and even if it is, you could make sure that the particular
module
in question logs all deletes made, and hence you could still get the
user in question (ie the DNN
user).
If this is still no good, then you'll need to impersonate the currently
logged in user across to your database connection. This is done
with a web.config setting but I'm not sure how it will impact on Tam's
authentication system. There's also the issue of passing your
authentication across servers (ie - web server to database
server). Search google for 'double-hop' authentication.
If you still want to go down this route, you still shouldn't need
the password. Windows authentication doesn't work that way.
Once a user is authenticated in a windows domain (ie when they login
with a valid username and password) they are given a 'token' which is
used to authorise them against specific resources. The password
is never used again after that (well, it shouldn't be anyway)
All in all, I think if you're relying on SQL logging to find out who is
deleting data then there's something wrong with your architecture
somewhere down the line.
Cheers,
Andrew
|
| NateDawg | | Asp.Net User |
| Re: Retrieving User Info from DotNetNuke | 8/12/2005 7:04:12 PM |
| 0/0 | |
|
How does the e-mail password function get the password in clear text to send it to a user if it?s stored hashed in the database? ![Confused [*-)]](/emoticons/emotion-42.gif)
Thanks, Nathan Rover |
| Bunce | | Asp.Net User |
| Re: Retrieving User Info from DotNetNuke | 8/13/2005 3:07:42 AM |
| 0/0 | |
|
It doesn't.
Well, the Active Directory accounts won't anyway. When I do
this and put in my username ([DOMAIN]\[Username]) it returns some
random number which obviously isn't my Active Directory password.
I have no idea what Tam (or the Membership provider) puts in the DNN user tables as a password for Windows accounts, but
its not your AD password. Its irrelevant what is stored in
DNN, as its not used when authenticating. Thats the whole point - the
responsibility of authenticating someone is passed on to AD so the DNN
password is never (shouldn't be) looked at when using Windows Authentication.
 NateDawg wrote: | |
Using the username and password of a user that is in A.D. for DNN was quite nice
|
|
Try to change that mindset - you're not using the username and password
at all - you're basically relying on Active Directory to tell you that this user has been authenticated, and is who he/she states to be.
Cheers,
Andrew
|
| NateDawg | | Asp.Net User |
| Re: Retrieving User Info from DotNetNuke | 8/13/2005 11:10:01 PM |
| 0/0 | |
|
Well, I'm still not too sure how it works but it works...![Confused [8-)]](/emoticons/emotion-43.gif)
<code>
If MyBase.UserId >= 0 Then
UserName = MyBase.UserInfo.Username.ToString()
Password = MyBase.UserInfo.Membership.Password.ToString()
End If
</code>
It does everything I need it to do, and it works with Tam's Authentication module, and the password is returned in cleartext.
The key is to do it only to logged in users thats why I have the if statement, without it the module would crash.
thats my $.02, Nathan Rover |
| NateDawg | | Asp.Net User |
| Re: Retrieving User Info from DotNetNuke | 8/14/2005 3:10:03 AM |
| 0/0 | |
|
Well, only Tam knows due to the fact that the module is not open source... ![Sad [:(]](/emoticons/emotion-6.gif)
BTW Tam, if your reading this, I would greatly appreciated if you made the source code available for the
authentication module, and I?m sure there are more programmers that feel the same way I do, but, I digress.
The way I think it works it that when a user logs in for the first time they are authenticated against AD, then
the username and password they typed in get put into the database. So, it matches what?s in AD, but it was
supplied by the user.
The major problem I have with this is, when the password changes in AD the old password will still work in
DNN. This is why I wish the authentication module was open source. But I think I can develop a hacky
work-around by making a function that will do scheduled deletion of users from the DNN database.
In reply to your question ?How did you initially create the users in DNN?? I didn?t they get added the first
time they log-in. the only non AD users are host and admin? witch I need to read up on how to promote a
user to super-user, so that I can turn my Administrator account into the super-user. So I can get rid of both
the default DNN users.
?I bet if you change the password in the database, you'd still be able to log into DNN using Windows Auth.?
Correct, and it will overwrite the password in the database when you log in, with the one in AD.
?How are your users currently logging in? Users should never have to enter their username and password
using this method of authentication...? kinda? if they are at a computer which is logged in to the domain then
they are automatically logged in as the user who is logged on to the PC. If they come across the internet there
is a form log-in which they can use to log-in.
?I'd be quite worried if Tam's provider is somehow retrieving the users' password from active directory and
inserting it into the DNN database.? Me too?. Tam, please make the authentication module open source?.
Just my $.02, Nathan Rover ![Geeked [8-|]](/emoticons/emotion-15.gif) |
| wallew | | Asp.Net User |
| Re: Retrieving User Info from DotNetNuke | 8/14/2005 3:28:59 AM |
| 0/0 | |
|
Wish I had the code to this! (hint hint)!
Wallew
|
| Bunce | | Asp.Net User |
| Re: Retrieving User Info from DotNetNuke | 8/14/2005 7:37:42 AM |
| 0/0 | |
|
| NateDawg wrote: | |
The way I think it works it that when a user logs in for the first time they are authenticated against AD, then
the username and password they typed in get put into the database. So, it matches what?s in AD, but it was
supplied by the user.
|
|
hmmm - It will be interesting to see what Tam says. I think if you first don't
create the user in DNN then Tams module just gets the username and puts
it in the database on first logging in. It doesn't (shouldn't)
use the password when authenticating users from then on, therefore
there should be no point in getting it. The exception might be
when wanting to implement 'mixed' authentication where a username and
password is required.. I'm not sure how that woud work...
| NateDawg wrote: |
?I bet if you change the password in the database, you'd still be able to log into DNN using Windows Auth.?
Correct, and it will overwrite the password in the database when you log in, with the one in AD.
|
|
I don't think it does... Well I hope not.. Why would it need
to? It doesn't need to check the password when using Integrated
Auth so why update the password? I've never manually created our
users in DNN and the passwords are definitely not in the database... -
Well, according to what was returned using the 'Email password facility
I discussed earlier..
Nathan, could you do a test for me as I'm keen to get to the bottom of
this.. Could you log into your portal using an account that doesn't
already exist in DNN, using Tams module in Windows Auth mode (therefore
the account will be created automatically). Then use that
email password function and see what it returns?
Cheers,
Andrew |
| NateDawg | | Asp.Net User |
| Re: Retrieving User Info from DotNetNuke | 8/15/2005 12:15:51 AM |
| 0/0 | |
|
Logged the user in with Tams Forms Authenticaiton Module.
It's in Form/ADSI Auth. mode.
It's version 3.0.13.
Nathan Rover |
| DanBall | | Asp.Net User |
| Re: Retrieving User Info from DotNetNuke | 8/15/2005 11:48:22 AM |
| 0/0 | |
|
Just putting my 1.5 cents worth in here...
The way I figure it is working is that you enter your username/password into DNN, it uses that username/password to ask AD if it is a correct match, and AD will respond yes/no, providing the authentication necessary. DNN doesn't "have" to store the password locally, but it theoretically "could", seeing as you already typed it into DNN in the first place.
My guess would be that it is caching the password for future "session" authentication requests, not storing it in it's database. As such, it is a variable that should accessible during the user session.
And no, AD will NOT return the password under any circumstances, it simply tells you if you have the right one or not.
|
| JasonCochran | | Asp.Net User |
| Re: Retrieving User Info from DotNetNuke | 1/6/2006 12:50:30 PM |
| 0/0 | |
|
Gents,
I've been through this ad nauseum in the past few days, and I have a few ideas to offer. Sorry, I know I'm a little late coming here. I have been working to implement TTT.Authentication for DNN 2.1.2, so all the following relates to that version of the software as downloaded from Tam's site.
- The password is not being "retrieved" from AD, it is simply being confirmed by AD. Tam's module asks AD if the password is correct, if it responds yes, then he can store the value you typed into DNN and "have your AD password."
- Since this was unacceptable I was able to change the code a bit to store a bogus password in DNN. Then when I see an AD user logs in, his password will never match the bogus password and everything else will function as normal. Works pretty well, actually. The only disadvantage being that the "Password Reminder" feature is useless, so I had to hack the core to get rid of that option.
- The only problem we are now having is that IIS is somehow caching the passwords, so when an AD password is changed, the user can actually use both the old and new passwords (in DNN only, not on another computer where AD is used). We've yet to resolve this little jewel.
Any thoughts?
Regards,
Jason |
|
| |
Free Download:
|
Books:  Professional DotNetNuke 4: Open Source Web Application Framework for ASP.NET 2.0 Authors: Shaun Walker, Joe Brinkman, Bruce Hopkins, Scott McCulloch, Patrick J. Santry, Chris Paterra, Scott Willhite, Dan Caron, Pages: 517, Published: 2006 Beginning DotNetNuke Skinning and Design: Skinning and Desing Authors: Andrew Hay, Nina Meiers, Shaun Walker, Pages: 432, Published: 2007 Microsoft Log Parser Toolkit Authors: Gabriele Giuseppini, Mark Burnett, Pages: 350, Published: 2005 Beginning DotNetNuke 4.0 Website Creation in C# 2005 with Visual Web Developer 2005 Express: From Novice to Professional Authors: Nick Symmonds, Pages: 391, Published: 2006 Beginning DotNetNuke 4.0 Website Creation in VB 2005 with Visual Web Developer 2005 Express: From Novice to Professional Authors: Nick Symmonds, Pages: 448, Published: 2006 DotNetNuke For Dummies Authors: Lorraine Young, Philip Beadle, Scott Willhite, Chris Paterra, Pages: 408, Published: 2007 Web 2.0 Heroes: Interviews with 20 Web 2.0 Influencers Authors: Bradley L. Jones, Pages: 273, Published: 2008 Web:Retrieving User Info from DotNetNuke - ASP.NET Forums I'm trying to retrieve user info from DotNetNuke. Basically all I want to do is get the username of the person currently logged on to the ... Possible to Retrieve DNN Login Field - ng.asp-net-forum.dotnetnuke ... possible to edit preferred user information? > DotNetNuke Module . ... You can set your DNN to retrieve password using an email address by ... Retrieving specific users profile properties in calculated column ... it will be possible in UDT5; http://www.dotnetnuke.com/Community/Blogs/tabid/825 /EntryID/1038/Default.aspx; you can use Reports5 to retrieve data out of a ... Retrieving login data for DotNetNuke > WheelMUD - A C# MUD Server ... Jun 16, 2008 ... User Services Feedback Center · People on this site ... Retrieving login data for DotNetNuke. Well, I had a hair pulling session trying to ... Retrieving User Info from DotNetNuke - ASP.NET Forums Re: Retrieving User Info from DotNetNuke. 08-15-2005, 7:48 AM. Contact ... Re: Retrieving User Info from DotNetNuke. 10-19-2005, 3:35 PM ... How to retrieve the dnn UserName - Iframe Module [Lead: Vitaly ... Dim dnnUserInfo As New DotNetNuke.Entities.Users.UserInfo. PortalID = dnnUserCtrl. ... What can i do to retrieve the User Name? ... Let’s Talk DotNetNuke User Personalization The DotNetNuke.Services.Personalization.Personalization class contains a ... A PersonalizationInfo object is retrieved using data from each UserInfo object. ... variables not retrieving on 2nd page of form > DotNetNuke Module ... Having issues getting Session or Cookie Variables to retrieve. ... Product General Information / User Guides, --General Information ... DotNetNuke Modules - Retrieving Settings On Monday we discussed how to save setting information for our modules. ... 2008 ; DotNetNuke Modules - Retrieving Settings - September 24th, 2008 ... Venexus DotNetNuke Blog - Active Directory Retrieving User Info from DotNetNuke - Discussion on Tam's module and Active Directory. Building Secure ASP.NET Applications: Authentication, Authorization, ... |
|
Search This Site:
|
|