Hi all. Fairly new to ASP.Net and I would appreciate some help. Is there a way to get a website visitor's Windows NT user name without forcing them to log in? The only thing I seem to be able to get is the username of who is logged in on my web server. For example, John Doe's Windows logon name is jdoe and Joe Smith's name is jsmith. If I had code on my page to display their user name, for John Doe it would display "Welcome jdoe" and for Joe Smith it would display "Welcome jsmith."

Eventually I will use this information to query active directory for things like e-mails, first and last names, etc.

Thanks in advance!

A: 

Could this article be of help to you?

Single Sign-On Enterprise Security for Web Applications

Christian W
A: 

If your website is on an intranet, your users are using Internet Explorer and you enable 'Integrated Windows Authentication', and your ASP.NET application allows Windows authentication, then your ASP.NET application can look up the user in Active Directory/Local Users and Computers using this method:

application.User

...which will return a WindowsPrincipal object.

JBRWilkinson
+1  A: 

You need to have the user log in; there is no other way for you to get their user name. The browser will, by design, prevent you from getting that information.

You can use Windows Authentication in ASP.NET by changing the authentication node in the web.config file:

<authentication mode="Windows">
</authentication>

Once you've done that, you will have enough information to easily query AD.

Jeff Siver
Log in to what? The website or Windows?
JBRWilkinson
The website, which will use Windows Authentication (and Windows account credentials) in the back end (as opposed to accounts stored in a SQL database).
Alan
You might also want to look at using impersonation with Windows Authentication. That might be a better fit for the security model you are trying to implement.
Jeff Siver
+1  A: 

Without logging in at least once (or authenticating against OpenID), it's going to be very difficult (maybe even impossible) to do this with external (internet) web users.

Here's why:

It's a chicken and egg problem.

When your ASP page is run, it's running as the IIS process, so by default whatever account is running IIS will be the logged in account.

So you have no idea what account to impersonate. Even if you did know which account, your IIS shouldn't have suitable permissions to impersonate any arbitrary account without supplying credentials (i.e. logging in).

If you think about it, it's a huge security risk to be able to just willy-nilly display a user's Windows username on any page.

Without logging in, you could just ask the user for a username, and store that value in a cookie or an LSO. Then anytime the user visits your page, you read the cookie and print the value. If the cookie is deleted, just present the user with a dialog asking them to store their username. Obviously this won't help you when you want to search AD (and you shouldn't provide an externally facing AD search without authentication--for security's sake).

The only real approach here is to require your users to log in (if you want to provide a custom experience).

Alan
I should mention that this is an intranet site.
Sportsfan33
A: 

You could do an LDAP query to retrieve the Active Directory property displayname, or firstname lastname, based on samaccountname=jdoe.

Dan Iveson
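
Added example (not part of any answer above): a C# sketch that combines the two suggestions in this thread, taking the Windows-authenticated identity and using it in a samaccountname LDAP query, with the logon name escaped per RFC 4515 so it cannot alter the filter. The `AdLookup` class and its method names are hypothetical; it assumes Windows Authentication is enabled with anonymous access disabled, and that the web server is joined to the domain being searched.

```csharp
using System;
using System.DirectoryServices;   // add a reference to System.DirectoryServices.dll
using System.Security.Principal;
using System.Text;

public static class AdLookup      // hypothetical helper, not from the thread
{
    // Escape the characters RFC 4515 reserves inside LDAP filter values,
    // so a logon name can never change the structure of the filter.
    public static string EscapeFilterValue(string value)
    {
        var sb = new StringBuilder(value.Length);
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append(@"\5c"); break;
                case '*':  sb.Append(@"\2a"); break;
                case '(':  sb.Append(@"\28"); break;
                case ')':  sb.Append(@"\29"); break;
                case '\0': sb.Append(@"\00"); break;
                default:   sb.Append(c); break;
            }
        }
        return sb.ToString();
    }

    // "DOMAIN\jdoe" -> "jdoe"; a name without a domain prefix is returned as is.
    public static string SamAccountName(IIdentity identity)
    {
        if (identity == null || !identity.IsAuthenticated)
            throw new UnauthorizedAccessException("Request is not authenticated.");
        string name = identity.Name;
        int slash = name.LastIndexOf('\\');
        return slash >= 0 ? name.Substring(slash + 1) : name;
    }

    // Returns "displayName <mail>" for the account, or null when no user matches.
    public static string Describe(IIdentity identity)
    {
        string filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName="
                        + EscapeFilterValue(SamAccountName(identity)) + "))";
        using (var searcher = new DirectorySearcher(filter, new[] { "displayName", "mail" }))
        {
            SearchResult r = searcher.FindOne();   // searches the server's default domain
            if (r == null) return null;
            Func<string, string> first = p =>
                r.Properties.Contains(p) && r.Properties[p].Count > 0 ? (string)r.Properties[p][0] : "";
            return first("displayName") + " <" + first("mail") + ">";
        }
    }
}
```

From a page's code-behind this would be called as `AdLookup.Describe(User.Identity)`; the directory query runs under the application pool account unless impersonation is enabled.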