I have a site I am working on; on this site users can log in to get more private information. My client has another site elsewhere that uses NT authentication for accessing it. What they want to do is have a button on the site I am working on, under the private area, that will send them to the NT-authenticated site but not require them to log on to that site, instead passing the username and password that they used to log into my site to the other site for them.

Is it possible to do this? And how would I accomplish it? Is there a better way to do this?

A: 

How will the other site validate your username and password?

Ideally your site shouldn't even be remembering the user's password to be able to pass it to another site (you store hashes of the password, not the password itself, and only use the actual password during validation).

What if your site provided a token to the user, who presents that token to the new site, which in turn asks your site to validate the token. Basically the second site is trusting you to tell them who the user is.

This all breaks down if the second site is actually using the Windows accounts for anything other than just retrieving a user name (for example permissions on the underlying file), since the user is not logged on as the actual Windows user account in this scenario.

Rob Walker
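The handoff Rob Walker sketches, as an added example that is not part of the original answer: the Forms-authenticated site (site A) issues a short-lived, single-use token to the user, and the validation routine is what site A's validation endpoint runs when the second site calls back with the token it was handed. The token layout, the HMAC key handling, the two-minute lifetime and the in-memory replay set are assumptions for illustration; the code assumes .NET 6 or later.

```csharp
// Added example (not from the original thread): site A issues a signed, expiring, single-use
// handoff token; site B receives it from the user and asks site A to validate it.
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

public static class HandoffTokens
{
    // Assumption: a 32-byte key known only to site A. In a real deployment load it from
    // protected configuration so it survives restarts and is shared across the web farm.
    static readonly byte[] Key = RandomNumberGenerator.GetBytes(32);
    static readonly TimeSpan Lifetime = TimeSpan.FromMinutes(2);
    // Nonces already presented; a token that validates once must not validate again.
    // Assumption: single server; a farm needs shared storage for this set.
    static readonly HashSet<string> Consumed = new HashSet<string>();

    // Token layout (assumed): base64url(user) "." expiryUnix "." base64url(nonce) "." base64url(HMAC-SHA256(payload))
    public static string Issue(string username, DateTimeOffset now)
    {
        string payload = string.Join(".",
            B64(Encoding.UTF8.GetBytes(username)),
            now.Add(Lifetime).ToUnixTimeSeconds().ToString(),
            B64(RandomNumberGenerator.GetBytes(16)));
        return payload + "." + B64(Mac(payload));
    }

    // Returns the user name the token vouches for, or null when the token is malformed,
    // forged, expired or has already been presented. Check the MAC before trusting any field.
    public static string Validate(string token, DateTimeOffset now)
    {
        string[] parts = token.Split('.');
        if (parts.Length != 4) return null;
        string payload = string.Join(".", parts[0], parts[1], parts[2]);
        byte[] given = UnB64(parts[3]);
        if (given == null || !CryptographicOperations.FixedTimeEquals(Mac(payload), given)) return null;
        if (!long.TryParse(parts[1], out long expiry) || now.ToUnixTimeSeconds() > expiry) return null;
        lock (Consumed)
        {
            if (!Consumed.Add(parts[2])) return null;   // replay of a token already used
        }
        byte[] name = UnB64(parts[0]);
        return name == null ? null : Encoding.UTF8.GetString(name);
    }

    static byte[] Mac(string payload)
    {
        using (var hmac = new HMACSHA256(Key))
        {
            return hmac.ComputeHash(Encoding.UTF8.GetBytes(payload));
        }
    }

    // base64url without padding, so the token is safe in a query string and never contains '.'
    static string B64(byte[] bytes) =>
        Convert.ToBase64String(bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_');

    static byte[] UnB64(string s)
    {
        string t = s.Replace('-', '+').Replace('_', '/');
        switch (t.Length % 4)
        {
            case 1: return null;
            case 2: t += "=="; break;
            case 3: t += "="; break;
        }
        try { return Convert.FromBase64String(t); }
        catch (FormatException) { return null; }
    }

    public static void Main()
    {
        var now = DateTimeOffset.UtcNow;
        string token = Issue("alice", now);
        Console.WriteLine(Validate(token, now));                               // first use
        Console.WriteLine(Validate(token, now) == null);                       // same token again: rejected
        Console.WriteLine(Validate(token.Substring(0, token.Length - 1), now) == null);  // tampered MAC: rejected
        Console.WriteLine(Validate(token, now.AddMinutes(5)) == null);         // past expiry: rejected
    }
}
```

The second site still has to authenticate to site A's validation endpoint (TLS plus a shared client credential at minimum); otherwise anyone who can reach that endpoint can burn a user's token. And, as the answer notes, SharePoint sees the user name only; nothing here gives the user a Windows logon on the other side.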
A: 

To be honest the other site is a sharepoint site that I do not have any control of. All they'll let me do is stuff on my own site to jump to the sharepoint site. And the sharepoint site is using nt authentication.

Solmead
A: 

If you need to authenticate against the second site, you may need to spawn a new thread and call the Windows LogonUser API. Once you have the security token, assign it to the new thread and do your connection via that thread.

LogonUser requires enhanced privileges, and isn't Managed code, so there are some pretty severe hiccups to using it. But that's been the only work around I've been able to find to get a Forms authenticated site talking to a Windows Authenticated Service/Site.

Hope this helps.

Jay Mooney
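The LogonUser route Jay Mooney describes, as an added example that is not code from the original answer: a P/Invoke declaration for LogonUser, impersonation of the returned token, and an HTTP fetch made under that identity so the NTLM or Kerberos handshake runs as the user. The site URL, the credential values, the choice of a network logon and the use of `WindowsIdentity.RunImpersonatedAsync` (which needs .NET 5 or later on Windows) are assumptions for illustration.

```csharp
// Added example (not from the original answer): LogonUser + impersonation to reach a
// Windows-authenticated site from a Forms-authenticated ASP.NET application on Windows.
using System;
using System.ComponentModel;
using System.Net.Http;
using System.Runtime.InteropServices;
using System.Security.Principal;
using System.Threading.Tasks;
using Microsoft.Win32.SafeHandles;

public static class WindowsSiteClient
{
    // Network logon: the token is meant for outbound authentication, not for an interactive session.
    const int LOGON32_LOGON_NETWORK = 3;
    const int LOGON32_PROVIDER_DEFAULT = 0;

    // advapi32!LogonUserW; SafeAccessTokenHandle closes the token handle when disposed.
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string lpszUsername, string lpszDomain, string lpszPassword,
                                 int dwLogonType, int dwLogonProvider, out SafeAccessTokenHandle phToken);

    // Logs the supplied Windows credentials on, impersonates the resulting token for the
    // duration of the request, and returns the response body.
    public static async Task<string> FetchAsAsync(string domain, string user, string password, string url)
    {
        if (!LogonUser(user, domain, password, LOGON32_LOGON_NETWORK, LOGON32_PROVIDER_DEFAULT,
                       out SafeAccessTokenHandle token))
        {
            // Wrong password, locked account, or the web process lacking the right to log users on.
            throw new Win32Exception(Marshal.GetLastWin32Error());
        }

        using (token)
        {
            // Impersonation is per thread and does not follow async continuations on its own;
            // RunImpersonatedAsync re-applies the token on every continuation of this delegate.
            return await WindowsIdentity.RunImpersonatedAsync(token, async () =>
            {
                var handler = new HttpClientHandler { UseDefaultCredentials = true };
                using (var client = new HttpClient(handler))
                {
                    return await client.GetStringAsync(url);
                }
            });
        }
        // Leaving the using block disposes the token; nothing after this point runs as the user.
    }

    public static async Task Main()
    {
        // Assumed values for illustration only.
        string body = await FetchAsAsync("CORP", "alice", "P@ssw0rd", "http://sharepoint.corp.example/default.aspx");
        Console.WriteLine(body.Length);
    }
}
```

Two caveats a practitioner will want: this only works while your site still holds the user's Windows password in cleartext, which the earlier answer rightly warns against, and the password has to be one the domain controller will accept, so it must be the same account the SharePoint side trusts. If the only goal is the HTTP handshake rather than a real impersonated security context, setting `HttpClientHandler.Credentials` to a `NetworkCredential` does the NTLM exchange without LogonUser at all.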
A: 

Is this an intranet environment? If so, they shouldn't have to log in anyway. If SharePoint is set up using "Integrated Authentication" and the site is listed as a trusted site in IE, the browser will use their network credentials for auto-login. This can be set up on Firefox as well.

jms
+1  A: 

Here's an (untested) theory, the details of which will greatly depend on what types of authentication the Sharepoint site will accept. I'll tackle Basic, since it's the easiest.

You'll write out some JavaScript that uses XMLHttpRequest to submit a request to the Sharepoint site, and add their username and password to the request headers. Their browser will run that JavaScript, and get logged into the Sharepoint site.

Now, when they click the link, the client's browser should have the cached credentials to send to the Sharepoint site.

Possible issues:

  • XMLHttpRequest does not allow cross domain auth
  • Browser and XHR don't share auth info
  • Sharepoint and XHR can't agree on auth method

Another option is to proxy the connection to Sharepoint, which allows you to login server side (bypassing XHR limitations and browser security) - but requiring load on your server and possibly some URL target issues.

Mark Brackett
A: 

Your users will not be able to connect to the NTLM site directly without getting an NTLM challenge. I would write what would effectively be a proxy to the NTLM site; i.e. your server-side code will have credentials to connect to the NTLM site, and it passes through the requests from your users.

As you mention it's SharePoint (spit) bear in mind that SharePoint has a bunch of Web Services you could use for this (rather than doing screen-scraping).

Duncan Smart
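The server-side proxy Duncan Smart proposes, as an added example that is not part of the original answer: the proxy holds a service account's credentials, makes the NTLM handshake itself, and both fetches pages and calls the SharePoint Lists web service on the user's behalf. The SharePoint URL, the service account, the path allowlist and the use of the `Lists.asmx` `GetListCollection` SOAP operation are assumptions for illustration.

```csharp
// Added example (not from the original answer): a server-side proxy that authenticates to
// SharePoint with a service account and forwards only allowlisted requests for Forms users.
using System;
using System.Collections.Generic;
using System.Net;
using System.Net.Http;
using System.Text;
using System.Threading.Tasks;

public sealed class SharePointProxy
{
    // Assumed SharePoint location.
    static readonly Uri SharePointRoot = new Uri("http://sharepoint.corp.example/");

    // The service account sees far more than any single user would. SharePoint can no longer
    // authorize per user, so the proxy has to: only these paths are fetched on users' behalf.
    static readonly HashSet<string> AllowedPaths = new HashSet<string>(StringComparer.OrdinalIgnoreCase)
    {
        "/sites/clientportal/default.aspx",
        "/sites/clientportal/Lists/Announcements/AllItems.aspx",
    };

    readonly HttpClient _client;

    public SharePointProxy(string domain, string serviceUser, string servicePassword)
    {
        var handler = new HttpClientHandler
        {
            // NetworkCredential drives the NTLM/Negotiate handshake for this process; no
            // impersonation or LogonUser is involved, so it works from any thread.
            Credentials = new NetworkCredential(serviceUser, servicePassword, domain),
            PreAuthenticate = true,
        };
        _client = new HttpClient(handler) { BaseAddress = SharePointRoot };
    }

    // Fetches a page for a user who has already passed Forms authentication on our site.
    // Returns null for anything outside the allowlist so the proxy cannot be used as an open
    // relay carrying the service account's privileges.
    public async Task<string> FetchPageForUserAsync(string formsUser, string path)
    {
        if (string.IsNullOrEmpty(formsUser) || !AllowedPaths.Contains(path)) return null;
        using (var response = await _client.GetAsync(path))
        {
            response.EnsureSuccessStatusCode();
            return await response.Content.ReadAsStringAsync();
        }
    }

    // Calls the Lists web service (the classic /_vti_bin/Lists.asmx SOAP endpoint) rather than
    // scraping HTML; the response is the GetListCollection XML.
    public async Task<string> GetListCollectionAsync(string siteRelativePath)
    {
        const string envelope =
            "<soap:Envelope xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\"><soap:Body>" +
            "<GetListCollection xmlns=\"http://schemas.microsoft.com/sharepoint/soap/\" />" +
            "</soap:Body></soap:Envelope>";
        var request = new HttpRequestMessage(HttpMethod.Post, siteRelativePath.TrimEnd('/') + "/_vti_bin/Lists.asmx")
        {
            Content = new StringContent(envelope, Encoding.UTF8, "text/xml"),
        };
        request.Headers.Add("SOAPAction", "\"http://schemas.microsoft.com/sharepoint/soap/GetListCollection\"");
        using (var response = await _client.SendAsync(request))
        {
            response.EnsureSuccessStatusCode();
            return await response.Content.ReadAsStringAsync();
        }
    }

    public static async Task Main()
    {
        // Assumed service account for illustration only; keep the real one in protected configuration.
        var proxy = new SharePointProxy("CORP", "svc-portal", "assumed-password");
        Console.WriteLine(await proxy.GetListCollectionAsync("/sites/clientportal"));
    }
}
```

Because every request reaches SharePoint as the service account, its audit trail records that account rather than the real user, and a bug in the proxy's own authorization check exposes everything the service account can read. Keep the account's SharePoint permissions to the minimum the portal needs and log the Forms user name alongside each proxied request on your side.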