How do I change who is logged in (allow for another user to login) to an application that is using Windows Authentication without having the PC user log off?

+1  A: 

To clarify: Do you want to be logged in to Windows with one account and then be able to view a web site that uses Windows Authentication with a different user?

Maybe you can run the browser under a different account with runas.

Assaf Lavie
Yes, that's what I need to accomplish. So I accept the user's name and password through textboxes and stuff, how then do I proceed?
Matt
Once you enter your credentials the browser runs under that account, so you just navigate and see. If you're trying to do this with code then you need to read about Impersonation.
Assaf Lavie
Impersonation as in changing the "cookie" [or other auth] or impersonation as in how IIS runs? Let's not go down the wrong path, of course. "Cookie" impersonation would be good here, but I think they intend to provide a logout option, not an "admin only" function.
drachenstern
+1  A: 

You could prevent IE (I assume) from automatically passing NTLM credentials. But then you'll get a login dialog.

You can change the "automatically login behavior" by doing the following in IE:

  1. Tools -> Internet Options -> Security tab -> Intranet zone (I assume)

  2. Then click "Custom level..." and scroll to the bottom to User Authentication -> Logon.

  3. Select the "Prompt for user name and password" option.

FF has similar options: go into "about:config" and change the "network.automatic-ntlm-auth.trusted-uris" setting.

Craig
This is correct. If the site is not on the intranet or in the trusted sites list, it will prompt for credentials on a default install. Naturally those choices can be overridden.
drachenstern
The "runas" option is probably easier. =)
Craig
It's on an intranet
Matt
Yep, that's what I meant. Good list of instructions there Craig. Now the only problem is those have to be repeated on each computer using the app, or he has to convince the PC that he's not on the intranet. Sounds like time for a Group Policy if he's doing something intranet. However, the reply to Assaf Lavie makes me think he's not got 401 auth working yet. Waiting for more details before I respond ;)
drachenstern
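
The IE steps in the answer above change one per-zone registry value, so the setting can be inspected or applied per machine from PowerShell. This is an added example, not code from the thread; it assumes the standard Internet Settings zone keys (URL action 1A00, zone 1 = Local intranet), and the function and variable names are illustrative.

```powershell
# Added example (not from the thread). URL action 1A00 is the per-zone
# "User Authentication -> Logon" setting edited in the steps above.
$ZoneNames  = @{ 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }
$Tail       = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$PolicyTail = 'Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
# Checked in this order; the first location that defines 1A00 is reported.
# Simplification: machine-wide preference keys are not considered.
$Sources = @(
    @{ Name = 'Machine policy';  Path = "HKLM:\$PolicyTail" }
    @{ Name = 'User policy';     Path = "HKCU:\$PolicyTail" }
    @{ Name = 'User preference'; Path = "HKCU:\$Tail" }
)

function ConvertTo-LogonMode([int]$Value) {
    switch ($Value) {
        0x00000 { 'Automatic logon with current user name and password' }
        0x10000 { 'Prompt for user name and password' }
        0x20000 { 'Automatic logon only in Intranet zone' }
        0x30000 { 'Anonymous logon' }
        default { 'Unknown value 0x{0:X}' -f $Value }
    }
}

function Get-ZoneLogonPolicy {
    foreach ($zone in 1..4) {
        $hit = $null
        foreach ($src in $Sources) {
            $key = Get-ItemProperty -Path "$($src.Path)\$zone" -Name '1A00' -ErrorAction SilentlyContinue
            if ($null -ne $key) { $hit = $src; break }
        }
        [pscustomobject]@{
            Zone   = $ZoneNames[$zone]
            Source = if ($hit) { $hit.Name } else { 'Not set (browser default)' }
            Logon  = if ($hit) { ConvertTo-LogonMode $key.'1A00' } else { '' }
        }
    }
}

function Set-IntranetLogonPrompt {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $path = "HKCU:\$Tail\1"   # zone 1 = Local intranet, current user only
    if ($PSCmdlet.ShouldProcess($path, 'Set 1A00 to 0x10000 (prompt)')) {
        Set-ItemProperty -Path $path -Name '1A00' -Value 0x10000 -Type DWord
    }
}

Get-ZoneLogonPolicy | Format-Table -AutoSize
# Set-IntranetLogonPrompt -WhatIf   # preview the per-user change before applying it
```

If a zone's Source column shows a policy, the per-user value is overridden and the change has to be made in Group Policy instead.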
+1  A: 

Right-click on your browser icon, choose "Run as...", and provide the other user's credentials.

Joshua Flanagan
Is there a way I can programmatically make that login window open based on an event in my web app?
Matt
+2  A: 

You would be better served to use forms-based auth against AD with impersonation. Pass-through authentication is uneven and introduces a number of issues you don't even want to begin to deal with.

Nissan Fan
Only problem with this is I am using Oracle as my database (not by choice) and the DBAs refuse to install the ASP.NET membership schema, which I'm not even sure can be done.
Matt
You don't have to use the ASP.NET membership schema. You can derive your own custom MembershipProvider that can validate users against whatever you want... database, windows active directory, hard-coded usernames/passwords. =) The world is your oyster.
Craig
Or throw up a SQL Express server and use the integrated ASPNETDB for the simple purpose of authentication. Or use an access provider and keep the file with the site (stupid cheesy and who uses an MDB nowadays, but it works!). Why go through all the headache of linking to ORA for just auth?
drachenstern