Maybe I'm wrong, but it sounds like you don't really want the password; you
just want users to be allowed in only if they are valid NT Domain users.
In this case you just need to set IIS to disable anonymous and activate the
challenge response (which is more secure).
And then on the web server set the directory permissions for this
application (where the .cfm files are) to "No Access" for the IIS internet
user, and give access to the authorised users (if you just want all NT
logged users - use the Authenticated Users group).

If you need their NT username - get it from the CGI.Auth_User.

Any security scheme of passing NT login passwords in clear text (basic
security) and those then being used by CF or stored in a DB will be a major
security hole.

HTH,
Noam

You can also check out the following security considerations draft document:
http://aebco.com/content/index.cfm?fuseaction=CFX

        ----------
        From:  Jeff Stone [SMTP:[EMAIL PROTECTED]]
        Sent:  Friday, 10 November 2000 1:31
        To:  Fusebox
        Subject:  RE: Passing Windows NT Username & Password from Computer Login

        Thanks, I'll give that a try.

        -----Original Message-----
        From: Russel Madere [mailto:[EMAIL PROTECTED]]
        Sent: Thursday, November 09, 2000 10:27 AM
        To: Fusebox
        Subject: RE: Passing Windows NT Username & Password from Computer Login


        To do this, you have to use the basic security in IIS, not the NT
        Challenge and Response.

        The big shortcoming of this is that the user name and password are
        passed in plain text.

        That is a huge no-no.  Leaves your site wide open to password
        sniffers.

        What I ended up doing at a previous job was use the CF Advanced
        Security (in CF Server Enterprise) and a custom form.  There was no
        way to intercept the NT password except having the user enter it
        into a form.

        Russel

        ============================================================
          Russel Madere, Jr.         Senior Web Developer
          ICQ: 5446158               http://www.TurboSquid.com

        Some days you eat the bear; some days the bear eats you.
        ============================================================


        > -----Original Message-----
        > From: Jeff Stone [mailto:[EMAIL PROTECTED]]
        > Sent: Thursday, November 09, 2000 13:20
        > To: Fusebox
        > Subject: Passing Windows NT Username & Password from Computer Login
        >
        >
        > I have a client who wants me to build a security intranet login
        > application.
        > Instead of having a login screen asking the user to fill in a
        > username and password, they want the user's NT username and
        > password to be passed to my ColdFusion application automatically.
        > That way, the user will not have to login to the online
        > application.  I have figured out how to look up the Local Users &
        > Groups on a web server and pass that information on once I have
        > the NT username and password, but I cannot figure out how to
        > automatically pass the username and password from the user's NT
        > login.
        >
        > I know one possibility is to have the user specify their NT
        > username and password in my application the first time they use
        > it.  Then, I can store this encrypted information in a database
        > and give the user a cookie for future easy access, but this is not
        > an ideal plan.
        >
        > Has anyone done this before?
        >
        >
        > Thank you,
        >
        > Jeff Stone
        > [EMAIL PROTECTED]
        >
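
The IIS setup described at the top of this thread, seen from the ColdFusion side, as an added example that is not part of the original messages: an Application.cfm guard that refuses anonymous and Basic-authenticated requests and splits CGI.Auth_User into domain and username. The domain name EXAMPLECORP and the Request.ntUser / Request.ntDomain variables are hypothetical.

```cfml
<!--- Application.cfm guard: added example, not code from the thread. --->
<!--- Assumes IIS has anonymous access disabled and NT Challenge/Response
      enabled on this directory, so IIS authenticates before CF runs. --->

<cfset authUser = Trim(CGI.AUTH_USER)>
<cfset authType = Trim(CGI.AUTH_TYPE)>

<!--- An empty AUTH_USER means IIS served the request anonymously,
      i.e. the directory is misconfigured. Fail closed. --->
<cfif Len(authUser) EQ 0>
    <cfheader statuscode="401" statustext="Unauthorized">
    <cfabort>
</cfif>

<!--- Basic authentication carries the NT password in clear text.
      Refuse it even if someone re-enables it in IIS later. --->
<cfif CompareNoCase(authType, "Basic") EQ 0>
    <cfheader statuscode="403" statustext="Forbidden">
    <cfabort>
</cfif>

<!--- AUTH_USER normally arrives as DOMAIN\username. Split it so the
      application can key on the username and check the domain. --->
<cfif Find("\", authUser)>
    <cfset ntDomain = ListFirst(authUser, "\")>
    <cfset ntUser   = ListRest(authUser, "\")>
<cfelse>
    <cfset ntDomain = "">
    <cfset ntUser   = authUser>
</cfif>

<!--- EXAMPLECORP is a hypothetical domain name. Accounts from any
      other domain, or with no domain at all, are rejected. --->
<cfset allowedDomain = "EXAMPLECORP">
<cfif CompareNoCase(ntDomain, allowedDomain) NEQ 0>
    <cfheader statuscode="403" statustext="Forbidden">
    <cfabort>
</cfif>

<!--- The application only ever sees the identity, never the password.
      Request.ntUser and Request.ntDomain are hypothetical names. --->
<cfset Request.ntUser   = LCase(ntUser)>
<cfset Request.ntDomain = UCase(ntDomain)>
```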
        