Using Coldfusion 8,
how can I check whether window user is currently logged in?
I know, I can use cgi.auth_user variable (domain\username ), however is it always reliable to use?
if not, what other ways to check?
IIRC, cgi.auth_user shows the username of a user authenticated via basic authentication. I don't think it supports windows domain connections. Assuming that you are on a windows domain, that should be easy to test -- just dump the cgi scope.
Related
I use psexec to run my app,
Some of the tasks my app does should have a logged on user,
so I want to check (from the app, not the server which runs the psexec)
if there is a user which currently logged on. I couldn't find any api which retrieve this. My code is in c++.
Any idea to check it?
use LsaEnumerateLogonSessions + LsaGetLogonSessionData
Found a solution to this issue
I enumerate the registry keys (using RegEnumKeyEx) under HKEY_USERS.
If there is a key different from the default ones (".DEFAULT","S-1-5-18","S-1-5-19","S-1-5-20") it means that at least on user is logged on
I am currently trying to authenticate users in a c++ application in Windows. I need to display a dialog for username and password and verify that they are an authenticated user on the Windows machine. Are there any libraries that allow for this functionality or a good way to go about it?
Probably CredUIPromptForWindowsCredentials (see http://msdn.microsoft.com/en-us/library/aa375178.aspx) or old CredUIPromptForCredentials (see http://msdn.microsoft.com/en-us/library/aa375177.aspx) could solve your problem?
UPDATED: Another the most old way to authenticate a user is using of SSPI. It will not help with displaying a dialog but this can you implement yourself. You can find a very old code example (probably the first one published by Microsoft) here http://support.microsoft.com/kb/180548.
If you do want use LDAP API (see http://msdn.microsoft.com/en-us/library/aa366102.aspx) you can use ldap_bind_s (see http://msdn.microsoft.com/en-us/library/aa366156.aspx) to verify user authentication. See http://msdn.microsoft.com/en-us/library/aa366106.aspx as a code example (it is not exactly what you want, but you can understand how these API work)
I am working to set up SSO for our intranet the idea is that a user would login to their workstation using their active directory username and password. Then a small application would run at login that would send some uniquely identifiable information,user name, and computers MAC address to the server were it would be entered into a database with a time stamp. Then when the user accesses the intranet a java applet would send the users mac address to the server and compare it to the database entry to see if it finds a match within a given time frame, if it does then it signs the user in and removes the entry from the database.
Unfortunately our intranet is not running on IIS so I can't use NTLM to do authentication which would be easier but not cross browser compatible which is one of the requirements. NTLM is also not an option because our intranet is only accessible in the form intranet.company.com and as far as I know NTLM does not work with addresses in that form.
Okay now onto the question. I am currently in the process of creating the client authentication application in C++ and need a way to get some unique identifier or token that would differentiate a legitimately logged in Active Directory user from some one who got a hold of the application and changed their local username to an AD user.
Yes I know this is probably the wrong way of doing it but right now it seems like the only option. If you have any suggestions beyond not doing it please let me know. Also I am aware of the huge gaping security hole it creates if you can think of a way to patch up that hole with out NTLM be sure to let me know.
AD is just Microsoft's implementation of Kerberos. One of the core features if Kerberos is to create such permission tickets. So, on that side your solution is not a hack at all. It's just the validation part that looks like a car crash.
However, I'm entirely lost at the client-side problem you have. The entire point of AD or Kerberos in general is that you can't spoof an authenticated user. You just ask the OS for a ticket for the logged-in user. It doesn't matter who gets hold of your app, or or what his local username would be. The OS knows precisely who is logged in.
I'm currently using ShellExecute "open" to open a URL in the user's browser, but running into a bit of trouble in Win7 and Vista because the program runs elevated as a service.
When ShellExecute opens the browser, it seems to read the "Local Admin" profile instead of the user's. So for example, if the user at the keyboard has Firefox as his default browser, it may open IE (which is the admin's default).
I know that the "runas" verb can be used to elevate, but how do you do it the other way around? Is there a way to open a URL in the default browser on a standard user's desktop from a service?
ShellExecute will execute the program in the context of the same session and same user as the process you are running.
If you'd like to use a different session or user token you can use the CreateProcessAsUser Win32 API.
There are several ways to obtain a user token, for example you can call the Win32 API:
LogonUser if you know the username and password
WTSQueryUserToken for any given session ID.
OpenProcessToken if you have another process handle
After a while of testing, the best way to determine the default browser is the following:
NOTE: It is strange but it's true...
It has nothing to say that an application is the default application for
some file type or web protocol like 'http'. What matters to determine the default
web browser is just what is registered in the start menu entry (see reg key below).
So forget all the HKCR\http, HKCU\Software\Classes\http, HKLM\Software\Classes\http and their friends.
read from "HKEY_CURRENT_USER\Software\Clients\StartMenuInternet"
read command line from "HKEY_LOCAL_MACHINE\Software\Clients\StartMenuInternet\\shell\open\command"
truncate the command line after ".exe"
Of course you need to impersonate as the logged on user first.
If this solution does not work (like with w2k), use the handler for the http protocol.
To actually start the default browser from a service we use an extra process which is within the service using the logged on user-context. This process starts the above commandline (using ShellExecute on platforms >= Vista). Be sure to use same integrity level (medium) as a default user (else IE won't work because it uses DDE).
HTH.
Aaron Margosis has a seven-step native code example at http://blogs.msdn.com/aaron_margosis/archive/2009/06/06/faq-how-do-i-start-a-program-as-the-desktop-user-from-an-elevated-app.aspx. Won't help you from your service if that is what you have - I agree your service shouldn't be trying to launch an app as the logged in user, especially since there might not be one.
I need to make a simple knowledge-base type application to use in company internal network. To make it simple and fast to use for end-users I would like to skip all the login in part (as it will be only visible to internal network users who we trust anyway) and automaticly pull the domain user name from the user and put it into the database (don't want people to waste time manually entering their name; the littler time they waste using the app, the higher chance they will actually use it).
So, is it possible to get that kind of information on a server? Do windows browsers send it in some headers that I could trust to be there?
If you are using IIS and Internet Explorer, you could turn on 'Integrated Windows Authentication' (NTLM authentication). This causes IE to automatically authenticate the user using your domain infrastructure. After automatic login, you can access the user name using the environment variable LOGON_USER. There is also a module for Apache (mod_ntlm) for this purpose, although I don't know its status.
Maybe you could event try to implement NTLM authentication yourself, but this will certainly be a lot of work.
Other than that, there seems to be no way since no reasonable browser will send the user name...
EDIT: It seems that python-win32 extensions or python-ntlm could do the trick, check out this thread. You still have to integrate it into Django, though.