Way to validate user is an "in-house" user

[Qik3Coder]

i have a website that is readily accessible to the rest of the world, I have (at least) 1 page that in order for someone to use it, they need to be an "in-house" user. I don't want to have to create a whole new login name password situation, because I don't want them to have to remember yet another password.

I was trying to create a screen where they could enter in their windows login name and password, so that I could validate them against Active Directory, but i am having issues with the password value.

Is there a "better" way to deal with the problem that I have of needing the user to be "on the network" to use this page?

-The answer to your problem may not be the answer to your question.

 

[Gorkem]

Why not test the IP.. ask your I.T. folks to provide you the internal "in-house" range of IP's and test against that.

Cheers,

G.

Oxigen - Next generation business solutions

http://www.oxigen.ca

-----------------------------
Components/Tools/Forums/Software/Web Services

 

[jmeckley]

you could also create a role for the users who are in-house. then secure the page based on the role.

Jason Meckley
Programmer
Specialty Bakers, Inc.

 

[saintedmunds]

Hi

If you use a database to login in with then when you check details you could have a new field Called InHouse and set this to true or false. then once they login set a session("InHouse") = True.

On the page you need to keep away from others have some thing like
If not (Session("InHouse")) then
Redirect back somehwere here ----
End If

Cheers

 

[Qik3Coder]

Gorkem: I may wind up doing this. I am trying to figure out how to handle VPN users (Non local IP).

JMeckley: I am trying to avoid having to setup any form of role based username/password system.

SaintEdmunds: I am actually trying to prevent access to a login page. We do use a database, but i don't store any information about the people who will be logging in.


Thanks,

-The answer to your problem may not be the answer to your question.

 

[Gorkem]

Technically, once a user connects to the VPN, they should have an "in-house" IP address. All traffic should then be going through this "in-house" IP rather than their normal IP address.



Oxigen - Next generation business solutions

http://www.oxigen.ca

-----------------------------
Components/Tools/Forums/Software/Web Services

 

[Qik3Coder]

Yeah, I got the ip range from the network guy, and am going to try that next.

I am having some issues with how to handle some of our MOSS items in a similar fashion, I cannot seem to find, readily, how to do this. The pages don't actually exist on the server so I cannot just tag them through IIS.

Thanks,

-The answer to your problem may not be the answer to your question.

 

[dpk136]

if you are fine with the Active directory route. i would try to verify that the user is a valid user in the active directory. why even check for a password unless you are only allowing access to certain people. if you have access to IIS, you can allow access to people in your network

David Kuhn

 

[Qik3Coder]

dpk136: The webpage is hosted as a publicly accessible site. I believe I would have to access their computer to get their active directory name, which may or may not blow up quite nicely. So I have to ask them for their user name. All they would have to do is enter in a name of someone they spoke with on the phone, in order to bypass the security, if I didnt also ask for their windows password.

My only sticking point now is how to handle our out facing MOSS sites in a similar fashion.


-The answer to your problem may not be the answer to your question.

 

[dpk136]

what if you host the internal pages as a seperate application. this would give you more leeway with how you handle security.

David Kuhn

 

[Qik3Coder]

They are still a part of SiteX, but they are a restricted access page. If i make it a separate application, I will have all sorts of resource issues, because it will need to talk with all the resources that exist in the other site.

-The answer to your problem may not be the answer to your question.

 

[BoulderBum]

So let me see if I understand correctly.

1. You have a public website where anonymous users can browse most of the content.
2. You don't want to store anyone's credentials in a database, and most anonymous users never need credentials.
3. You have a subdirectory or set of pages that you only want AD users to have access to.

Is that right?

If so, and if it's acceptable to have the AD users enter their AD user name and password when trying to access the secured directory, then there's a straightforward way to handle the situation.

Simply use an ActiveDirectoryMembershipProvider and configure your secured subdirectory to deny access to anonymous users.

ActiveDirectoryMembershipProvider

http://msdn2.microsoft.com/en-us/library/system.web.security.activedirectorymembershipprovider.aspx

web.config (see "deny users='?'")

http://www.dotnetjohn.com/articles.aspx?articleid=246

Anyone trying to browse to the secured pages will have to enter their credentials in the page you specify, and the credentials they enter will validate against Active Directory vs. your own database.

MCP, MCTS - .NET Framework 2.0 Web Applications

 

[Qik3Coder]

BoulderBum, That is what i was initially going for.

I have two options, that i have to propose.
One being the AD username/password combo, which may have security implementation issues.

The other being the ip blocking, which i have to figure out how to deal with MOSS (Sharepoint) pages.

-The answer to your problem may not be the answer to your question.