NTLM authentication

  • webrod

    NTLM authentication

    Dear All,

    let's say I have a web service.
    I would like to authenticate users who try to access it.
    I am on a winnt server so I will have to use NTLM but I don't want to
    use IIS settings.

    Is there a way to authenticate a user using WSE 3.0 against NTLM??

    All the samples I have found on the web provide a solution based on
    IIS.

    Thanks for your answer

    Rod

  • Mark Rae

    #2
    Re: NTLM authentication

    "webrod" <rodolphe.aoustin@gmail.com> wrote in message
    news:1167833180.697563.84840@h40g2000cwb.googlegroups.com...
    > let's say I have a web service.
    > I would like to authenticate users who try to access it.
    > I am on a winnt server so I will have to use NTLM but I don't want to
    > use IIS settings.
    >
    > Is there a way to authenticate a user using WSE 3.0 against NTLM??
    >
    > All the samples I have found on the web provide a solution based on
    > IIS.

    Is the webservice on the public internet...?



    • webrod

      #3
      Re: NTLM authentication

      > Is the webservice on the public internet...?

      no, not all.


      • Mark Rae

        #4
        Re: NTLM authentication

        "webrod" <rodolphe.aoustin@gmail.com> wrote in message
        news:1167840539.950567.53800@s34g2000cwa.googlegroups.com...
        >> Is the webservice on the public internet...?
        > no, not all.

        OK - well, that certainly makes it easier.

        So, then, presumably a user logs onto their workstation with their Windows
        domain userid & password and then runs a desktop app (or maybe browses the
        corporate intranet) which references a webservice running on a webserver in
        the same domain as the user...? Is this right...?

        What do you want to "know" next? Once you know what you need to know, what
        do you need to do with that information...?



        • Willy Denoyette [MVP]

          #5
          Re: NTLM authentication

          "webrod" <rodolphe.aoustin@gmail.com> wrote in message
          news:1167833180.697563.84840@h40g2000cwb.googlegroups.com...
          > Dear All,
          >
          > let's say I have a web service.
          > I would like to authenticate users who try to access it.
          > I am on a winnt server so I will have to use NTLM but I don't want to
          > use IIS settings.
          >
          > Is there a way to authenticate a user using WSE 3.0 against NTLM??
          >
          > All the samples I have found on the web provide a solution based on
          > IIS.
          >
          > Thanks for your answer
          >
          > Rod

          AFAIK WSE 3.0 does not support NTLM, why not use Kerberos?

          Willy.


          • webrod

            #6
            Re: NTLM authentication

            thank you very much for your answer Mark.

            What I want to know is a way to check a user credential against a NTLM
            database.

            Suppose I log on a workstation with BOB, then I want to start my .NET
            application which access a web service as ALICE user.
            My application will open a LOGIN form, then I want to provide ALICE
            credential (login/pwd) to the web service.
            Then my WS needs to check that the user (ALICE) really exists and check
            the password.
            (and if possible it should check the roles for authorization purpose
            but I don't know yet if you can associate a role to a user with NTLM).

            Actually, I am starting a project where my customers can have:
            - AD (I use kerberos) => this is done
            - ADAM (I do a LDAP bind against ADAM) => this is done
            - winnt: I need to use NTLM (??) => this is in progress ;)

            I don't want to use IIS setting, I would like to use something like
            WSE.

            Rod


            • webrod

              #7
              Re: NTLM authentication

              > AFAIK WSE 3.0 does not support NTLM, why not use Kerberos?


              Willy,

              I think you're right, I read somewhere that NTLM is not a public
              protocol, that's why it is not supported by WSE.
              So I am still wondering how I can check a user credential against a
              NTLM database without IIS.

              Is there something like a LDAP bind (as I did with ADAM)??

              Thanks for your help.

              Rod


              • webrod

                #8
                Re: NTLM authentication

                > AFAIK WSE 3.0 does not support NTLM, why not use Kerberos?

                I forgot to answer your question.
                I can't use kerberos because I am on a Winnt system based on NTLM not
                kerberos.
                Or I misunderstood something again...??

                Rod


                • Willy Denoyette [MVP]

                  #9
                  Re: NTLM authentication

                  "webrod" <rodolphe.aoustin@gmail.com> wrote in message
                  news:1167896223.776921.259880@42g2000cwt.googlegroups.com...
                  >> AFAIK WSE 3.0 does not support NTLM, why not use Kerberos?
                  >
                  > Willy,
                  >
                  > I think you're right, I read somewhere that NTLM is not a public
                  > protocol, that's why it is not supported by WSE.

                  Well, WSE3.0 is just an interim solution, WCF is the way to go and this one supports NTLM
                  authentication.

                  > So I am still wondering how I can check a user credential against a
                  > NTLM database without IIS.

                  NTLM database?
                  You mean authenticating using NTLM.

                  > Is there something like a LDAP bind (as I did with ADAM)??

                  ADAM does not hold Windows identities, so can't be used here.


                  Willy.


                  • Willy Denoyette [MVP]

                    #10
                    Re: NTLM authentication

                    "webrod" <rodolphe.aoustin@gmail.com> wrote in message
                    news:1167896693.425356.69600@i80g2000cwc.googlegroups.com...
                    >> AFAIK WSE 3.0 does not support NTLM, why not use Kerberos?
                    >
                    > I forgot to answer your question.
                    > I can't use kerberos because I am on a Winnt system based on NTLM not
                    > kerberos.

                    I don't get it, this is a local intranet and you are only running SQL on a server which is
                    not a Domain member and you want to authenticate windows (local) accounts using NTLM (that
                    is SQL integrated security)?
                    Well, I'm afraid the answer is - you can't use WSE 3.0 without IIS hosting for this. One
                    (the best long term) option is to use WCF, which supports SSPI and SPNEGO, that means it can
                    authenticate using Kerberos and fall back to NTLM when not available.
                    Another option is to drop your DAL into a COM+ server application (using
                    System.EnterpriseServices) and use ADAM with LDAP "authentication" in order to implement
                    role based authorization. The COM+ server can run with "Windows" account credentials having
                    access to SQL server. Note that you'll need to use SSL authentication between the client and
                    the WSE service, if you want to make this secure, it makes little sense to protect SQL
                    access when one can catch the clear text password traveling between client and server.



                    Willy.



                    • Mark Rae

                      #11
                      Re: NTLM authentication

                      "webrod" <rodolphe.aoustin@gmail.com> wrote in message
                      news:1167896051.471261.59390@q40g2000cwq.googlegroups.com...
                      > - winnt: I need to use NTLM (??) => this is in progress ;)
                      >
                      > I don't want to use IIS setting, I would like to use something like
                      > WSE.

                      Ah, in which case, I think you might be out of luck as I don't believe WSE
                      supports NTLM authentication - have you considered WCF...?



                      • webrod

                        #12
                        Re: NTLM authentication

                        > Well, WSE3.0 is just an interim solution, WCF is the way to go and this one supports NTLM
                        > authentication.

                        okay so I will read more information about WCF

                        >> So I am still wondering how I can check a user credential against a
                        >> NTLM database without IIS.
                        >
                        > NTLM database?
                        > You mean authenticating using NTLM.

                        actually I don't know how to say it :(
                        In Winnt, I guess the users are stored in a SAM database, right?
                        So is there a way to check a user credential against a SAM database??
                        Or, how can I check a user credential on winnt?

                        >> Is there something like a LDAP bind (as I did with ADAM)??
                        >
                        > ADAM does not hold Windows identities, so can't be used here.

                        OK, I don't use ADAM, it was just an example :)
                        Actually I use ADAM only if the customer who will buy the product do
                        not have a domain (workgroup) but this is another problem.
                        In my current configuration, this is a WinNT system, so I do not have
                        AD nor ADAM.
                        I have a SAM database and I was wondering If I could bind the SAM to
                        authenticate a user (like I would do it with ADAM).

                        Suppose you have this credential : ALICE / ALICE_PWD
                        How do you do to check if this user (ALICE) really exist in the domain
                        (in the SAM database) and if the password (ALICE_PWD) is the right
                        one??
                        Maybe it's impossible, I don't know.

                        Thanks again for your time and your answer.
                        Rod


                        • webrod

                          #13
                          Re: NTLM authentication

                          >> I forgot to answer your question.
                          >> I can't use kerberos because I am on a Winnt system based on NTLM not
                          >> kerberos.
                          >
                          > I don't get it, this is a local intranet and you are only running SQL on a server which is
                          > not a Domain member and you want to authenticate windows (local) accounts using NTLM (that
                          > is SQL integrated security)?

                          SQL? Why are we speaking about SQL? :)

                          Actually, I have users who belong to a domain (WinNT).
                          So I have users in the SAM database.
                          Now what I want is to check that a user really exists in this DB with a
                          .NET script.
                          So I would like a way to query the SAM database OR to bind the SAM
                          database.

                          > Well, I'm afraid the answer is - you can't use WSE 3.0 without IIS hosting for this.

                          Yes, IIS is hosting my Web Service (the WS has to check the user
                          credential to provide access to the WS or not).
                          I am not saying that IIS is not hosting my WS, I am just saying that I
                          would like to have a solution without using IIS settings.

                          Rod


                          • webrod

                            #14
                            Re: NTLM authentication


                            Mark Rae wrote:
                            > "webrod" <rodolphe.aoustin@gmail.com> wrote in message
                            > news:1167896051.471261.59390@q40g2000cwq.googlegroups.com...
                            >
                            >> - winnt: I need to use NTLM (??) => this is in progress ;)
                            >>
                            >> I don't want to use IIS setting, I would like to use something like
                            >> WSE.
                            >
                            > Ah, in which case, I think you might be out of luck as I don't believe WSE
                            > supports NTLM authentication - have you considered WCF...?

                            not yet, you're right. Regarding WSE, it was an example. We can forget
                            it.

                            Rod


                            • Mark Rae

                              #15
                              Re: NTLM authentication

                              "webrod" <rodolphe.aoustin@gmail.com> wrote in message
                              news:1167909149.759083.317590@6g2000cwy.googlegroups.com...
                              > Actually, I have users who belong to a domain (WinNT).
                              > So I have users in the SAM database.
                              > Now what I want is to check that a user really exists in this DB with a
                              > .NET script.
                              > So I would like a way to query the SAM database OR to bind the SAM
                              > database.

                              Is *that* all you want to do...? I.e. validate a login and password...?

                              Why don't you just do this:

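                              using System;
                              using System.DirectoryServices;

                              public static bool Logon(string pstrDomain, string pstrUser, string pstrPassword)
                              {
                                  try
                                  {
                                      // Bind to the directory with the supplied credentials
                                      using (DirectoryEntry objADEntry = new DirectoryEntry("LDAP://" + pstrDomain, pstrUser, pstrPassword))
                                      {
                                          // Reading NativeObject forces the bind; it throws if the bind fails
                                          return !objADEntry.NativeObject.Equals(null);
                                      }
                                  }
                                  catch (System.Runtime.InteropServices.COMException)
                                  {
                                      // The bind failed (rejected credentials or unreachable server)
                                      return false;
                                  }
                                  catch (Exception)
                                  {
                                      // Anything else is passed on to the caller
                                      throw;
                                  }
                              }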


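Added example, not part of the thread and not any poster's code: the thread asks how to check ALICE's user name and password, and if possible her group membership, against a WinNT domain or local SAM where an LDAP bind has nothing to bind to. One way is the Win32 `LogonUser` call through P/Invoke; the class name `NtLogon`, the method `Validate` and the parameter `requiredGroup` are hypothetical names chosen for this sketch.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Security.Principal;

public static class NtLogon   // hypothetical helper, not from the thread
{
    // Win32 constants (winbase.h / winerror.h)
    private const int LOGON32_LOGON_NETWORK = 3;    // validate only, no desktop session
    private const int LOGON32_PROVIDER_DEFAULT = 0; // Windows picks the package (NTLM for SAM accounts)
    private const int ERROR_LOGON_FAILURE = 1326;   // unknown user name or bad password

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    private static extern bool LogonUser(string user, string domain, string password,
        int logonType, int logonProvider, out IntPtr token);

    [DllImport("kernel32.dll", SetLastError = true)]
    private static extern bool CloseHandle(IntPtr handle);

    // Returns true when the credentials are valid and, if requiredGroup is
    // given (e.g. @"MYDOMAIN\WsUsers", a made-up name), the account is in it.
    // Pass "." as domain to check against the local machine's SAM.
    public static bool Validate(string domain, string user, string password, string requiredGroup)
    {
        IntPtr token;
        if (!LogonUser(user, domain, password,
                       LOGON32_LOGON_NETWORK, LOGON32_PROVIDER_DEFAULT, out token))
        {
            int err = Marshal.GetLastWin32Error();
            if (err == ERROR_LOGON_FAILURE)
                return false;              // same answer for "no such user" and "wrong password"
            throw new Win32Exception(err); // locked out, expired, no logon server: log server-side
        }
        try
        {
            if (string.IsNullOrEmpty(requiredGroup))
                return true;
            // WindowsIdentity duplicates the token, so ours is still closed below.
            using (WindowsIdentity identity = new WindowsIdentity(token))
            {
                return new WindowsPrincipal(identity).IsInRole(requiredGroup);
            }
        }
        finally
        {
            CloseHandle(token);
        }
    }
}
```

As with the LDAP bind shown in the thread, the web service receives the password itself, so Willy's point about protecting the client-to-service channel with SSL applies here too.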