Authenticate Windows Users
The sample code for this article shows how to use Active Directory or NTLM authentication for users, depending on the web.config settings. To use Active Directory, set the appSettings portion of the web.config file:
<appSettings>
<add key="UseActiveDirectory" value="true"/>
<add key="ActiveDirectoryServer" value="192.168.0.12"/>
</appSettings>
These settings trigger the .Net DirectoryEntry class to authenticate users through Active Directory. You can accomplish the authentication call with code like the following:
using System.DirectoryServices;
// Return the IP address (or host name) of the AD server, taken from the ActiveDirectoryServer setting
String serverName = GetServerName();
DirectoryEntry de = new DirectoryEntry("LDAP://" + serverName,
    userName, password);
// The constructor only stores the credentials; the bind that validates them happens on first access
object nativeObject = de.NativeObject;
The code throws an exception if the username and password are not valid. The DirectoryEntry class is part of the System.DirectoryServices namespace, which provides programmatic access to Active Directory.
A second method of authenticating users is through the native Win32 API LogonUser function. This method uses either NTLM or Kerberos authentication, depending on which version of Windows you use. LogonUser is the same function called when a user logs on to a computer that runs Windows; it requires a domain name, username, and password.
You can use the following web.config setting to have the sample code in this article use native Windows authentication:
<appSettings>
<add key="UseActiveDirectory" value="false"/>
<add key="Domain" value="MyDomain" />
</appSettings>
These settings invoke code similar to the following:
[DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
static extern bool LogonUser(string user, string domain, string password, int logonType, int logonProvider, out IntPtr token);
const int LOGON32_LOGON_NETWORK = 3;   // verify the credentials only; no interactive session
const int LOGON32_PROVIDER_DEFAULT = 0;
IntPtr token;
if(!LogonUser(username, domain, password,
    LOGON32_LOGON_NETWORK, LOGON32_PROVIDER_DEFAULT, out token))
{
    //throw an exception for login failure
}
The logon type value 3 (LOGON32_LOGON_NETWORK) specifies that the call should not log the user on to the current computer interactively but instead just verify his or her credentials.
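The following helper ties the two methods described above together in one place: it reads the same appSettings keys shown in the article, binds with DirectoryEntry when UseActiveDirectory is true and calls LogonUser otherwise, and handles the failure cases (bad credentials, unreachable server, leaked token handle). It is an added example written for this page, not part of the article's downloadable code; the class name WindowsAuthenticator, the use of AuthenticationTypes.Secure and the P/Invoke signatures are my choices, and it assumes a .NET Framework application with System.DirectoryServices and System.Configuration referenced.

```csharp
using System;
using System.Configuration;
using System.DirectoryServices;
using System.Runtime.InteropServices;

// Added example: one entry point that dispatches to the two methods the article describes.
public static class WindowsAuthenticator
{
    // P/Invoke declaration for the Win32 LogonUser function in advapi32.dll
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    private static extern bool LogonUser(string lpszUsername, string lpszDomain, string lpszPassword,
        int dwLogonType, int dwLogonProvider, out IntPtr phToken);

    [DllImport("kernel32.dll", SetLastError = true)]
    private static extern bool CloseHandle(IntPtr hObject);

    private const int LOGON32_LOGON_NETWORK = 3;    // credential check only, no interactive session
    private const int LOGON32_PROVIDER_DEFAULT = 0;

    // Returns true when the credentials are valid. Exceptions are caught so the caller
    // gets a plain yes/no and no server detail leaks into error pages.
    public static bool Authenticate(string userName, string password)
    {
        // Reject blank credentials before touching any directory: an LDAP simple bind with an
        // empty password is treated as an anonymous bind and would otherwise "succeed".
        if (string.IsNullOrEmpty(userName) || string.IsNullOrEmpty(password))
            return false;

        bool useAd = string.Equals(ConfigurationManager.AppSettings["UseActiveDirectory"],
                                   "true", StringComparison.OrdinalIgnoreCase);
        return useAd ? AuthenticateWithDirectoryEntry(userName, password)
                     : AuthenticateWithLogonUser(userName, password);
    }

    private static bool AuthenticateWithDirectoryEntry(string userName, string password)
    {
        string server = ConfigurationManager.AppSettings["ActiveDirectoryServer"];   // key from the article's web.config
        // userName is expected in DOMAIN\user or user@domain form for AD
        using (DirectoryEntry de = new DirectoryEntry("LDAP://" + server, userName, password,
                                                      AuthenticationTypes.Secure))
        {
            try
            {
                // The constructor does not contact the server; the bind (and therefore the
                // credential check) happens on first use of the entry.
                object native = de.NativeObject;
                return native != null;
            }
            catch (COMException)
            {
                // Invalid credentials and an unreachable server both surface here; treat both as "not authenticated"
                return false;
            }
        }
    }

    private static bool AuthenticateWithLogonUser(string userName, string password)
    {
        string domain = ConfigurationManager.AppSettings["Domain"];   // key from the article's web.config
        IntPtr token = IntPtr.Zero;
        try
        {
            return LogonUser(userName, domain, password,
                             LOGON32_LOGON_NETWORK, LOGON32_PROVIDER_DEFAULT, out token);
        }
        finally
        {
            // LogonUser returns a token handle on success; release it so handles do not accumulate per request
            if (token != IntPtr.Zero) CloseHandle(token);
        }
    }
}
```

Call `WindowsAuthenticator.Authenticate(user, password)` from the Web service method. The empty-password check matters most for the DirectoryEntry path: without it, a request carrying a valid username and a blank password can bind anonymously and be mistaken for a successful login.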
Where to Go from Here
The downloadable code consists of four Visual Studio.NET projects. The first, Authenticate, is the Web service described above. The ThickClient and WebApp clients demonstrate how to call the authentication service. All of the projects use the CryptoUtils project, which contains encryption code for transmitting usernames and passwords. Figure 2 shows an example of the ThickClient program.
Figure 2. Login Screen for the ThickClient Sample: the ThickClient client demonstrates how to call the authentication service.
Use the service I've provided as a starting point for your own projects, although it probably won't serve all of your needs in its present form. For instance, if your application needs to selectively grant permissions based on a user's group membership, then you will need to add custom code. For example, if you're not using a custom set of usernames and passwords, the authentication service can be extended to return the user's Windows security identifier.
Because the service is a single point of entry for your users, you might also add functionality to record login statistics, such as code that writes to the Windows Event Log or inserts records into a custom database table. Whatever the approach you decide to take, the service described here gives you a good deal of flexibility to take control of the authentication process in your applications.
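As an added example of the login-statistics idea above (not code from the article's projects), the class below writes each authentication outcome to the Windows Event Log as a success or failure audit entry and keeps a per-user count of consecutive failures so repeated bad logins stand out. The source name AuthenticateService and the failure threshold are assumptions; the password is deliberately never passed in, so it cannot end up in the log.

```csharp
using System;
using System.Collections.Generic;
using System.Diagnostics;

// Added example: audit trail for the authentication service described in the article.
public static class LoginAudit
{
    private const string SourceName = "AuthenticateService";   // assumed event source name
    private const string LogName = "Application";
    private const int FailureThreshold = 5;                     // assumed; tune for your environment

    private static readonly object Sync = new object();
    private static readonly Dictionary<string, int> ConsecutiveFailures =
        new Dictionary<string, int>(StringComparer.OrdinalIgnoreCase);

    // Records one attempt. Returns the current consecutive-failure count for the user
    // (0 after a success) so the caller can apply its own lockout or throttling policy.
    public static int Record(string userName, string clientAddress, bool succeeded)
    {
        int failures;
        lock (Sync)
        {
            if (succeeded)
            {
                ConsecutiveFailures.Remove(userName);
                failures = 0;
            }
            else
            {
                ConsecutiveFailures.TryGetValue(userName, out failures);
                failures++;
                ConsecutiveFailures[userName] = failures;
            }
        }

        // Creating the source needs administrative rights the first time; in a web app
        // register it once at install time rather than from the worker process.
        if (!EventLog.SourceExists(SourceName))
            EventLog.CreateEventSource(SourceName, LogName);

        string message = string.Format("Authentication {0} for user '{1}' from {2}",
            succeeded ? "succeeded" : "failed", userName, clientAddress);

        EventLog.WriteEntry(SourceName, message,
            succeeded ? EventLogEntryType.SuccessAudit : EventLogEntryType.FailureAudit,
            succeeded ? 1000 : 1001);

        // Raise a separate warning when a user crosses the failure threshold, which is the
        // entry an operator would alert on.
        if (!succeeded && failures == FailureThreshold)
        {
            EventLog.WriteEntry(SourceName,
                string.Format("{0} consecutive failed logins for user '{1}' (last from {2})",
                              failures, userName, clientAddress),
                EventLogEntryType.Warning, 1002);
        }
        return failures;
    }
}
```

Call `LoginAudit.Record(userName, Context.Request.UserHostAddress, ok)` right after the credential check in the Web service. The counter is in-process memory, so it resets when the worker process recycles; for a durable record, replace the dictionary with the custom database table the article mentions.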
Phil Syme co-authored "Sams Teach Yourself C# Internet Programming in 21 Days" and a companion book using VB.NET. Phil has also co-authored two articles published in the IEEE Fault Tolerant Computing Symposium. Phil currently works in Washington, DC, implementing a large pension valuation and reporting system with .Net.