
User Authentication

Status
Not open for further replies.

Zyrenthian

Programmer
Mar 30, 2001
1,440
US
Hi All,
I don't think this is possible, but maybe someone here knows differently. I need to validate a username and password (which will be the same as the user's username and password) from a workstation. I would like to do it all on the client and not the server. However, from what I am reading, it looks like I will need to open a socket on the server and talk to it from the client. Basically, we have a "generic" logon but we want to know which user is really at the computer when they access our application(s). They will be presented with a Logon dialog to enter a username, password and domain. With that information, I first attempted to use "LogonUser" but I don't want the "generic" logon to have the permissions required to use that. Second, I attempted using the security/secur32 dlls but those seem to need to run on a server for certain operations. Are there any other approaches to validate a Windows username and password?

Matt
 
Matt,

My advice: use your own user-ids and passwords. Store them somewhere encrypted in the application's database (or data files, or registry) and do not use the Windows logon.
What you want is creating a possible security hole. I will never trust any application except Windows logon, which asks for my user-id and password. The application might contain malware which is going to misuse it. Or it might be monitored by some other process.
Even if this means that users have to remember another password, it is better than the possible risks.



Marcel
 
Any password validations must be done on the server. Passwords are stored in encrypted form (usually using the MD5 algorithm, which does not give any way to decrypt passwords). Any passwords given by the client are encrypted and compared with the encrypted ones. Clients only give some interface to enter the password.

Ion Filipski

ICQ: 95034075
AIM: IonFilipski
filipski@excite.com
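
Added example, not code from any post in this thread: a minimal server-side store for application-specific passwords, following the replies above (store only a one-way hash, hash what the client sends, compare on the server). It substitutes salted PBKDF2-HMAC-SHA256 for the MD5 mentioned in the thread; the class and function names, the iteration count, the case-insensitive usernames and the sample credentials are assumptions.

```python
import hashlib
import hmac
import os

ITERATIONS = 310_000  # assumed work factor; tune to the server's hardware
SALT_LEN = 16         # bytes of random salt stored per user


def make_record(password: str, iterations: int = ITERATIONS) -> dict:
    """Build what the server stores: salt, work factor and derived hash."""
    salt = os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": digest}


# Constructed record used for unknown usernames, so a failed lookup costs
# the same hashing work as a real one and does not reveal which names exist.
_DUMMY = make_record("constructed-dummy-password")


class CredentialStore:
    """In-memory stand-in for the application's server-side user table."""

    def __init__(self):
        self._users = {}

    def enroll(self, username: str, password: str) -> None:
        # Assumption: usernames are case-insensitive, as Windows logons are.
        self._users[username.lower()] = make_record(password)

    def verify(self, username: str, password: str) -> bool:
        record = self._users.get(username.lower())
        known = record is not None
        record = record if known else _DUMMY
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                        record["salt"], record["iterations"])
        # Constant-time comparison avoids leaking how many bytes matched.
        match = hmac.compare_digest(candidate, record["hash"])
        return known and match


if __name__ == "__main__":
    store = CredentialStore()
    store.enroll("Matt", "S3cret-constructed")      # constructed sample data
    print(store.verify("matt", "S3cret-constructed"))
    print(store.verify("matt", "wrong-guess"))
```

The client in this arrangement only collects the username and password and sends them to the server over a protected channel; the salt and stored hash never leave the server.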
 