Using NT Logon to validate an ASP page

Results 1 to 2 of 2

Thread: Using NT Logon to validate an ASP page

  1. #1
    Fuzzy Guest

    Default Using NT Logon to validate an ASP page

    I need to do a bit of double validation. For this particular application, we are already using NT challenge/response. However, my boss wants to make sure that the person at the computer is the actual person. Is there a way to call an API to validate the person with their NT password at the LOCAL level, with no sensitive information being passed across the network?

  2. #2
    asphead Guest

    Default RE: Using NT Logon to validate an ASP page

    Unfortunately, short of writing an activex control, you cannot validate the way you want to at the local level. If you did write an activex control, you should be able to make the API calls you need.<BR><BR>HOWEVER. If you used SSL on the webserver , you could then use Basic Authentication at the webserver. This works because the entire transmission (including the username and password normally being passed in basic text) is encrypted as part of SSL. Since you used basic authentication, it would ask you everytime. In case you are not aware, you CAN set up SSL (at least with NT4) without purchasing certs from 3rd party cert. authorities.<BR><BR>I am assuming the risk you are trying to mitigate is the instance where a valid user already logged in walks away from his computer. I worked for a bank once where this was the exact situation. It was resolved by having a policy of password protected screen-savers on each desktop with a timeout of 5 minutes.<BR><BR>You may find something usefull by investigating user web certificates (i have never used them), but I think you will still find that if the user walks away while still logged in, the risk stands.<BR><BR>

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts