June 13, 2002 at 4:05 pm
Is it possible to force users to enter a login and password for an application while using Windows Authentication?
June 13, 2002 at 4:09 pm
Yes. Programmatically you can do this within the application, with it taking care of the NT authentication. Are you wanting to prompt them for a username and password in order to connect to SQL Server, though?
K. Brian Kelley
http://www.sqlservercentral.com/columnists/bkelley/
June 13, 2002 at 4:16 pm
Yes. I would like users to have to log into our in-house applications that access the SQL Server. I want to use Windows authentication mode to reuse the Active Directory group structure, but I want to secure the application by requiring a login and password. Make sense?
June 13, 2002 at 5:00 pm
This sounds more like a deployment question then. Are you deploying to the users' workstations or through another means such as Terminal Services/Citrix? In either case, they should already have integrated authentication from the OS login. By using integrated security for the database connection, that will send them through at their AD account.
K. Brian Kelley
http://www.sqlservercentral.com/columnists/bkelley/
June 13, 2002 at 5:31 pm
No reason you can't do both. Safeguard the data using NT authentication, but you can add code to the app that requires a password - one scenario might be you have a section reserved for managers only within an application that everyone uses. A better solution is to use NT/AD groups, test that the NT user is a member of the group or groups allowed access. This eliminates the inherent weaknesses of managing additional passwords and lets you or your admin manage access via NT itself.
Andy
June 13, 2002 at 8:08 pm
We are deploying VB applications directly to user workstations.
I was hoping to do something like in Andy's reply. We have AD groups already that I would like to use. How would you tie in the application login/password so that an administrator doesn't have to maintain 2 sets of logins? Is there a setting I haven't found that connects to SQL Server using Windows Authentication, but still requires the login/password to be entered?
Thanks for the input!
Michelle
June 14, 2002 at 4:09 am
There's no connection really. Just to be clear, even though you're authenticating the user you can add NT groups and grant the permissions to the group (which you should really encapsulate in a role). But if you really want to do as I mentioned earlier and have true app level security, you have to go out and check AD yourself to see which groups they belong to.
Andy
June 14, 2002 at 6:22 am
The answer to the original question is you cannot force a login prompt unless they are not logged into the domain and the machine is set up to access the domain. The idea behind using Windows Authentication is to limit the number of times they have to login. What is the purpose of asking for the login info? I may have some other ideas to help.
"Don't roll your eyes at me. I will tape them in place." (Teacher on Boston Public)
June 14, 2002 at 8:41 am
Some of our user workstations are in high traffic areas. The original idea was to force the login on the application as a way to make sure it is still the user trying to use the application. More and more it sounds like we'll need to just use SQL Logins to do this...
June 14, 2002 at 11:00 am
Not at all. You have to differentiate user access in the application, vs the permissions the application needs to run. You certainly can provide each user with a SQL login/password, or have them share one, but if you have the ability to use NT authentication, why wouldn't you just add a simple security check to your application itself?
Andy
June 14, 2002 at 12:33 pm
I am familiar with the code for doing a verification of a password in regards to NT. It should be simple enough to create an extended stored procedure to submit the username and password to, to verify the validity. Then in your app you prompt for password and show the current logged in user. Pass these two when submitted (using NT Auth to reach extended proc) and if the return is valid password you let them in under the current NT authentication. Could be an interesting product.
"Don't roll your eyes at me. I will tape them in place." (Teacher on Boston Public)
June 14, 2002 at 12:42 pm
Can you point me to the code (functions or stored procs) for working with NT password verification?
June 14, 2002 at 1:43 pm
What happens if the empowered user logs in and then leaves the app open, same problem isn't it? We normally use a screen saver lock to make sure nothing gets left unattended. To me it's a much more effective security measure.
Andy
June 14, 2002 at 7:19 pm
I will get my function list off my machine at work and pass along. Email me directly though or I will forget. Also you can add a timer in your app that is started after each execute to the server or key press that you can time the security variable and set empty telling your app they must reauthenticate. This way you don't have to worry a user has disabled a screen saver.
"Don't roll your eyes at me. I will tape them in place." (Teacher on Boston Public)
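The idle timer from the post above, combined with the group check discussed earlier in the thread, as an added example that is not code from any poster. `ReauthGate`, the `verify_password` callback (standing in for the NT password check), the group list passed in by the caller, and the 300-second limit are all assumptions.

```python
import hmac
import time

class ReauthGate:
    """Re-prompt gate for an app that already connects with integrated security."""
    def __init__(self, os_user, member_of, allowed_groups, verify_password,
                 idle_limit=300.0, clock=time.monotonic):
        lower = lambda groups: {g.lower() for g in groups}
        self.os_user = os_user            # identity comes from the OS logon, not a prompt
        self._in_group = bool(lower(member_of) & lower(allowed_groups))
        self._verify = verify_password    # assumed callback: (user, password) -> bool
        self._idle_limit = idle_limit     # seconds of inactivity before re-prompting
        self._clock = clock
        self._last_activity = None        # None means locked

    def _expired(self):
        last = self._last_activity
        return last is None or self._clock() - last > self._idle_limit

    def unlock(self, password):
        """Check the password for the logged-on user only; the password is not kept."""
        ok = self._in_group and bool(self._verify(self.os_user, password))
        self._last_activity = self._clock() if ok else None
        return ok

    def touch(self):
        """Call on each key press or server call; cannot reopen an expired session."""
        self._last_activity = None if self._expired() else self._clock()

    def authorize(self):
        """Call before each privileged action."""
        return not self._expired()

def demo():
    """Constructed walk-through: fake clock, stand-in verifier, made-up names."""
    now = [0.0]
    verify = lambda user, pw: hmac.compare_digest(pw, "constructed-pw")
    gate = ReauthGate("CORP\\jdoe", ["CORP\\App Managers"], ["corp\\app managers"],
                      verify, idle_limit=300.0, clock=lambda: now[0])
    steps = [gate.authorize(), gate.unlock("wrong"), gate.unlock("constructed-pw")]
    now[0] = 200.0
    gate.touch()                      # activity inside the window
    now[0] = 450.0
    steps.append(gate.authorize())    # 250 s idle: still open
    now[0] = 800.0
    gate.touch()                      # 350 s idle: expired, touch must not reopen
    steps.append(gate.authorize())
    return steps
```
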
June 14, 2002 at 7:24 pm
Nothing a group policy won't fix!
Andy