Fog Creek Software
Discussion Board




Client side scripting to get NT username?

Hello,

Im writing a web application for an intranet, and I wonder
if there is some way of getting the NT username from the
PC requesting the page.

I know javascript cannot read environment variables, is
there some other way of doing this with client side scripting?

Patrik
Thursday, October 31, 2002

Wow, if you could do that, then you have most of the information required to access the client's machine. You'd have their IP address from your logs, and their NT username from your script. All you'd need is a password, and you're good to go. Set up a password-required page on the site, and use the knowlege that most people would use the same password there as they would for their NT password, and you're good to go. Smart thinking.

There IS a way to do it, but it requires some above-average permissions on the client side for your page. There's also a way to do it on the server side with no special client-side permissions required. I hesistate to say how in a public forum though, because it sounds to me like you're just fishing for a way to collect usernames.

Troy King
Thursday, October 31, 2002

Troy,

I know the "above average permission" techniques, and,
also the "server-side" techniques you are referring to.
I already have implemented this functionallity using a COM
component (or ActiveX if you prefer to call it that).  I was just posting to see if anybody knew more straigthforward way than using ActiveX/COM and/or a specific brand of web server.

Thanks for pointing this out.

Patrik
Thursday, October 31, 2002

I got an inflated ego there for a minute; I apologize. You never know what's going to set off the crazy conspiracy guy that lives in my head. It sounds like you already know the methods I'm referring to anyway. I was talking about checking the LOGON_USER and REMOTE_USER variables, or use ADSI on the client side. They're what occurs to me off the top of my head. Other than that, I'd have to hit the web developer web sites, which is probably what you'll have to do.

Troy King
Thursday, October 31, 2002

>I got an inflated ego there for a minute;

We all suffer from inflated egos from time to time, so no worries.

The REMOTE_USER & LOGON_USER only gets set if you have a password protected site, ie. sends a 401 Unauthorized response. If you have an "open" site they do not get set.

I will check out the ADSI stuff as well.

Thanks,

Patrik
Thursday, October 31, 2002

You seem to understand lots of other ways of getting the information, but I wonder what's wrong with requiring authentication on your pages? That's the whole point of a 'password protected' site after all: it verifies the NT (or whatever authentication system) username.

Note that you can get NTLM authentication for Apache. I believe that if you don't really care about the password being right you can still get the username and domain.

The client is not supposed to be able to just read this sort of information for security reasons, though my last paragraph points out a way around it. IE's zone security is supposed to keep this 'hole' within your intranet, and a user can tighten it down further.

mb
Thursday, October 31, 2002

mb,

>Note that you can get NTLM authentication for Apache

Thanks for your suggestion. I will check NTLM out.

Patrik
Saturday, November 02, 2002

I can't even find the way to do it with com or active-x objects. I have the same situation at my job where my boss wants users of an intranet app I'm writing to not have to ever verify themselves (just get their windows username). If you guys don't want to post it, you can email me at joelonsoftware@REMOVETHISFIRSTFORNOSPAMmarkjrubin.com

Thanks in advance....hopefully,
Mark

Mark Rubin
Monday, June 02, 2003

*  Recent Topics

*  Fog Creek Home