Fog Creek Software
Discussion Board




NT Authorization from client program

Does anyone have an example of connecting to IIS from a client program (not Internet Explorer) when IIS is using Integrated Windows Authentication?

I can't prompt for the password, .Net isn't an option, and other authentication techniques like Basic or Kerberos are out.

The PHBs here decided that since a user has already been authenticated by Win2K when they logged on, our app should be able to authenticate and call an XMLRPC server running as CGI on IIS. After IIS sends the 401, there is some negotiation, presumably using wininet.dll, but I can't figure out how to get what's needed.

Tom H
Friday, May 14, 2004

Can you use WININET to send the http requests to IIS? Then it'll all get taken care of for you.

Joel Spolsky
Fog Creek Software
Friday, May 14, 2004

or xmlhttp (which uses wininet deep under the covers)
or the .NET HTTP stuff, which is entirely different but also can handle it.

mb
Friday, May 14, 2004

"use WININET to send the http requests to IIS"

I think that's what I want. Most of our app is browser based, I'm not very familiar with Win32 so an example would help.

Here's a .Net example that I think does what I need. But .Net is still a couple of years away for us.

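#include <atlhttp.h>   // ATL Server HTTP client classes used below

// objects the snippet relies on
CAtlHttpClient client;
CAtlNavigateData navData;

// using NTLM authentication with current user credentials
CNTLMAuthObject authObject;
client.AddAuthObj("NTLM", &authObject);

//client.NegotiateAuth(false);
client.NegotiateAuth(true);   // let the client answer the server's 401 challenge
client.Navigate( "http://localhost/site/test.txt", &navData );
int status = client.GetStatus();   // HTTP status of the final response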

Tom H
Friday, May 14, 2004

I don't know; perhaps http://win32.mvps.org/security/sspi.html

Christopher Wells
Friday, May 14, 2004

whoa! overkill alert.

If you use InternetOpenUrl (or any of the many libraries which use it to read files over HTTP) and don't do anything special, and you connect to IIS which is set up for integrated Windows authentication only, then the IIS process serving your request will magically be running as the user who is sitting at the client. That's all.

Joel Spolsky
Fog Creek Software
Friday, May 14, 2004

"That's all"

I'll give it another shot. Thanks for the help.

Tom H
Friday, May 14, 2004

or just use xmlhttp. really. it has an easier interface to deal with than wininet, unless you're already strongly tied to the 'file handle' model.

(or serverxmlhttp if you're running a server-side process. if you're running a server-side process you shouldn't use wininet anyway and will also have problems with authentication hops).

mb
Friday, May 14, 2004
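
The negotiation after the 401 that the original question asks about, shown as an added example that is not code from any poster in this thread: a small C classifier that reports which leg of the NTLM handshake a `WWW-Authenticate` or `Authorization` header value carries, which helps when reading a trace of a client that fails to authenticate. The function name `ntlm_leg` is hypothetical, and the sample header values are constructed, with tokens cut down to the 12-byte signature and message type.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Value of one base64 character; -1 for padding or anything else. */
static int b64val(char c) {
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;
}

/* Decode at most cap bytes of base64 from s; returns bytes written. */
static size_t b64decode(const char *s, uint8_t *out, size_t cap) {
    uint32_t acc = 0; int bits = 0; size_t n = 0;
    for (; *s && n < cap; s++) {
        int v = b64val(*s);
        if (v < 0) break;
        acc = (acc << 6) | (uint32_t)v; bits += 6;
        if (bits >= 8) { bits -= 8; out[n++] = (uint8_t)(acc >> bits); }
    }
    return n;
}

/* Classify a WWW-Authenticate / Authorization header value.
 * Returns 0 for a bare scheme offer (the first 401), 1/2/3 for an NTLM
 * Negotiate/Challenge/Authenticate message, -1 for anything else (another
 * scheme, or a token that is not raw NTLMSSP). Scheme match is case-sensitive. */
int ntlm_leg(const char *value) {
    const char *p; uint8_t buf[12];
    if (strncmp(value, "NTLM", 4) == 0) p = value + 4;
    else if (strncmp(value, "Negotiate", 9) == 0) p = value + 9;
    else return -1;
    if (*p && *p != ' ') return -1;            /* e.g. "NTLMX" is not NTLM */
    while (*p == ' ') p++;
    if (*p == '\0') return 0;                  /* scheme name only, no token */
    if (b64decode(p, buf, sizeof buf) < 12) return -1;
    if (memcmp(buf, "NTLMSSP\0", 8) != 0) return -1;   /* message signature */
    uint32_t type = buf[8] | buf[9] << 8 | buf[10] << 16 | (uint32_t)buf[11] << 24;
    return (type >= 1 && type <= 3) ? (int)type : -1;  /* little-endian type */
}

int main(void) {
    /* Constructed values in handshake order: offer, Type 1, Type 2, Type 3. */
    const char *h[] = { "NTLM", "NTLM TlRMTVNTUAABAAAA", "NTLM TlRMTVNTUAACAAAA", "NTLM TlRMTVNTUAADAAAA" };
    for (int i = 0; i < 4; i++) printf("%-24s -> %d\n", h[i], ntlm_leg(h[i]));
    return 0;
}
```

In a working exchange the server's first 401 classifies as 0, the client's retry as 1, the server's second 401 as 2, and the client's final request as 3; a trace that stops after the first 401 means the client never attempted the handshake.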
