to retrieve windows login-password via asp.net

Question

public Object IsAuthenticated()
{
    String domainAndUsername = strDomain + "\\" + strUser;
    ***DirectoryEntry entry = new DirectoryEntry(_path, domainAndUsername, strPass);***
    SearchResult result;
    try
    {
      //Bind to the native AdsObject to force authentication.         

      DirectorySearcher search = new DirectorySearcher(entry) { Filter = ("(SAMAccountName=" + strUser + ")") };

      search.PropertiesToLoad.Add("givenName"); // First Name                
      search.PropertiesToLoad.Add("sn"); // Last Name
      search.PropertiesToLoad.Add("cn"); // Last Name

      result = search.FindOne();

      if (null == result)
      {
          return null;
      }

      //Update the new path to the user in the directory.
      _path = result.Path;
      _filterAttribute = (String)result.Properties["cn"][0];
    }
    catch (Exception ex)
    {
        return new Exception("Error authenticating user. " + ex.Message);
    }
    return user;
}

In the above code segment, is there a way to retrieve the user's Windows login password so that the LDAP authentication works without asking the user his password another time? Can the value for "strPass",that is being passed when DirectoryEntry object is being created, be retrieved by any way?

Answer 1

The password does not exist anywhere. It would be a big security hole if it did.

Also, BTW, get rid of the try/catch block. It's doing nothing but hiding the reason for the exception.

Answer 2

Use the ActiveDirectoryMemebershipProvider - You can authenticate without writing code, thus eliminating the login scenario you currently have.

Answer 3

You could set up Windows Authentication in your ASP.NET app.

http://msdn.microsoft.com/en-us/library/ff647405.aspx Once you set this up, only authenticated users have access to the protected parts of your site.

This gives you access some key bits of information.

For example:

System.Web.HttpContext.Current.User.Identity.Name - gives the name (domain\username) of an authenticated user.

System.Web.HttpContext.Current.User.IsInRole("role_name_here") - will tell you if the authenticated user is in a given role.

Authentication can be tricky to do for the first time - please do not ask a user for their windows password - this is a security risk - allow IIS and the .NET framework take care of this for you. The article above may be a bit long and seem a bit complicated but it has a lot of good information in it.