GrahamY

I am writing a database app for use over our network. I don't want to have to write a login screen; the user will already have logged in to the network, so I'd like to be able to detect who is the currently logged-in user at this PC.

Then I can look them up in my database and apply appropriate security from there.

I can always add extra security for updates etc. Can I reference the users' Active Directory password so they don't need to keep track of two passwords?

Re: .NET Base Class Library How do I check who is logging on?

Nicole Calinoiu

GrahamY wrote:

I am writing a database app for use over our network. I don't want to have to write a login screen; the user will already have logged in to the network, so I'd like to be able to detect who is the currently logged-in user at this PC.

Then I can look them up in my database and apply appropriate security from there.

What's the basic architecture of your application: client/server or 3+ tier? Also, what database platform are you using?

GrahamY wrote:

I can always add extra security for updates etc. Can I reference the users' Active Directory password so they don't need to keep track of two passwords?

No, your application cannot access the users' Windows account passwords.


Re: .NET Base Class Library How do I check who is logging on?

GrahamY

The app is n-tier & SQL Server 2005

With Windows 2003 servers and 2000 & XP workstations.

We have Symantec Web Security, which uses LDAP to find users and passwords. Obviously I am not interested in getting at the actual password; I only want to be able to do a comparison and see if it matches the one supplied.
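The comparison described in this post can be done without the application ever seeing the stored password: the domain controller performs the check during an authenticated LDAP bind and the app only learns whether the pair was accepted. The following is an added example, not code from the thread; it assumes .NET 3.5 or later (for System.DirectoryServices.AccountManagement) and a domain-joined machine, and the domain name is a placeholder.

```csharp
// Added example: validate a user-supplied password against Active Directory.
// The app never reads or stores the AD password; the DC does the comparison.
// Assumes .NET 3.5+ and a domain-joined machine. "CORP.EXAMPLE" is a placeholder.
using System;
using System.DirectoryServices.AccountManagement;
using System.Text;

static class AdPasswordCheck
{
    // Returns true only if the domain accepts this user name/password pair.
    public static bool CredentialsAreValid(string domain, string userName, string password)
    {
        if (string.IsNullOrEmpty(userName) || string.IsNullOrEmpty(password))
            return false;   // never treat an empty password as a match

        using (PrincipalContext ctx = new PrincipalContext(ContextType.Domain, domain))
        {
            // Negotiate selects Kerberos/NTLM instead of a simple (clear-text) LDAP bind,
            // so the password is not sent over the wire in the clear.
            return ctx.ValidateCredentials(userName, password, ContextOptions.Negotiate);
        }
    }

    static void Main()
    {
        Console.Write("User name: ");
        string user = Console.ReadLine();
        Console.Write("Password: ");
        string pass = ReadHidden();

        bool ok = CredentialsAreValid("CORP.EXAMPLE" /* placeholder domain */, user, pass);
        Console.WriteLine(ok ? "Password accepted by the domain." : "Password rejected.");
    }

    // Masked console input so the password is not echoed on screen.
    static string ReadHidden()
    {
        StringBuilder sb = new StringBuilder();
        ConsoleKeyInfo key;
        while ((key = Console.ReadKey(true)).Key != ConsoleKey.Enter)
        {
            if (key.Key == ConsoleKey.Backspace) { if (sb.Length > 0) sb.Length--; }
            else if (!char.IsControl(key.KeyChar)) sb.Append(key.KeyChar);
        }
        Console.WriteLine();
        return sb.ToString();
    }
}
```

Each failed call counts against the domain's account-lockout policy exactly like a failed interactive logon, so an application that re-prompts for the AD password on updates should throttle attempts and log failures rather than retry silently.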


Re: .NET Base Class Library How do I check who is logging on?

Jpmon1

This will give you the user executing the current Thread:

SystemInformation.UserName

 -Jon
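For comparison, here is an added example (not from the thread) that reads the same logged-on user three ways and shows why WindowsIdentity is the one worth keying a database lookup on: it carries the SID, the authentication type and group membership, which a bare user-name string does not. It assumes a WinForms or console app running in the interactive session on a domain-joined PC; the group name is a placeholder.

```csharp
// Added example: identify the interactive user without a login screen.
// Assumes a domain-joined Windows machine; "CORP\\AppUsers" is a placeholder group.
using System;
using System.Security.Principal;
using System.Windows.Forms;   // SystemInformation.UserName (reference System.Windows.Forms.dll)

static class CurrentUserInfo
{
    // Plain user name, as in the post above. Same session, no domain part.
    public static string NameFromSystemInformation()
    {
        return SystemInformation.UserName;
    }

    // Same thing via Environment, with the domain prefixed.
    public static string NameFromEnvironment()
    {
        return Environment.UserDomainName + "\\" + Environment.UserName;
    }

    // Token-backed view: SID, auth type and groups come from the OS token,
    // not from a string that could be edited.
    public static WindowsIdentity Current()
    {
        return WindowsIdentity.GetCurrent();
    }

    // Group membership from the token, useful for coarse authorisation
    // before the per-user database lookup.
    public static bool IsMemberOf(string domainGroup)
    {
        WindowsPrincipal principal = new WindowsPrincipal(WindowsIdentity.GetCurrent());
        return principal.IsInRole(domainGroup);
    }

    static void Main()
    {
        WindowsIdentity id = Current();
        Console.WriteLine("Name:          " + id.Name);                // DOMAIN\user
        Console.WriteLine("SID:           " + id.User);                // stable across renames
        Console.WriteLine("Auth type:     " + id.AuthenticationType);  // Kerberos or NTLM on a domain
        Console.WriteLine("Authenticated: " + id.IsAuthenticated);
        Console.WriteLine("Also via:      " + NameFromSystemInformation() + " / " + NameFromEnvironment());
        Console.WriteLine("In AppUsers:   " + IsMemberOf("CORP\\AppUsers"));  // placeholder group

        // Key the Users row on the SID: names change, SIDs do not, and the
        // SID is what the OS token actually holds.
        Console.WriteLine("Lookup key:    " + id.User.Value);
    }
}
```

All three values come from the client machine, so on their own they only tell the client who it thinks it is; what the database should trust is covered in the next reply.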


Re: .NET Base Class Library How do I check who is logging on?

Nicole Calinoiu

Is this a web application or a Windows application? I had originally thought Windows, but now I'm having doubts...

At any rate, you should avoid flowing the user identity from the client tier to the database as data since it would be trivial to spoof. A better approach is to either run under the caller identity all the way down to the database (impersonation/delegation model) or at least into the first "safe" backend server tier, after which the caller identity would be flowed as data to lower tiers (trusted subsystem model). If you're interested in comparisons of these approaches and/or more information on how they work, http://msdn2.microsoft.com/en-us/library/aa905320.aspx and http://msdn2.microsoft.com/en-us/library/ms998292.aspx might be good places to start.
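The two models in this reply, as an added example for a middle tier talking to SQL Server 2005 over Windows authentication (this is illustration code, not from the thread or the linked articles). The server, database and stored-procedure names are placeholders; the point is where the identity comes from in each model: an OS token held by the tier, never a string the client filled in.

```csharp
// Added example: impersonation/delegation vs trusted subsystem against SQL Server.
// Placeholders: SQLHOST, AppDb, dbo.usp_RecordAction. Requires .NET Framework
// (System.Data.SqlClient, WindowsIdentity.Impersonate).
using System;
using System.Data;
using System.Data.SqlClient;
using System.Security.Principal;

static class IdentityFlow
{
    // Integrated Security: no password in the string; the current OS token is used.
    const string Conn = "Data Source=SQLHOST;Initial Catalog=AppDb;Integrated Security=SSPI";

    // Model 1: impersonation/delegation. The query runs as the caller, so SQL
    // Server's own SUSER_SNAME() reports the end user and the database can
    // apply per-user permissions itself. For a remote middle tier this needs
    // Kerberos constrained delegation for the tier's account; NTLM cannot
    // make the second hop to SQL Server.
    public static string WhoDoesSqlServerSee(WindowsIdentity caller)
    {
        using (WindowsImpersonationContext ctx = caller.Impersonate())
        using (SqlConnection conn = new SqlConnection(Conn))
        {
            conn.Open();
            using (SqlCommand cmd = new SqlCommand("SELECT SUSER_SNAME()", conn))
                return (string)cmd.ExecuteScalar();
        }
    }

    // Model 2: trusted subsystem. The connection runs under the tier's service
    // account, which is the only login granted EXECUTE on the procedure. The
    // caller's identity is passed as data, but the tier takes it from the
    // WindowsIdentity it authenticated (e.g. Windows auth in WCF/ASP.NET),
    // not from a field the client sent, so the client cannot choose it.
    public static void RecordActionAsTrustedTier(WindowsIdentity caller, string action)
    {
        if (caller == null || !caller.IsAuthenticated)
            throw new UnauthorizedAccessException("caller not authenticated");

        using (SqlConnection conn = new SqlConnection(Conn))
        using (SqlCommand cmd = new SqlCommand("dbo.usp_RecordAction", conn))   // placeholder proc
        {
            cmd.CommandType = CommandType.StoredProcedure;
            cmd.Parameters.Add("@CallerSid", SqlDbType.NVarChar, 184).Value = caller.User.Value;
            cmd.Parameters.Add("@CallerName", SqlDbType.NVarChar, 256).Value = caller.Name;
            cmd.Parameters.Add("@Action", SqlDbType.NVarChar, 64).Value = action;
            conn.Open();
            cmd.ExecuteNonQuery();
        }
    }

    // Stand-alone run: impersonating your own token exercises model 1 locally.
    static void Main()
    {
        WindowsIdentity me = WindowsIdentity.GetCurrent();
        Console.WriteLine("SQL Server sees: " + WhoDoesSqlServerSee(me));
        RecordActionAsTrustedTier(me, "login");
    }
}
```

The pattern the reply warns against is the third variant: the client tier reads its own user name (as in the SystemInformation.UserName post) and sends it as a parameter straight to the database. Nothing on the server side can distinguish that value from one the client made up, which is why the name must be established by an authenticated hop (model 1) or by a tier the database already trusts (model 2).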