How to grab AD credentials from client machine in a web application?

Posted on

Problem :

Is it possible to grab activedirectory credentials for the user on a client machine from within a web application?

To clarify, I am designing a web application which will be hosted on a client’s intranet.

There is a requirement that the a user of the application not be prompted for credentials when accessing the application, and that instead the credentials of the user logged onto the client machine should be grabbed automatically, without user interaction.

Solution :

Absolutely. This is especially useful for intranet applications.

Since you did not specify your environment, I’ll assume it is .NET, but that isn’t the only way possible of course.

Active Directory can be queried easily using LDAP. If you’re using .NET, you can do something like in this code example or my example below. You can also do it within SQL environments as well.

If you just need Windows to handle authentication, you can set, for example, a .NET Web app up for Windows Authentication. Be sure to turn off Anonymous Logins within IIS for your application. Once done, you’ll be able to access the user’s Windows logon name and use it to make further security checks (for example, their group/role membership in AD).

You can also simplify the whole mess using something like Enterprise Library’s Security Application Block.

Here is a short C# example: (convert to VB.NET here)

using System.DirectoryServices;

/// <summary>
/// Gets the email address, if defined, of a user from Active Directory.
/// </summary>
/// <param name="userid">The userid of the user in question.  Make
/// sure the domain has been stripped first!</param>
/// <returns>A string containing the user's email address, or null
/// if one was not defined or found.</returns>
public static string GetEmail(string userid)
    DirectorySearcher searcher;
    SearchResult result;
    string email;

    // Check first if there is a slash in the userid
    // If there is, domain has not been stripped
    if (!userid.Contains("\"))
        searcher = new DirectorySearcher();
        searcher.Filter = String.Format("(SAMAccountName={0})", userid);
        result = searcher.FindOne();
        if (result != null)
            email = result.Properties["mail"][0].ToString();

    return email;

You do not have to specify a domain controller. Performing the empty/default constructor for DirectorySearcher will cause it to attempt to look one up automatically — in fact, this is the preferred method.

Maybe .NET has a more direct way to do it, but with PHP I just access our Active Directory server as an LDAP server.

I’m not sure what adjustments to the server are required to do this. I didn’t setup the server, I just query it.
I’m not suggesting you use PHP either. I just find it easier to deal with LDAP then trying to tie directly into Active Directory.

Windows Integrated Authentication, user has to use IE, AND the site has to be in the user’s trusted sites. If these things are true, then IE will pass your windows security token to the web site and it will authenticate with it. We do this with SharePoint on our intranet otherwise it’s a pain to access anything restricted — you’d get prompted every time you click on a document.

No, of course not. Can you imagine the havoc that would result in random web apps being able to get your AD username and password?

Now, if you just want the username – that’s in REMOTE_USER if you’re using integated windows auth. And, windows auth will auto login the user to your site – assuming you share a domain (or trust).

Edit: IWA works in an intranet scenario, since IE – by default – includes intranet sites in the Intranet security zone. Also, a sysadmin can use GPO to set other trusted sites. Firefox also supports NTLM, as does Opera and Chrome. All in all, it’s not a bad way to setup an intranet.

Note, though – that you don’t get credentials. You negotiate a token with the client, which is what keeps IWA secure (and my above point relevant).

Leave a Reply

Your email address will not be published. Required fields are marked *