Re: Capturing Windows Login Name

Manuel Lemos wrote:
Hello,

on 02/03/2008 01:17 AM Jerry Stuckle said the following:
I know it is not possible to get Windows login name using PHP because
it is a server-side script, but I dunno whether anyone has tried using
This is not accurate, the Windows logon name is passed to servers by
several browsers (not just IE) when servers ask for Windows NTLM
authentication.

You just need to configure your Web server to require Windows
authentication, and you get the current logged user logon name using
GetEnv('LOGON_USER'); .

Forget Javascript, it would never work.

And which browsers are these? I want to ensure they are never installed
on my system. Such operation would be a tremendous breach of security.

Internet Explorer and Firefox support NTLM. Maybe other browser

NTLM is an authentication protocol. The client (the browser) does not
send passwords to the server. There is nothing insecure about this. The
browsers just send the hashed passwords to the server. The server just
compares hashes and tells if what the browser sent was correct.


Wrong. Access to my computer consists of logon id plus password. It is none of your business what my logon id is. And it is a security exposure.

If the authentication succeeds, the server allows the access of whatever
page (including PHP scripts).

This is a multi-step protocol. The user name is only passed to the
server in the last step, if the previous steps succeed.

The idea is to not make the user enter the same password again to access
a site under the same Windows controller domain, after he has logon on
his Windows machine account that belongs to the same Windows domain.


But it cannot be done by any website to any computer with no control by the user.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@xxxxxxxxxxxxx
==================

.

Relevant Pages

  • SecurityFocus Microsoft Newsletter #154
    ... MICROSOFT VULNERABILITY SUMMARY ... ISS RealSecure Server Sensor SSL Denial Of Service Vulnerabi... ... Roger Wilco Remote Server Side Buffer Overrun Vulnerability ... available for Microsoft Windows operating systems. ...
    (Focus-Microsoft)
  • RE: Trend, IIS, Permissions, Exhaustion and close to very bad language :-) Heelp!
    ... I understand when you logon on Company web ... Does the IP address point your Windows XP clients or SBS Server? ... Is the IP address of the Windows XP client or server that in your network? ...
    (microsoft.public.windows.server.sbs)
  • SecurityFocus Microsoft Newsletter #49
    ... Subject: SecurityFocus Microsoft Newsletter #49 ... Microsoft Windows NNTP Denial of Service Vulnerability ... Microsoft IIS SSI Buffer Overrun Privelege Elevation Vulnerability ... Microsoft ISA Server H.323 Memory Leak Denial of Service... ...
    (Focus-Microsoft)
  • Re: Weird problem Asp.net, certain users, code behind
    ... I took a look at your site on 3 different machines, ... Windows Server 2003/IE 6: None of the links would show up. ...
    (microsoft.public.dotnet.framework.aspnet)
  • Kerberos logon failure - Windows Server 2003 RTM
    ... Domain controller with Windows 2003 RTM. ... Authentication server with Windows Server 2003 RTM (Proxy ... Users logon to the web site from the authentication server and are ... see Help and Support Center at ...
    (microsoft.public.win2000.security)