Q: Get the Users Network Login Name when they access our Intranet ( No Answer,   5 Comments )
Question  
Subject: Get the Users Network Login Name when they access our Intranet
Category: Computers > Programming
Asked by: colinparkeroffice-ga
List Price: $10.00
Posted: 30 Oct 2002 03:18 PST
Expires: 29 Nov 2002 03:18 PST
Question ID: 92990
We have an extensive Ethernet network. We have an HPUnix server running
the Apache web server. When a user accesses the site we want to be able
to grab his network login name so we can access his details in our
Informix back-end database. We use tools such as Perl for scripting our
dynamic web pages, but we have little or no knowledge of Java - just
enough to embed Java in our pages (like "bouncing" text).

Request for Question Clarification by webadept-ga on 30 Oct 2002 03:58 PST
Are you using Apache to get the login name and password? If you are
this is pretty easy. Are you using an .htaccess file?

webadept-ga

Clarification of Question by colinparkeroffice-ga on 30 Oct 2002 05:54 PST
We are in the design stage so at the moment we are not using anything
to get the users network login name. We do have a backend database
which holds all the login names and full names and more for everyone
who will use the site. What we wanted to avoid (if possible) is asking
users to "login" to the site. If we could get the login name that they
used to login to the network we could validate that immediately
against our database and issue a "Welcome John Smith" message.
We do use an .htaccess file (I understand this tells the system where
the executable cgi files are held).
All this security business is all very well, but if one of our users
logs onto the network and uses a terminal emulator to log in to a Unix
box to access one of our applications, we can issue a "finger" command and
see their IP address!!! I know this is not internet technology but it
goes to show that their PCs will give up some information
easily......
Thanks for your help

Clarification of Question by colinparkeroffice-ga on 30 Oct 2002 09:32 PST
Client-side stuff is out - our customer has their desktop screwed down
tighter than a very tight thingy. It would take us til the end of time
to implement such a strategy.

Request for Question Clarification by mmastrac-ga on 23 Nov 2002 11:16 PST
Are you running Windows on the desktops?

Clarification of Question by colinparkeroffice-ga on 26 Nov 2002 02:18 PST
Confirmed that we are using Windows on the desktops.

Request for Question Clarification by mmastrac-ga on 26 Nov 2002 06:59 PST
If you're running Windows on the desktop and IE as a browser, you can
use something called NTLM authentication for web browsing.  This is a
challenge/response mechanism used by Microsoft to send the username
and password through the browser.  If you connect to a website running
NTLM authentication, your username and password are sent, and are not
prompted.

If you are running Apache 1.3, install mod_ntlm.  I found this by
searching for "apache ntlm" on Google.  You can get it at:

http://modntlm.sourceforge.net/

Please note that there is a module for Apache on NT/2000 with the same
name, but that will not work under Unix.  The one I have pointed out
is designed for Unix-based systems.

Once you have installed this module, you can then enable
NT-authentication for the pages you wish the users to automatically
log into.  This configuration should do:

# Select the NTLM scheme; Require has no effect without an AuthType
AuthType NTLM
# Enable authentication
NTLMAuth on
# If they are not authenticated by NTLM, they cannot access the site
# (Apache flag directives take on/off, not yes/no)
NTLMAuthoritative on
# This is the domain
NTLMDomain your-clients-domain
# Domain controllers
NTLMServer your-PDC
NTLMBackup your-BDC
# All users that are authenticated can access this resource
Require valid-user

Once the code for your page starts executing, you will have the user's
NT login name in your CGI variables and you can validate against your
DB.

Let me know if this will work for you, or if you have any questions.
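
Added example (not part of the original post and not code from mod_ntlm): the server-side step described above, taking the login name only from the REMOTE_USER CGI variable set by the web server and looking it up with a bound parameter. The users table, the CORP domain, the 32-character name limit and the in-memory SQLite database standing in for Informix are assumptions made for the example.

```python
import re
import sqlite3

# Assumption: account names are short and use only these characters.
_LOGIN_RE = re.compile(r"[A-Za-z0-9._-]{1,32}")

def login_from_environ(environ, expected_domain=None):
    """Return the server-authenticated login name, or None.

    Only REMOTE_USER (set by the web server after authentication) is
    trusted; query strings and request headers are client-controlled.
    """
    raw = environ.get("REMOTE_USER", "")
    # Accept both "DOMAIN\\user" and bare "user" forms.
    domain, _, user = raw.rpartition("\\")
    if expected_domain and domain and domain.upper() != expected_domain.upper():
        return None
    # fullmatch rejects trailing newlines and any SQL/shell metacharacters.
    if not _LOGIN_RE.fullmatch(user):
        return None
    return user.lower()

def full_name_for(db, login):
    """Look up the user with a bound parameter, never string-built SQL."""
    row = db.execute(
        "SELECT full_name FROM users WHERE login = ?", (login,)
    ).fetchone()
    return row[0] if row else None

def greeting(environ, db, expected_domain=None):
    login = login_from_environ(environ, expected_domain)
    name = full_name_for(db, login) if login else None
    return f"Welcome {name}" if name else None

def make_demo_db():
    # Constructed sample data; stands in for the Informix user table.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (login TEXT PRIMARY KEY, full_name TEXT)")
    db.execute("INSERT INTO users VALUES ('jsmith', 'John Smith')")
    return db

if __name__ == "__main__":
    db = make_demo_db()
    print(greeting({"REMOTE_USER": "CORP\\JSmith"}, db, "CORP"))
    print(greeting({"QUERY_STRING": "user=jsmith"}, db, "CORP"))
```
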
Answer  
There is no answer at this time.

Comments  
Subject: Re: Get the Users Network Login Name when they access our Intranet
From: iaint-ga on 30 Oct 2002 03:31 PST
 
In any HTTP environment the server can only access information about
the client system which the client has chosen to send. In other words,
there is no way to "grab" the user's network login name (or any other
information) without the client having given explicit permission for
you to do so. Bear in mind that HTTP was originally envisaged to work
across insecure networks such as the internet rather than a trusted
intranet environment, and you can see why it would be explicitly
disallowed for servers to obtain a remote host's login details!

Regards
iaint-ga
Subject: Re: Get the Users Network Login Name when they access our Intranet
From: davedave-ga on 30 Oct 2002 07:34 PST
 
May not help, but if this was an ASP page on IIS/Win2k, you'd set the
directory security to use "Integrated Windows authentication" and then
do something like...

dim strLoginName
strLoginName = Request.ServerVariables("Auth_User")
Subject: Re: Get the Users Network Login Name when they access our Intranet
From: variable42-ga on 30 Oct 2002 08:37 PST
 
Your best bet will probably be to write a client-side ActiveX control
to grab the username and pass it as query data as part of a new
request, or to use IIS with integrated authentication as davedave-ga
pointed out.
Subject: Re: Get the Users Network Login Name when they access our Intranet
From: illiad-ga on 30 Oct 2002 13:06 PST
 
I've had this question raised a number of times during design
meetings.

My answer to the client has always been the same:  It is not possible,
unless both the client and server are using Windows-based products.

This is because as iaint pointed out, the only information you have
access to from scripts running on the server is information which the
client has sent you.  Given that web clients are designed to be
sending information all over the internet, it's obviously a good thing
that they're not sending people's Network or computer login names
along with it.

Microsoft, with IIS, has a proprietary authentication scheme, which
requests the session of the remote computer to be sent, and only
allows access if the person is logged into the domain, thus allowing
the server to look up the username, though this system does not work
unless the client and the server are both IIS/IE.

Given that your main userstore is in an Informix database, on the HPUX
system, your best course of action here is most likely to write a
login system independent of the HTTP authentication system, using
cookies to set a session ID - store that in the database, and then
look up the user's information, including login name.  This type of
system can be designed such that the user will only need to log in
once to the Intranet,  depending on the cookie expiration time.

hth
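
Added example (not part of the original comment): one way to build the cookie-and-session-ID design described above, in Python. The sessions table, the eight-hour lifetime, the cookie name sid and the in-memory SQLite database standing in for Informix are assumptions made for the example.

```python
import hashlib
import secrets
import sqlite3
import time

SESSION_TTL = 8 * 3600  # assumed lifetime in seconds; also used as cookie Max-Age

def make_db():
    # In-memory stand-in for a session table in the Informix database.
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE sessions (sid_hash TEXT PRIMARY KEY, login TEXT, expires REAL)"
    )
    return db

def _digest(sid):
    # Only a hash is stored, so a leaked table does not yield live session IDs.
    return hashlib.sha256(sid.encode()).hexdigest()

def start_session(db, login, now=None):
    """Call once the user's password has been verified; returns (sid, cookie)."""
    now = time.time() if now is None else now
    sid = secrets.token_urlsafe(32)  # unguessable and unrelated to the login name
    db.execute("INSERT INTO sessions VALUES (?, ?, ?)",
               (_digest(sid), login, now + SESSION_TTL))
    # Add "; Secure" as well when the intranet is served over HTTPS.
    cookie = f"sid={sid}; Max-Age={SESSION_TTL}; Path=/; HttpOnly; SameSite=Lax"
    return sid, cookie

def login_for_cookie(db, cookie_header, now=None):
    """Map the Cookie request header back to a login name, or None."""
    now = time.time() if now is None else now
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == "sid" and value:
            row = db.execute(
                "SELECT login, expires FROM sessions WHERE sid_hash = ?",
                (_digest(value),),
            ).fetchone()
            # Expiry is enforced server-side, not left to the browser.
            if row and row[1] > now:
                return row[0]
    return None

def end_session(db, sid):
    db.execute("DELETE FROM sessions WHERE sid_hash = ?", (_digest(sid),))
```
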
Subject: Re: Get the Users Network Login Name when they access our Intranet
From: colinparkeroffice-ga on 04 Dec 2002 04:09 PST
 
re:-

"Request for Question Clarification by mmastrac-ga on 26 Nov 2002
06:59 PST
If you're running Windows on the desktop and IE as a browser, you can
use something called NTLM authentication for web browsing.  This is a
challenge/response mechanism used by Microsoft to send the username
and password through the browser.  If you connect to a website running
NTLM authentication, your username and password are sent, and are not
prompted.
 
If you are running Apache 1.3, install mod_ntlm.  I found this by
searching for "apache ntlm" on Google.  You can get it at:
 
http://modntlm.sourceforge.net/ "
 
Thank you for your assistance in this.

We are running version 2.0.4, not 1.3 - will the same patch work? The
web site you pointed to implies not.
