Hey all, I am needing to know if it is possible to check a user's typed-in password against the AD to make sure it's the correct password?

The reason is that once they log in, I need to use their user name and password to do some web service calls, because the API needs both in order to perform the task.

Given that no one in my company lets another know their password, since that would be against policy, I would just like to have the user provide the password securely and have the AD take care of finding out if it's correct or not, without me or anyone else knowing what that password is. So I'm just really looking for a TRUE or FALSE when it's checking their typed-in password, AND to be able to store the password (with AES encryption) for later use with the REST API.

Hopefully the above makes sense. If not, please let me know and I'll do my best to explain it better.

EXAMPLE

The IBM REST service I am calling needs both the user name and password in order to execute the API command. As an example, the command I would be using via an HTTP service would be:

--user <loginId>:<passwd> http://<host>:<port>/forms-basic/secure/data/dd34da19-15c4-4267-8f1e-9f12ece743d7/F_Form1?format=text/xml&sortBy=lastUpdated&order=DESC

Both the <loginId> and <passwd> are needed in order to execute that command using VB.net's WebRequest method.

VB.net example call code:

Imports System.Net
Imports System.Text

' Build the GET request and an HTTP Basic credential header from the user's ID and password.
Dim request As WebRequest = WebRequest.Create(apiURL & appID & "/" & dataForm & "?format=text/xml&order=DESC")
Dim credentials As String = Convert.ToBase64String(Encoding.ASCII.GetBytes(userData_ID & ":" & userData_PW))

request.Method = "GET"
request.Headers("Authorization") = "Basic " & credentials

StealthRT
    `Reason being is that once they log in I need to use their user name and password to do some web service calls` - **once** implies that they've logged in successfully, which is proof that the password they used was correct. – joeqwerty Apr 02 '15 at 14:42
  • @joeqwerty **BUT** I need to use that password in order to fire off some web services that need both their username and password - that's why I am wanting to make sure what they typed in for their password is truly the correct password for them before I go out and call those services with that information. – StealthRT Apr 02 '15 at 14:48
  • If the password wasn't correct they wouldn't be logged in. If they're logged in then the password **must** be correct. – joeqwerty Apr 02 '15 at 14:48
  • Passwords shouldn't be passed in plaintext. I think you may be approaching the issue incorrectly. – Hyppy Apr 02 '15 at 14:49
  • You're definitely doing this wrong if you're trying to pass the user's password, instead of using a token or ticket or the like - why does Kerberos exist, if not for this very thing? – HopelessN00b Apr 02 '15 at 14:52
  • @Hyppy The password will be encrypted on the server side using AES with also SSL as well. – StealthRT Apr 02 '15 at 14:52
  • @HopelessN00b I am not using any ASP.net authorization login simply because it won't allow me to store the password to use later in my web service. I'm taking all the proper procedures to make sure the password that will be in a variable is encrypted and safe. – StealthRT Apr 02 '15 at 14:54
  • Encrypted or not, a password shouldn't be stored at all. You can store one-way hashes, tokens, tickets, or something else. It's really bad to store the actual passwords. You can certainly authenticate to multiple services with a Kerberos ticket or even NTLMv2. In this day and age, there are very very few reasons not to use some form of SSO. – Hyppy Apr 02 '15 at 14:57
  • Why do you think you need the user's password? It sounds like you _don't_ need it. – Michael Hampton Apr 02 '15 at 15:00
  • **to all above** I updated my OP with an example REST API call that I would need to do. – StealthRT Apr 02 '15 at 15:09
  • Based on your edit, your question was originally a little misleading (not intentionally). Originally you stated that you needed a True or False confirmation that the password is/was correct. Now you've stated that you need the actual password. Is that a correct assumption? – joeqwerty Apr 02 '15 at 15:40
  • @joeqwerty That is correct. Sorry. – StealthRT Apr 02 '15 at 15:50

1 Answer

This is more a programming question than a ServerFault one.

That being said, Microsoft's documentation on LdapAuthentication should get you started. It's pretty simple.

Belmin Fernandez
  • I tried that code.. however, it does not seem to work checking the password of the user. I ran it with my legit password and it came back true - then I ran it with a bogus password for me and **it also came back true**. – StealthRT Apr 03 '15 at 03:11
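As an added example (not code from the question, the answer, or Microsoft's LdapAuthentication sample), this is the plain TRUE/FALSE check the question asks for, done the way .NET intends: a single bind against the domain via System.DirectoryServices.AccountManagement. It assumes a hypothetical domain "corp.example.com" and account "jdoe", and that the project references System.DirectoryServices.AccountManagement. One known pitfall when a validation routine says True for a wrong password is an empty password being accepted as an LDAP unauthenticated bind, so the function rejects empty input before it ever touches the directory; the password is used for the bind and is not kept.

```vbnet
Imports System
Imports System.DirectoryServices.AccountManagement

Module AdPasswordCheck

    ' Returns True only if userName/password form a valid credential in the
    ' given domain. The password is used for one bind and is not stored or
    ' logged anywhere in this module.
    Public Function IsValidAdPassword(domain As String, userName As String, password As String) As Boolean
        ' Caveat (not from the page): an empty password can be treated as an
        ' LDAP unauthenticated bind and come back as a success, which is one
        ' way a bogus password "validates". Refuse it before binding.
        If String.IsNullOrEmpty(userName) OrElse String.IsNullOrEmpty(password) Then
            Return False
        End If

        Using ctx As New PrincipalContext(ContextType.Domain, domain)
            ' Negotiate selects Kerberos where available and falls back to NTLM.
            ' A wrong password makes the bind fail, so this returns False.
            Return ctx.ValidateCredentials(userName, password, ContextOptions.Negotiate)
        End Using
    End Function

    Sub Main()
        ' Hypothetical domain and account; replace with real values when running.
        Dim domain As String = "corp.example.com"
        Dim user As String = "jdoe"
        Console.Write("Password: ")
        Dim pw As String = ReadPasswordFromConsole()
        Console.WriteLine(If(IsValidAdPassword(domain, user, pw), "TRUE", "FALSE"))
    End Sub

    ' Read a password from the console without echoing it to the screen.
    Private Function ReadPasswordFromConsole() As String
        Dim sb As New System.Text.StringBuilder()
        Do
            Dim key As ConsoleKeyInfo = Console.ReadKey(intercept:=True)
            If key.Key = ConsoleKey.Enter Then Exit Do
            If key.Key = ConsoleKey.Backspace Then
                If sb.Length > 0 Then sb.Length -= 1
            Else
                sb.Append(key.KeyChar)
            End If
        Loop
        Console.WriteLine()
        Return sb.ToString()
    End Function

End Module
```

Run it on a domain-joined machine with network reach to a domain controller; the result is only the TRUE/FALSE the question asks for. Whether the validated password should then be kept for the REST call is the separate point the comments above raise, and nothing here stores it.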