June 24, 2009
Answered

NTLM Authentication

  • June 24, 2009
  • 2 replies
  • 4174 views

Hello. How do I get ColdFusion 8 to use an Active Directory in Server 2003/8 (NTLM) to authenticate users? I want users to log in to the site using their domain information. The server runs Apache... Do I need IIS?

Thanks!

Correct answer ilssac

The <cfldap> tag isn't where I have the issue. I know how to get the information with the query.... but how do I combine <cfldap> with my login page to create an authentication mechanism? That is where I am stuck...

Thanks. :-)


I cannot go much farther without me, or some other contractor, coming to your site and writing your code for you after interviewing your network administrator for the correct data.  The usual rate for that type of work is $100 US/hour plus travel expenses and up.

<cftry>
  <cfldap action="query"
          server="{name or IP of AD server}"
          name="returnQry"
          start="{starting branches of LDAP tree to search}"
          filter="{filterString}"
          username="{domain}\#FORM.USERNAME#"
          password="#FORM.PASSWORD#"
          attributes="{attributes}">

  <cfif returnQry.recordCount GTE 1>
    <!--- user has been authenticated against the active directory do something about it. --->
  <cfelse>
    <!--- user has failed to authenticate against the active directory do something about it. --->
  </cfif>

  <cfcatch type="any">
    <!--- cfldap throws when the directory rejects the bind (bad user name or password); treat it as a failed login. --->
  </cfcatch>
</cftry>

The ColdFusion documentation has sample code very similar to what is being provided here.
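One way to wire the `<cfldap>` bind from the answer above into a login page using `<cflogin>`, as an added example that is not part of the original posts or of Adobe's sample code. The server name, domain, search base, `loginform.cfm`, the `adlogin` log name and the user name allowlist are assumptions to replace with your own values; the block is meant for an application with login support enabled (for example in Application.cfm).

```cfml
<!--- Added example. adServer, adDomain, adBase and loginform.cfm are assumed placeholders. --->
<cfset adServer = "dc01.example.local">
<cfset adDomain = "EXAMPLE">
<cfset adBase   = "DC=example,DC=local">

<cflogin>
  <!--- No credentials posted yet: show the (hypothetical) login form and stop. --->
  <cfif NOT (structKeyExists(form, "username") AND structKeyExists(form, "password"))>
    <cfinclude template="loginform.cfm">
    <cfabort>
  </cfif>

  <cfset authOK = false>
  <cfset user = trim(form.username)>

  <!--- Reject empty values before binding: a simple bind with an empty password is an
        unauthenticated bind, which a directory server may accept. The allowlist (an
        assumption about your account names) keeps LDAP filter metacharacters and
        domain separators out of the filter and the bind name. --->
  <cfif len(user) AND len(form.password) AND NOT reFind("[^A-Za-z0-9._-]", user)>
    <cftry>
      <!--- Bind as the user; cfldap throws if the directory rejects the credentials. --->
      <cfldap action="query"
              server="#adServer#"
              name="adUser"
              start="#adBase#"
              scope="subtree"
              filter="(sAMAccountName=#user#)"
              attributes="sAMAccountName,displayName"
              username="#adDomain#\#user#"
              password="#form.password#">
      <cfset authOK = (adUser.recordCount EQ 1)>
      <cfcatch type="any">
        <!--- Failed bind or unreachable server: log the detail, show the user nothing specific. --->
        <cflog file="adlogin" type="warning" text="AD login failed for #user#: #cfcatch.message#">
      </cfcatch>
    </cftry>
  </cfif>

  <cfif authOK>
    <!--- The AD password is not needed after the bind, so a throwaway value is stored instead. --->
    <cfloginuser name="#user#" password="#createUUID()#" roles="user">
  <cfelse>
    <cfset loginError = "Invalid user name or password.">
    <cfinclude template="loginform.cfm">
    <cfabort>
  </cfif>
</cflogin>
```

The form should be served over HTTPS and the directory connection protected as well, since both carry the user's domain password.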

2 replies

Inspiring
June 30, 2009

NTLM security support is available under Apache.  "mod_ntlm" (or "mod_auth_ntlm") can be installed to do it.

It is certainly true, however, that if you have IIS readily available (as you probably do), and if it will work just-as-well as Apache in your case, it does make good sense to "do as the Romans do."  An academic exercise, while interesting, is also unprofitable.

In any case, this module (like mod_auth_ldap) can be used to secure the entire site "in one swell foop."  If the user manages to get into the site at all, he has passed authentication and his Windows credentials are known.  This is "the way to go" for intranets.

Inspiring
June 30, 2009

I agree with "If the user manages to get into the site at all, he has passed authentication and his Windows credentials are known.  This is "the way to go" for intranets." as stated by TLC-IT.  If you decide to use Windows integrated authentication with IIS, this Adobe technote may be useful to you.

http://kb2.adobe.com/cps/185/tn_18516.html

ilssac
Inspiring
June 24, 2009

IIS is the normal web server to use 'windows integrated security'.  I have seen NTLM modules for Apache, but I have never used one.

June 24, 2009

OK. So if I reconfigure the web server to use IIS, how do I set up CF8 to use the AD for authentication? The AD is on a separate machine, but same network.... Do you have an example?

Thanks a lot!

ilssac
Inspiring
June 24, 2009

ColdFusion has little knowledge or care of the Active Directory server.

This is all handled by the web server.  Once you have IIS set up using Windows Integrated Security, it takes care of all the work.  It populates the cgi.AUTH_USER variable and passes everything to ColdFusion.  So the minimal CFML code is simply this.

<cfoutput>
#cgi.AUTH_USER#
</cfoutput>

<cfif listLast(cgi.AUTH_USER,'\') EQ "iskinner">
   YOU ARE IAN SKINNER YOU CAN'T SEE THIS PAGE
   <cfabort>
</cfif>

If you want to use more information from the active directory data store, the <CFLDAP...> tag is the natural extension of this functionality.  The documentation has plenty of information on how to configure and use it.  With this tag, you can get user groups, check their password, find full name, phone numbers and whatever else you may be storing in your Active Directory tree.