AD domain login passes to ColdFusion App

All: I am creating an application that requires user login. Users are all the employees within my organization, but not every user would use it; only some would. I would like to take advantage of the users' existing AD domain network logins so they don't have to keep track of another account. What they do is to login our organization's AD domain (different sever, different language) and AD would verify it and pass some kind of ID/token to my CF app. Is this possible and how can this be done? Any pointer is really appreciated. Thanks. Nathan Chen

> I am creating an application that requires user login. Users are all the employees within my organization, but not > every user would use it; only some would. I would like to take advantage of the users' existing AD domain network > logins so they don't have to keep track of another account. What they do is to login our organization's AD domain > (different sever, different language) and AD would verify it and pass some kind of ID/token to my CF app. Is this > possible and how can this be done? Any pointer is really appreciated. Thanks. If the web server is a member of that domain, and if it's running IIS, you can do this very easily using Integrated Windows Authentication in IIS. You'll need to set filesystem permissions accordingly, and if you want users to authenticate silently they'll have to have their browsers configured to do this. Within your CF code, you can then look at the CGI.AUTH_USER variable - at least, I think that's the right one, but you can just dump the CGI scope and see for yourself. Dave Watts, CTO, Fig Leaf Software http://www.figleaf.com/ http://training.figleaf.com/ Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on GSA Schedule, and provides the highest caliber vendor-authorized instruction at our training centers, online, or onsite.

or you could use CFLDAP to authenticate them via CF instead, but remember, cf authentication only protects cfml pages, nothing else, so use a native server side solution is better, as Dave suggests. ----- Excess quoted text cut - see Original Post for more -----

We use a combination of both the CGI.AUTH_USER and CFLDAP.  The part that uses CGI.AUTH_USER is for our SSO so that they do not have to key in their username/password.  The CFLDAP part is for querying out credentionals from LDAP/AD to then verify against a local users table that then houses application specific application rights.  The integrated windows authenticaiton piece is actually only set for one specific CFM page but part of that reason is we have many AO domains and the IIS server is not a member of all of those.  So if our SSO fails we have a fail back keyed in login screen. ----- Excess quoted text cut - see Original Post for more -----