Using Windows Authentication

This is probably pretty simple, but I've spent too much time trying to figure
it out on my own.

I'm using Access 2007, SQL Server 2005 (Windows Authent), Windows Server 2003.

Multiple users share computers, so I need to create a login feature in
Access that will verify the users through their Windows account. If the
authentication fails, I need to deny them access to the database - and they
need to NOT be able to bypass the login (i.e. hold shift key to open db).

SQL is set up for Windows Authentication because my users already have 3
different accounts they have to manage passwords for - I'd hate to give them
one more.

Thanks for any help,

BA
 
Radtherapy said:
This is probably pretty simple, but I've spent too much time trying
to figure it out on my own.

I'm using Access 2007, SQL Server 2005 (Windows Authent), Windows
Server 2003.

Multiple users share computers, so I need to create a login feature in
Access that will verify the users through their Windows account. If
the authentication fails, I need to deny them access to the database
- and they need to NOT be able to bypass the login (i.e. hold shift
key to open db).

SQL is set up for Windows Authentication because my users already
have 3 different accounts they have to manage passwords for - I'd
hate to give them one more.

Thanks for any help,

BA

Access cannot use Windows authentication, but if you are using that for
permissions on the server tables then that should be all you need.
Non-authorized users will be able to open the Access file, but if they have
no permissions on the server all they will get is errors.
 
The problem is that the person logged in to Windows may not be the person
opening the database - so I need the user to verify who they are before they
hit SQL.
 
BTW - Thanks for responding Rick.

What I want to accomplish is a way to have my user enter a user name and
password and then verify that account through AD.

After that, I can programmatically control their permissions.
 
Radtherapy said:
The problem is that the person logged in to Windows may not be the
person opening the database - so I need the user to verify who they
are before they hit SQL.

I don't understand. You indicated that you are using Windows authentication
for the server and that you want to use Windows authentication for the Access
file. Even if the latter was possible it would require that the person
opening the file BE the person logged onto Windows. If it were not then by
definition you would not be using Windows authentication.

If you mean you want to allow the person to enter some other Windows
authentication besides the one currently in use on the PC then they would
still be accessing the server based on the Windows login of the PC. That
would seem to me to be a bad combination. Your Access app would recognize
them as one user and the server as another.

You can set up Access User Level Security and give all users the same login
names as they use for Windows, but you cannot make it automatically track
and use their Windows account. You would have to allow them to manage their
own Access passwords so they could keep them in synch with their Windows
password (probably not a great idea anyway since Access security is easily
hacked).
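
The server-side setup the replies above rely on, as an added example that is not part of the original thread: permissions are granted to Windows principals on SQL Server itself, and the server identifies the connection by the Windows logon of the PC regardless of any name typed into an Access form. The domain, group, database, table and constraint names are hypothetical; the syntax is valid for SQL Server 2005.

```sql
-- Hypothetical names: CLINIC domain, RadTherapyStaff AD group,
-- ClinicDB database, dbo.Treatments table.
USE master;
GO
-- Map an AD group (not individual accounts) to a server login.
CREATE LOGIN [CLINIC\RadTherapyStaff] FROM WINDOWS;
GO

USE ClinicDB;
GO
CREATE USER [CLINIC\RadTherapyStaff] FOR LOGIN [CLINIC\RadTherapyStaff];
GO

-- Grant only what the Access front end needs on the linked table.
GRANT SELECT, INSERT, UPDATE ON dbo.Treatments TO [CLINIC\RadTherapyStaff];
DENY DELETE ON dbo.Treatments TO [CLINIC\RadTherapyStaff];
GO

-- Record who changed a row from the server's point of view. The default
-- is the Windows account that opened the connection, so it cannot be
-- overridden by a user name collected in an Access login form.
ALTER TABLE dbo.Treatments
    ADD ModifiedBy sysname NOT NULL
        CONSTRAINT DF_Treatments_ModifiedBy DEFAULT (SUSER_SNAME());
GO

-- Run from the Access connection (e.g. a pass-through query) to see
-- which identity the server is actually enforcing permissions for.
SELECT SUSER_SNAME() AS server_sees_login,
       HAS_PERMS_BY_NAME('dbo.Treatments', 'OBJECT', 'SELECT') AS can_select,
       HAS_PERMS_BY_NAME('dbo.Treatments', 'OBJECT', 'DELETE') AS can_delete;
```

A Windows account outside the group can still open the Access file, but every query against the linked table fails at the server, and on a shared logon `server_sees_login` shows the shared account rather than the person at the keyboard.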
 
Radtherapy said:
BTW - Thanks for responding Rick.

What I want to accomplish is a way to have my user enter a user name
and password and then verify that account through AD.

After that, I can programmatically control their permissions.

I think that might be possible, but just about anyone interested in the
security of your network would tell you that NO program should ever ask a
user for his Windows name and password. That is valid for the operating
system ONLY. Another program could do anything with that information once
the user provides it and almost all of it would be insecure.
 
How would this be different than what SharePoint does? Or ISA? Or a VPN
connection? All of these authenticate the user based on their Windows
credentials.

I think doing this is actually safer than just allowing someone to walk by a
computer and open Access without any kind of verification that they are an
authorized user.

Am I missing an important point?
 
Radtherapy said:
How would this be different than what SharePoint does? Or ISA? Or a
VPN connection? All of these authenticate the user based on their
Windows credentials.

I think doing this is actually safer than just allowing someone to
walk by a computer and open Access without any kind of verification
that they are an authorized user.

Am I missing an important point?

Well if people allow others to walk up to their unattended computers and do
stuff then your network has bigger problems than your Access app.

We use a system sort of like you're describing to secure our web applications,
but we have Windows pass us the credentials via NTLM. We don't ask the user
to re-enter them.
 
While I agree with Rick that this probably shouldn't be necessary, Randy
Birch has code to use the NT Challenge procedure to validate a user at
http://vbnet.mvps.org/code/network/acceptsecuritycontext.htm

(Obligatory warning: Randy's site is aimed at VB programmers. There are
significant differences between the controls available for us on forms in VB
and in Access. Because of this, many of his samples will not port directly
to Access. Looking quickly at this particular example, though, I think you
should be okay)
 
The computers aren't unattended - they're in a communal (clinic) area where
they are shared by multiple users.

I really appreciate your input, but I think you're misunderstanding what I'm
trying to accomplish.
 
Radtherapy said:
The computers aren't unattended - they're in a communal (clinic) area
where they are shared by multiple users.

I really appreciate your input, but I think you're misunderstanding
what I'm trying to accomplish.

You have multiple users operating the same PC but without each of them
individually logging onto that PC and yet you want to use windows
authentication on each user before they open your file.

To me the bigger problem is that each user *should be* logging onto the PC
if you want to treat them as individuals in the programs that run on that
PC.
 