Getting name and email from AD
Message
From
23/07/2022 12:31:05
General information
Forum: Visual FoxPro
Category: Coding, syntax & commands / Miscellaneous
Thread ID: 01684680
Message ID: 01684706
Views: 52
Likes: 1
Hi Dmitry,

A DN uniquely identifies a single user.

In our app we have a table of users (who then get tied to business transactions). In that table, we store the DN associated with that user.

A user logs in. We get the username from sys(0) and then query (LDAP) the AD for the DN of the current user. We match that with what is in the User table. We now know who is logged in.

If we do not find a matching DN, we show a message that they are not authorized and they never get past the front door.

One of the big benefits of this for us: user identification security is entirely on the organization that is our customer.

Hank

>Hi Hank,
>
>What do you mean by "via a stored DN"? Please clarify.
>
>Thanks.
>
>>Hi Dmitry,
>>
>>Just to be clear: using AD Authentication login via a stored DN means the user does not login: they are validated using AD Auth.
>>
>>Hank
>>
>>>>>>>Thank you for your message.
>>>>>>>Now - just this morning (since the customer is in Europe) - I received a new requirement. Now the customer wants a user to enter both the AD username and AD password into my VFP application. And my VFP application to check if this is a valid user. Initially I thought that they would not want a user to enter his/her password into the VFP application.
>>>>>>>So, I am back to Tamar's link where the VFP application should create a query to the AD and validate a user.
>>>>>>>I will need to find the name of the AD/SQL Server DB to do that.
>>>>>>
>>>>>>I question the need for this. If the user has already signed in to a domain-joined computer, their session is already authenticated. Why should they need to authenticate again from within your app, with the same credentials?
>>>>>>
>>>>>>If access privileges within your app depend on the AD username, you already have that, and you know they've already successfully authenticated against AD using that username.
>>>>>
>>>>>They have what they call "shared PCs". So, they would like various users to log into my application with the same username and password they use for their AD log in. So that each user will only have to remember one username and one password.
>>>>>So, I will have to build a feature where the application will validate if this or that user is already in the AD.
>>>>
>>>>Multiple users can sign in (one at a time) on a "shared" computer - one signs out, another signs in.
>>>
>>>This is not what the customer wants. They simply want to synchronize the username and password used for the PC/AD and the VFP application to be the same. This way, the users only need to remember one.
>>>So far, I sent them a quote for what I need to do to change the application.
>>>@Hank Fay. If I have to implement this modification, I will not store the AD password anywhere in the VFP DB. Only username.
>>>I still have not ironed out how my app will validate a user based on his/her AD username and password. I will have to look at the code Mike Gagnon wrote. And understand every line so that I can ask the customer the right questions.
>>>Personally, I hope they won't go with this change. I know that this will create somewhat of a maintenance headache. And at this point in my life/career, this is not my preference.
>>>Thank you all.
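The flow Hank describes above (take the Windows username from SYS(0), look up that account's distinguishedName in AD over LDAP, then match it against the DN stored in the app's user table) written out as an added VFP example. This is not code from the thread or from Hank's application; it assumes a domain-joined workstation, the ADSI OLE DB provider that ships with Windows, and a local table USERS with fields user_id (integer) and dn (character). The function names are hypothetical.

```foxpro
* Added example, not from the thread: resolve the logged-in Windows user to an AD
* distinguishedName via ADSI/ADO and match it against the application's user table.
* Assumptions: domain-joined PC, ADsDSOObject provider available, table USERS
* with fields user_id (I) and dn (C 255). Function names are hypothetical.

FUNCTION GetCurrentUserDN
   LOCAL lcSysUser, lcUser, loRoot, lcNamingContext, loConn, loCmd, loRS, lcDN
   * SYS(0) returns "COMPUTERNAME # username"; keep only the username part.
   lcSysUser = SYS(0)
   lcUser = ALLTRIM(SUBSTR(lcSysUser, AT("#", lcSysUser) + 1))

   * RootDSE exposes the default naming context (the domain partition to search).
   loRoot = GETOBJECT("LDAP://RootDSE")
   lcNamingContext = loRoot.Get("defaultNamingContext")

   loConn = CREATEOBJECT("ADODB.Connection")
   loConn.Provider = "ADsDSOObject"
   loConn.Open("Active Directory Provider")   && binds with the caller's Windows logon

   loCmd = CREATEOBJECT("ADODB.Command")
   loCmd.ActiveConnection = loConn
   * ADSI query form: <search base>;(LDAP filter);attributes;scope
   loCmd.CommandText = "<LDAP://" + lcNamingContext + ">;" + ;
      "(&(objectCategory=person)(objectClass=user)(sAMAccountName=" + ;
      LdapFilterEscape(lcUser) + "));distinguishedName;subtree"

   lcDN = ""
   loRS = loCmd.Execute()
   IF NOT loRS.EOF
      lcDN = loRS.Fields("distinguishedName").Value
   ENDIF
   loRS.Close()
   loConn.Close()
   RETURN lcDN
ENDFUNC

* RFC 4515 escaping so a username containing ( ) * \ or NUL cannot change the
* meaning of the filter (the same idea as parameterising a SQL query).
FUNCTION LdapFilterEscape
   LPARAMETERS tcValue
   LOCAL lcOut
   lcOut = STRTRAN(tcValue, "\", "\5c")   && backslash first, it is the escape char
   lcOut = STRTRAN(lcOut, "*", "\2a")
   lcOut = STRTRAN(lcOut, "(", "\28")
   lcOut = STRTRAN(lcOut, ")", "\29")
   lcOut = STRTRAN(lcOut, CHR(0), "\00")
   RETURN lcOut
ENDFUNC

* Returns the application's user_id for the logged-in Windows user, or 0 when
* no stored DN matches (Hank's "not authorized, never past the front door" case).
FUNCTION AuthorizeCurrentUser
   LOCAL lcDN
   LOCAL ARRAY laHit[1]
   lcDN = GetCurrentUserDN()
   IF EMPTY(lcDN)
      RETURN 0
   ENDIF
   * DNs are case-insensitive in AD; compare both sides upper-cased and trimmed
   * so a stored copy that differs only in letter case still matches.
   SELECT user_id FROM users ;
      WHERE UPPER(ALLTRIM(dn)) == UPPER(lcDN) ;
      INTO ARRAY laHit
   IF _TALLY = 0
      RETURN 0
   ENDIF
   RETURN laHit[1]
ENDFUNC
```

Two points worth checking in a real deployment: the LDAP bind uses the interactive user's Windows logon, so the application never sees or stores a password, which is the property Hank relies on; and a distinguishedName changes if the account is moved to another OU or renamed, so a shop that reorganises its directory may prefer to store the account's objectGUID (which is immutable) alongside or instead of the DN.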