windows-username as restriction for registration

Hi there folks,

In the security concept for my project (which will eventually be used in a company intranet) I would like to have the restriction that registration to the application is only possible with the same username as the user's actual Windows account.

In development with the test server on my own PC, this wasn't a problem.

Actually I'm getting the needed data for comparison like this:

    import os

    # compare the username submitted in the registration form
    # with the username of the account the server process runs under
    if request.POST['username'] != os.getenv('username'):

So, in the next step I started some testing by hosting my project on pythonanywhere.com, and any of you who is more experienced than me knows what followed: it didn't work.

So is there a way to get the remote user's username for my purpose?

I tried it already with this:
How to authenticate using REMOTE_USER (DJANGO Docs)
but there is no "REMOTE_USER" in request.META after applying these changes.

THX for any help

You can’t - at least not definitively with any server that is not part of the Windows Active Directory Domain.

If your web server is part of that domain, you can use SPNEGO to get that information.

Or, you could use one of the “sso-style” protocols to get a token that can be validated with a system that is part of the domain.

But unless you’ve got some method to coordinate the transfer of information between your web server and the domain, you must not blindly trust anything that you get from the browser.

(REMOTE_USER handles a slightly different situation.)

So, my current situation is a test drive on a real web-server (pythonanywhere.com).
Do I have better options, when running the application in target structure of company-intranet ?

And I am talking about an intranet structure where the server and the clients are placed in the same location. So, physically in the same place, and everything is handled in a LAN.

Then your server should exist in that same infrastructure - because once you deploy outside your corporate network on any “cloud-based” service, it’s no longer an “intranet structure”.

You’ll want to provision a real server and deploy your application on it.

But if I do so, and the network is physically connected without any cloud services... I would still need something like this:
SPNEGO
to achieve this goal? Did I get you right?

It depends upon how you want to handle authentication. Implementing SPNEGO would allow your Django application to authenticate users with AD.

Or, if you deploy behind nginx, you could implement the nginx SPNEGO module and allow it to handle the authentication - in which case you could combine that with Django’s REMOTE_USER support to allow nginx to supply the name of the user. (Note: I’ve never used this module. The last time I had to authenticate users to AD, we were using Apache and had implemented the Apache SPNEGO module.)

Or, you could deploy behind IIS and allow it to natively authenticate users (also using REMOTE_USER).

These options above avoid the need for the users to enter an ID and password, since they’re already authenticated to the domain.

Depending upon the configuration of your domain, if you want the users to enter credentials, you may be able to use the LDAP interface to validate those credentials.
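The two answers above turn on one point: the name of the Windows user must come from something the web server itself established (SPNEGO in Apache/nginx, or IIS), which the server then exposes as the REMOTE_USER variable, and never from anything the browser can write. Django's RemoteUserMiddleware reads exactly that variable from request.META (the WSGI environ), while any HTTP header the client sends shows up there under an HTTP_ prefix. The following is an added, Django-free illustration of that rule, not code from this thread or from Django; the environ dictionaries and user names are constructed sample data, and the domain-name normalization (stripping a DOMAIN\ prefix or @realm suffix) is an assumption about the forms the authentication module may hand over.

```python
# Added example: derive the Windows user only from the server-set REMOTE_USER
# WSGI variable and use it for the "registration username must match the
# domain account" check. Not taken from the thread or from Django itself.

# The only key trusted here. A web server's SPNEGO module (or IIS) sets it on
# the environ after the Kerberos/NTLM handshake succeeds. Browser-sent headers
# land in the environ as HTTP_* keys and are deliberately ignored.
TRUSTED_KEY = "REMOTE_USER"


def normalize_windows_name(name):
    """Reduce 'CORP\\Alice', 'alice@corp.example' or 'Alice' to 'alice'.

    Assumption: the authentication module may hand over the account in any of
    these forms, so both sides of the comparison are normalized the same way.
    """
    name = name.strip()
    if "\\" in name:                    # DOMAIN\user form
        name = name.rsplit("\\", 1)[1]
    if "@" in name:                     # user@REALM (UPN) form
        name = name.split("@", 1)[0]
    return name.lower()


def domain_user_from_environ(environ):
    """Return the user the web server authenticated, or None.

    Only REMOTE_USER counts. A key such as HTTP_REMOTE_USER is just a request
    header written by the client and proves nothing.
    """
    value = environ.get(TRUSTED_KEY)
    if not value:
        return None
    return normalize_windows_name(value)


def registration_allowed(environ, posted_username):
    """Replacement for the os.getenv('username') comparison in the question.

    The username typed into the registration form must equal the account the
    server authenticated; with no server-side authentication (as on a generic
    cloud host) registration is refused rather than falling back to the
    account the server process runs under.
    """
    domain_user = domain_user_from_environ(environ)
    if domain_user is None:
        return False
    return normalize_windows_name(posted_username) == domain_user


# Constructed sample environs, as a WSGI server would pass them to the app.
SAMPLE_REQUESTS = {
    # IIS / SPNEGO module authenticated the client and set REMOTE_USER.
    "authenticated": ({"REMOTE_USER": "CORP\\alice", "REQUEST_METHOD": "POST"}, "Alice"),
    # Client sent a "Remote-User: CORP\alice" header; it arrives as HTTP_REMOTE_USER.
    "spoofed_header": ({"HTTP_REMOTE_USER": "CORP\\alice", "REQUEST_METHOD": "POST"}, "alice"),
    # No integrated authentication at all (the pythonanywhere.com case).
    "no_auth": ({"REQUEST_METHOD": "POST"}, "alice"),
    # Authenticated as bob, but trying to register the name alice.
    "mismatch": ({"REMOTE_USER": "bob@corp.example", "REQUEST_METHOD": "POST"}, "alice"),
}


def run_samples():
    """Evaluate every constructed request; only 'authenticated' passes."""
    return {label: registration_allowed(env, posted)
            for label, (env, posted) in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for label, allowed in run_samples().items():
        print(f"{label:15s} -> {'allowed' if allowed else 'refused'}")
```

With Django in front of this, the equivalent wiring is RemoteUserMiddleware plus RemoteUserBackend in settings, after which request.user carries the same value; the point of the example is that the check is only meaningful once the server in the domain, not the application, has produced REMOTE_USER.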


Hmmm... it seems it is an interesting but not easy topic. I thank you for all the input you have given... I will have to think about how to deal with this...

It's definitely not an easy topic. And unfortunately, you're going to be at the mercy of the technical support department that manages your domain for it to work. This is not something you can implement on your own; the work requires steps to be done by a domain admin. If you don't have knowledgeable staff on that side, it will be a very frustrating experience.


I see... then I have to rethink this part of my plan carefully, it seems!
But I thank you for this input and clarification!!!