0

We are building a JavaScript client in ReactJS within an intranet. The intranet site uses automatic Windows authentication. I have to confess that we don't know the exact details of how this system works, only that the users are stored in Active Directory and that we can retrieve the list of Kerberos tickets using the klist command in the Windows command prompt. Our application is supposed to be embedded in the intranet site and should retrieve the username of the authenticated user. This username will be forwarded to a backend system which we built and will be used to query the Active Directory for the user's details. We have no control over the intranet site and do not know how this was built.

To my question now. Is it possible, using only JavaScript in the browser, to retrieve the Kerberos tickets of the authenticated user, which we can then use to extract their username? Is there some other possibility to access the username of the authenticated user?

Awemo

2 Answers

0

Client scripts cannot request security tokens; otherwise this takes you down a weird security rabbit hole.

What you really need to do is have the server send a WWW-Authenticate: Negotiate response header with a 401 error code. The client will send an Authorization: Negotiate XYZ request header. Your backend framework would then have to convert that into a usable identity.

Steve
  • Thank you for your answer. Our application, however, resides on a separate server which is not within the Kerberos network. I do not know if such an Authentication negotiation is possible. – Awemo Aug 26 '19 at 13:04
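
Added example (not part of the original answers): a sketch of the server side of the Negotiate exchange described in the answer above, written for Node.js. `validateToken` is a hypothetical hook standing in for the GSSAPI/SSPI call that accepts the ticket with the service's key and returns the principal; the function names, the choice to refuse NTLM fallback tokens, and the sample values in the comments are assumptions.

```javascript
// An NTLM message starts with the ASCII signature "NTLMSSP\0".
const NTLM_SIGNATURE = Buffer.from("NTLMSSP\0", "latin1");

// Classify the raw token carried in "Authorization: Negotiate <base64>".
function classifyToken(token) {
  if (token.length >= 8 && token.subarray(0, 8).equals(NTLM_SIGNATURE)) {
    return "ntlm"; // browser fell back to NTLM, so no Kerberos ticket was sent
  }
  if (token.length > 0 && token[0] === 0x60) {
    return "gssapi"; // ASN.1 [APPLICATION 0]: GSS-API initial context token
  }
  return "unknown";
}

// 401 + WWW-Authenticate: Negotiate asks the browser to send a token.
function challenge(reason) {
  return { status: 401, headers: { "WWW-Authenticate": "Negotiate" }, user: null, reason };
}

// Decide the response for one request. `headers` uses lower-case keys, as
// Node's http module provides them. The identity comes only from the
// validated token, never from a value the page's script supplies.
function negotiateStep(headers, validateToken) {
  const auth = headers["authorization"];
  if (!auth) return challenge("no-credentials");

  const match = /^Negotiate\s+([A-Za-z0-9+/]+={0,2})$/i.exec(auth.trim());
  if (!match) return challenge("wrong-scheme");

  const token = Buffer.from(match[1], "base64");
  const kind = classifyToken(token);
  if (kind !== "gssapi") return challenge(kind);

  // Hypothetical hook: returns e.g. "alice@EXAMPLE.TEST", or null on failure.
  const principal = validateToken(token);
  if (!principal) return challenge("rejected");
  return { status: 200, headers: {}, user: principal, reason: null };
}
```

The server can then embed the returned principal in the page or API response it sends to the React client.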
-1

This is only possible in Internet Explorer using an ActiveX control which will prompt the user if they want to allow. You can see the code here:

var objUserInfo = new ActiveXObject("WScript.network");
document.write(objUserInfo.ComputerName+"<br>"); 
document.write(objUserInfo.UserDomain+"<br>"); 
document.write(objUserInfo.UserName+"<br>");  

No other browser will let you do that.

The server code will have to inject the username into the JavaScript sent to the browser.

Gabriel Luci
  • To be clear this is dangerous for all sorts of reasons and should not be relied on for any security decisions whatsoever. – Steve Aug 23 '19 at 15:44
  • @Steve I agree. I didn't say it was a good idea. I was hoping that "will prompt the user if they want to allow" would make it clear that it's a silly idea to rely on, besides only working in IE. – Gabriel Luci Aug 23 '19 at 16:00