Accessing the Windows Integrated login system from RQL


As you may well know, you can configure your CMS to utilise Windows Integrated login. This SSO process takes the login credentials supplied by your browser and uses them to log you into the CMS automatically. It works out of the box in IE when you’re in the Intranet Zone, and can be made to work in other zones too.

Let’s say you have your CMS set up with this feature, and you have some RQL that runs outside of the normal plug-in architecture. That’s not particularly uncommon (we have lots of it), but in this scenario you need to use RQL login commands before you can do anything productive.

If this has happened to you, the first place you will have looked is the RDCMS.log file, to see what the CMS does to perform an integrated login, and this is what you would have found:

<IODATA>
  <ADMINISTRATION action="login" languageid="" sessionid="12345678" useragent="Mozilla/4.0
  compatible; MSIE 8.0; Windows NT 6.1; WOW64; *snip*)" loginkey="" reddottop="top" loginguid=""
  cmsusertoken="35hTKS+8pAmt/79gtpCn2agMB8iCrDtoR0pqTEKBWSA="
  cmsvalidationkey="3546593841743767706E614D1234566F30714542533D" ssohandlerguid=""
  name="" password="********"></ADMINISTRATION>
</IODATA>

Exciting, isn’t it!  Except that I have worked out where the cmsusertoken and cmsvalidationkey attributes come from, and trust me when I say you can’t make them yourself.

So what now? Glad you asked.

I created a dead simple plug-in asp page that looks like this:

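<%
Dim oWinAuth, sUserToken, sKey
Set oWinAuth = CreateObject("RDCMSWinAuth.RDWinAuth")
' getUserToken returns the cmsusertoken and fills sKey (passed by reference) with the cmsvalidationkey
sUserToken = oWinAuth.getUserToken(sKey)
Set oWinAuth = Nothing
' Return both values pipe-separated for the caller to parse
Response.Write sUserToken & "|" & sKey
%>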

which simply returns the cmsusertoken and cmsvalidationkey attributes in pipe-separated format, which can then be plugged into your RQL. Note this only works if the process executing the web page call has an integrated login account in the CMS. You also have to call it each time you want to log in, because the values have a built-in expiry system. The name and password attributes are not required, and you should pass “script” as the value for the useragent attribute.

In my .Net app I simply call it like this:

string ret = new WebClient().DownloadString( pluginUri );

then parse out the result.
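
The call-and-parse flow described above, written out in C# as an added example (not the author's code). The class and method names are hypothetical, the sample pair is constructed, and it assumes the plug-in page sits behind IIS Windows authentication and that the login statement needs only the attributes the post names.

```csharp
using System;
using System.Net;
using System.Xml.Linq;

// Added example, not the author's code. Class and method names are hypothetical.
static class IntegratedRqlLogin
{
    // Calls the plug-in page as the current Windows identity and returns the raw "token|key" body.
    public static string FetchTokenPair(Uri pluginUri)
    {
        using (var client = new WebClient())
        {
            // WebClient sends no credentials by default; this lets it answer the
            // IIS Kerberos/NTLM challenge as the account running this process.
            client.UseDefaultCredentials = true;
            return client.DownloadString(pluginUri);
        }
    }

    // Builds the RQL login statement from the plug-in response.
    public static string BuildLoginRql(string pluginResponse)
    {
        // Assumption: the response holds exactly one '|' (the logged token looks like
        // base64 and the key like hex, neither of which uses that character).
        string[] parts = (pluginResponse ?? "").Trim().Split('|');
        if (parts.Length != 2 || parts[0].Length == 0 || parts[1].Length == 0)
            throw new FormatException("Plug-in did not return token|key (ASP error page?).");

        // XElement escapes attribute values. name and password are omitted and useragent
        // is "script", as the post describes; the other logged attributes are left out
        // here, which is an assumption about what the CMS requires.
        var login = new XElement("IODATA",
            new XElement("ADMINISTRATION",
                new XAttribute("action", "login"),
                new XAttribute("useragent", "script"),
                new XAttribute("cmsusertoken", parts[0]),
                new XAttribute("cmsvalidationkey", parts[1])));
        return login.ToString(SaveOptions.DisableFormatting);
    }

    static void Main()
    {
        // Constructed sample pair so this runs offline; live use is BuildLoginRql(FetchTokenPair(pluginUri)).
        string sample = "QUJDREVGRzAxMjM0NTY3ODk=|4142434445463031";
        Console.WriteLine(BuildLoginRql(sample));
    }
}
```

Because the values expire, fetch a fresh pair for every login rather than caching it, and treat the pair as a credential: keep it out of application logs and error messages.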

About the author:

Richard Hauer: Richard is a Solution Architect with 5 Limes in Sydney, Australia. Richard has delivered CRM, .Net and RedDot solutions to many household name companies including Microsoft, Coca-Cola, Rothmans, Nestle, Tourism Australia, Network TEN, Australian Wool, Panasonic, the Royal Agricultural Society, Perpetual, and Challenger.

Discussion

15 comments for “Accessing the Windows Integrated login system from RQL”

  1. so would this work for previewing pages outside of reddot?

    Posted by Shawn | December 5, 2009, 1:14 am
  2. In a word, yes.

    But it won’t be a single step process. You still have to log in, then generate the preview (and display it). But if you are using RQL then at least you don’t need the user to log in to RedDot, presuming you have integrated login enabled already.

    Posted by Richard Hauer | December 5, 2009, 5:54 am
  3. ok, I don’t know what integrated login is, sorry.. But I am able to use RQL to login and retrieve a loginguid,sessionguid,projectguid and page guid from outside the reddot web interface, but when I ask for preview the system starts a multi-threaded process that I’m unable to tap into.. I can get the HTML back but am unable to get the browser to resolve the links to the style sheets or anything for that matter. Will this “Windows Integrated login” solve this problem? And if so then can u please show me an example of how I would apply it in code as I am unsuccessful in just running it the same as a login.
    Do I fire it before the login? Or after…
    What does this “Windows Integrated login” do anyhow?
    is it giving the use a higher level of authentication?
    So many questions I’m sorry. I’m new to reddot/RQL.

    Posted by Shawn | December 5, 2009, 8:36 am
  4. oh sorry.. i forgot to say thanks in advance..also i wanted to let you know that the plugin is working and I’m getting the “Pipe” separated values back for that so now I guess it’s just a matter of all the pieces falling into place..

    Posted by Shawn | December 5, 2009, 8:39 am
  5. Integrated login is a function of IIS – it means that Kerberos or NTLM is being used to authenticate you on a web site. Essentially your browser passes a token it gets from Windows to the server which then authenticates the token against a domain controller which tells the web server which network login is associated with that token. RedDot then looks up the user name in its internal user database to log you in silently.

    Getting the preview code, as you have discovered, is only half the task. You will need to resolve all the links OR load the preview page from the CMS into an iFrame (which will be tons easier).

    I’m glad your plugin is working – note that if your IIS/RedDot configuration is not right you will still get values on the plugin page, except they will be for the Anonymous user who won’t have access to RedDot. The real proof is that you can call RQL apis and not get an error.

    Posted by Richard Hauer | December 5, 2009, 8:43 am
  6. To be clearer, I would simply have a page which loads up an ASP page which uses RQL to log into RedDot and get the GUID I need to form the regular RedDot preview URL.

    That way the preview links will work properly.

    E.g. a sample preview URL from one of my RD10 projects looks like this:

    http://rd10/cms/ioRD.asp?Action=RedDot&Mode=0&OnLoad=0&PageGuid=2875BB10F2944DF09BC041D44D6F79A0&LinkFromGuid=6C8A3094541911D4BDAB004005312B7C&CalledFromRedDot=0&WithCache=1&Type=page&Isolated=0&PageLocked=0&Rights1=-33673217&DummyTime=1259995605482

    The page you want to preview is the PageGuid value. The LinkFromGuid provides additional context, since pages can be attached in multiple places. Some of the other stuff isn’t needed.

    If you don’t have the 2 GUIDs you could use additional RQL for that.

    Simply redirect the page to the URL (as above) you have formed. If the user has been logged in with integrated login it will just work.

    PS. As a side note, if your users normally have integrated login and you have all the GUIDs by some other means then the above URL will work without the plugin; you only need the plugin if you need to execute RQL on the user’s behalf because RedDot insists you log in first.

    Posted by Richard Hauer | December 5, 2009, 8:54 am
  7. ummm.. ok you’re losing me here.. i need you to dumb it down a bit for me here.. lol .. if i have all the guids i need from the system and i don’t have access to the IIS so i can’t tell if the Windows Integrated login is even turned on. do i just capture the URL for the preview string and have a browser load that .. cuz that doesn’t work for me. .. so i have all these GUIDs and keys i just don’t understand how to get reddot to hand over the assets as well, or do i just need to make the right function call.

    what if Windows Integrated login is not turned on. can this still be done ?

    Posted by Shawn | December 5, 2009, 9:08 am
  8. Do you see a login page when you navigate to http://server/cms ? If so, you aren’t using integrated login. If you were you would just see the home page straight away.

    Without integrated login turned on none of my previous instructions will work. Not the plugin, not the preview, none.

    It is still do-able however.

    I will make it a new blog post…

    Posted by Richard Hauer | December 5, 2009, 9:19 am
  9. Thank you so much for all this help. no I can’t see the page so it’s not active. Can you please let me know the address to the new blog post I’m on pins and needles in anticipation!!

    Posted by Shawn | December 5, 2009, 9:31 am
  10. Is there an email address I can get you at for this as I seem to have less info about what I’m trying to do than I thought. Is this problem that I’m facing a threading problem or is it more complicated than that?

    Posted by Shawn | December 5, 2009, 11:24 am
  11. If you want to add this function to the RustyLogic RedDotNet library, add RDCMSWinAuth.dll to your project and then insert the following code into Session.cs

    public static bool Login()
    {
        object cmsValidationKey = null;
        RDWinAuth auth = new RDWinAuth();
        object cmsUserToken = auth.getUserToken(ref cmsValidationKey);
        string rqlStatement =
            "" +
            "" +
            "";
        XmlDocument document = new XmlDocument();
        document.LoadXml(Execute(rqlStatement, Info.None));
        _loginGuid = new Guid(document.GetElementsByTagName("LOGIN")[0].Attributes.GetNamedItem("guid").Value);
        return _loginGuid != Guid.Empty;
    }

    Posted by RustyLogic | December 14, 2009, 1:14 pm
  12. Ooops it’s stripped out some of the code, I expect you get the idea tho … something like this…

    +

    Posted by RustyLogic | December 14, 2009, 1:17 pm
  13. Afternoon,

    I’m trying to reference the RDCMSWinAuth.dll file in Visual Studio 2008 but I’m being told it can’t be referenced. “A reference to ….\RDCMSWinAuth.dll’ could not be added. Please make sure that the file is accessible, and that it is a valid assembly or COM component.”

    I’m using the file:
    c$\Program Files\RedDot\CMS\ASPDll\RDCMSWinAuth.dll which has the version 10.00.0086.

    Any ideas what I’m doing wrong here?

    Thank you.

    Posted by Ian | January 8, 2010, 4:28 am
  14. It’s definitely COM as I can open it in OLE/COM Viewer and see all the interfaces.

    I ran a dependency walker on the file and apparently it has dependencies on GPSVC.DLL and IESHIMS.DLL that you may not have registered on your dev machine which would stop VS from adding the reference.

    Note: my instructions don’t call for referencing the DLL in a project. I believe it will be necessary for the COM component to be running inside the core RedDot application for the values to be generated correctly (hence the ASP implementation), but happy to be proved wrong.

    Posted by Richard Hauer | January 8, 2010, 8:03 am
  15. Thanks Richard, I actually don’t need to use the windows authentication login call which uses this DLL so I just removed that piece of code and it works ok now.

    Posted by Ian | January 13, 2010, 4:02 am
