Latest version of Microsoft Office block MS-OFBA requests - webdav

In regards to the following message in Office 365 (and Office apps):
To help provide additional security coverage, we are changing how
form-based authentication in Office applications is handled.
Forms-based authentication is a legacy authentication method for
Office resources that are not protected by Azure Active Directory
(AAD) or Microsoft account (MSA).
A new update was recently rolled out across the suite which impedes users from accessing servers which implement MS-OFBA, citing it as insecure.
If this is the case, what is the preferred way of authenticating users against a WebDAV service?

Unfortunately, we do not know any solution for this issue currently. Authentication against Azure AD does not help - this message appears anyway. Also, Microsoft did not provide an alternative for MS-OFBA as war as we know. Fortunately, you just need one click and this message does not show any more.

Hmm, there must be a way around this problem.
If we use Azure AD to authenticate against our WebDAV-server (such as IT Hit WebDAV), then isn't this exactly what we have when we use Office apps against documents stored in SharePoint Online (which in a sense is a webdav server protected by Azure AD)? And in that case, there is no warning.
I believe that it must be possible to do what Microsoft does here, I don't think they have legal rights to use "back-doors" to implement things that other companies can't. Have you investigated this, IT HIT?

Related

ASP.NET Identity and mobile clients

The latest version of ASP.NET includes the new authentication framework ASP.NET Identity, which should be the core building block for user management in all new and near future ASP.NET projects and websites.
I have seen that it can integrate with the WebAPI quite nicely, but haven't seen any example of integration as authentication for mobile client devices. For example - suppose I have a ASP.NET website with Identity implemented in use. Now I want to build client applications for Windows 8.1 and Windows Phone 8. I see two main issues that are limiting this.
Firstly - ASP.NET Identity apparently issues only short-lived auth. tokens, which is quite a bad user experience for mobile applications. I have seen some attempts to create a refresh token mechanism - http://leastprivilege.com/2013/11/15/adding-refresh-tokens-to-a-web-api-v2-authorization-server/ . This is quite a nice approach, but it would still be more interesting to see a really built in solution.
Second - and maybe more important - external authentication provider support. On the ASP.NET Identity website it is quite clear and easy to see a way to authenticate via WebAPI, but I haven't seen this in use with external authentication. How is it possible to get the authentication URLs for Facebook, Microsoft and Twitter and how can the authentication flow be completed from within the app?
Has anyone some experience with this? It would be great to find a complete walkthrough, I will gladly reward the correct solution with some bounty points :-) .
The problem is that security is complicated and that Microsoft's solutions only address the simple scenarios.
Also, you're consing terminology (which increases everyone's confusion, including your own). ASP.NET Identity manages users' credentials stored in a database. It's unrelated to the type of application that needs to validate credentials (mobile, api, browser, desktop, etc).
Katana middleware is what allows an application to authenticate the caller. There's cookie middleware for browser applications, external middleware for google, facebook, WS-Fed, etc, and then there's OAuth2 for API applications. Each work differently based upon the nature of the application. Some of them interact as well, depending on the requirements of the application.
I don't mean to pick on you -- this is more of a complaint about Microsoft's lack of education/documentation in the frameworks they provide. And I suppose this is an answer to your question -- Microsoft doesn't have what you're asking for. They have bits and pieces, but you're left to connect the dots.
Some links that might help:
http://www.asp.net/identity
http://www.asp.net/web-api/overview/security
http://www.asp.net/vnext/overview/authentication
http://brockallen.com/category/owin-katana/
http://leastprivilege.com/category/katana/
http://leastprivilege.com/category/webapi/
HTH

Can I receive SAML 2.0 message in ASP.NET without WIF?

We are planning to receive a SAML assertion from another website into ours (ASP.NET). No one here has ever worked with SAML. We simply need to verify the signed assertion, decrypt the token containing a user id and if we can verify it, log them into our site (authenticate/authorize). We are using Forms Authentication for all other authentication. I would like to avoid installing WIF if possible because my understanding is we'd have to install the runtime on all the developers machines and servers. Our machines are locked down by policy such that it would be a lot of paper work to get it installed. Are there alternatives to WIF and are they realistic to use in an enterprise environment? If so, can someone point me in the right direction, a good tutorial, video, book or anything with examples would be helpful? I looked at some third party components but I'd have the same issue as with WIF on our servers (not to mention dealing with procurement).
Thanks
Is this internal or an external facing application? You may want to checkout PingOne.com Application Provider Services (APS) [Note: I work for Ping]. PingOne handles all the SAML protocol stuff for you and provides self-service capabilities, reporting, etc. No need to install WIF... just a few lines of .NET code (or whatever) to integrate with the RESTful service that PingOne provides.
HTH - Ian

what do you need to do for RSA securid integration into your web application?

We have clients who have RSA securid deployed within their premises and we want to sell our product to them. We need to integrate with their 2 factor authentication setup for authentication into our product.
We have an asp.net (C#) web based application that is exposed to the clients and which needs to support authentication using their own securid setup.
Can someone please help me in getting this support implemented? Pointers to existing documentation are also welcome.
I searched through the queries on this forum and found that most are talking about giving token generation mechanism on your web application itself but I don't think that is the approach that is required for our use case.
have you checked out the web sdk from RSA?
http://www.emc.com/security/rsa-securid/rsa-securid-software-authenticators/web-sdk.htm

How to migrate applications from Classic ASP to ASP.NET MVC?

Currently, we have many web applications (external & internal) developed using Classic ASP through .NET 2.0 technologies. Each of those web applications have their own login screen authenticating against their own custom database or using Windows authentication. Users have access to one or more of these applications, meaning they have to log out and log back into applications that they would like to access. All applications share some part of the back-end data sources. Also, the business logic is embedded in the UI in addition to being duplicated across applications because there is no code/business logic sharing. Screenshot #1 gives a brief idea of the existing architecture.
Screenshot #2 shows the suggested architecture, which I hope will help in faster development, code/business re-usability and may be simpler maintenance. Users will access either external or internal url. In external, users will provide credentials and will be authenticated against custom database. In internal site, users will be automatically logged in using Windows authentication. After creating some samples, I have begun to like ASP.NET MVC 3. It keeps business logic separate from UI and I also like the unit testing capabilities.
Here are my questions:
Based on what I have found on the web so far, multiple authentications are not feasible within a single website. My understanding is that I have to host one website for each type of authentication (Forms and Windows). How do I redirect users to common landing page after they are authenticated so they can see the modules (links/menus) that they are authorized to access? Should I have to publish the same code set (dlls and content) to both the websites?
Has anyone faced a similar architecture problem? If yes, could you please share the challenges that you faced and how you tackled them? What are the industry standards in designing applications of this sort?
Does the suggested architecture make any sense or is it a really bad design? Are there any drawbacks in doing this in ASP.NET MVC 3?
I would really appreciate your inputs.
Thanks in advance.
I would set up a seperate web site which only handles the windows authentication. I would then rely on something like OpenID and/or OAuth to ask for credentials/token to make sure to user has proper access.
The user that want to sign in using windows credentials go through that process because you are right in that a IIS server running windows authentication is hard to mix with other stuff.
You can set up some kind of claim based network of thrust in which you applications get thier credentials from trusted sources and through that process you can negotiate and control access privileges cross many web sites. As long as your not doing custom hosting or white label branding you can have everything in one place (or even if you did you could design it so that you have a central solution of handing out authentication tokens).
Keep in mind the difference between Authentication and Authorization. You presumably want a single authentication mechanism (or maybe two, one for internal and one for external users). There is a similar post here that lays out some pretty good guidelines: How to allow multiple authentication methods in ASP.NET?
On one project we built a common controller class used in every page of the site. It handled authentication and access control. When a user tried to access any page it checked to see if they had a session identification cookie. If they did not they were required to authenticate(login). A challenge was doing a good implementation of the security. Current browsers have many flaws that make this difficult.

UAG (Microsoft Forefront Unified Access Gateway) authentication for .NET website

Help!
I am absolutely clueless on this. I've been told that the web application I'm building (.net 4 / mvc3 / c# / sql server) will be "sitting behind UAG so we can silently authenticate". I've no idea now how to approach the authentication part of the build in my dev environment.
Should I just use "windows authentication"? Will that be the required setting when the application goes live? How do I test the authentication?
The people asking me to do this are currently just getting started with UAG too do so any help, pointers, explanations or suggestions will be very much appreciated.
To put the situation in context, this application will be accessible via the company network internally, and also via the web externally (via UAG portal, of course). The company is on Active Directory, and all I actually need to "pull through" to the application to get further people entity data is the AD username.
Thanks in advance..
:)
Which authentication method you use depends completely on your application. I wouldn't worry too much about the UAG, as the idea should be that an existing web application can sit behind this product, rather than we have to customise our web application to sit behind this product. UAG should do the authentication/credential creation heavy lifting.
So in that regard, what is your user model? Do you want people to have to log on, or should their Windows credential be sufficient? Do we want Forms Authentication or Windows?
As an aside, we used the product when it was IAG, and it wasn't the greatest. If there was one thing it definitely did NOT enable was silent authentication. We had more problems with it than the problems it was trying to solve!

Resources