I have 2 sites(let me call them siteA, siteB), Both of them are windows authentication. A iPad user can access siteA through a prompt dialog to input username and password. but when the iPad user is redirected to siteB, the prompt dialog show again to let user input username and password. Is there any way to share the credential between the 2 sites?
of course, if you want pass windows authentication without prompt dialog, you must set a authentication header in your http request.
So, if you are in Site A, then be redirected to site B, you must manipulate http request to site B, add authentication header to it, but HTTP headers are valid only for the current response. so you can not deal by this way.
Another alternative solution is using some extension on your browser, that pre-config user/password for each site has windows authentication.
Related
I've a sub-application that I want to use windows authentication.
I want that login box pops up even in the domain when the person first reaches the page.
When I turn off Kernel-mode authentication, the login box pops up, but fails with error 401 Not Authorized after 3 login attempts.
If I turn this on, It doesn't even asks for the password,I believe this is due the computer is in the servers domain and the credentials are passed automatically.
Is there any possibility to show login form for all users, including domain users?
In the image below are my server configs.
Windows Authentication is normally handled by IIS. This is the way it works:
Client requests the page.
IIS returns a HTTP 401 response, with a header saying that it accepts Windows auth.
The client's browser automatically resends the request with the users credentials (as long as the site is trusted).
IIS verifies the user and passes the credentials to the application.
This is all designed to be seamless.
If you want the user to be prompted for credentials all the time, then either:
Make sure your site is not trusted (not in the Internet Options Trusted Sites or Intranet Sites). But you may not be able to do that.
Don't use Windows authentication. Uses Forms authentication and make a login page where the users can enter their credentials. But that means that you will have to verify the credentials against Windows or Active Directory yourself in your code.
If you use #2, then also make sure to use SSL on your site since passwords will be sent in plain text.
You can use Basic authentication. It will prompt the user for credentials and once entered, it will give you a seamless experience.
However, the disadvantage with basic auth is that it sends the password in plain text to the server. You can use SSL certificate to encrypt this information.
I am developing a website using WIF-ADFS technology to achieve single sign on (SSO).
As such, the page will first automatically redirected to the ADFS Page, however the users will then need to input their ADFS Login Credential.
If ADFS-Login is successful, the page will then redirect back to my site with the claims.
The questions are:
Can I omit the ADFS-Login step? regardless of my device and my working network?
If yes, what response should I expect if the user is not recognized by ADFS? will there be no claims sent?
You can not omit the ADFS login step.
If everything is configured correctly in ADFS, IE and Chrome will likely do automatic logon. Firefox won't, Mobile devices won't and Linux machines won't also.
If a user is not authenticated ADFS will never send him back to your application. If a user accesses your application without being authenticated, he will be redirected (or the access will be denied).
I'm trying to add LDAP support to an existing ASP.NET website that uses Form Authentication. This is not a big problem, I just build a simple login dialog (ordinary HTTP POST), query the LDAP directory and log the user in via Form Authentication ticket.
It would be extremely nice to automatically get the users credentials via NTLM (Integrated Windows Authentication) without the need for a login dialog (like what you get when using ASP.NET Windows Authentication with computers in the same Active Directory). Is there an easy way to do this (keep in mind, I can't use Windows Authentication for my ASP.NET app and the server is not in an Active Directory Domain, I need to be able to query LDAP directory manually)? Or would I have to manually do all the LDAP handshaking / challenge/response thingy?
Thanks for your help,
~ saxx
I do just this on my intranet here. These are the steps I use...
Create a login page (login.aspx seems good) & set the web app up for forms authentication. Set authorisation as deny anonymous. These means any attempt to use your app will cause the user to be redirected to your login page if they don't have a auth ticket.
Now the important step. In IIS, set the app to allow anonymous only. On your login page change this to only be Windows Integrated. Now what happens is when the user is bounced to your login page, IIS forces an NTLM authentication. We now have the users name in the headers.
2nd important step. in the page_load method add:
FormsAuthentication.RedirectFromLoginPage(Request.ServerVariables["Logon_user"], false);
What this does is take the username IIS will always give us and put into a forms auth ticket.
There's of course a certain amount of tidying up you may want to do, perhaps adding a logout feature, or stripping the domain name of the username.
Simon
I need help on authenticating users based on their location. The problem is this: If the users come to the web site out of domain then the user must fill a login page and the credentials he provided must be authenticated from a custom credential store. If the user is an Active Directory user, he must be directed to the resource he wants without asking for credentials.
If I enable both Anonymous Auth and Windows Auth for the web server, Anonymous Auth comes first and even the user is an Active Directory user I can't access his domain information.
Anyone can help?
One way I know is to set a single page, like AdLogin.aspx, to deny anonymous users and have that page log them into the Forms Authenication module. You then have to create a custom 401 error page that redirects to your Forms login page from your AdLogin. The one thing I don't like is that AD users try to login through the Forms login page all of the time, and it's hard to bookmark the AdLogin page because it just does an automatic redirect. I also don't like that it's so dependent on a custom IIS configuration.
See my answered here for details: ASP.NET Application to authenticate to Active Directory or SQL via Windows Authentication or Forms Authentication
How about publishing the website with 2 different Webapplications?
You could configer the internal one to use Windows Auth, and the external one to use Anonymous. If the user requests a site that requiers auth, you allow them to authenticate.
You can also post an "Login" Link on your (external) webpage, that will allow the user to manually log in on the external site. But if you allow a Page to use anonymous, then you have to consider that you wont know who the user is currently.
Is it possible to programatically authenticate a user using NTLM (on asp.net)?
I would like to have control over the look and feel of the website where I would have a form that users enter their username/password. I would then query NTLM to validate the provided information and if valid, redirect them to a virtual directory?
NTLM is the protocol the web browser would talk directly to the web server (e. g. IIS) to authenticate the user, without your application being involved. That's what you want to avoid, because you want to present a "nice" logon form.
So what you need to do is: prompt for user name and password in a form, and validate these credentials against Active Directory yourself. Here is a Microsoft article describing how to do it in ASP.NET: http://support.microsoft.com/kb/326340/en-us
However please remember a few points:
Don't forget that, unlike in case of NTLM, user's passwords will be transmitted in clear text unless you use SSL to publish the web site. You never should users allow to enter their AD password on an unencrypted web site.
If some of your users were automatically authenticated (transparent login, no prompt for password at all) before, which should be the default behavior in an Intranet scenario, these users won't like your login form, no matter how nice it looks...
The default behavior in IIS6 would be that only pages generated by ASP.NET would be protected; as you would have to configure IIS to allow anonymous requests to the applications, static files could be requested by any user.