If a user has installed a pfx user certificate on an Android device, chrome browser sees and asks permission to use users client certificate to access a server that accepts such certificates.
What is the Xamarin forms equivalent ?
How can we access these certificates in Xamarin form apps for Android.
Under windows (UWP) Accessing user certificates is just
httpClientHandler.ClientCertificateOptions = ClientCertificateOption.Automatic;
httpClientHandler.UseDefaultCredentials = true;
Under Android we are trying to use Custom version AndroidClienthandler
MyAndroidClientHandler clientHandler = new MyAndroidClientHandler();
In a Custom AndroidClientHandler There are 2 problems to solve
1) how to get a certificate from the users certificates from the keychain ?
Something like this post perhaps? Client Certificates on Android
2) How do you add that cert to the ClientHandler?
Can I simply do this
clientHandler.TrustedCerts.Add(cert);
or more likely
Add certificate to SSL Context
Has anyone ever managed to do a HTTPS call using an already installed client certificate from Xamarin forms ?
Looks like Android didn't provide a direct way to use a default credential, but Android provide developers with some choice to use system-wide credentials or app's private credential.
KeyChain may help to launch a system dialog for user to choose a certificate/enter the password. Refering to earlier post.
And extend AndroidClientHandler as posted here is what I found to use the client certificate.
Hope it helps.
Related
Our UWP application will be released outside of the Microsoft Store since it is a Line-Of-Business application. I scoured the internet for references and what I have gathered is that for users to be able to install our UWP application, it needs to be signed with a Trusted Certificate.
A trusted certificate can be obtained from any Certificate Authority(CA) by submitting a Certificate-Signing-Request(CSR) for code signing cert.
Now I haven't tried to get a certificate yet, as it involves payments. So, I want to be sure if I can get a .pfx certificate from the Certificate Authorities for signing our UWP application?
Will CA have the provision to select a Code signing certificate for UWP? and NOT an SSL certificate?
Yes, you should sign your app with a code-signing certificate that is trusted on each device to which you deploy the app.
You would typically use a certificate that is provided by your organization if you belong to one. The other recommended option is to purchase a certificate from a third-party provider whose public root certificate is already trusted by Windows.
If you do a Bing or Google search for "code signing certificate", you should find some trusted providers.
I have installed the Trusted Credentials / CA certificate in my android device manually. Is there any way to read this certificate through code using Xamarin Android.
While reading some Android article I am getting a feel that it is possible. But not sure how to implement this. Please help.
It is impossible to achieve this.
You can't just read a certificate from an installed profile. If you install a new root certificate then you can use that certificate to sign something and then verify (within your app) whether that signature is valid, using the installed root certificated. But you can't read the certificate outright.
I have already developed front-end application in Angular2 and back-end in ASP.net web APIs. I had used Windows authentication as enabled because I want to detect requesting user. Both applications are hosted in IIS server(Windows Server 2012).
When I load angular app it load login prompt and when give correct user credentials data loading happen correctly.
But I want to know a way to load them without login prompt, authenticate automatically.
This is the way I detect request user in web APIs.
string user = HttpContext.Current.Request.ServerVariables["LOGON_USER"]; //Get the current user...
userID = user.Split('\\')[1];
This is a sample TS script send request to Windows Authenticated Web APIs from Angular Services.
getPersonalInfo(): Observable<IPersonalInfo> {
return this._http.get(localStorage.getItem('WebApiURL') +"api/PersonalInfo/" , { withCredentials: true })
.map((response: Response) => <IPersonalInfo>response.json())
.catch(this.handleError);
}
When restart the browser this login ask every time.
I want to access them with out this login...
Actually, this login prompt occurs because there is communication between two technologies (ASP.net & Angular 2) by passing windows windows credentials. So it need shake-hand authentication when call windows authenticated API.
I was lucky to find a solution by changing privacy settings through browser. So I got ability to call API's without login prompt.
Here is the way to do that.
Settings -> Open Proxy settings -> Privacy ->Sites
In here you can add domain where your back-end APIs are already hosted as in example.
After that it take as trusted domain and further more there is no any login prompt accruing.
I have spent a lot of time on this, and I'm not sure it can be done. If you enable Anon Access then the [Authorisation] on the controllers works fine. But you can't detect the username.
If you disable the Anon Access then you can obtain the username NETWORK//USERNAME but if you access a method with the [Authorize] attribute then you get the popup dialog you have got.
I really don't want to go back to a username/password solution but it is looking like I am going to have to.
Can the CordovaApp.pfx in res\native\windows be used to create a .aetx token?
Signing is handled automatically with VS2015 community + Cordova when deploying a package for release.
Sample CordovaApp.pfx https://github.com/dbiele/TypeScript-Cordova-SystemJS-Angular2-beta/tree/master/res/native/windows
Here's instructions on how to create .aetx from .pfx = link
All I get when trying to convert is: Invalid certificate or password
An .aetx token can only be created if a Enterprise Mobile Code Signing Certificate from Symantec Corp has been purchased. Without the certificate, AetGenerator.exe is unable to create an .aetx from the .pfx.
Explanation on how to use AETX and Mobile Certificates.
https://msdn.microsoft.com/en-us/magazine/dn296515.aspx
Download Root Certificates
https://knowledge.symantec.com/support/code-signing-support/index?page=content&id=SO20770&actp=search&viewlocale=en_US
Instructions on how to sign an app
https://msdn.microsoft.com/en-us/library/windows/apps/jj735576(v=vs.105).aspx
I hope this helps!
I have an Intranet application with Windows Authentication. Everything works fine. However, for some sensitive operations (it could be approving AP check, or grading a student) I need to get user's id and password. The goal is to prevent somebody walking to unattended terminal, and generally for non-repudiation. Trivial with forms authentication - but I can't figure out how to do it with Windows authentication.
I don't think it matters, but it's MVC application and authentication is done against Active Directory
Typically, server application needs to issue HTTP Status Code 401 to tell client for authentication information. However, in case of windows authentication, once user is authenticated, the token is cached by client system or browser and used subsequently whenever needed. So in your case, even if you issue 401, client will send the same token again - so your main problem of abusing unattended terminal will not get solved (as user already logged in there into the system).
One of the way could be simulate forms authentication from the application - i.e. on sensitive operations, prompt user for his/her windows password again (note that you will be already having user's name(identity) if you are using windows authentication) and then re-validate that password using active directory API (or logon user windows API).
Personally, I feel that you are trying to solve the problem at server which is wrong end - I would rather have a IT policy that prohibits unlocked unattended terminals - either user should lock the workstation or have a password protected screen saver. Typically, these things can be somewhat enforced via group policy.
In my webforms app I've got one page set as only allowing Windows Auth and no others, and then to get the username (since they have to have already done the 401 auth procedure via the browser) I get their username like thus:
string username = Request.ServerVariables["LOGON_USER"];
and then I can query the Membership provider to get the user information from the infrastructure.
Or are you trying to manually do the 401 auth process?
how to manually authenticate user in asp.net windows authentication