I have implemented SSO into my ASPX application and set the authentication mode as follows:
<authentication mode="Windows" />
Is it possible to enforce a session timeout for applications which use the authentication mode from above?
Related
I have implemented SignalR in my ASP.NET WebForms application and am successfully connecting to the hub. However, when a call is made to the database (SQL Server) I get Login failed for user 'MY_DOMAIN\MY_PC_NAME'. Note that the user being failed is the PC name and not the user I am impersonating (see below).
My Web.Config is set to impersonate a user who does have access to the database and this works for all calls made to the database that are not via SignalR processes.
IIS is set to use Windows Authentication for the application (and also has ASP.NET Impersonation enabled).
During debug of the SignalR process, the Context.User.Identity is the user that is authenticated in the browser session.
Is there a way to ensure that the impersonated user in the Web.Config is honored by SignalR when making SQL calls?
For reference:
Impersonate Tag in Web.Config: <identity impersonate="true" userName="MY_DOMAIN\MY_USER" password="MY_PASSWORD" />
Connection String in Web.Config: <add name="SiteDatabase" connectionString="Server=SERVER_NAME; Database=DATABASE_NAME; Integrated Security=SSPI" />
I changed the AppPool identity in IIS from LocalSystem to use the same user as that set in the impersonate of the Web.Config file and the SignalR process successfully connects to the database!
I don't know yet if this is the perfect solution or why SignalR won't honor the Web.Config impersonate, but it at least gets me going...
I have a web app, in the web.config, I have following settings:
<authentication mode="Windows"/>
<identity impersonate="true" userName="domain01\user01" password="***"/>
I deployed the app to Windows 2008 (IIS 7), the Identity of the application pool is domain01\user01, and in the Authentication of the app, I have following set:
Anonymous Authentication Disabled
ASP.NET Impersonation Enabled
Basic Authentication Disabled
Digest Authentication Disabled
Forms Authentication Disabled
Windows Authentication Enabled
Now I need to get the user name who is currently logged on the machine, could be any authorized user with different domain. But no matter what I tired, I always got the impersonated user domain01\user01. I tried, HttpContext, WindowsIdentity, etc. Does anybody know how do I get the correct user name without changing my settings?
You are specifying domain01\username as the identity that you want to impersonate. That is why the current user is always that. If you remove the configured identity you will get the actual logged in user.
<identity impersonate="true" />
This is documented here:
http://msdn.microsoft.com/en-us/library/xh507fc5(v=vs.85).aspx
I'm using Forms Authentication in my current ASP.NET Web Application (not MVC) and my IIS 6 server is configured with the following options:
in the [directory security tab] -> [Authentication Methods] I have:
the anonymous access Enabled
Integrated windows authentication Enabled
Do the above options prevent Forms Authentication from working properly? In other words, what is the proper IIS 6 configuration for Forms Authentication?
EDIT
I just made test with the two options above enabled and the Forms Authentication session expired and redirected me to the login page, but all the answers so far advise that [Integrated windows authentication] should be off!
Here is a check list for using ASP.NET Forms Authentication on IIS6
Configure IIS:
In IIS, Site Properties -> Directory Security -> Authentication and Access Control
Enable Anonymous Access
Disable all Authenticated access methods
Configure Forms Authentication:
Configure Forms Authentication in your site's web.config:
<authentication mode="Forms">
<forms name="MySite"
path="/"
loginUrl="~/logon.aspx"
protection="All"
timeout="30"
slidingExpiration="true" />
</authentication>
Your name and loginUrl may vary. The slidigExpiration attribute is used to keep extending the forms authentication cookie lifetime rather than just kicking the user off of the site after the timeout has expired. The timeout value is in minutes.
Configure Session Timeout:
You need to configure your session state timeout to be longer than your Forms Authentication ticket expiry. If you don't do this then an idle session can time out the session but leave the user logged in. Code that expects Session values to be present will throw exceptions because they are gone even though they are still authenticated. The timeout value is also in minutes.
<sessionState mode="InProc" timeout="40" />
Because forms authentication does not rely on IIS authentication, you should configure anonymous access for your application in IIS if you intend to use forms authentication in your ASP.NET application.
See here http://msdn.microsoft.com/en-us/library/ff647070.aspx for more information.
The anonymous access should be enabled, I don't think integrated windows authentication makes a difference but if you're not going to need it then it's best to turn it off. The important thing to remember is to make sure it's turned on in web.config:
<authentication mode="Forms" />
Here's a basic tutorial that might be useful:
Overview of Forms Authentication
Anonymous access -> checked
All other option on the security tab -> unchecked
Note, forms authentication is done by .NET - not by IIS. Also, Windows Authentication MUST be off as well.
Rather technical explanaitions by MS.
In my website, I am not using any authentication or authorization. I've created login page to capture the user credentials and check against database. If the user successfully authenticates, it's storing the user data in session and navigating to other pages.
How thinking of implementing Forms Authentication, but my concern is how to secure the authentication token in client browser for security reasons. Does anyone have any ideas how to secure the authentication token?
Session:
Fast, Scalable, and Secure Session State Management for Your Web Applications
Authentication:
How To: Protect Forms Authentication in ASP.NET 2.0
Step 1. Configure
Ensure that your forms authentication
tickets are encrypted and integrity
checked by setting protection="All" on
the element. This is the
default setting and you can view this
in the Machine.config.comments file.
<forms protection="All" ... />
Step 2. Use SHA1 for HMAC Generation and AES for Encryption
<machineKey
validationKey="AutoGenerate,IsolateApps"
decryptionKey="AutoGenerate,IsolateApps"
decryption="Auto"
validation="SHA1" />
Step 3. Protect Authentication Tickets with SSL
<forms loginUrl="Secure\Login.aspx"
requireSSL="true" ... />
Environment is IIS 7 integrated pipeline, ASP.NET 4.0. I have a .aspx page configured without anonymous authentication and with windows authentication:
<location path="auth/windows">
<system.webServer>
<security>
<authentication>
<anonymousAuthentication enabled="false" />
<windowsAuthentication enabled="true" />
</authentication>
</security>
</system.webServer>
</location>
When I request the page, a normal Windows auth (NTLM/Negotiate) challenge response happens, and ultimately the page is returned.
I have an HttpModule in which I handle the PostAuthorize event. As expected, this event is only raised once the challenge-response authentication has succeeded and access to the page has been authorized.
However, the Request.IsAuthenticated property is false; and HttpContext.Current.User.Identity reflects an unauthenticated user (.Name returns the empty string). Interestingly, Request.ServerVariables["LOGON_USER"] does return the value of the authenticated Windows user.
I'd have thought that once the user was authenticated (and authorized, for that matter), the request would reflect being authenticated; and the User / Identity for the request would have been properly set.
Any thoughts on why this is not the case?
Thanks,
Donnie
It turns out that the native handling of Windows authentication works when you have Forms authentication enabled in Web.config. But the managed part of Windows authentication - associating the authenticated Windows user with an IIdentity-derived object representing that user - only happens if Windows authentication is enabled in Web.config. Looks like I'll have to rely on the Request.ServerVariables["LOGON_USER"] value.
windows Authentication is enabled in IIS and authentication mode set to windows in my web.config file.
<authentication mode="Windows">
</authentication>
My site is asking for credentials and it's working fine. but when check using
HttpContext.User.Identity.Name
is empty string
Or
HttpContext.User.Identity.IsAuthenticated is false;
I used Request.ServerVariables["LOGON_USER"].Tostring(); to get logged in user credentials.
It worked for me, Thanks for Posting soccerdad.