My Situation
I have an intranet MVC application which uses, by mandate, integrated Windows Authentication. It hosts both a business UI and some WebAPI endpoints. I have an endpoint which must consumed by a SAP PI (Process Integration) REST adapter, which is hosted in Java. The SAP developer has only option for authentication: basic.
The Question
How can a SAP or any Java client authenticate to a Windows web application? My company really demands that this call eventually resolves to a Windows account, so mixed forms auth wont fly here. Any suggestions?
My Ideas
One thought I had was to have them encrypt windows credentials in a string and drop them in the headers or in the body of the message. I could then decrypt on my end, impersonate, and, if valid, execute the POST. This seems pretty bad to me, but I could get it to work. However, I think there must be something better out there.
Related
I have a ASP.Net WebAPI service that is used by my AngularJS front end and I am making use of Owin and bearer token.
Now there is a need that we need to install an agent on the few of the client machines (developed in .Net core mostly) that is able to connect to our application and make similar calls. I can create a separate controller for this need, but want to host it in the same website.
How can I create a secure connection between this agent and the ASP.Net server hosted on Azure?
Currently I am looking at generating a Token during the agent installation based on the client MAC address and giving it with each call, but I am checking if there are any better way to address this need.
Any help in this direction is welcome.
Regards
Kiran
It seems that you’d like to enable only valid “agents” that installed on the client machines to communicate with your server, if that is the case, Azure AD provides Native Application to Web API authentication scenario (a native application that runs on a phone, tablet, or PC needs to authenticate a user to get resources from a web API that is secured by Azure AD), you could refer to it.
I am being driven slowly and inexorably mad by the setup of IIS to allow access to Exchange Web Services from ASP.NET website that uses Windows Authentication. I have found literally dozens of articles on how to set this up, each of which seems to say something different, or else describes a process to me that fails when I duplicate it, presumably by there being some assumed knowledge on my part.
Application uses windows authentication to identify the user.
Application sends emails using EWS such that the email ends up in the users "sent items"
Exchange is hosted on a separate server than the web server, so I am assuming the "double-hop" I have read about issue is occurring. I am not a sysadmin, so I do not really understand this.
Is there some clear way for me to setup this up to work, and then potentially troubleshoot the problem?
Yes, from your description it certainly looks like a double-hop problem. It's non-trivial to fix, basically you need to setup delegation between the web server and the exchange server to for the web server to be able to use the kerberos ticket issued when the user logs in to the web server.
I have yet to deploy a single solution that actually does that. We have always ended up either using a service account (with appropriate access rights to exchange, mailboxes etc.) or place the web application on the exchange server. Neither option is particularly elegant, but in most cases operations teams have been unwilling to set up delegation or known how to do it properly.
I have an ASP NET web app that uses identity impersonation. However, there is an SQL connection string that I must use with SQL Server to retrieve data that relies on a Trusted Connection. Is there any way I can specify a Windows account to communicate with SQL, but still use impersonation in the rest of my web app? If it makes a difference, this application uses .net 4.0, connecting to SQL 2008.
I've read several posts already on SO (including this one - When using Trusted_Connection=true and SQL Server authentication, will this effect performance?), but I haven't found a cohesive answer to my question.
Ultimately I wanted to be sure that the same rules apply now, that Identity Impersonation on a web app will pass user credentials to a sql database using Windows AD authentication. Based on the comments above, that seems to be the case. Thanks everyone for their time, should any future readers see this Q&A and say "Eric's wrong and he's an idiot!", please feel free to correct me accordingly
I have an asp.net web app which works fine in Windows XP machine in a domain. I am porting it to a Windows 7 stand alone machine. The app uses a web service which makes a call to sql server. The web server (IIS 7.5) and SQL Server are on the same stand alone machine.
I enabled Windows authentication for the website and web service. The web service uses a trusted connection connection string. The web service credentials uses System.Net.CredentialCache.DefaultCredentials. I noticed username, password and domainname are blank after the call! The webservice and web site use the 'Classic .NET AppPool' with NetworkServices identity.
I am getting an exception "NT AUTHORITY\ANONYMOUS LOGON" in the database call in the web service. I am assuming it's related to the blank credentials.
I am expecting ASPNET user to be the security token to the database. Why is this not happening? Did I miss a setting?
(Usually this happens when sql server and web server are on two different machines in a domain, delegation & double hopping, but in my case everything is on a dev box)
It sounds like you're experiencing the "double hop" problem. It basically means that you're not allowed to forward the clients privileges to a third party, usually a sql server on another machine.
I've answered this before, perhaps that answer will help you further.
Your problem seems to be related to the web service passing the correct credentials to SQL server.
There are a few layers of security for you to check. But the first and easiest is to make sure you have disabled any security other than Windows Integrated. IIS will always use the simplest security protocol. So if you have Anonymous and Windows Integrated enabled then you web site will always choose Anonymous.
Next each site in IIS7+ runs under an app pool which can have separate security. Then under all that the IIS Windows Service runs under a specific account.
Buy default you shouldn't really have much problem with app pool and IIS security as it pretty much works out of the box, but it's worth checking.
One more thing I would check is the named pipes in SQL. My knowledge isn't vast but I know that named pipes can be used for communication on the same server between various applications, IIS and SQL being two of them.
If names pipes is disabled through the SQL configuration manager then I would have expected a different error, but it's worth enabling.
Hope this helps.
Mike
I have a fairly complex business application written in ASP.NET that is deployed on a hosted server. The site uses Forms Authentication, and there are about a dozen different roles defined. Employees and customers are both users of the application.
Now I have the requirement to develop a Windows Mobile client for the application that allows a very specialized set of tasks to be performed from a device, as opposed to a browser on a laptop. The client wants to increase productivity with this measure. Only employees will use this application.
I feel that it would make sense to re-use the security infrastructure that is already in place. The client does not need offline capability.
My thought is to deploy a set of web services to a folder of the existing site that only the new role "web service" has access to, and to use Forms Authentication (from a Windows Mobile 5/.Net 3.5 client).
I did see this question and I am aware of the limitations that Forms Authentication poses. Since security is not my primary motivator (I use SSL and can restrict access by IP address), but rather using existing user accounts and roles, my decision tree is somewhat different as well.
Can I do this, is it a good idea, and are there any code examples/references that you can point me to?
I ended up with a combination of things. First, forms authentication does not really work in this scenario, because of the redirects that you get when a users is not logged in or the credentials are incorrect.
Because I want to use the user accounts from the web app, I worked around this by just calling Membership.ValidateUser prior to processing each service call on the server.
A user is prompted for an id and password when logging on to the client. I store both values encrypted in the proxy class and pass them transparently with each call using a host header, so that the application does not have to bother with this once the user is logged in, i.e. the credentials were validated once by calling the Login() service method (which only calls Membership.ValidateUser).
I use the CryptoApi on both the server and the client side.
I understand that host headers are somewhat outdated for security applications, but since I use strong encryption AND SSL, it is perfectly adequate.