I am currently maintaining web applications available from a secure network. My users connect to the network within a VPN connection using L2TP/IPSec, to which they authenticate using their user id and password. When they access the web application, they also have to authenticate again with the same user id and password.
Since they have authenticated once to the VPN already, is it possible for the application to verify their authentication status and get their identity from the VPN?
Thank you!
It really depends on your VPN server and the capabilities of your web app. If your web app can access the VPN servers logs, current connections or API than yeah you might be able to set something up.
George
Related
We have developed a web application to display sensitive information over our company's intranet. We had initially planned to implement sufficient security to allow remote access via the intranet to the application through a browser. But, due to an unforeseen requirements from our security team, we have decided not to allow remote access. We would still like a small number of users to be able to access the application, so here's the question. How can you host a web application in IIS visible only to users logged into the hosting machine? (The machine is both the host of the web app, and the only machine where the web app would be visible.)
I'm relatively new to IIS, so please speak as plainly as possible.
It seems like their must exist some setting in IIS to limit incoming and outgoing requests to the current machine.
It's possible to block all IP addresses with the following:
Which can be found in IIS 7 at this location:
We are migrating from a dedicated server with a local virtual SMTP server to Windows Azure. As far as I can tell Windows Azure does not allow a local SMTP server to be setup in IIS. The SMTP Server option in the management console is missing. How would I setup an email relay so that I can have a .net web application send emails from a Windows Server 2012 virtual machine in Azure?
This is more like corollary to what #mcollier has stated. Given that you are already on Azure and you get 25,000 free emails (there are higher plans as well) with your subscription as well.
You can configure a Virtual SMTP server which relays to the sendgrid services. For the development perspective you will have the view of using your own SMTP server / service. Setting up a sendgrid based service is explained in this link.
I have used sendgrid earlier and my experience with this was amazing. As #mcollier has pointed out, using services like Sendgrid will give good chance of staying away from spam problem, if you try to setup and use the SMTP service of your own because of the reverse lookup etc.
PS: The above Virtual SMTP Server can be replaced with Amazon SES, which is equivalently a good service. Check out more info here.
First, assuming you're using a Windows Azure IaaS VM. Correct? If so, I think you need to enable that role/feature in Windows Server.
Second, why the need to send emails from that specific server? Would a service like SendGrid work? One problem people sometimes have with email servers in Windows Azure is the domain of your service (something.cloudapp.net) does not match your vanity domain when a reverse DNS lookup is performed. This could cause the email to be flagged as spam (since you don't technically own the sending domain, something.cloudapp.net).
I developed an direct relay application using the normal RFC email commands and lock that on my application, but strange that some test emails get delivered using the relay on windows AZURE VM, and all other mails are not getting any bounce response, and making a sense that every email is being delivering,
This is strange behaviour on azure vm.
so it means you can't send email using azure vm as a smtp mail server, if like to test then simply download promailer marketing manager from jsmtp.com
We have a windows domain and we are starting to deploy applications onto external servers outside of the network, to simplify authentication we would like to capture the users network username to achieve authentication.
Is there any way of capturing this from an ASP.Net website hosted outside of our network? If so, is this straightforward?
We have a web site that we have moved to LDAP authentication. But we are getting many "server not available" LDAP errors, even though the LDAP server remains in service. Do I need to worry about multiple users, each in their own thread causing concurrent authentication requests to the LDAP server and or causing too much authentication traffic for the LDAP server?. Does an (OSI) application accept multiple connections on the same incoming port at the same time or does it have to process them sequentially? Does it accept multiple connections from the same client (my web server) at the same time? If either of these are concerns, how do I architect my solution to overcome them? Should I be creating an single authentication object that is attached to the application object? Or is it o.k. to create it in each individual session/thread?
The FirstClass email system can provide LDAP services on port 389 out the 'front' of the application, and out the back, it can retrieve data from a different LDAP server.
What I would suggest is find out if there is a back end LDAP server and ask for permission to use that directly instead of proxying through FirstClass.
Man its been a while since I last saw FirstClass! Good to see they are still around!
Here's the desired setup:
Service with wsHttpBinding is on IIS 6 on Machine 1 behind the firewall.
Client is front end website on IIS 6 on Machine 2 on a DMZ.
We are currently able to authenticate the client using Windows authentication, but with impersonation
<identity impersonate="true" userName="OurCompany\Me" password="Blahblahblah" />
since the website would use the "ASPNET" as username, which is not in the domain.
We now want to move away from this method, because of safety issue; we don't want to expose this kind of info on the DMZ.
Is there any way to get authenticated properly without using
the impersonate on the client
config?
If we changed so that we use
certificate authentication, would it
affect service operations that
require impersonations (needed
impersonations for file access on
the network for example)?
thanks.
This has been resolved now, and I think it'd be constructive to share the solutions.
In terms of my original question - whether it's able to do impersonation without setting it explicitly in the config or in the front end code. As mentioned by the above, the App Pool method does work, but only when both the client and server are on the same domain.
Since the web site client being situated in the DMZ has no access of the local network at all, meaning we are unable to impersonate any network user (this is a flaw in my original question, saying the impersonation works - it was actually not working).
So the only way to go was using certificate. Since this is internal communications, I have generated a test certificate on each of the server / client sides with the makecert. Using peer trust certificate authentications, I am able to get the communication working between the client and the server. This will ensure that no Windows / network user account information is presented in the DMZ zone.