I am developing an intranet application and would like to use the existing organisations Active Directory for user authentication and policy based role authorisation.
Can someone point me in the right direction? I am getting a bit confused (well actually a lot confused).
Thankyou
Per Authentication and Autorization resources under http://docs.asp.net/en/latest/security/index.html
First start a new ASP.Net Web Application project, Pick the Web Application template then on the right pane press the "Change Authentication" button and pick "Windows Authentication".
You can now use [Authorize] on a class or method to check basic authentication vs active directory as of RC2 you can simply use the group names ala [Authorize(Roles=#"DOMAIN\GROUP")]
The now obsolete and cumbersome alternative (still works):
If you look at User.Claims you can see the groupsid keys exist for each of the user's groups. Building off that you can do something like [Authorize(Policy="FOOBAR")] and define it in your Startup.ConfigureServices method via
services.AddAuthorization(
o => o.AddPolicy(
"FOOBAR",
p => p.RequireClaim("http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid",
"ENTER GROUP SID")
));
Note that the second param to RequireClaim is a string array to allow for multiple groups.
Also note to figure out group ids via this command line magic dsquery group -name “ENTER GROUP NAME” | dsget group -sid
Related
I'm having trouble adding a connection in the Kusto.Explorer desktop app 1.0.3.949. I can login via Web UI but in the desktop app it gives me this error:
This normally represents a permanent error, and retrying is unlikely to help.
Please provide the following information when contacting the Kusto team # https://aka.ms/kustosupport :
DataSource='https://m1explorer.westus.kusto.windows.net/v1/rest/mgmt',
DatabaseName='NetDefaultDB',
ClientRequestId='KD2RunCommand;5723fa83-9dd5-48fe-a1ee-5d4ddb7f9cd9',
ActivityId='74b41f5e-be7c-46be-88f5-dae1a6d35c30,
Timestamp='2020-08-02T18:48:13.6846740Z'.
In other applications such as the Kuskus VSCode extension or even the Web UI, the problem seems to be that it uses the "common" tenant/authority id as a default. Is there a way to specify the tenant id when adding the connection? It says you can import an .xml file but I'm not sure where or how this can be generated.
Thanks,
Steven
Please try approach described at:
https://learn.microsoft.com/en-us/azure/data-explorer/kusto/tools/kusto-explorer#control-the-user-identity-connecting-to-kustoexplorer
The default security model for new connections is AAD-Federated
security. Authentication is done through the Azure Active Directory
using the default AAD user experience.
If you need finer control over the authentication parameters, you can
expand the "Advanced: Connection Strings" edit box and provide a valid
Kusto connection string value.
For example, users with a presence in multiple AAD tenants sometimes
need to use a particular "projection" of their identities to a
specific AAD tenant. Do this by providing a connection string, such as
the one below (replace words IN CAPITALS with specific values):
Data Source=https://CLUSTER_NAME.kusto.windows.net;Initial Catalog=DATABASE_NAME;AAD Federated Security=True;Authority Id=AAD_TENANT_OF_CLUSTER;User=USER_DOMAIN
What is the best practice way to handle changes to configuration parameters (kept in yml) that have to happen at runtime?
I am working on a site where the owner wants to change various settings in his admin back end.
For example, enabling/disabling the confirmation email and link sent by FOS User bundle when a new user registers for an account.
Thanks for your time
For those operations you need the use Compiler Pass.
https://symfony.com/doc/current/service_container/compiler_passes.html
Here sample Custom Compiler pass;
https://symfony.com/doc/current/components/dependency_injection/compilation.html#creating-separate-compiler-passes
Here is a good example for compiler passes; ( Usually using with service tags )
https://symfony.com/doc/current/service_container/tags.html
I'm currently finishing my website in ASP.NET MVC with azure AD login.
For this website, some pages are only accessible by admins. For this, I made a new group that's named testAdmins and when I check if the user can access to a page, I use this :
ClaimsPrincipal principal = User as ClaimsPrincipal;
if (principal.Claims.Any(x => x.Type == "groups" && x.Value == "id of testAdmins")){ //code }
And it's working fine with my user witch is in this group.
But when I change the id of testAdmins with the value of the real group of admins (Admins) I'm going to use when the site will be deployed and witch I'm not in, the server is not showing anything for 40 sec and then I got this message :
An exception of type 'System.Web.HttpException' occurred in
System.Web.dll but was not handled in user code
Additional information: Unable to connect to SQL Server database.
Can someone explain me what's going on ?
Thanks in advance
PS : I made some more test... When my user is in the group it works fast but when it's not it takes 2 min and do the error message... if someone as no idea what is the problem, did anyone have a way to make different access from user wich are in a special group from Azure Active Directory ?
Provide the whole stacktrace and relevant source code line (the full stacktrace includes file names and line numbers!). The issue you are facing is very common for on-boarding developers (on-boarding to ASP.NET 4.0+).
Your project is based on the default project template for ASP.NET 4.0 (or later), which by default creates the website with "Local User Accounts". This template creates an Entity Framework db context and local models for the user authentication / authorization. This also creates some settings in your web.config to define connectin strings (or instruct the default one) for the EF.
On top of that template you added the neccessery Azure AD authentication details - either through the right click menu (Configure Azure AD Authentication - available in VS 2015) or manually by including a bunch of NuGet packages. Thus you (without knowing) created a nasty mix of FBA (Forms Based Authentication) - dictated by the local accounts, and OpenID Connect - dictated by Azure AD authentication.
The SQL Server error comes from that FBA (or local user accounts setting) config. And there is no easy way to remove it.
Because I see you are just playing around and testing out things, I would warmly recommend that you start over with a new project and be careful by your second step of the wizard (available in both VS 2013 and VS 2015) - Click on "change authentication" and chose "No authentication":
On this clean project, you can add your Azure AD authentication and everything will work and you will not see any SQL Server Errors (well it depends how you configure your Azure AD Auth - some of the wizzards - namely the one of Multi-tenant also creates EF context).
So I've this application and have to grant access to type of people the admin and a little group of people who have to edit a little part of an module.
Lets say I've a module which has fields [A, B, C, D], and a group of people need to change the default value of some os the items that module represents, for instance C and D.
Now I've created the the groups, setted the permissions and assigned the test user to that group, editted the security.yml like this: credentials: [[admin, certificatore]] as i need to be an or. Try to access it's not letting me in. where i'm going wrong? myUser extends the sfGuardSecurityUser.
I've noticed that in DB the user, group and permission I've created are not present, but from the backend i can see them...
Have you tried deleting contents of cache folder?
Here is the background. I had an .NET MVC v1.0 project that I was trying to secure it by using Windows authentication mode. So I set the web.config to:
<authentication mode="Windows" />
And then went into my controller and did the following:
[Authorize(Roles="IT")]
public class LicenseController : Controller
In AD we have a group called "IT" and I am many others are apart of this group. Once I had this in place I started a debug session and tried going to any of the actions in that controller and I was met with a 401. I search high and low looking for somewhere that I had screwed the pooch and couldn't find anything wrong. After a while of struggling I decided to try changing the "Authorize" to a specific user an see if that worked. So I changed it to the following:
[Authorize(Users="domain\\tnederveld")]
And low and behold that worked. So I went and added a different group that I was a member of and took out the users authorize statement and that worked. I started looking into the differences between the two AD groups and the only thing that was different was on the second group I tried the "Group name (pre-Windows 2000):" were the same. The "IT" groups "Group name (pre-Windows 2000):" was "IT Associates". So I tried changing the authorize statement to:
[Authorize(Roles="IT Associates")]
And it started working. I thought for sure this was an MVC issue, so to make sure I tried it on a regular Web Forms project and was meet with the same issue.
The real kicker is that when you use the UserPrincipal that is part of the System.DirectoryServices.AccountManagement it returns the group "IT" when using the .GetGroups() method.
Why is this is happening?
You need to keep apart the various names an entry in AD can have:
the name per se is typically the CN attribute - the Common Name. This is the "CN=xxx" part in your LDAP string. Here it's IT - and that's what System.DirectoryServices.AccountManagement will return - it's the "Active Directory"'s most common name
the "IT Associates" name is the pre-Windows 2000 or sAMAccountName - the thing Windows NT used to use before there was AD - a local user and/or group name (SAM = Security Account Management or something like that). The SAM Account Name needs to be unique per domain - even in a huge AD forest these days.
Unfortunately, lots of the Windows API calls are still based on that name - since they are (and need to be) backwards compatible with earlier Windows versions. The ASP.NET membership system uses those calls and thus will use your domain/tnederveld user name and IT Associates group - those are the SAM account names of your objects
Not sure if there's much you can do about it - just be aware that in a AD environment, any of your user or groups has a plethora of "names" - always be very clear about which one you're talking about!
For a detailed list of all AD attributes, see Richard Mueller's excellent web site with Active Directory reference material.