I currently have an MVC 5 app which uses Windows authentication, from the intranet template. I would like to now expose this to internet users and utilize OAuth. It seems that many of the files in OAuth walkthroughs are missing from my project. Is there a NuGet package I can use to refill the missing files that would have been in the "Individual Users" template, or do I really need to create a new project as OAuth and back-fill Windows auth into it?
You can't really simultaneously use both Windows Auth and Forms Auth (Individual User Accounts), with or without OAuth. There are hacky ways to invalidate what I just said, but they're just that: hacky. Really, the only real approach is to go Forms Auth and then connect to LDAP manually to sort of proxy authentication from the domain to Forms Auth (basically, you'd have to create a local user account that represents a domain account).
Really, if you need to use simultaneous different forms of auth, the safest and easiest bet is to use separate projects and just share as much of the code as you can, with class libraries, Razor Generator for compiling views, etc. You'd of course have to host each project separately, but you could simply use a subdomain (e.g. internal.mysite.com vs www.mysite.com), or if you have your own network DNS server, you can even map internal requests vs external requests to the two different sites using the same domain.
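The "go Forms Auth and connect to LDAP manually" approach from the answer above, as an added example that is not part of the original post or the ASP.NET templates: an MVC 5 login action that checks the submitted password against the domain through System.DirectoryServices.AccountManagement and, only on success, issues the application's own forms authentication cookie. The domain name "corp.example" and the LoginModel class are placeholders; the site is assumed to run with `<authentication mode="Forms">`.

```csharp
// Added example, not code from the original post.
// Assumptions: domain "corp.example" is a placeholder; LoginModel is a hypothetical view model;
// web.config has <authentication mode="Forms"> so SetAuthCookie is honoured.
using System.DirectoryServices.AccountManagement;
using System.Web.Mvc;
using System.Web.Security;

public class LoginModel
{
    public string UserName { get; set; }
    public string Password { get; set; }
}

public class AccountController : Controller
{
    // Placeholder domain name; in a real deployment read it from configuration.
    private const string DomainName = "corp.example";

    [HttpGet]
    public ActionResult Login(string returnUrl)
    {
        ViewBag.ReturnUrl = returnUrl;
        return View();
    }

    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Login(LoginModel model, string returnUrl)
    {
        if (!ModelState.IsValid)
            return View(model);

        bool valid;
        // ContextType.Domain talks to Active Directory over LDAP; ValidateCredentials
        // performs the bind with the supplied password and returns false when it fails.
        using (var ctx = new PrincipalContext(ContextType.Domain, DomainName))
        {
            valid = ctx.ValidateCredentials(model.UserName, model.Password, ContextOptions.Negotiate);
        }

        if (!valid)
        {
            // One generic message whether the account exists or not, so the
            // login page does not reveal which user names are valid.
            ModelState.AddModelError("", "Invalid user name or password.");
            return View(model);
        }

        // Issue the app's own forms ticket. From here on the domain user is an
        // ordinary forms-authenticated user; no password or domain token is stored.
        FormsAuthentication.SetAuthCookie(model.UserName, createPersistentCookie: false);

        // Only follow local return URLs, so the login page cannot be used as an open redirect.
        if (Url.IsLocalUrl(returnUrl))
            return Redirect(returnUrl);
        return RedirectToAction("Index", "Home");
    }
}
```

Because the application never sees a Windows token, anything that relies on impersonation (Kerberos delegation to SQL Server, for instance) stops working under this scheme; authorization has to be done against the user name the ticket carries, for example with the app's own role store.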
I am aware of ASP.NET Authentication using Identity. So, if my application already has Authentication enabled, why would I want to enable IIS authentication on top of that?
Also, if I have both enabled, will that require a user to type in his or her credentials twice (once for the application login and then for the IIS login)?
Both are different things altogether.
ASP.NET authentication using Identity in your web application is used for authentication and authorization of the end user in your application.
IIS authentication is for security and access management of the hosted application.
To explore a little further why this is needed: the end user just needs rights for viewing data and doing operations through the user interface screens.
The IIS user (used for IIS authentication) might need rights for creating and modifying the schema, as in Continuous Integration (CI): when you deploy code, a new schema is created or the existing schema can be modified.
Also, in a multi-tiered application, we can choose to run services (web services, Web API, WCF etc.) under end-user authentication if needed, or a user with more rights is required.
All decisions depend on your architecture, needs and security requirements. No choice is good for all architecture needs. We need to choose what suits our requirement best in the given scenario, and we design in such a way that the application is further extensible/scalable for higher loads and easier for maintaining code too over long-term support.
I notice there are several different namespaces/classes for accessing Active Directory. What are the differences between using the following?
System.DirectoryServices.AccountManagement
System.DirectoryServices.ActiveDirectory
System.Web.Security.ActiveDirectoryMembershipProvider
The items under AccountManagement deal with working with various LDAP type data stores. Not just Active Directory, but NDS and WinNT as well. If you know your backing store is LDAP compliant or may switch between various LDAP stores then this is probably the best to use.
The ActiveDirectory namespace is specifically for AD. Usually you only care to use this if you are going to stay strictly within an AD environment.
The ActiveDirectoryMembershipProvider has a slightly different focus. This is usually used by Web Apps as one of the membership providers. Other membership providers include the SqlMembershipProvider or even custom ones that you might create. This is used when your backing store might be AD, but could also be changed to use SQL server or some other random store in the future.
In summary, it all boils down to how your app currently functions and how it might grow in the future. If you have a desktop app, then use the System.DirectoryServices namespace. If you have a web app that might be deployed into unknown environments, use the membership providers.
Note that I have used a combination of a SqlMembershipProvider and the System.DirectoryServices space together in some apps. Specifically to authenticate into an LDAP store (AD/NDS) while authorization stays in my app.
I was tasked with creating an SSO solution from an existing ASP.NET app to a new SharePoint 2010 app.
The existing ASP.NET app uses forms authentication, but not against a single data source. It checks a database, Active Directory and a few mainframe tables to authenticate, and finally creates a forms authentication ticket.
I was looking to share the token between SP2010 and the ASP.NET app, but I am now realizing this is not possible, due to the fact that SP2010 does not use simple FBA tokens any more.
So now I am looking to go the STS and claims-based route. After looking into it a little, I understand that using ADFS would be much better than building a custom STS for the ASP.NET side. My issue is that since I have the custom ticket-creation authentication method on the ASP.NET side, I don't have a single data source to "feed" ADFS. I am new to SharePoint and ADFS and I really don't know how to begin this type of integration.
Can anyone help me get my head around this?
Thank you!
ADFS attribute stores might solve your problem, although for this to make sense you would ideally integrate Windows Identity Foundation (WIF) into your application, which might be an intrusive change.
http://technet.microsoft.com/en-us/library/adfs2-help-attribute-stores(v=ws.10).aspx
In short, ADFS is not limited to AD for collecting user data. You can configure it to query other user attribute stores, such as your database. You can then author rules within ADFS to tell it what queries to make, and ADFS will use these queries to populate user claims into the token that ADFS issues to your application.
I am wondering what the best way to secure our applications is for the following situation. Basically, we have a page where we authenticate users, and once the user has logged in they have an option to select from various applications. My dilemma is how to pass that the user is authenticated from our login page to the various applications. I would also need to pass the user id. Currently we pass an encrypted user id to each application once they sign on. Is there an easier way to do this through forms authentication? The applications are "Applications" in IIS and run under different app pools, so I haven't found any way of passing Sessions between the Membership and the applications.
IIS 7.5 structure:
- Sites
  - Website
    - Membership
    - Application 1
    - Application 2
    - Application 3
There is no way to directly pass a session between applications in separate pools. You'd have to build a transfer mechanism.
If these are internal applications and you have a Windows domain, the simplest way is to use Windows Authentication and avoid the problem altogether.
Barring that, you may want to look at the Enabling Single Sign-on Using ASP.NET article on MSDN.
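One "transfer mechanism" of the kind the answer above describes, as an added example that is not part of the original post: the Membership application issues a forms authentication ticket with cookie path "/", so the browser sends it to every application under the same site, and each application decrypts and validates it on its own. This only works when the Membership app and Application 1/2/3 carry identical `<machineKey>` validationKey/decryptionKey values and the same forms cookie name in their web.config files; without that, Decrypt fails and the user is simply treated as anonymous. The class and method names are placeholders.

```csharp
// Added example, not code from the original post.
// Assumptions: all applications share the same <machineKey> and forms cookie name;
// the site is served over HTTPS (Secure cookie); roles are carried in UserData.
using System;
using System.Web;
using System.Web.Security;

public static class SsoTicket
{
    // Called by the Membership application after it has verified the user's password.
    // The ticket is signed and encrypted under the shared machineKey, so the child
    // applications can trust the user id and roles without a second login.
    public static void Issue(HttpCookieCollection responseCookies, string userId, string[] roles)
    {
        var ticket = new FormsAuthenticationTicket(
            1,                              // ticket format version
            userId,                         // becomes User.Identity.Name in the other apps
            DateTime.Now,                   // issue time (forms tickets use local time)
            DateTime.Now.AddMinutes(20),    // short lifetime; renew rather than extend
            false,                          // not persistent: dies with the browser session
            string.Join(",", roles));       // app-specific data, protected with the ticket

        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName, FormsAuthentication.Encrypt(ticket))
        {
            Path = "/",        // shared by Membership and every child application
            HttpOnly = true,   // not readable by script
            Secure = true      // assumption: the whole site is HTTPS
        };
        responseCookies.Add(cookie);
    }

    // Called by Application 1/2/3 (for example from Application_AuthenticateRequest)
    // to recover the user id and roles. Returns null when there is no valid, unexpired ticket.
    public static FormsAuthenticationTicket Read(HttpCookieCollection requestCookies)
    {
        HttpCookie cookie = requestCookies[FormsAuthentication.FormsCookieName];
        if (cookie == null || string.IsNullOrEmpty(cookie.Value))
            return null;

        FormsAuthenticationTicket ticket;
        try
        {
            // Fails for a forged cookie or one issued under a different machineKey.
            ticket = FormsAuthentication.Decrypt(cookie.Value);
        }
        catch (Exception)
        {
            // Any decryption or format failure: treat the request as unauthenticated.
            return null;
        }

        if (ticket == null || ticket.Expired)
            return null;
        return ticket;
    }

    // Convenience for the child applications: roles packed into UserData by Issue().
    public static string[] RolesFrom(FormsAuthenticationTicket ticket)
    {
        return string.IsNullOrEmpty(ticket.UserData)
            ? new string[0]
            : ticket.UserData.Split(',');
    }
}
```

The thing to watch with a shared machineKey is that every application under the site can then mint tickets that all the others accept, so the key must be generated once, kept out of source control, and rotated in every web.config at the same time; the 20-minute lifetime limits how long a stolen cookie stays useful.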
Currently, we have many web applications (external and internal) developed using Classic ASP through .NET 2.0 technologies. Each of those web applications has its own login screen authenticating against its own custom database or using Windows authentication. Users have access to one or more of these applications, meaning they have to log out and log back into applications that they would like to access. All applications share some part of the back-end data sources. Also, the business logic is embedded in the UI in addition to being duplicated across applications because there is no code/business logic sharing. Screenshot #1 gives a brief idea of the existing architecture.
Screenshot #2 shows the suggested architecture, which I hope will help in faster development, code/business re-usability and maybe simpler maintenance. Users will access either the external or the internal URL. In the external site, users will provide credentials and will be authenticated against a custom database. In the internal site, users will be automatically logged in using Windows authentication. After creating some samples, I have begun to like ASP.NET MVC 3. It keeps business logic separate from the UI and I also like the unit testing capabilities.
Here are my questions:
Based on what I have found on the web so far, multiple authentications are not feasible within a single website. My understanding is that I have to host one website for each type of authentication (Forms and Windows). How do I redirect users to a common landing page after they are authenticated so they can see the modules (links/menus) that they are authorized to access? Do I have to publish the same code set (DLLs and content) to both websites?
Has anyone faced a similar architecture problem? If yes, could you please share the challenges that you faced and how you tackled them? What are the industry standards in designing applications of this sort?
Does the suggested architecture make any sense or is it a really bad design? Are there any drawbacks in doing this in ASP.NET MVC 3?
I would really appreciate your inputs.
Thanks in advance.
I would set up a separate web site which only handles the Windows authentication. I would then rely on something like OpenID and/or OAuth to ask for credentials/tokens to make sure the user has proper access.
The users that want to sign in using Windows credentials go through that process, because you are right in that an IIS server running Windows authentication is hard to mix with other stuff.
You can set up some kind of claims-based network of trust in which your applications get their credentials from trusted sources, and through that process you can negotiate and control access privileges across many web sites. As long as you're not doing custom hosting or white-label branding you can have everything in one place (or even if you did, you could design it so that you have a central solution for handing out authentication tokens).
Keep in mind the difference between Authentication and Authorization. You presumably want a single authentication mechanism (or maybe two, one for internal and one for external users). There is a similar post here that lays out some pretty good guidelines: How to allow multiple authentication methods in ASP.NET?
On one project we built a common controller class used in every page of the site. It handled authentication and access control. When a user tried to access any page it checked to see if they had a session identification cookie. If they did not, they were required to authenticate (login). A challenge was doing a good implementation of the security. Current browsers have many flaws that make this difficult.