To implement automatic log-in on server's 401 Query ( Basic Authentication) i am using nsHttpAuthManager( a manager that stored credentials to bre used in automatic authenticat). when i am adding the credentials it should be added to HTTP authentication manager but for some reason popup for credential is still coming.How can i check what are the values of a stored entry
how can i test whether Credentials with port,username,password,realm are being added to Authentication manager or not? Any tutorial would help.
Related
Hi have not been able to find an answer on stackoverflow or online hoping someone has experience of a similar setup.
We have .NET Core 3.1 user management application which obtains user information from a Windows 2016 Active Directory server (application access is done via the groups defined in AD) fairly rudementary the idea is:
Start application > Redirect to WSO2 (version 5.9.0) IAM Logon page
Attemp to logon with a valid AD user (which has been set to 'user must change password at next logon'..)
WSO2 appears to attempt to authenticate and then logon however fails
Kibana shows logon failed message for this particualr user
The WSO2 logon page shows an error message
However what we were expecting to happen was for a redirect to occur back to the .NET Core application and we customised the logon.jsp related pages as per the WSO2 Customisation guide.
WSO2 does not have an identity providers it uses a service provider with SAML SSO configured.
The custom logon.jsp page has some code that checks the incoming RelyingParty value and performs the appropriate redirect as required.
The issue:
The redirect is not working as expected instead of redirecting back to the .NET Core application that made the initial call to the WSO2 IAM the above occurs i.e. the logon page shows an authentication error.
What we would like for the server to do is redirect back the .NET Core application IF the 'user must change password at next logon' radio button is enabled on their AD account - this needs to happen at the server side i.e. WSO2 (well that's my limited understanding if you know better please do advise).
Ideal scenario:
.NET App startup > WSO2 logon page
SAML SSO flow > LDAP query to AD return user
detect the 'user must change password at next logon' is true and then redirect back to the .NET app where the app will take over query AD display the change password views (nothing special about these standard change-password actions)
.NET App > call WSO2 again perform valid logon return with SAML SSO response back to .NET APP.
Thank you in advance :-)
As per your issue description, I believe that you have made the following configuration in the AD.
I believe you have initiated the Admin Forced Password Reset flow by setting the "User must change password at next login" option in the AD for the user. But unfortunately, it is not possible as once the "change password at next login" is selected in the AD, it marks the password as expired and the WSO2 IS treats it as Authentication Failed (LDAP error code 49). Therefore, it will require API level customization of WSO2 IS basic authenticator and the user store manager to achieve your requirement.
But in the WSO2 IS Admin Forced Password Reset flow, the user will be given an OTP through email to log in to the IS and the password reset flow will be initiated as similar to your requirement without using the AD. Hence, it is recommended to use the Admin Forced Password Reset flow available in the WSO2 IS to reset the password of the user.
I am trying to implement WEB API 2 (for Single Page App, not as part of Visual Studio project) OAuth2.0 protocol. As per Which OAuth 2.0 flow should I use, using refresh tokens is not an option. However, I am not sure I understand Implicit Grant flow with eventual Silent Authentication.
Does Implicit Flow mean only issuing normal access tokens? In that case, how do we allow user to stay logged in for long time? How should Silent Authentication endpoint look like, what should it receive and return to client? Is using refresh token really an issue - most of people have their usernames / passwords saved in browser?
Does Implicit Flow mean only issuing normal access tokens? Yes.
In that case, how do we allow user to stay logged in for long time? You can set timeout using "expires_in" parameter.
Refer for Complete Detail here: https://oauth2.thephpleague.com/authorization-server/implicit-grant/
How should Silent Authentication endpoint look like, what should it receive and return to client? Upon authentication of the user during login, the server sends & set the authentication key in the session/browser. So, during every page call, only authentication key is send to server. You shall find many examples of implementation online.
Is using refresh token really an issue - most of people have their usernames / passwords saved in browser? No, it's not an issue. If token expires, you can easily reissue token after authentication. Password & username is not saved in the browser. Only authentication key is stored.
General question. Server admin setup SPNEGO. The LTPA bullet is marked under Global Security in admin console. My understanding is that SPNEGO captures username from an initial sign-on (ie network). Later, if user goes to an app's URL, few of the many things happening is SPNEGO is going through user's ldap groups (admin console-securtity roles) trying to find group that is tied to app's role names. If match is found, user authorized and can go directly into app without having to use login form to enter credentials. But have problem trying to implement this. Checking HttpServletRequest - getUserPrincipal().getName() and getRemoteUser() at front end of app are coming up null. If SPNEGO is in fact setup correctly, should a null ever be found?
You are confusing a few things. SPNEGO is a mechanism to pass user authenticated in the Kerberos realm to the given service without need to pass user password. It has nothing to do with authorization - this part is done by WebSphere security service based on the id retrieved from the request (in short).
Null username usually is effect of not enabling Application Security in the server or not protecting application with Java EE security (security constraints defined in the web.xml).
For some basic information about SPNEGO in WebSphere, check the following page Single sign-on for HTTP requests using SPNEGO web authentication
I'm building web portal in ASP.NET MVC 3 that uses distant web service as only way to communicate with database. Web service has requirement to always have Username/Password passed in request header, otherwise it rejects the call.
I have overridden ASP.NET Membership so that my ValidateUser method sends Username/Password to web service Login method, and returns true/false if authentication is successful. It works quite nice with AcountController provided with MVC 3 Empty internet template. Since I have to pass Username/Password on every web service call, I'm saving them in Session.
My problem is:
If I close browser and reopen it... I remain logged to website, but my Session variables are expired, so none of my requests to web service are being accepted, even though I'm still logged with credentials.
I'm looking for nice suggestion how to sync user logged in state with session state. Either to keep them both persistent until log off is used or to have them both dispose on browser being closed.
Thanks for all suggestions :)
When the user signs in using your AccountController, try setting the auth cookie like this:
FormsAuthentication.SetAuthCookie(model.UserName, false);
This should tell ASP.NET to delete the cookie when the browser window is closed. Then, when user opens up a new browser, both the session and the auth cookie should both be destroyed.
Sessions are cookies on the client side. Forms Authentication (which uses your membership provider) also uses cookies.
They are different.
Is your auth ticket or cookie persistent? This MS KB will explain things and scenarios in more detail than I would here...
Hth.
I have an Intranet application with Windows Authentication. Everything works fine. However, for some sensitive operations (it could be approving AP check, or grading a student) I need to get user's id and password. The goal is to prevent somebody walking to unattended terminal, and generally for non-repudiation. Trivial with forms authentication - but I can't figure out how to do it with Windows authentication.
I don't think it matters, but it's MVC application and authentication is done against Active Directory
Typically, server application needs to issue HTTP Status Code 401 to tell client for authentication information. However, in case of windows authentication, once user is authenticated, the token is cached by client system or browser and used subsequently whenever needed. So in your case, even if you issue 401, client will send the same token again - so your main problem of abusing unattended terminal will not get solved (as user already logged in there into the system).
One of the way could be simulate forms authentication from the application - i.e. on sensitive operations, prompt user for his/her windows password again (note that you will be already having user's name(identity) if you are using windows authentication) and then re-validate that password using active directory API (or logon user windows API).
Personally, I feel that you are trying to solve the problem at server which is wrong end - I would rather have a IT policy that prohibits unlocked unattended terminals - either user should lock the workstation or have a password protected screen saver. Typically, these things can be somewhat enforced via group policy.
In my webforms app I've got one page set as only allowing Windows Auth and no others, and then to get the username (since they have to have already done the 401 auth procedure via the browser) I get their username like thus:
string username = Request.ServerVariables["LOGON_USER"];
and then I can query the Membership provider to get the user information from the infrastructure.
Or are you trying to manually do the 401 auth process?
how to manually authenticate user in asp.net windows authentication