Web Authentication with client certification - asp.net

I'm trying to authenticate login of a web app with three elements:
Userid of web app
Password of web app
Client Certificates installed on user's PC. I see a client or machine certificate as a long string or key which is stored in Windows registry.
I'm planning to put those three elements together in a table, so when user intent to login, it will send those three elements to server side and they will be checked.
For example, if user loads web app in a PC which has not be assigned to him, then server will validate that userid and password are correct, but client certificate does not belong to user, and will reject login.
I haven't yet installed a client or machine certificate in every client PC nor installed a CA in IIS. But according to Microsoft, an asp.net web app will send automatically a client or machine certificate to server and asp.net can get it. Also I have found another program example for doing that.
How is that possible? I allways thought that an asp.net web app can't read client resources and if you want to read client resources, then you should use something like ActiveX with all its complications.

Your are right, ASP.NET can't read any client resources. ASP.NET has nothing to do with getting a client certificate from the the user's PC.
What you do is to tell your Web Server (IIS) to request or require a client certificate. The server is adding a special http header to tell the browser to send a client certificate. The Browser asks Windows for one, or uses its own store (Firefox). The browser then sends the public part of the client certificate to the server.
Your ASP.NET can ask IIS whether the browser has sent a certificate and access that information for authentication purposes.

Related

SignalR: Reply to Web Forms client on same machine as web application originating request

I'm looking for a way to support the following process:
Button is clicked in web application running on machine named PC1234.
Call is made to server (either the web server or an API on another server, it doesn't matter) to Do Something.
The server sends a notification to a Windows Forms client installed on PC1234 that the action is complete.
I've got the easy part working using SignalR. I can call a method on the web server and then send a notification with SignalR to ALL clients that the method has completed. The problem is notifying ONLY the client on the originating machine.
My initial plan was to include some unique identifying attribute of the machine with the call to the server which could then be used to direct the SignalR notification back to just that machine, but that doesn't seem to be possible.
An alternative idea was to have the call to the server include a unique reference and also update a file locally (i.e. a Cookie) with that reference, then have the client app poll the Cookie for new references and filter all SignalR messages received for that unique reference. This would be a bit clunky even if it worked, which it doesn't really, not least because I want this to work cross-browser, and different browsers store cookies in different places.
Ultimately this is to support printing locally and silently from a web application. The user selects a document in the web application, hits a print button, the request is sent to the server which retrieves the document from the database, saves it to a network share and sends a notification to a client app on the machine from which the print request was generated. The client app then prints the document from the network share and deletes it.
I never found a way to do exactly what I described in my question, but I came up with an alternative which worked well enough.
In both my web application and my Windows Forms client, the user was logged in with the same Windows credentials. I was therefore able to have the server respond to the button click in the web application by broadcasting a SignalR message to all SignalR clients where the same user was logged in, using
Clients.User(userId).send(message)
See this article for more detailed examples and instructions.
In my Windows Forms client, I included code to track how many instances of the client were connected to the SignalR Hub with the same user credentials and code to handle the receipt of a SignalR message from the server when multiple client instances were connected with the same user details (in my case, this meant displaying a message saying something like "You've requested a print from the web application but you're logged in at multiple workstations. Do you want the document to print here?").

ASPNET Authentication with Multiple servers

I have an ASP.net 4.5.2 app using the token authentication and authorization. This works as expected.
However, I now want to use two servers. So the user could get switched from one server to the other. The issue with this is that when the user is switched, the new server sends a 401 Unauthorized response until the user log in again.
Is there a way to make both servers accept the token?
The main purpose of this is for failover. If server 1 goes down, I can route the traffic to the second one. I have tested this and it works, except the user is forced to log in again.
The machine key must be the same for all servers serving the app.
Here is how to create the machine key in IIS.
Then copy that same key to the other servers.

AD authentication possibility on third-party servers

Please assume there are two servers:
Server-A: Windows 2012, IIS8, ASP.NET 4.5
Server-B: Windows 2012, IIS8, ASP.NET 4.5, Active Directory
The two servers are owned and managed by different organisations, and Active Directory on Server-B has no remit nor involvement with Server-A.
Based on this, is it possible to use Windows Authentication on Server-A to authenticate a user accessing Server-B? I would assume not, but obviously aren't completely sure.
I have managed to write code on Server-B to read attributes (e.g. employeeID) for the currently authenticated user, but need to pass them to Server-A for processing (this might eventually act as a single-sign-on mechanism). Unless there are better ways of course which you might want to share??
I achieved this in the following manner. There may be better methods but this one is as secure as I can get it:
User logs into Server B via Active Directory
User access an 'authentication' page hosted on Server B
The page looks up their AD employeeID and encrypts it in a cookie
The user is transfer to the web app on Server A
Web app on Server A sees the encrypted cookie and decrypts it, checking that the previous page was located on the customers IP address
Web app logs the user in using the employeeID from the encrypted cookie
An interface has been created on Server B so that when a employeeID value gets updated, this change is mirrored onto Server A so that the employeeID values stay synchronised.
You can use Forms authentication and AD authorization provider.
http://msdn.microsoft.com/en-us/library/ff650308.aspx

Accessing Smartcards from a Web Site

A number of Countries have implemented electronic id cards, that their citizens can use to securely access online facilities like banking.
I am interested in learning how to support these cards, but tracking down documentation on how to do this from an IIS hosted website is a real PITA: In MSDN for example the bulk of the smartcard documentation covers the end to end scenario of linking smart cards to domain logins in a corporate environment.
I am just trying to authenticate the holder of - for example, a Spanish DNI-e card and perform an OSCP validation of the card via http://ocsp.dnie.es/
Now, its seems that, rather than explicitly detecting the smart card insertion, I need to create a login page on the server with SSL client authentication forced - but how do I configure one request to require ssl client authentication and to pick the correct client certificate?
Indeed, configure your server to require client certificate authentication. You will receive the client authenticator details in the headers.
You can force to only accept specific certificates by configuring the public root certificate of those client certificates on the server and removing all others that you are not interested in. In the authentication request going from your server to the browser, only the root certificates are listed that are trusted on your server system. The client browser will only offer client certificates that are somehow related to that root.
In an Microsoft environment you would configure your IIS to require SSL on your login page. Additionally, require SSL client authentication using a certificate.

Enable cross domain integrated windows authentication

I have a web application (say app1) which is hosted in a IIS server virtual directory.
This web application needs Integrated Windows Authentication for its functioning.
I need to integrate this web application with another product which does not use supply me windows credentials.
This application sends me an http request in a specific format.
I need to validate the request and redirect it to app1 with valid windows credentials so that it logs in smoothly.
I have created another application for this purpose
This is hosted on a separate virtual directory.
It has IIS anonymous and asp.net anonymous authentication enabled.
the pseudo code is as follows :
app2
parse request
if request sucessful
get windows credentials
get identity using credentials
reponse.redirect(app1.aspx)
But app1 authentication fails, IE asks me for credentials again.
Ideally IE should not ask me for credentials.
What would be the security context sent in the request to app1.
How can I trace the authentication failure at iis and asp.net?
To do this you need a trust relationship between the domains.
The response.redirect just sends a response back to the browser which then makes a request for the page in the redirect. So the identity is the identity of the browser.

Resources