IIS website with double login option - asp.net

I need to allow users to log in to the website either with their Active Directory accounts if they are on the local network (Sitecore's single sign-on functionality) or with their credentials (email and social security number) if they access the site from outside the local network.
The first option could be achieved by enabling Windows Authentication mode in IIS and the second by using Anonymous mode. But it is impossible to enable these two modes at the same time for one site. So the question is how to configure the website in IIS to allow both groups of users to log in with the appropriate option, without creating a different site for each option?
Any good ideas are appreciated.

Assuming you are talking about the Sitecore interface, you can disable Windows Authentication and your AD users can still log in by specifying the domain as part of their username, e.g. <AD-Domain>\AD-username, and then supplying their AD password. If you have followed the Sitecore Active Directory Module Guide then the domain in this instance should be ad, but you can change this to whatever you like; just make sure the rest of the config and references to "ad" have been changed to match.
In order to still allow Single Sign On without the user having to type in their domain/username/password, you need to remove Anonymous and enable Windows Authentication for the login file only, located at /sitecore/admin/ldaplogin.aspx. See section 4.3.1 of the documentation.
In order to use this Single Sign On page and log in, your AD users need to browse to http://<your-site>/sitecore/admin/ldaplogin.aspx. I provided a link on the Sitecore login page by creating an HTML page with a link to this page:
<html>
  <body>
    <!-- plain link to the Windows-authenticated SSO page -->
    <a href="/sitecore/admin/ldaplogin.aspx">Login with your Windows account</a>
  </body>
</html>
And then updating the Login.SitecoreUrl setting to the html page:
<!-- LOGIN SITECORE URL
Specifies the Url of the Sitecore pane on the login startpage.
-->
<setting name="Login.SitecoreUrl" value="/sitecore/admin/ldaplogin.html" />
Your users will then be provided with a link in the pane on the right side of the login page for Sitecore 7.5 and earlier.

Sitecore does have its own Active Directory module that it's worth investigating. The links to the documents are currently broken, so I can't find the exact answer to help you.
Here is the link to the main page and download - sdn.sitecore.net/Products/AD.aspx
It's their own Module so if you do have any questions or issues you can raise a support ticket with them.

Related

webmatrix/razor: how to keep website anonymous but have windows authentication for gallery maintenance pages?

I'm using webmatrix, razor, c#. I've created a web site for friends, it's on godaddy. I've created web pages to upload or delete images for the gallery, they work ok on webmatrix on my laptop, but get an "access denied" error with godaddy, understandably since I'm an anonymous user.
Godaddy says it is doing windows authentication and the godaddy gui shows me the folders and the user accounts and their permissions.
Can anyone tell me please how to keep the rest of the web site anonymous but to do this with the web pages which amend the gallery:
1. some kind of authentication to get into
2. they also authenticate to godaddy so they have permissions to create/delete files in the relevant folders
I can't see how the WebSecurity class can help. I've read that by default it creates its own database of user accounts, so this could achieve 1, but not 2. I've also read that it can be configured to use windows authentication instead of its own database, but that to do this anonymous access must be disabled.
I'd be grateful for any help, I certainly am stuck. For anyone kind enough to reply, please bear in mind I'm not a web developer, I'm a server admin!
I'm not sure if you're attempting to allow the end users to go to their galleries using GoDaddy AND through the website. That sounds like a difficult security challenge.
One approach is to only allow the web application to have access to all the files and folders on the server. Then you can forget about Windows authentication. Have the users authenticate using the WebSecurity classes and pages.
_PageStart.cshtml is a file whose code runs every time a page is opened by a user. In there you can put code which controls who has access, including anonymous activity. For example, users are always allowed to go to the account pages in the account folder, because that's where they sign in. So they are still anonymous before signing in. The code is simple:
// You're always allowed to go to the login pages
if ( Request.RawUrl.StartsWith( "/Account") )
{
    return;
}
If the code returns from here and doesn't take any other action, the page will open normally.

ASP.NET Intranet Config - Get Network User ID But Access Db And Folders As Different User

I have looked at numerous articles and tried a multitude of settings, but I can't seem to achieve what I'm looking for in my intranet site. Even if I don't get a solution, a definitive "you can't do that" will help me move forward. Here is what I'm trying to do:
Web site recognizes the user's network login credentials - ONLY so I can get their user ID without a login
The website uses some generic account (IUSR or something like that) to access a SQL Server that the same network users can NOT access EXCEPT through the website
Users can upload files to a set of folders created on-the-fly by the website to contain their files for later reference by them
The website can construct web pages on-the-fly with links to the users' files - and ONLY theirs - so they can open / download them through the web pages
Users can NOT access the uploaded files through a network share on the web server
All of the folder creation, file upload, and file serving occur under some generic account like IUSR
I currently have things configured to use Windows Authentication and I could probably live with that except I don't want to require a login to the site. Apparently, in order to make this happen, I need to have the server configured as a trusted delegate and IT is dragging their feet on doing that. Also, this config allows the users to access the SQL Server and folders/files through means other than the web site and I don't really want that. I only need to pick off their user ID so I can use it to get information about them out of Active Directory and keep track of their interactions with the web app.
In reviewing your post I must first say "Yes", it seems like what you want to accomplish can be done. However, the enormity of your question precludes a simple posted answer. From what I gather there are three security issues you want to navigate: 1) Windows Authentication, 2) admin-only SQL access, 3) user-only access to files and directories while authenticated using Active Directory.
I have been building ASP.net intranet web applications using Active Directory (Windows logins) for a few months. I would encourage you to explore this article: http://www.mikesdotnetting.com/article/216/windows-authentication-with-asp-net-web-pages for details on setting up windows authentication in an ASP.net web application. You can add elements to your web pages using a section of Visual Studio [Toolbox] called 'Login', which contains elements such as 'LoginName'.
Next I am pretty sure you can control the SQL server query access using authentication parameters of your choosing. In the portion of the connectionString that is normally 'Integrated Security=True;' you will need to switch that to 'Integrated Security=False;username=sqlAdminUserName;password=sqlAdminPassword'. For more information I suggest reviewing this post: Integrated Security = False.
For the third security issue once you have isolated the user's windows login identity you should be able to dynamically build web pages, files, directories, and whatever other resources you require all customized for that individual user. I believe the generation of all those materials can be done with an IUSR account with the only needed ingredient being the Windows login user identity.
Good Luck and I hope my suggestions help move you ahead.
Actually, the answer is not all that complex and it is a real mystery why it is so difficult to find a single source on the web to spell it out. Here is my IIS authentication for an intranet app that acts exactly how I want:
Enable ASP.NET Impersonation and edit to Authenticated User
Enable Windows Authentication
Advanced Settings->Extended Protection->Off
Advanced Settings->Enable Kernel-mode authentication->unchecked
Providers->Available Providers->Negotiate:Kerberos and move that to the top
Disable all other authentications
Most critical: Make the server a 'trusted delegate' in Active Directory
That should do it.

Sitecore extranet authentication

I have a site that I'm trying to migrate into my Sitecore instance. The Sitecore instance has multiple sites. For the one site I'm trying to migrate over, there is a login page for external users to log in. I'm validating this against an external database. This all works so far. My issue is that I need to prevent the external users from accessing certain pages without logging in (they should be redirected to the login page). The way that this was working when the site was outside of Sitecore was that there was forms authentication being done, and when a page was accessed without the user being logged in, the ReturnURL would be used to return the user to the proper page after login.
I'm not sure how to do this now that I have multiple sites inside of my sitecore instance.
Any suggestion?
This is not very different in Sitecore from how it was done before, except now you can control the security of which pages should be accessible by logged-in users with the Sitecore Security Editor. There are a few pieces which you need to hook up in order to get this to work properly though.
Have a read through these articles, they should provide everything you need to get this to work:
Implementing Sitecore Extranet login on a website
Setting Up a Sitecore Extranet (site seems to be down, view cached copy)
Set the value of <setting name="NoAccessUrl" value="/sitecore/service/noaccess.aspx" /> in web.config to your Login page (this can be an item in Sitecore) using a patch config and if a user tries to access a restricted page they will be redirected to this page, which will also include the return url parameter.
If you are using an external database to authenticate users then you will also need to implement your own membership provider:
Sitecore authenticate users against external membership database
Sitecore Membership Providers
Be sure to correctly set the domain attribute of your <site> definition to whatever you set in domains.config and set as the providerName of your <provider> definition.
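The wiring described in this answer (NoAccessUrl, the site's domain attribute, and the switching-provider mapping) as one Sitecore include patch. This is a constructed example added here, not the answerer's or Sitecore's own file; the site name, host name, login item path and the provider name and type are assumed placeholders.

```xml
<!-- Constructed App_Config/Include patch for this example; not from the post or from
     Sitecore. Assumed names: site "extranet", login item published at /login, and a
     membership provider registered in web.config as "external" (placeholder type):
       <add name="external" type="MyCompany.ExternalMembershipProvider, MyCompany"
            connectionStringName="extranetDb" /> under system.web/membership/providers
     (in web.config itself, because include patches only touch the <sitecore> section). -->
<configuration xmlns:patch="http://www.sitecore.net/xmlconfig/">
  <sitecore>
    <settings>
      <!-- A request for an item the user may not read is redirected here; Sitecore
           passes the requested item along so the login page can return the user. -->
      <setting name="NoAccessUrl">
        <patch:attribute name="value">/login</patch:attribute>
      </setting>
    </settings>
    <sites>
      <!-- domain must equal the domain defined in App_Config/Security/Domains.config
           (<domain name="extranet" ensureAnonymousUser="true" />). -->
      <site patch:before="site[@name='website']"
            name="extranet" hostName="extranet.example.test"
            rootPath="/sitecore/content/Extranet" startItem="/Home"
            domain="extranet" database="web" language="en" cacheHtml="true" />
    </sites>
    <switchingProviders>
      <membership>
        <!-- Users of the extranet domain (extranet\jane@example.test) are validated by
             the external provider; storeFullNames="false" strips the domain prefix
             before the call, so the external store sees the plain e-mail address. -->
        <provider patch:before="provider[@providerName='sql']"
                  providerName="external" storeFullNames="false" wildcard="%" domains="extranet" />
      </membership>
    </switchingProviders>
  </sitecore>
</configuration>
```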

Is it possible to have both Forms Authentication and Windows Authentication in an ASP.NET site?

I have a site where the vast majority of the content will be secured using Forms Authentication. However there is one sub folder that will be used internally by the administrative staff. I would like to secure this folder using Windows Authentication. Is that possible? Would I have to make the admin folder a virtual directory?
CLARIFICATION: There is no need for the administrative staff to access the main site. They are really two separate sites/apps. Regular users will access the main application via Forms Authentication (and never access the admin folder). And admin users will access the admin application via Windows Authentication (and never access the main site).
Thanks,
Corey
Yes, it's possible but you have to build a custom membership provider or an interface to allow for it. It is not possible to specify individual authentication methods on sub-folders unless they are in completely separate projects/application domains.
One method to accomplish this would be to use an LDAP membership provider and change the ldap connection based on the username (if there is a discernible method of doing this).
One other method would be to provide a separate website that uses the Windows authentication to perform the login and then constructs a custom cookie for the user and transfers them back to the original website identifying the individual as a member of the administrative staff.
Then the folder could be secured using the <location> elements in the web.config.
If I was going to build a site with Mixed authentication, I would setup the site to use webforms. I would then setup a virtual application inside of this application that consisted of the same forms auth web.config information but set to use Windows Auth.
On the login page of the windows auth site after you validate their credentials I would then manually call FormsAuthentication to create the auth token. At this point you can then redirect the user to the Forms Auth site and they should be logged in (as long as all the forms auth cookie information is the same for both sites, this might also include needing to setup the same machine keys for both applications).
I haven't done this specifically but this should definitely be a viable (and probably one of the most optimal) solutions.
It may be as simple as right-clicking on the admin folder in Windows Explorer and setting the rights in the Security tab.
Put the administration site in its own application by right-clicking on the folder in IIS manager and choosing "Convert to Application".
Once that's done you can adjust the authentication method on the application by highlighting the application folder in IIS manager and then choosing authentication and adjusting them (or you can do it the hard way via web.config if you can't remote into the machine).
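How the scoping looks in configuration rather than the IIS manager UI, covering both the accepted answer's case (Windows authentication on /sitecore/admin/ldaplogin.aspx only, anonymous everywhere else) and this question's case (a forms-authenticated site with one Windows-authenticated path; for a folder, use path="admin"). This is a constructed web.config added here, not taken from the posts or from Sitecore; it assumes IIS 7 or later in integrated pipeline mode with the two authentication sections unlocked in applicationHost.config, and the login page path is a placeholder.

```xml
<!-- Constructed web.config for this example; not Sitecore's or a poster's own.
     Assumes IIS 7 or later in integrated pipeline mode and that the IIS
     authentication sections have been unlocked so a web.config may override them:
       appcmd unlock config /section:system.webServer/security/authentication/windowsAuthentication
       appcmd unlock config /section:system.webServer/security/authentication/anonymousAuthentication -->
<configuration>
  <system.web>
    <!-- Site-wide: IIS admits everyone anonymously; forms authentication decides who is logged in. -->
    <authentication mode="Forms">
      <forms loginUrl="~/login.aspx" requireSSL="true" timeout="30" />
    </authentication>
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>
  <system.webServer>
    <security>
      <authentication>
        <anonymousAuthentication enabled="true" />
        <windowsAuthentication enabled="false" />
      </authentication>
    </security>
  </system.webServer>
  <!-- Only the SSO entry page requires a Windows identity: anonymous off, Windows
       authentication on, Negotiate first so domain-joined browsers use Kerberos and
       fall back to NTLM. The forms <deny> is lifted for this path so the page can read
       the Windows identity (LOGON_USER) and issue the application's own login. -->
  <location path="sitecore/admin/ldaplogin.aspx">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
    <system.webServer>
      <security>
        <authentication>
          <anonymousAuthentication enabled="false" />
          <windowsAuthentication enabled="true">
            <providers>
              <clear />
              <add value="Negotiate" />
              <add value="NTLM" />
            </providers>
          </windowsAuthentication>
        </authentication>
      </security>
    </system.webServer>
  </location>
</configuration>
```

If the sections are still locked, IIS reports configuration error 500.19 for the overriding web.config, which is the first thing to check when the per-path setting appears to have no effect.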

Checklist for IIS 6/ASP.NET Windows Authentication?

I've been having trouble getting my ASP.NET application to automatically log users into the Intranet site I'm building. No matter the googling or the experimentation I applied, there is always a login box displayed by IE7.
I've got Windows authentication mode set in the Web.config, disabled anonymous access and configured the correct default domain in IIS, but it's still asking the user to log in and, more annoyingly, the user is required to provide the domain too (DOMAIN\auser), which is causing problems with non-technical visitors. Thank Zeus for password remembering functionality.
I'm not the network administrator so it's possible that something about Active Directory is set up incorrectly, or it could just be me missing something very simple. Please note that I don't want to impersonate the user, I just need to know that the IPrincipal.Name property matches that of a valid record in my user database, hence authenticating the user to my application.
To this end, it would be very useful to have a checklist of all configuration requirements for AD, ASP.NET and IIS to work together in this manner as a reference for debugging and hopefully reducing some user friction.
It sounds like you've covered all the server-side bases--maybe it's a client issue? I assume your users have integrated authentication enabled in IE7? (Tools -> Internet Options -> Advanced -> Security). This is enabled by default.
Also, is your site correctly recognized by IE7 as being in the Local Intranet zone? The IE7 default is to allow automatic logon only in that zone, so users would be prompted if IE thinks your site is on the internet. I believe using a hostname with a dot in it causes IE to place the site into the Internet zone.
Open Active Directory Users and Computers MMC snap in
Expand computers section from TreeView (left side)
Check if the computer is registered in your domain.
Also, you have to login with a domain account on that computer, otherwise that authentication box will be shown.
In IIS, enable anonymous access and allow the web.config to handle user authentication.