I have used the Intranet template to create my site and I have set up some AD users and groups. I have configured Internet Explorer to add the site to the local intranet so that I log in automatically. When I have an Authorize attribute set to specific users, the user is logged in automatically. But when I use roles such as [Authorize(Roles = "MyADGroup")], the user is not logged in automatically; he needs to enter the password again and then he is logged in.
I cannot understand why this would not work with single sign on. Do I need to add some other configuration to enable this?
Turns out ... I just needed a machine restart. Something was being cached somewhere.
Related
Each user of my asp.net forms app logs into a PC with their Active Directory credentials.
How could the ASP.NET forms app get the user name and the email address currently logged into the PC?
There is no guaranteed way to find out which user they are logged into their computer with. However, you can:
1. Enable Windows Authentication so they need to authenticate with your website with an AD account.
2. Add your website to the Trusted Sites in the Internet Options on their computer (this can be done in group policy) so that IE and Chrome will automatically send the credentials of the currently-logged-on user account. (Firefox uses its own network.negotiate-auth.delegation-uris setting.)
If you skip step 2, then the user will be prompted for credentials. If the credentials sent in step 2 fail for whatever reason (for example, they are logged in with a local account instead of a domain account), the user will be prompted for credentials. Then they can type in whatever AD account they want, which may not be the same as what they are logged into their computer with. That's why I say that there is no 100% guaranteed way to know what account they are logged into their computer with.
If only some of your users have AD accounts, and some don't, then you can use split Forms and Windows authentication. I've done this before and described how I did it in a past answer.
Get the user name with HttpContext.Current.Request.LogonUserIdentity, then query AD to get the email; see How to get a user's e-mail address from Active Directory?
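The two steps in that answer carried through, as an added example that is not code from the answer itself. It assumes a Web Forms site under IIS with Windows Authentication enabled and anonymous access disabled, and an application pool identity allowed to read the directory; the class and method names are mine.

```csharp
using System;
using System.DirectoryServices.AccountManagement;
using System.Security.Principal;
using System.Web;

// Added example (not from the original answer). With anonymous access
// disabled, Request.LogonUserIdentity is the account the browser negotiated
// (Kerberos/NTLM), not a name the user typed into a form.
public static class CurrentWindowsUser
{
    // Returns "DOMAIN\user" for an authenticated domain account, or null
    // when the request is anonymous or negotiation failed.
    public static string GetLogonName(HttpContext context)
    {
        WindowsIdentity identity = context.Request.LogonUserIdentity;
        if (identity == null || !identity.IsAuthenticated || identity.IsAnonymous)
            return null;
        return identity.Name;
    }

    // Looks the account up in the current domain and returns its mail
    // attribute, or null if the account cannot be found.
    public static string GetEmail(string logonName)
    {
        if (string.IsNullOrEmpty(logonName))
            return null;

        // Strip "DOMAIN\" so the lookup is by sAMAccountName only.
        int slash = logonName.IndexOf('\\');
        string sam = slash >= 0 ? logonName.Substring(slash + 1) : logonName;

        using (var ctx = new PrincipalContext(ContextType.Domain))
        using (UserPrincipal user = UserPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, sam))
        {
            return user == null ? null : user.EmailAddress;
        }
    }
}

// From a page or handler:
// string name  = CurrentWindowsUser.GetLogonName(HttpContext.Current);
// string email = CurrentWindowsUser.GetEmail(name);
```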
In my site administrator can view list all other online users.
Administrator can also disable any account from that list.
Everything was going fine so far. But now I decided to log out the user which is being disabled. How can I do a log out operation for a particular user from the above specified online user list?
NOTE: I'm using default membership schema for my SQL Server database.
You cannot log out a user from outside of their session. See Programmatically logout an ASP.NET user for a possible workaround.
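One way to get the effect the question asks for, as an added example that is not code from the answer or the linked post: the administrator only flips the account's IsApproved flag, and a module re-reads that flag from the membership store on every request and ends the disabled user's session server side. It assumes Forms authentication with the default SqlMembershipProvider; the class names are mine.

```csharp
using System;
using System.Web;
using System.Web.Security;

// Added example (not from the original answer). A forms ticket the user
// already holds stays valid until it expires, so the check must be server side.
public class DisabledUserLogoutModule : IHttpModule
{
    public void Init(HttpApplication app)
    {
        // Session state is available from this event on.
        app.PostAcquireRequestState += OnPostAcquireRequestState;
    }

    private static void OnPostAcquireRequestState(object sender, EventArgs e)
    {
        HttpApplication app = (HttpApplication)sender;
        HttpContext context = app.Context;
        if (context.User == null || !context.User.Identity.IsAuthenticated)
            return;

        // Ask the membership store, not the cookie: the cookie cannot know
        // that an administrator disabled the account after it was issued.
        MembershipUser user = Membership.GetUser(context.User.Identity.Name, false);
        if (user != null && user.IsApproved && !user.IsLockedOut)
            return;

        FormsAuthentication.SignOut();          // clears the auth cookie
        if (context.Session != null)
            context.Session.Abandon();          // drops server-side session data
        FormsAuthentication.RedirectToLoginPage();
        app.CompleteRequest();
    }

    public void Dispose() { }
}

// Admin side: disabling the account is all that is needed; the module
// above ends the user's next request at the server.
public static class AccountAdmin
{
    public static void Disable(string userName)
    {
        MembershipUser user = Membership.GetUser(userName, false);
        if (user == null) return;
        user.IsApproved = false;
        Membership.UpdateUser(user);
    }
}
```

Register the module in web.config under system.webServer/modules with `<add name="DisabledUserLogout" type="DisabledUserLogoutModule"/>`; the extra membership lookup per request is the price of the check being authoritative.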
Scenario: I have the membership provider setup and its currently pointing to a SQL database on my machine. The role based access works and I have a menu that is security trimmed. The user can only get to pages that they have access to.
Problem: When an anonymous user tries to get to a page that they don't have access to, it brings them to a login page so that they can log in. That is fine. But when a logged-in user tries to get to a page they don't have access to (usually by typing in a URL), it brings them to the login page again asking them to log in (except they're already logged in). I'd like to either take them to a different page or somehow tell them they don't have access. Any ideas/suggestions?
Thanks in advance
This is what I use. They point out that using <customErrors> won't work because of the way the 401 status gets changed and provide a solution.
I have a Gmail account; assume that it is me#gmail.com. Now I want to log in (as admin) to my website through this account. I know I can use OpenID etc. for that purpose, but I want to limit it to just me only. Can I do this? I don't let anyone else know which service I used to log in, what my address is, etc. (Note: My website contains just one and only one login form, for just me, only!)
I assume that once your OpenID has been verified you will have your own database storing logins (me#gmail.com) so you provide persistence.
You would have a table of logins with an admin column so that for example even though noadmin#gmail.com was verified by OpenID I do not want to let them access, so Response.Redirect them outta there.
Very simple question:
I have an admin site in my web project. So, how can I make it safe?
What I have until now:
- Database-handled user with userID and userlevel
- On the page load of the admin master page (which includes all admin sites) there is a clause to check if userID is okay (get the user from database) and if userlevel is right
- If not, redirect to Default.aspx with normal master page
- If yes, go through
How safe is it really?
Edit:
- The userID is saved in a session on the server.
- There is no way to save the login (no cookies).
- The user must log in to get the userID in the session.
- The login is saved in a database table user_log with username, password, ip, loginsucceeded and userID.
The basic idea looks ok. It all comes down to how you are getting that UserID to make the checks against. If the userID is being passed as a querystring, then that is very bad. If it is stored in a session via some type of pre-authorization then it is better. If you are using SSL, IP checking, etc. it will improve your level of security.
The main thing is HOW you are getting the userID to verify against. That is where the exploit will occur. Secure that process and you should be ok with your setup.
Edit: Based on your update this looks ok, but it also depends on how secure you really need this to be. How secure is your sign-in page? Are you using SSL? Any worries about session hijacking? Why not store an IP with the userID and verify the request IP against the stored IP when doing the UserID fetch from the session?
There are so many security solutions out there. You need to decide how far you need to safely go to ensure the level of security that is necessary for your particular application.
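The poster's master-page check written out the way the answer recommends, as an added example that is not code from the question or the answer: the id comes only from the server-side session, the level is re-read from the database with a parameterized query, and the request IP is compared to the one stored at login. It assumes the login page stores the id in Session["UserID"] and the address in Session["LoginIP"], a table named users (assumed), a connection string named Main (assumed), and that an admin has userlevel 9 (assumed).

```csharp
using System;
using System.Configuration;
using System.Data.SqlClient;
using System.Web.UI;

// Added example (not from the original question or answer). Only the
// server-side session is trusted; nothing is read from the query string.
public partial class AdminMaster : MasterPage
{
    private const int RequiredLevel = 9;           // assumed value for "admin"
    private const string SessionUserKey = "UserID";
    private const string SessionIpKey = "LoginIP";  // set at login (assumed)

    protected void Page_Load(object sender, EventArgs e)
    {
        object rawId = Session[SessionUserKey];
        if (rawId == null || !IsAllowed((int)rawId, Request.UserHostAddress))
        {
            Session.Abandon();
            Response.Redirect("~/Default.aspx", true);
        }
    }

    // Reads the level fresh from the database on each request, so a demoted
    // admin loses access without waiting for the session to expire. The IP
    // comparison is the extra check suggested above; it only helps while the
    // client keeps the same address for the whole session.
    private bool IsAllowed(int userId, string requestIp)
    {
        string boundIp = Session[SessionIpKey] as string;
        if (boundIp != null && boundIp != requestIp)
            return false;

        string cs = ConfigurationManager.ConnectionStrings["Main"].ConnectionString; // assumed name
        using (var conn = new SqlConnection(cs))
        using (var cmd = new SqlCommand("SELECT userlevel FROM users WHERE userID = @id", conn))
        {
            cmd.Parameters.AddWithValue("@id", userId);   // parameterized, never concatenated
            conn.Open();
            object level = cmd.ExecuteScalar();
            return level != null && Convert.ToInt32(level) >= RequiredLevel;
        }
    }
}
```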
We use integrated windows authentication.
1. In IIS Manager, click the "Directory Security" tab.
2. Uncheck "Anonymous Access".
3. Check "Integrated Windows Authentication".
This lets you administer who has rights to your admin site by modifying domain accounts instead of using a roll-your-own solution. You can still get the logged-in user's credentials via the Environment class, which can be used to associate any web-specific properties for each user that you want to store in your database. This also has the advantage of automatically handling timeouts, relogin requirement if browser was closed, etc.
Your solution looks almost fine, though it sounds as though you're adding individual user accounts to the SQL Server instead of handling everything through the ASP.NET service account login. I'd avoid adding individual user accounts into your database. In ASP.NET, unless you're jumping through some useless hoops, the ASP.NET service account is what is authenticated for DB connectivity, not the user that's logged into the site.