Updating AspNetUser Password Hash - asp.net

I have 2 projects. One of them is using ASP.Net authentication, the other uses Windows authentication, which is the administration side. I want the Admin project to be able to manage the users of the other. I can modify everything except the password.
If I use UserManager.PasswordHasher to create a new hash and update the AspNetUser, I cannot login with the new password (I can see the update has occurred). I tried to incorporate Asp.Net users in the admin project but it's messing with the Windows authentication.
Is this a salting issue? Is there a way to do a simple model update that will update the password hash correctly without re-implementing the entire Identity model?

Something like this should work:
using Microsoft.AspNet.Identity;

// Hash with the same PasswordHasher the site uses at login; the salt is
// generated by the hasher and embedded in the returned string.
user.PasswordHash = UserManager.PasswordHasher.HashPassword(newPassword);
// Pass the Identity user object here, not the request's User principal.
UserManager.Update(user);
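An admin-side version of that update, written as an added example rather than code from the answer above. The default Identity 2.x PasswordHasher draws a fresh random salt on every HashPassword call and stores it inside the hash string, so a salt column is not the reason a login would fail; the usual reason is that the admin project hashes with a different PasswordHasher (a different Identity package version, or a custom hasher on the site) than the one the site verifies with. The example assumes both projects use the stock `IdentityUser` and the same Microsoft.AspNet.Identity version; the class and method names are hypothetical.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.EntityFramework;

// Hypothetical admin-project helper (not from the original answer).
public static class AdminPasswordService
{
    // Sets a new password for an existing Identity user from the admin project.
    // Assumes this project's UserManager is built over the same database and the
    // same Microsoft.AspNet.Identity package version as the user-facing site
    // (and the same PasswordHasher, if the site replaced the default one).
    public static async Task<IdentityResult> SetPasswordAsync(
        UserManager<IdentityUser> userManager, string userName, string newPassword)
    {
        var user = await userManager.FindByNameAsync(userName);
        if (user == null)
            return IdentityResult.Failed("User not found.");

        // Apply the same password policy the site uses for self-service changes,
        // so an administrator cannot set a password the user could not.
        var policy = await userManager.PasswordValidator.ValidateAsync(newPassword);
        if (!policy.Succeeded)
            return policy;

        // The hasher generates a random salt per call and embeds it in the
        // returned string, so no separate salt value has to be updated.
        user.PasswordHash = userManager.PasswordHasher.HashPassword(newPassword);

        // A new security stamp invalidates the user's existing login cookies
        // once the site validates stamps (SecurityStampValidator.OnValidateIdentity),
        // which is what you want after an administrative password change.
        user.SecurityStamp = Guid.NewGuid().ToString();

        return await userManager.UpdateAsync(user);
    }
}
```

To confirm the hash is readable by the site rather than just by the admin project, run the check from the site's side: `await UserManager.CheckPasswordAsync(user, newPassword)` with the site's own UserManager must return true. If it returns false while the admin project's hasher verifies the same string, the two projects are not using the same hasher. An API-only alternative that avoids touching the hash property is `RemovePasswordAsync(user.Id)` followed by `AddPasswordAsync(user.Id, newPassword)`; both run the password validator and rotate the security stamp.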

Related

ASP.net Identity 2.0, how to delete user but restrict username from being used again?

I have a site using ASP.net identity 2.0 for user management with a few external authentication options as well (google,facebook,etc).
I want to give users the option to delete their account. I found a good example of how to implement this in this answer: ASP.NET MVC 5 how to delete a user and its related data in Identity 2.0
However, I am looking to restrict anyone else from registering the old user's username when he/she deletes their account. However, the email should be freed up if they decide to re-register.
I want to prevent user ABC from deleting their account, and then someone unrelated taking username ABC (this would cause confusion/problems in my use case).
I am looking for advice on best practices on how to implement this. Is there anything built into ASP identity? Or should I keep a list/sql db somewhere of all registered usernames (deleted and active) and simply check new users against this list?
Thank you.
A hyper-simplistic approach would be to simply not delete the user account in the user tables but rather mark it as locked, update the email address from whatever it is to something else, and set whatever other sensitive fields like passwords to in-house defaults. You'd probably want to reduce and/or outright delete any rights/roles too.
So do a replace on an email account of abc@abc.com to make it abc@abc.com@deletedaccount.me.
Then you're done and don't need any extra coding, as the framework will take care of the rest itself.
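The soft-delete described in that answer, implemented through the Identity 2.x UserManager, as an added example (not code from the answer or from ASP.NET Identity). It keeps the UserName row, which is what reserves the name, and frees the email address by overwriting it with a unique, unroutable one. The `deleted.invalid` mailbox domain is an assumption (RFC 2606 reserves `.invalid`, so it can never receive mail); the class and method names are hypothetical, and the example uses a null password hash rather than an in-house default password, which is stricter than the answer's wording.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.EntityFramework;

// Hypothetical helper (not from the original answer). Assumes the default
// Identity 2.x IdentityUser / UserManager over the AspNetUsers tables.
public static class AccountSoftDelete
{
    public static async Task<IdentityResult> SoftDeleteAsync(
        UserManager<IdentityUser> userManager, string userId)
    {
        var user = await userManager.FindByIdAsync(userId);
        if (user == null)
            return IdentityResult.Failed("User not found.");

        // Drop roles so the reserved account carries no rights.
        foreach (var role in await userManager.GetRolesAsync(userId))
        {
            var result = await userManager.RemoveFromRoleAsync(userId, role);
            if (!result.Succeeded) return result;
        }

        // Drop external logins (Google, Facebook, ...) so the provider
        // account can no longer sign in to the reserved username.
        foreach (var login in await userManager.GetLoginsAsync(userId))
        {
            var result = await userManager.RemoveLoginAsync(userId, login);
            if (!result.Succeeded) return result;
        }

        // Keep UserName: that is what reserves it. Replace the email with a
        // unique, unroutable address so RequireUniqueEmail no longer blocks
        // the real address from being registered again. ".invalid" is an
        // assumed placeholder domain (reserved by RFC 2606).
        user.Email = "deleted-" + Guid.NewGuid().ToString("N") + "@deleted.invalid";
        user.EmailConfirmed = false;

        // A null hash makes password login impossible for this account
        // (HasPassword is false), which is safer than any default password.
        user.PasswordHash = null;

        // Lock out indefinitely. A far-future date is used instead of
        // DateTime.MaxValue, which overflows a SQL Server datetime column.
        user.LockoutEnabled = true;
        user.LockoutEndDateUtc = new DateTime(9999, 12, 31, 0, 0, 0, DateTimeKind.Utc);

        // Rotating the security stamp invalidates any live login cookies.
        user.SecurityStamp = Guid.NewGuid().ToString();

        return await userManager.UpdateAsync(user);
    }
}
```

Because the row stays in AspNetUsers, the registration path's existing "user name already taken" check handles the reservation with no extra table; the deleted row's email is freed by the overwrite, and the lockout plus null hash and removed logins close every sign-in route for it.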

How to change the password of membership table in ASP.net?

I want to change the password in the Membership table. I can change it directly in the database, but it is in encrypted format. How do I retrieve the original password in the front end, and how do I update it? Please send me the logic.
You cannot directly change it in the database and should use the Membership-provided methods.
using System.Web.Security;

// Look the user up through the configured provider, then let the provider
// re-hash the new password itself.
MembershipUser u = Membership.GetUser("username1");
u.ChangePassword("OldPassword", "NewPass");
If you don't know the old password, use MembershipUser.ResetPassword instead.
If you want a ready-made solution, I use this tool to manage my users and roles.
You just fire it up and point it to the web.config of your web app and away you go.
http://aspnetmemberman.codeplex.com/
Features
Initialize membership databases
Create and delete users
Create and delete roles
Assign and un-assign users to roles
Reset user passwords
Unlock, activate and de-activate users
Works with System.Web and custom providers
Attempts to handle custom profiles

Converting from Forms Authentication to Windows Authentication

We're currently using forms authentication for our intranet site and would like to allow users to authenticate via windows authentication instead. How will this affect current user accounts, profiles and roles. I have seen on the web that I can mix the two authentication types and put roles and profiles in a separate DB, but how do I link up existing role and profile assignments with windows authentication user logins?
I'm not sure if you can do exactly what you are asking; however, you could code your way out of this. You could write functionality that requires people who are Windows authenticated to enter a credential you already have on file which is unique (say an email address); you could then convert the user account programmatically if they responded by clicking a link.
You could create the new account and import the information from the old non-Windows-authenticated account and then delete the old account. All DB records that rely on UserId, however, would need to be changed in this approach as part of the migration.
Depends on how integrated you want to be, but if it's single sign-on that's driving this:
Get the user's SID and look for it in profiles, roles etc. (you could add a SID column to them, but a simple SID - userId table would be better).
If they are in there, you are good to go.
If they aren't, use the forms authentication to identify them and add a mapping from their SID to userId. So they'll get asked once more and that's it.
You'll probably need a similar mechanism anyway, in the event of the SID changing, which can happen after various Windows issues, or for, say, anonymous access for non-Windows users.
If you don't like SID as an ID then some other, e.g. domain\user name, might do it.
Windows groups/roles to application roles for full integration is another step, as would be
rationalising profile info like full name etc.
It's a nice quick start anyway, without having to trawl through everything that uses user ID now and change it.
Finally coming back around to answer the question. We actually kind of scrapped what we had in our Forms Authentication. The Roles work pretty differently with Windows authentication, as does the profile. We used a custom profile provider rather than the built in profile provider. If anyone is interested in what we've done, I put together a series of four blog posts that detail what we did in our environment and some of the glitches we ran into: Part 1, Part 2, Part 3 and Part 4.

Using a Membership Provider for Private Site

I can't be the first person to have this problem, I must be missing an easy solution. I have inherited a non-public ASP.NET site secured using a forms authentication with a SqlMembershipProvider to secure the site. Everything is working fine with the users the developer manually added to the database.
I need to add an administrative page to allow privileged users to add and alter user accounts. The membership provider makes it really easy to build one, but the problem I'm having with the SqlMembershipProvider now is the question/answer requirement. The administrator needs to be able to reset the other users' passwords to a temporary password and create a new user account (also with a temporary password). Resetting a password requires either the answer for the user's question or their current password.
I could of course just put in something like "question" and "answer" for all accounts and it would work, but I'm concerned about the security risks of doing this. Perhaps I'm being too paranoid though. Creating a custom membership provider, in addition to being a lot of work, doesn't solve this problem because the membership provider base has the same requirements.
Thank you.
Resetting a password requires either the answer for the user's question or their current password
If you are currently not using the question/answers , you can override this in the web.config
requiresQuestionAndAnswer="false"
After that you can do:
using System;
using System.Web.Security;

string requestedUserGuidString = "some GUID";
Guid userId = new Guid(requestedUserGuidString);
MembershipUser mu = Membership.GetUser(userId);
// ResetPassword returns a provider-generated random password; changing from
// that value immediately sets the one typed by the administrator.
mu.ChangePassword(mu.ResetPassword(), tbNewPassword.Text);
If you are using the question/answers, you can add a second provider to your web.config and set only for that provider the same overrule and use that provider ONLY for the reset password functionality,
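The reset-then-change pattern from the two Membership answers on this page (the ChangePassword/ResetPassword snippet above and the earlier Membership answer), carried through the "second provider" approach, as an added example that is not code from either answer. It assumes web.config defines an additional SqlMembershipProvider named `AdminResetProvider` over the same database and `applicationName` as the default provider, with `requiresQuestionAndAnswer="false"` and `enablePasswordReset="true"`; that provider name and the class are hypothetical. Only the admin page references it, so the self-service pages keep requiring the secret answer.

```csharp
using System;
using System.Web.Security;

// Hypothetical admin-page helper (not from the original answers).
public static class AdminPasswordTools
{
    // Assumed provider name; must match the <add name="..."> entry in web.config.
    private const string ResetProviderName = "AdminResetProvider";

    private static MembershipProvider ResetProvider
    {
        get
        {
            MembershipProvider provider = Membership.Providers[ResetProviderName];
            if (provider == null)
                throw new InvalidOperationException(
                    "Provider '" + ResetProviderName + "' is not configured in web.config.");
            // Fail loudly if someone later tightens the provider settings,
            // instead of surfacing a confusing provider exception mid-reset.
            if (provider.RequiresQuestionAndAnswer || !provider.EnablePasswordReset)
                throw new InvalidOperationException(
                    "Reset provider needs requiresQuestionAndAnswer=false and enablePasswordReset=true.");
            return provider;
        }
    }

    private static MembershipUser GetUserOrThrow(MembershipProvider provider, string userName)
    {
        MembershipUser user = provider.GetUser(userName, false);
        if (user == null)
            throw new ArgumentException("No such user: " + userName, "userName");
        // A reset is usually requested because the user is locked out; clear it.
        if (user.IsLockedOut && !user.UnlockUser())
            throw new InvalidOperationException("Could not unlock " + userName);
        return user;
    }

    // Reset to a provider-generated random password and return it for
    // out-of-band delivery to the user; do not log it.
    public static string ResetToTemporaryPassword(string userName)
    {
        MembershipUser user = GetUserOrThrow(ResetProvider, userName);
        // MembershipUser.ResetPassword() routes to the provider that loaded
        // the user, i.e. the relaxed one, not the default provider.
        return user.ResetPassword();
    }

    // Set an administrator-chosen temporary password without knowing the old
    // one: reset to a random value, then change from that value.
    public static bool SetTemporaryPassword(string userName, string temporaryPassword)
    {
        MembershipProvider provider = ResetProvider;
        if (temporaryPassword == null ||
            temporaryPassword.Length < provider.MinRequiredPasswordLength)
            throw new ArgumentException("Password is shorter than the provider minimum.", "temporaryPassword");

        MembershipUser user = GetUserOrThrow(provider, userName);
        string generated = user.ResetPassword();
        // ChangePassword applies the provider's full password policy itself.
        return user.ChangePassword(generated, temporaryPassword);
    }

    // Create an account with a temporary password. Membership has no
    // "must change at next login" flag; track that in the application's own table.
    public static MembershipUser CreateWithTemporaryPassword(
        string userName, string email, string temporaryPassword)
    {
        MembershipCreateStatus status;
        MembershipUser user = ResetProvider.CreateUser(
            userName, temporaryPassword, email,
            null, null,     // no question/answer on the relaxed provider
            true, null, out status);
        if (status != MembershipCreateStatus.Success)
            throw new InvalidOperationException("CreateUser failed: " + status);
        return user;
    }
}
```

Both providers must point at the same connection string and `applicationName`, otherwise the relaxed provider sees a different set of users. The one setting that cannot be relaxed on the admin provider is `passwordFormat`: it must equal the default provider's, since both read the same hashed rows.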

How do you get the logged in Windows domain account from an ASP.NET application?

We have an ASP.NET application that manages it's own User, Roles and Permission database and we have recently added a field to the User table to hold the Windows domain account.
I would like to make it so that the user doesn't have to physically log in to our application, but rather would be automatically logged in based on the currently logged in Windows domain account DOMAIN\username. We want to authenticate the Windows domain account against our own User table.
This is a piece of cake to do in Windows Forms, is it possible to do this in Web Forms?
I don't want the user to be prompted with a Windows challenge screen, I want our system to handle the log in.
Clarification: We are using our own custom Principal object.
Clarification: Not sure if it makes a difference or not, but we are using IIS7.
Integration of this sort is at the server level: it's IIS that decides that the user is not logged in, and it's IIS that sends back the authentication prompt to the user, to which the browser reacts.
As you want to use the domain login there is only one way to do this: integrated Windows authentication. This will only work if the IIS server is also part of the domain and the users are accessing the machine directly, not through a proxy, and from machines which are also part of the domain (with the users suitably logged in).
However, your custom principal object may create fun and games; authentication of this type will be a WindowsPrincipal and a WindowsIdentity, which you can access via the User object (see How To: Use Windows Authentication in ASP.NET 2.0).
I assume you want a custom principal because of your custom roles? I doubt you can get the two to play nicely; you could create a custom role provider which looks at your data store, or you could look at ADAM, an extension to AD which provides roles on a per-program basis and comes with nice management tools.
I did pretty much exactly what you want to do a few years ago. I'm trying to find some code for it, though it was at a previous job so that code is at home.
I do remember though that I used this article as my starting point. You set up the LDAP provider so you can actually run a check of the user against the LDAP. One thing to make sure of if you try the LDAP approach: in the settings file where you set up the LDAP, make sure LDAP is all caps; if it is not, it will not resolve.
using System.Security.Principal;
using System.Web;
...
// With Windows authentication enabled in IIS, the request's User is a WindowsPrincipal.
WindowsPrincipal wp = (WindowsPrincipal)HttpContext.Current.User;
to get the current domain user. Of course you have to make sure that IIS is set up to handle Windows Authentication.
This might be helpful:
using System.Security.Principal;

// Identity of the thread's Windows token: the worker process, or the
// impersonated user when impersonation is enabled.
WindowsIdentity myIdentity = WindowsIdentity.GetCurrent();
WindowsPrincipal myPrincipal = new WindowsPrincipal(myIdentity);
string name = myPrincipal.Identity.Name;
string authType = myPrincipal.Identity.AuthenticationType;
string isAuth = myPrincipal.Identity.IsAuthenticated.ToString();
string identName = myIdentity.Name;
string identType = myIdentity.AuthenticationType;
string identIsAuth = myIdentity.IsAuthenticated.ToString();
string isAnon = myIdentity.IsAnonymous.ToString();
string isG = myIdentity.IsGuest.ToString();
string isSys = myIdentity.IsSystem.ToString();
string token = myIdentity.Token.ToString();
Disclaimer: I got this from a technet article, but I can't find the link.
You can use System.Threading.Thread.CurrentPrincipal.
Request.ServerVariables["REMOTE_USER"]
This is unverified for your setup, but I recall using this awhile back.
Try Request.ServerVariables("LOGON_USER").
If the directory security options are set so that this directory does not allow anonymous users, when the surfer hits this page they will be prompted with the standard modal dialog asking for username and password. Request.ServerVariables("LOGON_USER") will return that user.
However, this will probably not work for you because you are using your own custom security objects. If you can figure out how to get around that logon box, or pass in NT credentials to the site before it asks for them, then you would be all set.
Have you thought about impersonation? You could store the user's NT logon credentials in your custom security object, and then just impersonate the user via code when appropriate.
http://msdn.microsoft.com/en-us/library/aa292118(VS.71).aspx
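The pattern the answers above circle around, written out as an added example (not code from any of the answers): let IIS do the Windows authentication, then in `PostAuthenticateRequest` map the `WindowsIdentity` onto the application's own User table and replace the request principal with the application's custom principal, so authorization runs against the app's roles. It uses `Context.User` rather than `WindowsIdentity.GetCurrent()`, because the latter returns the worker-process (or impersonated) token, not the request's user. The same lookup can be keyed on the SID (`identity.User.Value`) as suggested in the forms-to-Windows thread above. Assumptions: `<authentication mode="Windows"/>` with anonymous access disabled in IIS; the `AppUser`, `AppUserRepository` and `AppPrincipal` types and the sample rows are constructed for the example. No prompt appears only when the browser negotiates silently, i.e. a domain-joined client with the site in its intranet zone; otherwise the browser shows its own credential dialog.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Principal;
using System.Threading;
using System.Web;

// Application user as stored in the app's own User table; the domain-account
// field is the one the question says was added to that table. (Hypothetical type.)
public sealed class AppUser
{
    public int UserId { get; set; }
    public string DomainAccount { get; set; } // "DOMAIN\\username"
    public string[] Roles { get; set; }
}

// Stand-in for the real User table: constructed sample rows, not real accounts.
public static class AppUserRepository
{
    private static readonly Dictionary<string, AppUser> ByAccount =
        new Dictionary<string, AppUser>(StringComparer.OrdinalIgnoreCase)
        {
            { "CORP\\jdoe",   new AppUser { UserId = 1, DomainAccount = "CORP\\jdoe",   Roles = new[] { "Clerk" } } },
            { "CORP\\asmith", new AppUser { UserId = 2, DomainAccount = "CORP\\asmith", Roles = new[] { "Admin", "Clerk" } } },
        };

    public static AppUser FindByDomainAccount(string domainAccount)
    {
        AppUser user;
        return ByAccount.TryGetValue(domainAccount, out user) ? user : null;
    }
}

// The application's own principal: wraps the Windows identity IIS verified,
// but answers IsInRole from the application's Role/Permission data.
public sealed class AppPrincipal : IPrincipal
{
    private readonly HashSet<string> roles;

    public AppPrincipal(IIdentity identity, AppUser user)
    {
        Identity = identity;
        User = user;
        roles = new HashSet<string>(user.Roles ?? new string[0], StringComparer.OrdinalIgnoreCase);
    }

    public IIdentity Identity { get; private set; }
    public AppUser User { get; private set; }
    public bool IsInRole(string role) { return roles.Contains(role); }
}

public static class WindowsAccountMapper
{
    // Returns the application principal for a request IIS authenticated with
    // Windows authentication, or null if the account is unknown to the app.
    public static AppPrincipal Map(IPrincipal requestUser)
    {
        var identity = requestUser == null ? null : requestUser.Identity as WindowsIdentity;
        if (identity == null || !identity.IsAuthenticated || identity.IsAnonymous)
            return null;

        // identity.Name is "DOMAIN\\username". To key on the SID instead
        // (stable across account renames), use identity.User.Value.
        var appUser = AppUserRepository.FindByDomainAccount(identity.Name);
        return appUser == null ? null : new AppPrincipal(identity, appUser);
    }
}

// Global.asax.cs. PostAuthenticateRequest fires after IIS has already
// validated the Windows credentials, so the application never shows a login page.
public class Global : HttpApplication
{
    protected void Application_PostAuthenticateRequest(object sender, EventArgs e)
    {
        var principal = WindowsAccountMapper.Map(Context.User);
        if (principal == null)
        {
            // Valid domain account but no row in our User table: deny rather
            // than let the raw WindowsPrincipal through to authorization.
            Context.Response.StatusCode = 403;
            CompleteRequest();
            return;
        }
        Context.User = principal;
        Thread.CurrentPrincipal = principal;
    }
}
```

With the principal swapped in this way, `[Authorize(Roles = "Admin")]`, `User.IsInRole(...)` and `<authorization>` rules in web.config all evaluate against the application's roles instead of Windows groups, while `User.Identity.Name` still reports the domain account IIS verified.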
