I have setup my MVC application already to use the Membership provider along with AD.
I am able to login and see details about users and such.
My next step is to implement some sort of SSO with my SharePoint 2010 application. From what I understand, Claims-Based authentication may be a good approach for my situation. Both my MVC app and the SharePoint app will be hosted on the same domain if this helps with the question.
I have setup a Claims-Based SharePoint application, so I'm assuming I need to find out how to let SharePoint know that the user has logged into my MVC app so they don't need to login again, which is where ADFS might come into play.
Does anybody have any experience with this topic. If so, are there any resources available to look at for research?
I have found that Active Directory already supports multi-tenancy within a domain.
Make certain that applicationName setting in your web.config is the same for your Sharepoint and MVC apps.
<membership>
<providers>
<clear/>
<add
name="MyADMembershipProvider"
type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web,
Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
connectionStringName="ADConnectionString"
.......
applicationName="/"
/>
</providers>
</membership>
Related
I'm experimenting with the Microsoft Azure portal in order to see how my legacy application performs with the least amount of rewrite. Authentication is a problem.
Background: this ASP.NET web application currently uses the SqlMembership Provider for Users, Roles, Profiles and Personalization. Yep, there has been a lot of blogging about the ASP.NET Identity, Simple Membership, Universal Providers and that the asp.net SqlMembership Provider is being phased out. But, if possible I'd still rather use the legacy asp.net membership on Azure.
Currently, I am able to publish my VS.NET 2013 solution to Azure but I am not able to login. As soon as I navigate to the url, it auto-logs me in as the Azure Portal user. It almost appears that Windows Authentication is active, rather than forms. Here's how I got here:
I created the sql membership tables on Sql Azure using special Azure-friendly scripts for Sql Azure (here: https://support.microsoft.com/kb/2006191).
However, when I run my application on the azure site vs. when I run it locally I see different behavior. On azure a different authentication mechanism takes hold: first, I'm prompted to login with my organizational ID (this is my msdn email), then after I enter my login for Azure, I automatically get logged into my application as live.com#myazureid#domain.com and I am not redirected to default.aspx but login.aspx and none of the web.sitemap menus appear other than the ones available to non-authenticated users. I also created a second user in the portal jeff#mydomain.onmicrosoft.com and I am prompted to login thru live then I am autologged into the application. Basically it acts like windows authentication is active, not forms auth. (Clarification: I found out later that this behavior is Azure Active Directory.)
In contrast, when my application runs locally (vs.NET 2013) with my connection strings pointing to the same sql azure data source (the membership tables) I login as I'd expect: I enter my membership username/password and I see my default page and pages tied to my roles are accessible, the user exists in users table, etc.. Obviously my local runtime environment and azure are different and it seems that Azure is somehow overriding my web.config provider settings and using its own mechanism.
My web.config:
<authentication mode="Forms">
<forms cookieless="UseCookies" defaultUrl="~/Default.aspx" loginUrl="~/PagesAnon/userLogin.aspx" requireSSL="false" slidingExpiration="true" timeout="45" />
</authentication>
<membership defaultProvider="AspNetSqlMembershipProvider" userIsOnlineTimeWindow="2">
<providers>
<clear />
<remove name="AspNetSqlMembershipProvider" />
<add name="AspNetSqlMembershipProvider" type="System.Web.Security.SqlMembershipProvider" connectionStringName="LocalSqlServer" enablePasswordRetrieval="false" enablePasswordReset="true" requiresQuestionAndAnswer="true" applicationName="/" requiresUniqueEmail="false" passwordFormat="Hashed" maxInvalidPasswordAttempts="4" minRequiredPasswordLength="7" minRequiredNonalphanumericCharacters="1" passwordAttemptWindow="10" passwordStrengthRegularExpression="" />
</providers>
</membership>
<roleManager defaultProvider="AspNetSqlRoleProvider" enabled="true" cacheRolesInCookie="true">
<providers>
<clear />
<remove name="AspNetSqlRoleProvider" />
<add name="AspNetSqlRoleProvider" connectionStringName="LocalSqlServer" applicationName="/" type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
</providers>
</roleManager>
Thanks to Simon W above, I found my problem. In the Azure Portal, there is a setting that controls "Azure Websites Authentication / Authorization". Its found under Websites, then Configure, then scroll down a bit to "Azure Websites Authentication / Authorization". In my case there was an entry there: my website was tied into the "Directory" for my account and the "application" was set to my "tenant" (I think that's the Azure term).
To fix this, I simply removed the entry in the portal and I am able to login to my web application perfectly. Forms authentication wired up to Membership is working as I'd expect.
I believe that I published the original website using VS.NET 2013 Publish (using Server Explorer with the Azure SDK tools installed) and maybe there is a default setting that enables Azure AD in that scenario. I won't know until I retrace my steps and confirm this later. When I create a new website using the Portal, it does not default to this scheme.
Simon, I don't know how to give you credit for the answer... you basically got my head pointed in the right direction (just the use of "Azure AD authentication" got be googling the right terms) and facilitated the fix.
I would like to use mvc4 Simple membership provider. So I set up a new MVC4 internet application. Click Debug and I see that db and tables were created for me.
Is this all I need to do?.
Some articles:
http://weblogs.asp.net/jgalloway/archive/2012/08/29/simplemembership-membership-providers-universal-providers-and-the-new-asp-net-4-5-web-forms-and-asp-net-mvc-4-templates.aspx
http://blog.longle.net/2012/09/25/seeding-users-and-roles-with-mvc4-simplemembershipprovider-simpleroleprovider-ef5-codefirst-and-custom-user-properties/
tell me to add
<membership defaultProvider >...
section. is this necessary?
Also:
I can't get ASP.Net configuration tool to work. It says "An error was encountered. Please return to the previous page and try again. "
??
If you created a new MVC 4 web application using the Internet template it should have wired up SimpleMembership for a basic log-on/log-off functionality. It should have already updated your web.config with the proper settings. It should have setup the membership and roles and they should looks something like this.
<roleManager enabled="true" defaultProvider="SimpleRoleProvider">
<providers>
<clear/>
<add name="SimpleRoleProvider" type="WebMatrix.WebData.SimpleRoleProvider, WebMatrix.WebData"/>
</providers>
</roleManager>
<membership defaultProvider="SimpleMembershipProvider">
<providers>
<clear/>
<add name="SimpleMembershipProvider" type="WebMatrix.WebData.SimpleMembershipProvider, WebMatrix.WebData" />
</providers>
</membership>
SimpleMembership does not use the ASP.NET Configuration Tool used with the traditional ASP.NET membership. You have to create your own web pages for managing roles and users.
The Internet template just creates the basic functionality for authentication and authorization in your application. But SimpleMembership is very extensible. For example it is fairly easy to customize what type of information you want to capture in the user profile or setup email confirmation of new users.
Objective:
I want to create a web service that allows me to connect to it (through ASP.NET Web Application) and then authenticate users just as Membership Provider Does/Role Provider Does.
I do not want to use Membership/Role Provider by configuring at the ASP.NET Web Application's Web.config. Instead, what i would like, is to have some sort of configuration that points my Asp.net Web Application to a webservice (the one i want to create), that than authenticates the user.
Expected Solution:
what i found after some google research, that the solution might be: WCF Authentication Service. But I am unable to get it working. I created this service, did all the configuration as it says in this article:
http://msdn.microsoft.com/en-us/library/bb398990.aspx
but i am not sure, how do i now configure my Asp.Net Web Application, to use this service as the Membership/Role Provider.
I may be going in complete wrong direction, and this service may not be the solution to my problem. Can you please help me out.
Thanks,
Your Dev Brother ... :)
You are going in the right direction.
ClientFormsAuthenticationMembershipProvider is a membership provider you are looking for.
Below is sample web.config configuration to use it:
<appSettings>
<add key="ClientSettingsProvider.ServiceUri" value="" />
</appSettings>
<system.web>
<compilation debug="true" targetFramework="4.0" />
<membership defaultProvider="ClientAuthenticationMembershipProvider">
<providers>
<clear/>
<add name="ClientAuthenticationMembershipProvider"
type="System.Web.ClientServices.Providers.ClientFormsAuthenticationMembershipProvider, System.Web.Extensions, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"
serviceUri="http://localhost:49712/Authentication_JSON_AppService.axd" />
</providers>
</membership>
</system.web>
Configuration may be tricky. I spent hours before figure out that ClientSettingsProvider.ServiceUri should be added.
You may add temp WinForms or WPF project to your solution to build configuration. these types of projects have special tab - Services tab in project settings that provide GUI for configuration. Sample below is for .NET 3.5 but idea is the same for 4.0.
http://www.codeproject.com/Articles/27670/Implementing-Application-Security-with-Client-Appl
I am trying to set up a custom ASP.NET membership provider to authenticate using LDAP and Apache DS. This is what my web.config entry looks like:
<membership defaultProvider="DefaultMembershipProvider">
<providers>
<add name="DefaultMembershipProvider"
type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0,Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
connectionStringName="ADConnectionString"
connectionProtection="None"
connectionUsername="uid=myid, O=this domain"
connectionPassword="mypwd"
attributeMapUsername="sAMAccountName"
enableSearchMethods="True" />
I am not having much luck here, probably owing to the fact that I have no idea what I am doing. I am hoping someone can at least verify I am headed in the right direction?
You can't use the ActiveDirectoryMembershipProvider for LDAP, it requires a real ActiveDirectory server. Unless Apache DS emulates AD, you won't be able to use this.
You're going to have do a custom membership provider. THere's a working example here:
http://forums.asp.net/t/970391.aspx/1
Sorry for the poor title here :)
I have my WSS configured for Forms Authentication. I'd like my users to land on the WSS login page, log in, and then provide them links to other ASP.NET apps which also are configured for forms authentication. I'd like to achieve a single-signon-ish solution (the reason I say "ish" is I'm not looking to implement SSO per-se, as in SAML, but rather achieve the similar effect of not forcing the user to re-enter their credentials). You can assume the forms auth credentials that WSS uses are the SAME as those in the subsequent forms auth apps I want to provide the links to.
Does this require code on the WSS side, or can I make this happen non-programmatically on the ASP.NET/IIS configuration side?
Thanks
What is your Forms Authentication Provider?
On Active Directory (for instance) your browser will remember what your authentication was on the first entry site and carry it for you.
Having this on the web.config file of both ASP.NET and SharePoint sites:
<connectionStrings>
<add name="ADConnectionString"
connectionString=
"LDAP://testdomain.test.com/CN=Users,DC=testdomain,DC=test,DC=com" />
</connectionStrings>
<membership defaultProvider="MyADMembershipProvider">
<providers>
<add
name="MyADMembershipProvider"
type="System.Web.Security.ActiveDirectoryMembershipProvider,
System.Web, Version=2.0.0.0,
Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
connectionStringName="ADConnectionString"
connectionUsername="testdomain\administrator"
connectionPassword="password"/>
</providers>
</membership>
Will ensure they will both use the same authentication providers and therefore once the browser has the information about their identity, it will recycle it accordingly throughout.
Other wise, try a Federation Service.
Here is a tutorial on how to use ADFS
Hi Ric thanks for the response. I think I found my answer. Forms authentication is all about the cookie, so if I configure both the ASP.NET web app and the Sharepoint virtual directory to use the same authentication cookie, I should get single-sign on between them. I'm going to try.
UPDATE: This works nicely.