Slow ASP Classic authentication with LDAP - asp-classic

I use asp classic to authenticate a user with LDAP. There are about 10 000 accounts in the LDAP and the check for authentication in asp is quite slow (15 seconds).
I used on the same server the LDP tool (from Microsoft) and everything (from connection, binding and search) is fast.
Here's my code, I tried 3 different options and I had same results :
Using SQL instructions :
Dim oConn: Set oConn = Server.CreateObject("ADODB.Connection")
oConn.Provider = "ADsDSOOBJECT"
oConn.Properties("User ID") = Username
oConn.Properties("Password") = Password
oConn.Properties("Encrypt Password") = True
oConn.Open "DS Query", Username, Password
Dim Query: Query = "SELECT sAMAccountName FROM 'LDAP://ldap.mydomain.com/CN=" & Username & ",CN=Users' WHERE objectCategory = 'person' AND objectClass='user' AND SAMAccountName = '" & Username & "' "
Dim oCmd: Set oCmd = Server.CreateObject("ADODB.Command")
Set oCmd.ActiveConnection = oConn
oCmd.CommandText = Query
Dim oRs: Set oRS = oCmd.Execute
If oRS.BOF Or oRS.EOF Then
' Authentication failed
Else
' Autentication passed
End If
...
Using LDAP instructions :
Dim oConn: Set oConn = Server.CreateObject("ADODB.Connection")
oConn.Provider = "ADsDSOOBJECT"
oConn.Properties("User ID") = Username
oConn.Properties("Password") = Password
oConn.Properties("Encrypt Password") = True
oConn.Open "DS Query", Username, Password
Dim Query: Query = "<LDAP://ldap.mydomain.com>;(samAccountName=" & Username & ");samAccountName;subtree"
Dim oCmd: Set oCmd = Server.CreateObject("ADODB.Command")
Set oCmd.ActiveConnection = oConn
oCmd.CommandText = Query
Dim oRs: Set oRS = oCmd.Execute
If oRS.BOF Or oRS.EOF Then
' Authentication failed
Else
' Autentication passed
End If
...
Using IADS objects :
Dim DSODomaine
Dim DSOContainer
On Error Resume Next
Set DSODomaine = GetObject("LDAP:")
Set DSOContainer = DSODomaine.OpenDSObject("LDAP://ldap.mydomain.com", Username, Password, ADS_SECURE_AUTHENTICATION + ADS_SERVER_BIND)
If Err.Number <> 0 Then
' Authentication failed
Else
' Autentication passed
End If
...
The 3 examples are all slow. What could I do to improve performance using asp classic ?

Ancient thread, but you can include the port in the address like
LDAP://ldap.mydomain.com:389 - that should speed up your query
Later edit - if your issue is exactly 15 seconds delay, this will help:
Windows tries to retrieve a fresh CRL (certificate revocation list) from both its own and third-party servers. This looks like it times out in exactly 15 seconds. This might be the case if the machine is isolated or doesn’t have internet access to those resources (blocked/firewall, slow connection etc).
If your CA/Certificate is already available on the webserver you try to lower the timeout to see if it solves the issue?
We just need to follow these steps on Vault Server:
Start gpedit.msc -> Local Computer policy -> Computer Configuration -> Administrative Templates -> System -> Internet Communication Management -> Internet Communication Settings -> Turn off automatic root certificate update = Enabled
Start gpedit.msc -> Local Computer policy -> Computer Configuration -> Windows Settings -> Security Settings -> Public Key Policy -> Certificate Path Validation Path. Select tab “Network Retrieval” and enable the “Define these policy settings”. Deselect “Automatic update root….” And most important set the timeout values to 1.

Related

UserName and UserPassword Verification function

i'm afraid to use User forms data to query the database for user login, since the company has only 20 employees, I'm thinking of this function but I'm no sure if this still a easy code to crack for any no so good hacker user
Private Function VerifyCredentials(ByVal User As String, ByVal Password As String) As Boolean
Dim verification As Boolean = False
Dim _conString As String = WebConfigurationManager.ConnectionStrings
("YounnectionString").ConnectionString
'Initialize connections variables
Dim cnn As New SqlConnection(_conString)
Dim cmd As New SqlCommand
cmd.Connection = cnn
cnn.Open()
'No data from the form are used on the SQL Server
cmd.CommandText = "Select UserName, UserPassword from tblUsers;"
Dim cmdReader As SqlDataReader = cmd.ExecuteReader()
'compare the data from the server with the data from the form, it so not matter what the user send from the form
While cmdReader.Read()
If Trim(User) = Trim(cmdReader("UserName"))
AndAlso Trim(Password) = Trim(cmdReader("UserPassword")) Then
verification = True
End If
End While
' this method may result on performance problems if your tblUsers is too big,
'afther all it is the entrance and most of the companies
'just has several hundred users
cmdReader.Close()
cmd.CommandText = ""
cnn.Close()
Return verification
End Function
Please some one check this code and give me better solution, this company was hack ones and the developer was fired. I'm dont know about security but they want a solution while hire a expert. thanks
You are just storing plain text password. Once your database is compromised, you do not have time to notify users.
You need to store hashed password with salt. Although, it can still be cracked (it takes times) but you still have sometime to notify users to change the password.
For ASP.Net, the easiest way will be to use
ASP.NET Universal Providers or
ASP.NET Identity
Let the database filter for you.
Change the query to
"Select UserName, UserPassword from tblUsers
WHERE UserName = " & Trim(User) & " AND UserPassword = " & Trim(Password)
And then, if there is some result the authentication is correct, and if there's no result, obviusly you have to return false, so simply do
Return cmdReader.Read()
Use it
Introducing ASP.NET Identity – A membership system for ASP.NET applications
http://blogs.msdn.com/b/webdev/archive/2013/06/27/introducing-asp-net-identity-membership-system-for-asp-net-applications.aspx

paypal nvp .net sdk error

Folks,
We have a web site that uses PayPal Express Checkout for Digital Goods to make software sales. It has been working fine for 5 months. Last week we started getting an error "The request was aborted: Could not create SSL/TLS secure channel.” off the live site. When I run the site off my development server it runs fine and we can process a transaction. All these are against the live paypal site. In looking at many questions on this forum and others the main problem appears to be using the wrong endpoints. I am using the .NET SDK and the nvp methods. I checked the endpoints and they are the current ones provided by paypal for nvp transactions. Even looked in the dll to make sure we did't have an older version. We are good there.
Then I thought it might be that the hosting server could'd establish a secure link to paypal so created a test page with a url with query string to the endpoint like(https://api-3t.paypal.com/nvp?USER=XXXX_api1.XXX.com&PWD=XXX&SIGNATURE=XXXXXX&VERSION=60.0&PAYMENTACTION=Authorization&AMT=1.95&RETURNURL=https://www.paypal.com&CANCELURL=https://www.paypal.com&METHOD=SetExpressCheckout).
This worked and returned the expected transaction token. So we can connect from the hosting server. Then thinking our credentials or credential retrieval code might be the problem I pulled the credentials out of our database and ran the test as follows.
Test Query string with server data code======================================
This worked so credentials and endpoint are good on the hosting server.
( Dim sCEnvironment As String = System.Configuration.ConfigurationManager.AppSettings("Environment")
Dim dtsettings As DataTable
dtsettings = Dac.ExecuteDataTable("GetCredentials", Dac.Parameter("#Environment", sCEnvironment))
'// Set up your API credentials, PayPal end point, API operation and version.
Dim sAPIUsername As String = dtsettings.Rows(0).Item("UserName").ToString
Dim sAPISignature As String = dtsettings.Rows(0).Item("Signature").ToString
Dim sAPIPassword As String = dtsettings.Rows(0).Item("Password").ToString
Dim sEnvironment As String = dtsettings.Rows(0).Item("Environment").ToString
Dim QS As String = "https://api-3t.paypal.com/nvp?USER=" & sAPIUsername & "&PWD=" & sAPIPassword & "&SIGNATURE=" & sAPISignature & "&VERSION=60.0&PAYMENTACTION=Authorization&AMT=1.95&RETURNURL=https://www.paypal.com&CANCELURL=https://www.paypal.com&METHOD=SetExpressCheckout"
Response.Redirect(QS)
I then moved on to testing the token generation using the sdk dll (paypal_base.dll). See code below. As each line is generated I added to it a string that writes out to the test page so I can get an idea what is going on our hosting server. We use the express checkout for Digital Goods process. I got the basic code from https://cms.paypal.com/cms_content/FR/fr_FR/files/developer/nvp_DoAuthorization_cs.txt and added the Digital Goods query parameters per the online documentation. This works on my development server and returns the Token. It worked on the hosting site for about four months until sometime between January 27 and January 30 when I got the first notification that a customer could not purchase a product.
When run on our hosting server we get the “The request was aborted: Could not create SSL/TLS secure channel.” error message on the line of code highlighted below. The query string is generated by the encoder and held in the variable pStrrequestforNvp so the encoder works.
I am at a loss. What could be different on the hosting server than on our development server? Is there a method in the dll I could use to write out the actual call to the paypal server? I put the same dll file we used in development on the hosting site, but something is different.
Test the sdk generated query ===========================
Dim caller As NVPCallerServices = New NVPCallerServices
Dim profile As IAPIProfile = ProfileFactory.createSignatureAPIProfile
Dim sCEnvironment As String = System.Configuration.ConfigurationManager.AppSettings("Environment")
Dim dtsettings As DataTable
Dim sMsg As String
dtsettings = Dac.ExecuteDataTable("GetCredentials", Dac.Parameter("#Environment", sCEnvironment))
profile.APIUsername = dtsettings.Rows(0).Item("UserName").ToString
sMsg = "APIUserName = " & dtsettings.Rows(0).Item("UserName").ToString & "<br/>"
profile.APISignature = dtsettings.Rows(0).Item("Signature").ToString
sMsg = sMsg & "APISignature = " & dtsettings.Rows(0).Item("Signature").ToString & "<br/>"
profile.APIPassword = dtsettings.Rows(0).Item("Password").ToString
sMsg = sMsg & "APIPassword = " & dtsettings.Rows(0).Item("Password").ToString & "<br/>"
profile.Environment = dtsettings.Rows(0).Item("Environment").ToString
sMsg = sMsg & "Environment = " & dtsettings.Rows(0).Item("Environment").ToString & "<br/>"
caller.APIProfile = profile
Dim encoder As NVPCodec = New NVPCodec
encoder("VERSION") = "65.1"
encoder("METHOD") = "SetExpressCheckout"
encoder("RETURNURL") = "http://www.multiware.biz/return.aspx"
encoder("CANCELURL") = "http://www.multiware.biz/cancel.aspx"
encoder("PAYMENTREQUEST_0_CURRENCYCODE") = "USD"
encoder("PAYMENTREQUEST_0_PAYMENTACTION") = "Sale"
encoder("PAYMENTREQUEST_0_AMT") = "1.95"
encoder("PAYMENTREQUEST_0_ITEMAMT") = "1.95"
encoder("PAYMENTREQUEST_0_DESC") = "Software"
encoder("L_PAYMENTREQUEST_0_ITEMCATEGORY0") = "Digital"
encoder("L_PAYMENTREQUEST_0_NAME0") = "Test"
encoder("L_PAYMENTREQUEST_0_NUMBER0") = "123"
encoder("L_PAYMENTREQUEST_0_QTY0") = "1"
encoder("L_PAYMENTREQUEST_0_AMT0") = "1.95"
encoder("L_PAYMENTREQUEST_0_DESC0") = "Download"
encoder("REQCONFIRMSHIPPING") = "0"
encoder("NOSHIPPING") = "1"
encoder("SOLUTIONTYPE") = "Sole"
Try
Dim pStrrequestforNvp As String = encoder.Encode
sMsg = sMsg & "pStrrequestforNvp = " & pStrrequestforNvp & "<br/>"
Dim pStresponsenvp As String = caller.Call(pStrrequestforNvp) ***Error occurs here***
sMsg = sMsg & "pStresponsenvp = " & pStresponsenvp & "<br/>"
Dim decoder As NVPCodec = New NVPCodec
decoder.Decode(pStresponsenvp)
Dim Token As String = decoder("TOKEN")
sMsg = sMsg & "Token = " & Token & "<br/>"
Me.lblResponse.Text = sMsg.ToString
Catch ex As Exception
sMsg = sMsg & "<br/>" & ex.Message.ToString & "<br/>" _
& ex.StackTrace.ToString
Me.lblResponse.Text = sMsg.ToString
End Try
I'll answer my own question. After many back and forths with the web hosting service and PayPal we narrowed the problem to the Server not authorizing the Security Certificate. Had to put a trace on our page to find this and prove it was on their side. As I suspected it was an MS update that screwed things up. One day the site was working the next it wasn't.
For further reading on the subject see the dialog at http://forum.arvixe.com/smf/other-programs-promotions-graphics/need-urgent-help!-(paypal-checkout-not-working-any-more)/msg39498/#msg39498
To their credit the Arvixe folks tracked down the problem and eventually resolved it after we went back and forth a few times on whose problem it was.

ASP.net This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms

Hey all i am getting this error when trying to compare a password in my database using my ASP.net page.
This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms.
The code looks like this:
Public Shared Function UserAuthentication(ByVal user As String, ByVal pass As String) As WebUserSession
Dim strSQL As String = ""
Dim strForEncryption As String = pass
Dim result As Byte()
Dim sHA1Managed As SHA1 = New SHA1Managed()
Dim encryptedString As New System.Text.StringBuilder()
result = sHA1Managed.ComputeHash(ASCIIEncoding.ASCII.GetBytes(pass))
For Each outputByte As Byte In result
'convert each byte to a Hexadecimal upper case string
encryptedString.Append(outputByte.ToString("x2").ToUpper())
Next
strSQL &= "SELECT email, name, id, permission_id, username FROM (user) INNER JOIN user_per ON user.id = user_per.user_id "
strSQL &= "WHERE(username = '" & user & "' And password = '" & encryptedString.ToString() & "')"
We recently had to update/lock down our server to be compliance with security holes and the like. But doing so caused this error for one of the websites we are hosting on the same server. Prior to all these security settings the web site worked just fine.
The odd part is that i am able to run the website local (debug mode) within VS 2010 and it does just fine. No errors at all.
Would anyone have any tips on how to go around this to make the website work again as it did before we added all these security settings to be complaint? We simply can not just disable it because that would cause our other websites to go out of compliance.
I've already tried the suggestions on these pages:
http://blogs.msdn.com/b/brijs/archive/2010/08/10/issue-getting-this-implementation-is-not-part-of-the-windows-platform-fips-validated-cryptographic-algorithms-exception-while-building-outlook-vsto-add-in-in-vs-2010.aspx
http://social.msdn.microsoft.com/Forums/en/clr/thread/7a62c936-b3cc-4493-a3cd-cc5fd18b6b2a
http://support.microsoft.com/kb/935434
http://blogs.iis.net/webtopics/archive/2009/07/20/parser-error-message-this-implementation-is-not-part-of-the-windows-platform-fips-validated-cryptographic-algorithms-when-net-page-has-debug-true.aspx
http://blog.aggregatedintelligence.com/2007/10/fips-validated-cryptographic-algorithms.html
Thanks.
Tried using this code as well
Dim p As String = Password.Text.ToString
Dim data(p) As Byte
Dim result() As Byte
Dim sha As New SHA1CryptoServiceProvider()
result = sha.ComputeHash(data)
The error is:
Conversion from string "S51998Dg5" to type 'Integer' is not valid.
And that error is on the line: Dim data(p) As Byte
According to this sha1managed is not fips compliant. It throws an InvalidOperationException because this class is not compliant with the FIPS algorithm.
You need to either disalbe FIPS compliance or use a FIPS compliant implementation. sha1cryptoserviceprovider I think is FIPS complaint.

Sharepoint not getting current user NetworkCredential from active directory

we have strange problem, we have single signon and we are trying to fetch unread email count from Exchange ews webservice, the problem is it always gets same count for all user which is actually for server user.
'it should now get for current user who requested the page
'but its always for server user where sharepoint is installed
Public Sub GetUnreadEmailCount()
Dim errormsg As String = String.Empty
Dim UnreadCount As Integer = 0
Dim esb As New ExchangeServiceBinding
Try
esb.RequestServerVersionValue = New RequestServerVersion
esb.RequestServerVersionValue.Version = ExchangeVersionType.Exchange2007_SP1
esb.UseDefaultCredentials = True
esb.Url = Domain + "/EWS/Exchange.asmx"
ServicePointManager.ServerCertificateValidationCallback = New RemoteCertificateValidationCallback(AddressOf CertificateValidationCallBack)
Dim biArray(1) As BaseFolderIdType
Dim dfFolder As New DistinguishedFolderIdType
dfFolder.Id = DistinguishedFolderIdNameType.inbox
biArray(0) = dfFolder
Dim geGetFolder As New GetFolderType
geGetFolder.FolderIds = biArray
geGetFolder.FolderShape = New FolderResponseShapeType
geGetFolder.FolderShape.BaseShape = DefaultShapeNamesType.AllProperties
Dim gfResponse As GetFolderResponseType = esb.GetFolder(geGetFolder)
Dim rmta As ResponseMessageType() = gfResponse.ResponseMessages.Items
Dim rmt As FolderInfoResponseMessageType = DirectCast(rmta(0), FolderInfoResponseMessageType)
If rmt.ResponseClass = ResponseClassType.Success Then
Dim folder As FolderType = DirectCast(rmt.Folders(0), FolderType)
UnreadCount = folder.UnreadCount
End If
Label1.Text = vbCrLf + "Unread email count : " + UnreadCount.ToString
' Return UnreadCount
Catch ex As Exception
If Not ex.Message Is Nothing Then errormsg = ex.Message
Try
If Not ex.InnerException.Message Is Nothing Then errormsg = errormsg + " : " + ex.InnerException.Message
Catch e As Exception
End Try
Finally
If esb IsNot Nothing Then esb.Dispose() : esb = Nothing
If Not errormsg = String.Empty Then
Label1.Text = vbCrLf + "Error : " + errormsg
End If
End Try
End Sub
We were actually having the same problem, although we were not using single sign on. So I'm not sure this is exactly what you are experiencing.
The problem is that you can not have a user on Machine A give their credentials to Machine B (SharePoint?) and then have Machine B send those credentials on to Machine C
It's referred to as the "Double Hop" problem and is a security feature, however I'm not really into the technical side of it. Our solution was to use Kerberos.
I hope this helps you, if not, that it helps you rule out this specific issue :)
Your server side code is running as the AppPool's identity, which is your sharepoint service account. I'm assuming that's what you mean by 'the server user.'
esb.UseDefaultCredentials = true;
will use the creds of the context. I'm not sure of what's available in the EWS services, so if you can use a higher-privileged account and get based on the user coming in, i.e., HttpContext.Current.User.Identity as a parameter, then that may be the best way.
You could authenticate via javascript directly to the EWS services, skipping server-side code altogether, and write something that consumes & displays the server stuff as you need it.
You'd need to find a way to auth the user directly to the EWS services. Double-hop is an issue with NTLM, as your NTLM ticket is only valid for the first hop. Kerberos fixes that, but you still need to impersonate.

Microsoft ODBC driver for Oracle Syntax error or access violation (-2147217900)

I have a large VB program that connects to Oracle database.
strCn = "Driver={Microsoft ODBC for Oracle};" & _
"SERVER=PSPROD;"
Set Cn = New ADODB.Connection
Cn.ConnectionString = strCn
Cn.CursorLocation = adUseNone
Cn.Open
There are many users of my program so I have a table that contains each user's login name and their access rights to the various tables. I create a recordset of all users when the program is started and then select USERNAME and GRANTED_ROLE from the record set where USERNAME and PASSWORD are found. I use a "Set role 'GRANTED_ROLE' identified by 'password'" statment and Cn.Execute statement to set up the user's access rights. This is all done in a Module.
On a form, I want to call a Stored Procedure that will SELECT, INSERT and UPDATE information into another schema's tables. I am able to call and run the stored procedure when I create a new connection to the database with this code:
Dim cmd5040 As ADODB.Command
Dim conn5040 As ADODB.Connection
Dim param5040 As ADODB.Parameter
Set conn5040 = New ADODB.Connection
conn5040 = "Driver={Microsoft ODBC for Oracle};" & _
"SERVER=PSPROD; UID=XXXXXXX; PWD=XXXXXXXX"
conn5040.Open
Set cmd5040 = New ADODB.Command
With cmd5040
.ActiveConnection = conn5040
.CommandType = adCmdStoredProc
.CommandText = "S4115040_IMPORT_NEWBIDITEMSPES.S4115040_CheckTime"
.Parameters.Append .CreateParameter(, adInteger, adParamInputOutput, 5)
.Parameters.Append .CreateParameter(, adVarChar, adParamInputOutput, 400)
End With
cmd5040(0) = 0
cmd5040(1) = ""
cmd5040.CommandTimeout = 300
cmd5040.Execute
conn5040.Close
However, I get the error message "-2147217900 [Microsoft][ODCB driver for Oracle]Syntax error or access violation" when I attempt to use the same connection ('Cn') when the program first started. My code is:
Dim cmd5040 As ADODB.Command
Dim param5040 As ADODB.Parameter
Set cmd5040 = New ADODB.Command
With cmd5040
.ActiveConnection = Cn
.CommandType = adCmdStoredProc
.CommandText = "S4115040_IMPORT_NEWBIDITEMSPES.S4115040_CheckTime"
.Parameters.Append .CreateParameter(, adInteger, adParamInputOutput, 5)
.Parameters.Append .CreateParameter(, adVarChar, adParamInputOutput, 400)
End With
cmd5040(0) = 0
cmd5040(1) = ""
cmd5040.Execute
I have worked with my DBA. She has given me direct grants and direct execute privliges and I am still get the error message.
What am I doing wrong? Should I be able to use the original connection to run a stored procedure? Or must I create a second connection?
edit: on reviewing your code, I notice that the original connection Cn specifies the driver and the server name whereas the second connection conn5040 specifies the driver, server name, user and password.
Therefore, it may be that the stored procedure you are calling requires a user and password which the original cn connection does not specify
Original answer:
Make sure that the variable cn is still in scope when you try to use it. If it is declared in a module then it should be declared outside of any Sub or Function and, if other modules should be able to access it, it should be declared as Public
Option Explicit
Public cn as ADODB.Connection
Sub foo()
...
Presuming that cn is still in scope, you could examine the State property of the object which cn references to see if the Connection is still open.
If (cn.State = adStateClosed) Then
' we have a problem
...

Resources