Communicating with Active Directory users from ASP.NET

I installed VM Player on my machine and installed Windows 2008 Standard Core inside. I also added users and groups for a particular user via the command prompt, as below:
creating user
dsadd user "cn=username,cn=users,dc=myname,dc=ca" -pwd password -disabled no
creating group
dsadd group "cn=groupname,cn=users,dc=myname,dc=ca"
I also added the user to the existing group, as below:
dsmod group "cn=groupname,cn=users,dc=myname,dc=ca" -addmbr "cn=username,cn=users,dc=myname,dc=ca"
Now I connect to these users via my ASP.NET application on my local machine, as below:
Web.config settings
<authentication mode="Forms">
<forms loginUrl="logon.aspx" name="adAuthCookie" timeout="10" path="/"/>
</authentication>
<authorization>
<deny users="?"/>
<allow users="*"/>
</authorization>
script for authentication
void Login_Click(object sender, EventArgs e)
{
    string adPath = "LDAP://domainaddress:389/DC=somename,DC=m"; // Path to your LDAP directory server
    LdapAuthentication adAuth = new LdapAuthentication(adPath);
    try
    {
        if (adAuth.IsAuthenticated(txtDomain.Text, txtUsername.Text, txtPassword.Text))
        {
            FormsAuthentication.SetAuthCookie(txtUsername.Text.Trim(), false);
            string groups = adAuth.GetGroups();
            // Create the ticket, and add the groups.
            bool isCookiePersistent = chkPersist.Checked;
            FormsAuthenticationTicket authTicket = new FormsAuthenticationTicket(1,
                txtUsername.Text, DateTime.Now, DateTime.Now.AddMinutes(60), isCookiePersistent, groups);
            ---------
            -------
        }
Here I am getting an exception at string groups = adAuth.GetGroups(); as below:
"Error authenticating. Error getting groups. The username is incorrect or bad password."
Please let me know if I am making some mistake, or how I can find the groups of the associated user.
Regards
Sangeetha

Related

Current user with ASP.NET Forms authentication app

I am trying to retrieve the current user in my web application that uses ASP.NET Forms authentication.
However, System.Security.Principal.WindowsIdentity.GetCurrent().Name returns domain\windowsUser, NOT the username that was used in the FormsAuthentication.RedirectFromLoginPage method.
I am using Forms authentication in my config file:
<authentication mode="Forms">
<forms loginUrl="Views/Login.aspx" name=".ASPXFORMSAUTH" timeout="1" cookieless="UseUri">
</forms>
</authentication>
<authorization>
<deny users="?" />
</authorization>
I am also trying to follow Microsoft's walk through and retrieve the Authentication ticket using the following snippet:
if (Request.IsAuthenticated)
{
var ident = User.Identity as FormsIdentity;
if (ident != null)
{
FormsAuthenticationTicket ticket = ident.Ticket;
var name = ticket.Name;
}
}
However, ident is always null because it's WindowsIdentity not FormsIdentity. What's wrong here?
Thank you!
Use User.Identity.Name to get the user name.
Windows authentication does not use the FormsAuthenticationTicket.

Informing ASP.NET website about the currently logged-in user

I'm new to ASP.NET and have been trying to solve this for a while now.
I've come across this blog, and everything looks to be good, except one thing: HttpContext.Current.User.Identity is FormsIdentity always evaluates to false in this code snippet:
protected void Application_AuthenticateRequest(Object sender, EventArgs e)
{
    if (HttpContext.Current.User != null)
    {
        if (HttpContext.Current.User.Identity.IsAuthenticated)
        {
            if (HttpContext.Current.User.Identity is FormsIdentity)
            {
                FormsIdentity id = (FormsIdentity)HttpContext.Current.User.Identity;
                FormsAuthenticationTicket ticket = id.Ticket;
                // Get the stored user-data, in this case, our roles
                string userData = ticket.UserData;
                string[] roles = userData.Split(',');
                HttpContext.Current.User = new GenericPrincipal(id, roles);
            }
        }
    }
}
When I used breakpoints, it turned out that my PC name is the current user, which I think is not a FormsIdentity.
Web.config:
<?xml version="1.0"?>
<!--
For more information on how to configure your ASP.NET application, please visit
http://go.microsoft.com/fwlink/?LinkId=169433
-->
<configuration>
<system.web>
<compilation debug="true" targetFramework="4.0"/>
</system.web>
</configuration>
What am I missing here? And how do I tell HttpContext about the current user after a successful login?
If you want users to have a FormsIdentity, then you need to turn on Forms Authentication in your web.config file. In your <system.web> element, you need to populate the authentication and authorization nodes. (For example, see the section of the blog post you mentioned titled "Securing Directories with Role-based Forms Authentication".) Right now these elements are not present in your web.config file, and so Forms Authentication is not happening. A configuration like this is typical:
<system.web>
<authentication mode="Forms">
<forms name=".ASPXFORMSDEMO" loginUrl="logon.aspx" protection="All" path="/" timeout="30" />
</authentication>
<authorization>
<deny users ="?" />
<allow users = "*" />
</authorization>
</system.web>
The <authentication> node instructs ASP.NET to use forms authentication, while the <authorization> node denies access to the site for any user who is not authenticated.
More information can be found here and here
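The answer above relies on the roles stored in the ticket's UserData being trustworthy, which is what protection="All" (encrypt and validate) in the forms element buys you. The following is an added example, written in Python rather than the page's C#, that models that guarantee with an HMAC over the ticket body: the same ticket layout as FormsAuthenticationTicket (version, name, issued, expires, user data), a reader that rejects a tampered or expired ticket, and the edit an attacker would make to an unprotected cookie. It is a model for illustration, not ASP.NET's real ticket format or machineKey handling; the validation key and the user "alice" are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed placeholder validation key (assumption); a real deployment uses
# the machineKey validationKey, which is what makes the ticket unforgeable.
VALIDATION_KEY = bytes(range(32))
TAG_LEN = 32  # HMAC-SHA256 output length


def issue_ticket(name, roles, minutes, key=VALIDATION_KEY, now=None):
    """Issue a MACed ticket carrying the role list in userData.

    Mirrors FormsAuthenticationTicket(version, name, issued, expires,
    persistent, userData): the body is serialised, then HMAC-SHA256 under the
    validation key is appended so userData cannot be edited client-side.
    """
    issued = time.time() if now is None else now
    body = json.dumps({
        "version": 1,
        "name": name,
        "issued": issued,
        "expires": issued + 60 * minutes,
        "userData": ",".join(roles),
    }, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body + tag).decode()


def read_ticket(cookie, key=VALIDATION_KEY, now=None):
    """Return (name, roles) for an authentic, unexpired ticket, else None.

    This is the check Application_AuthenticateRequest depends on before it
    splits ticket.UserData into roles and builds the GenericPrincipal.
    """
    raw = base64.urlsafe_b64decode(cookie)
    body, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):  # constant-time comparison
        return None
    ticket = json.loads(body)
    if (time.time() if now is None else now) >= ticket["expires"]:
        return None
    roles = [r for r in ticket["userData"].split(",") if r]
    return ticket["name"], roles


def forge_roles(cookie, old_role, new_role):
    """The edit an attacker makes to an unprotected cookie: rewrite userData in place."""
    raw = base64.urlsafe_b64decode(cookie)
    forged = raw.replace(old_role.encode(), new_role.encode(), 1)
    return base64.urlsafe_b64encode(forged).decode()


if __name__ == "__main__":
    ticket = issue_ticket("alice", ["Users"], minutes=30, now=1000.0)
    print(read_ticket(ticket, now=1500.0))                                   # ('alice', ['Users'])
    print(read_ticket(forge_roles(ticket, "Users", "Administrators"), now=1500.0))  # None: MAC fails
    print(read_ticket(ticket, now=1000.0 + 30 * 60))                         # None: expired
```

Without the MAC step, forge_roles would give the attacker whatever role string the roles check expects; with it, the only way to mint a ticket is to hold the validation key, so the key must never be checked into source control or reused across unrelated sites.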

Authenticate against AD LDS

I've just installed AD LDS on my developer PC and everything works fine; I've even created the user "abc" via ADSI Edit.
My goal is to test my ASP.NET Mvc 3 web application with my test AD LDS instance.
How can I get the app to authenticate the user against the instance? Do I have to write a custom membership provider? (overriding some stuff in the default AD membership provider?)
Thank you for any help!
You don't have to do any authentication since it is handled by iis.
All you have to do is change authentication mode to windows.
<system.web>
<authentication mode="Windows" />
</system.web>
Remember to either install iis after you installed AD, or register it manually.
Because you are using AD LDS I don't think authentication mode "Windows" will be so helpful. I believe you need to create a Login View(here /Account/Logon) and use authentication mode "Forms".
Enter the following in web.config:
<authentication mode="Forms">
<forms name=".ADAuthCookie" loginUrl="~/Account/Logon" timeout="30" slidingExpiration="false" protection="All"/>
</authentication>
<authorization>
<deny users="?"/>
</authorization>
Authenticating the user can be accomplished by using System.DirectoryServices.AccountManagement. The controller code should look something like this:
public ActionResult Logon(LogonModel model)
{
    if (model.Username != null && model.Password != null)
    {
        string container = "CN=...,DC=....,DC=...."; // Your container in LDS
        string ldapserver = "server:port"; // LDS server
        using (PrincipalContext context = new PrincipalContext(
            ContextType.ApplicationDirectory,
            ldapserver,
            container,
            ContextOptions.SimpleBind))
        {
            // Bind as the user's DN with the supplied password; a failed bind means bad credentials
            bool authenticate = context.ValidateCredentials(
                string.Format("CN={0},{1}", model.Username, container),
                model.Password,
                ContextOptions.SimpleBind);
            if (authenticate)
            {
                FormsAuthentication.RedirectFromLoginPage(model.Username, false);
            }
            else
            {
                System.Threading.Thread.Sleep(5000); // crude throttle on failed attempts
                this.ModelState.AddModelError("Password", "Wrong username or password");
            }
        }
    }
    return View("Logon", new LogonModel { Username = model.Username });
}
Note that this ONLY solves authentication and not authorization.
You can also use membership providers, but if you are looking for an easy solution I think this should do the trick.

When does ASP.NET authentication occur?

I have an application where I display every Active Directory group that the current user belongs to. When I have my config setup like this:
<authentication mode="Windows"/>
<authorization>
<deny users="?"/>
<allow users="*"/>
</authorization>
It works fine. When it's like this:
<authentication mode="Windows"/>
<authorization>
<!--<deny users="?"/>-->
<allow users="*"/>
</authorization>
No groups are found. Why does this make a difference? Does asp.net only authenticate if we are specifically denying access to unauthenticated users?
If it helps, this is how I'm getting the groups:
protected string GetUserGroups()
{
    ArrayList groupMembers = new ArrayList();
    // Strip the DOMAIN\ prefix from the Windows identity name
    string samAccountName = User.Identity.Name.Substring(User.Identity.Name.LastIndexOf(@"\") + 1);
    using (DirectoryEntry root = new DirectoryEntry("LDAP://myldap/DC=nc,DC=local"))
    using (DirectorySearcher ds = new DirectorySearcher(root))
    {
        ds.Filter = String.Format("(&(samaccountname={0})(objectClass=person))", samAccountName);
        ds.PropertiesToLoad.Add("memberof");
        try
        {
            foreach (SearchResult sr in ds.FindAll())
            {
                foreach (string str in sr.Properties["memberof"])
                {
                    // Take the value of the first RDN (the CN) of each group DN
                    string str2 = str.Substring(str.IndexOf("=") + 1, str.IndexOf(",") - str.IndexOf("=") - 1);
                    groupMembers.Add(str2);
                }
            }
        }
        catch
        {
            // ignore lookup errors; the user simply gets no groups
        }
    }
    return String.Join("|", (string[])groupMembers.ToArray(typeof(string)));
}
I may be wrong, but I believe this is how it works:
The first time a browser hits a site it does so as anonymous.
If the server says that anonymous isn't allowed, the browser then sends the user's Windows credentials.
If those credentials don't pass muster, then the browser pops up the login box or (depending on the application) sends them over to a login page.
So, because your site allows anonymous, all of the users are coming in that way.
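Two details of the GetUserGroups method in the question above deserve a worked example. First, the filter is built with String.Format, so whatever goes into the sAMAccountName slot is interpreted as filter syntax; here the value comes from User.Identity.Name, but the same pattern with a form field is an LDAP filter injection. Second, the group name is cut out of each memberOf value with Substring up to the first comma, which breaks for any group whose CN contains an escaped comma (stored as CN=Smith\, John,OU=...) or hex-escaped non-ASCII. The block below is an added example, in Python rather than the question's C#, showing RFC 4515 filter escaping and an RDN split that honours backslash escapes; the three memberOf values are constructed sample data, and the function names are chosen here.

```python
import string

# RFC 4515 section 3: these characters must be \XX hex-escaped inside a filter value.
FILTER_SPECIAL = "\\*()\x00"


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter assertion."""
    return "".join("\\%02x" % ord(ch) if ch in FILTER_SPECIAL else ch for ch in value)


def person_filter(sam_account_name: str) -> str:
    """The question's filter, with the account name escaped instead of formatted raw."""
    return "(&(sAMAccountName=%s)(objectClass=person))" % escape_filter_value(sam_account_name)


def split_rdns(dn: str) -> list:
    """Split a DN on commas that are not escaped by a preceding backslash."""
    parts, cur, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):   # keep escape pairs intact
            cur.append(dn[i:i + 2])
            i += 2
            continue
        if dn[i] == ",":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(dn[i])
        i += 1
    parts.append("".join(cur))
    return parts


def unescape_rdn_value(value: str) -> str:
    """Undo RFC 4514 escaping: \\XX hex pairs are bytes (UTF-8), \\c is the literal c."""
    buf = bytearray()
    i = 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            pair = value[i + 1:i + 3]
            if len(pair) == 2 and all(c in string.hexdigits for c in pair):
                buf.append(int(pair, 16))
                i += 3
            else:
                buf += value[i + 1].encode("utf-8")
                i += 2
        else:
            buf += value[i].encode("utf-8")
            i += 1
    return buf.decode("utf-8")


def group_cns(member_of: list) -> list:
    """Group display names from memberOf DNs, robust to escaped characters."""
    names = []
    for dn in member_of:
        attr, _, val = split_rdns(dn)[0].partition("=")
        if attr.strip().lower() == "cn":
            names.append(unescape_rdn_value(val))
    return names


def naive_group_cn(dn: str) -> str:
    """The question's Substring logic, for comparison."""
    return dn[dn.index("=") + 1:dn.index(",")]


# Constructed memberOf values (assumption: not taken from a real directory).
SAMPLE_MEMBER_OF = [
    "CN=Domain Users,CN=Users,DC=nc,DC=local",
    "CN=Smith\\, John,OU=Groups,DC=nc,DC=local",
    "CN=Caf\\C3\\A9 Admins,OU=Groups,DC=nc,DC=local",
]

if __name__ == "__main__":
    print(person_filter("jdoe"))
    print(person_filter("*)(objectClass=*"))          # the wildcard and parens are neutralised
    print(group_cns(SAMPLE_MEMBER_OF))                # ['Domain Users', 'Smith, John', 'Café Admins']
    print(naive_group_cn(SAMPLE_MEMBER_OF[1]))        # 'Smith\' : truncated at the escaped comma
```

A cheaper fix for the second problem on the .NET side is to ask the directory for the group's own attributes (bind to each memberOf DN and read cn, or use UserPrincipal.GetAuthorizationGroups) rather than parsing DN strings at all; the parser above is for the cases where only the DN string is available.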

Object Moved error while consuming a webservice

I've a quick question and request you all to respond soon.
I've developed a web service with Form based authentication as below.
1. An entry in web.config as below.
<authentication mode="Forms">
<forms loginUrl="Loginpage.aspx" name=".AuthAspx"></forms>
</authentication>
<authorization>
<deny users="?"/>
</authorization>
2. In the login page the user is validated on the button click event as follows.
if (txtUserName.Text == "test" && txtPassword.Text == "test")
{
    FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
        1,                                    // Ticket version
        txtUserName.Text,                     // Username to be associated with this ticket
        DateTime.Now,                         // Date/time ticket was issued
        DateTime.Now.AddMinutes(50),          // Date and time the cookie will expire
        false,                                // true if the user checked "remember me", to create a persistent cookie
        "",                                   // User data, in this case the roles of the user
        FormsAuthentication.FormsCookiePath); // Cookie path specified in the web.config <forms> tag, if any
    string hashCookies = FormsAuthentication.Encrypt(ticket);
    HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName, hashCookies); // Encrypted ticket
    Response.Cookies.Add(cookie);
    string returnUrl = Request.QueryString["ReturnUrl"];
    if (returnUrl == null) returnUrl = "~/Default.aspx";
    Response.Redirect(returnUrl);
}
3. The web service has a default web method.
[WebMethod]
public string HelloWorld()
{
return "Hello World";
}
4. From a web application I am making a call to the web service by creating a proxy after adding a web reference to the above web service.
localhost.Service1 service = new localhost.Service1();
service.AllowAutoRedirect = false;
NetworkCredential credentials = new NetworkCredential("test", "test");
service.Credentials = credentials;
string hello = service.HelloWorld();
Response.Write(hello);
Here, while consuming it in the web application, the below exception is thrown from the web service proxy:
<html><head><title>Object moved</title></head><body>
<h2>Object moved to here.</h2>
</body></html>
Could you please share any thoughts to fix it?
You need to set service.AllowAutoRedirect = true if you are planning to redirect in your code.
Just tried this and worked: Go to the website where you are hosting the web service in IIS, click on Session State, change the Cookie Setting's Mode to Use Cookies. Done.
You need to set both
service.AllowAutoRedirect = true;
service.CookieContainer = new CookieContainer();
