I have written application in which I have used SSRS and Lightswitch. Lighswitch application is used for data entry portion for the user. And SSRS is used for generating reports and graphs from the data entered through Lightswitch App.
I have configured basic authentication on SSRS side and Windows authentication on Lightswitch app. When a user hits the application SSRS reports comes by default. Since I have setup authentication on SSRS side it asks for the user credentials for the first time. Also when user switch to lightswitch app for data entry it again asks for user creds again. So basically user has to enter creds two times which is not good thing as per usability.
So I was wondering if there is any way user only has to login once at the start of the application? Please let me know if it is possible?
Thanks in advance
I would try to use Windows Authentication for SSRS and configure to meet the requirements so no user logins are required by either app. This is more secure, as well as more usable.
Related
I'm developing a web application that requires the user to log in using forms authentication. inside the webpage you need to download a desktop application that requires to login to the same system too. Is there a way to transfer the current logged credentials from the web application to the windows desktop application without need to login again?. Both applications shares a Login object from an vb.net interface.
I tried to save the IP address in the Database but that don't work for me because the website needs to be accessed inside and/or outside of the company and the user cannot login twice in different machines.
I tried to google for solutions but without luck.
Do you have any suggestions regarding this?
This may not be exactly the scenario you're envisioning, but this article shows how to use Forms authentication from a Winforms client using WCF Authentication Services. This should get you going in the right direction. Per the article, you can use these services in any .NET application.
http://msdn.microsoft.com/en-us/library/bb386582.aspx
This article shows how to do it with a Silverlight app, just so you have another example. http://blogs.msdn.com/b/brada/archive/2008/05/03/accessing-the-asp-net-authentication-profile-and-role-service-in-silverlight.aspx
And just one more for fun. http://aspalliance.com/1595_Client_Application_Services__Part_1.all#Page1
There isn't really any way to share this without encrypting a file containing the user's credentials and storing it on the hard drive along with the file, but then you run the risk of someone decrypting the information and getting access to the user's password.
I think that an alternate approach that could work is to generate an authentication token (could be as simple as a GUID) and store it in your database along with the user's id when the user requests the download. You would want this token to expire after a reasonable time limit (5 minutes, for example).
You could then include a file that contains this authentication token with the download. When your apps starts, you could check for the existence of the file. If it's there, you extract the token, delete the file, send the token prior to presenting the user login.
If the token valid, your server would send back the user's login and your app would proceed as though the user were logged in, otherwise you would just display the login screen.
I have a web application where forms authentication is used. The user names are the same that the ones used by the users in their computers, so they want the web app to be able to detect that user name so the app can log it the user automatically.
How can it be done? I mean, if I set the authentication mode to "Form" do I still get those credentials from IIS?
I know this can be done in several better ways than this, but I am interested in this particular way. As it is a small web app in an intranet with a few users doesn't worth it a big architectural change. If it's possible, happy days, otherwise it will have to wait.
Cheers.
That cannot be done with Forms Authentication. Without prompting the client for credentials, there is no way to retrieve that information from the client's machine.
Windows auth cannot coexists with Forms auth, but it can coexists with Anonymous auth.
More info here: Windows authentication is not challenging browsers out of the domain
I'm trying to set up SSRS 2008 on my desktop machine for development purposes.
The following is working fine:
Report deployment on local server
Previewing the report in BIDS
Access to htpp://localhost/Reports panel
But when I point the ASP.NET Reportviewer to the Report URL, I get the following error:
The permissions granted to user 'NT-AUTHORITY\NETWORKSERVICE' are insufficient for performing this operation. (rsAccessDenied)
How can I get around this error? Is there any dialog where I can grant SSRS access rights to certain forms authentication roles? I've googled quite a bit on this, but what I have found so far was either outdated or quite confusing.
Edit: Several users of my web app are going to have access to the same database, so I need the UserID build-in field (User!UserID) to reflect the user's Forms authentication ID. I guess the only way to achieve this is making SSRS work with forms auth?
You web application is running as Network Service so that is the user you are trying to connect to Report Server as. You have several options. One, you can grant Network Service permission to execute the report you are trying to run. Two you can have your web application impersonate a windows user and give the correct users permission to the report. Three you can impersonate impersonate a different user when connecting to RS. I believe to do the last one you will have to write some extension code for the viewer to tell it how to impersonate before connecting, but for the other two there would be no code change.
You could also look into using Report Server in Forms auth mode if your web site is not an internal site, but this is more complicated.
EDIT for 2nd Question:
Yes, you will need each user to be unique when they access RS so you will need to use Forms Auth or windows auth or write your own custom authentication extension.
I have a website with a large user base configured with asp.net 2.0 forms authentication. Before the user logs in via forms authentication is it possible to retrieve the windows login name/user account name on the machine they are using?
Many thanks
It certainly is possible--by adding another web application to your system. Here's roughly how I have done it:
Your primary web app uses Forms authentication. On the forms login page, any user that is determined to be on the local LAN (check IP address), redirect them to another app that uses Windows authentication. In this second app, you can determine the user (assuming the browser is configured to send credentials automatically to the zone in which your app resides), then set a cookie which your first app can read, and redirect the user back to the original app.
This does work.
This would only be possible if you were using Windows Authentication in your web application and then only if the user had logged in.
The kind of information you are after is not sent as part of the web request (quite rightly) and is therefore unknown to the web server.
Unfortunately no - if the user has not logged on, they are browsing anonymously, and are therefore unknown to the server. There is no way to identify them.
Once they're logged on, if you're using impersonation use WindowsIdentity.GetCurrent().Name. However, for forms authentication there's no direct way to ask the browser for their Windows credentials as they may not even be running Windows!
Not BEFORE no (not from the server).
Depending on the type of Auth you use, though, and the way the site is configured, you CAN get them to log in with their windows details.
See Mixing Forms and Windows Security in ASP.NET on Microsoft's MSDN.
The main difference with #TheObjectGuy answer is that instead of using 2 websites, this does all in a single website by configuring IIS to use the Integrated Windows authentication just in a "single" page (WinLogin.aspx).
My supervisor at the office tells me that he saw a demonstration with a pre-release version of Microsoft "Geneva" (now Windows Identity Foundation) where a developer did the following:
He set up some sort of ASP.net web application where a user could log in using a customized log-on system. Behind the scenes, the web application logs the user in as a user in an Active Directory.
The user logs in.
Once the user is logged in, the the ASP.net web application thread runs as the logged in user for the duration of the user's session and can access resources on the network (such as running SQL queries on tables whose access is controlled Active Directory)
Steps 2) and 3) are exactly the same as using the "Integrated Windows Authentication" setting in the "Directory Security" tab of the web site settings in IIS. Step 1) is different because we are using a custom log-on system as opposed to the Kerberos authentication.
We want to set up one of our applications to operate exactly as described in 1), 2), and 3). However, all the documentation that I've seen regarding Windows Identify Foundation is about Cardspace and Federated Security. We have zero interest in using either of these technologies right now.
We just want to be able to log users in to Active Directory Accounts behind the scenes.
Yes, we've tried the ActiveDirectoryMembershipProvider with Forms Authentication, but it's a complete kludge to actually access resources on the network requiring impersonation on every page!
UPDATE Jan 7, 2010. Okay, I've been working at this for a while, and everything I've managed to come up falls short of what I want to achieve. Perhaps the functionality I want is not in the release version of WIF.
Here's where I'm at now. I've found some documentation on MSDN that indicates that there are three different identities used in ASP.net: the identity specified by HttpContext.Current.User, the identity specified by Thread.CurrentPrincipal, and finally the identity specified by WindowsIdentity.GetCurrent. link
In one example of where I want to use the process I'm looking to design, I want to perform a SQL query as the logged in user. In my debugger, I see that I easily set the HttpContext and Thread users to the logged in user. However, when I connect to the SQL server using Windows Authentication, it always always always connects as the WindowsIdentity.GetCurrent user and that user is always always always the identity of the ASP.net process unless I'm using Windows Authentication with impersonation. I absolutely cannot use Windows Authentication with my application because my users must log in by playing a magic flute song and Windows Authentication has no support for logging in with magic flute songs.
To clarify, there is no trouble with obtaining a WindowsIdentity representing the logged in user (who logged in with a magic flute song). The problem is that I cannot use that WindowsIdentity to perform SQL queries for my user.
WIF allows you to configure it so a claims based identity maps to an AD account, the claim may either be a federated identity claim, or delivered via an information card. c2WTS performs this function.
Even when it does map because of delegation you're always going to have to delegate if you want to use the AD identity IIS is impersonating - that's just how it works, unless you setup Kerberos delegation for IIS
You can achieve the same using Identity Impersonation in ASP.net. Also you need to enable windows integrated authentication for you web app. This will solve the purpose. If the logged in user does not have the required rights to access resources you will get security exceptions which you will have to handle.