I am trying to make a mixed mode authentication to be able to put some users on Federated authentications and others on Forms authentication.
I am working with WIF, I set up my STS and everything is happy, when I am in federated mode by turning off all the authentication this way:
<authorization>
<deny users="?" />
</authorization>
<authentication mode="None" />
I log in to my main application then when I log in to my side application it will let me log in silently since the session cookie is already generated and the user is authenticated.
but when I use Forms authentication, when I log in to my side application it will take me to the login page which I understand because the user is not authenticated but it seems even with having the session cookie it is not silently redirecting it.
I know that I need to redirect onEndRequest to the STS to authenticate the user and if the user is already authenticated then it will generate FedAuth cookie and and it will log me in silently,
does anybody know how to implement this, I didn't find resources about it when I researched.
Alaa
For all who needs to setup federated user authentication in asp.net app the following link might be extremely helpful:
http://blog.elis-co.com/wif-sso-and-forms-authentication-in-asp-net/
Also http modules included to the config from the link above are outdated. So correct them with ones from the following article:
https://learn.microsoft.com/en-us/dotnet/framework/security/how-to-build-claims-aware-aspnet-web-forms-app-using-wif
Related
I have an ASP.NET / MVC website using Windows Authentication.
On IIS side, it is set-up to only allow Windows Authentication.
The web.config side is configured to allow windows authentication only:
<authentication mode="Windows" />
<authorization>
<allow verbs="OPTIONS" users="*" />
<deny users="?" />
</authorization>
<identity impersonate="true" />
The issue is that sometimes (depending on users [which is weird, but it may just be random], between 1 and 50% of the time), instead of loading the page as expected, the browser (Chrome and IE behave the same) will display a login prompt instead of loging the users in a seamless way.
I have not been able to determine any way to force it one way or an other, and if the user keeps refreshing the same page, in the same browser, it will end up working (if the user got the login prompt in the first place), or showing the prompt.
EDIT:
I have activated Failed Request Tracking in IIS. I can see that all queries fail with an error code 401.2, which is expected, since Anonymous Auth is disabled.
This first response contains the accepted Authentication modes in its header:
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
For most requests, the next request is used to authenticate the user, and everything works fine.
When authentication fails, and a login prompt is shown, the next request is a 401.1, with the error message:
Indicates a particular Security ID may not be assigned as the label of an object. (0x80070513)
I have no idea about what is causing this behavior, and even less about how to solve it.
It could possibly be a duplicate SPN issue. And if it is, I believe your application is running under NTLM and not negotiate (kerberos).
Few things you can test here.
Capture fiddler trace from client. If the authentication token starts with TIRM..., its NTLM and not kerberos.
Also, please share the following info.
Is this a load balanced environment ?
Do you access the site using custom domain name or server name ?
what identity is your application pool running under.
Problem statement :
I have implemented windows authentication on my website.
I have used following code in my web.config for authentication
<authentication mode="Windows">
</authentication>
<authorization>
<deny users="?"/>
</authorization>
Now, the problem is that when I access the website, it takes the default ( windows) credentials and tries to login.
But I need that it should prompt the user for credentials so that user can enter domain-name\id and password of separate domain for authenticate (User will have VPN access to this other domain)
You can achieve this using Digest Authentication mode in IIS. Once enabled it will prompt always for UserName/Password to the end user.
You can read more about this type authentication here:
http://technet.microsoft.com/en-us/library/cc778868(v=ws.10).aspx
http://technet.microsoft.com/en-us/library/cc754104(v=ws.10).aspx
Instead of using Windows Authentication use Forms Auth and check entered login and password in Domain.
There is a nice article on MSDN: How To: Use Forms Authentication with Active Directory in Multiple Domains
I'm looking to deny all anonymous access to my login page and only allow people who are in a certain role to be able to view the page or anything under that directory. Is this possible? I have tried to implement this in the web.config but had no joy :(
thanks
This would only be possible in an intranet application where your users would be authenticated against Active directory. See MSDN
Otherwise, how would users log in if they don't have access to the login page?
I would rather implement access control on the actual content pages, or do an additional check when users attempt to log in and let them know that they need to be in a certain role in order to log into the system successfully.
Yes, you can...assuming that your clients are all running Windows workstations that are in the same AD domain as your IIS webservers and are using Internet Explorer (so, intranet only and not over the Internet). You want to configure IIS to only accept Integrated Windows Authentication, which will force the client workstations to use Kerberos to supply authentication information to IIS. Here's a how-to from Microsoft on how to configure this.
In web.config:
<configuration>
<system.web>
<location path="MyLoginPage.aspx">
<system.web>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
</location>
</system.web>
</configuration>
The special keyword ? means anonymous users; which is documented in the element schema:
Attribute: users
A comma-separated list of user names that are denied access to the resource.
A question mark (?) denies anonymous users and an asterisk (*) indicates that all user accounts are denied access.
Basically this is the Microsoft long-winded way of saying:
Location: MyLoginPage.aspx
Deny: anonymous
This means that someone will have to be authenticated using a mechanism other than Form; such as Integrated (aka Kerberos, Windows) authentication, or with Basic authentication. You won't be able to use Forms Authentication, because they won't be able to reach the login page to login.
How can an application, running on a production server, access the login username of the machine that a user is accessing an application from? For example, I am currently logged into my machine on the INTRA corporate intranet. My username will be INTRA\Username.
I have added specific usernames to a database and wish to check this intranet username against the database to restrict access to an application and leverage the username across the application.
Currently, I am using the following code to access the username:
Private username As String = Thread.CurrentPrincipal.Identity.Name
This is working great on localhost, but when authenticating against the database on a development server, I'm getting the following error:
Login failed for user 'NT
AUTHORITY\ANONYMOUS LOGON'.
Is this an incorrect approach? Is this even possible, or is it too much of a security issue? This application will be an internal intranet application running in an IE shop. Relevant pieces of web.config that already exist include:
<identity impersonate="true"/>
<authentication mode="Windows"/>
<authorization>
<deny users="?"/>
</authorization>
<connectionStrings>
<add name="CONNSTR" connectionString="Initial Catalog=DATANAME;Data Source=servername;Integrated Security=True;" providerName="System.Data.SqlClient"/>
</connectionStrings>
When setting up your web application on the server, you need to go into the Document Security section (the name of it changes depending on what version of IIS your server is running, but it's something like that), turn off anonymous authentication, and turn on Windows authentication. That tells the server to request windows login authentication from the browser. (Perhaps someone who knows web.config files better than I [which is nearly anyone] can edit this to point to the relevant bit; I don't think it's impersonate but if I knew, I'd say. I've so far only done this via the UI.)
in your example, you are locating the username that your webserver is running under. What you are after is the username of the user accessing the page.
Try something like this:
How To: Use Windows Authentication in ASP.NET 2.0
If setting the directory security to Windows Authentication is not working, change it to Basic Authentication. You'll also need to specify the domain name to authenticate against. This was the only way we could get the security to propagate through from the IIS layer to the DB. Unfortunately this causes the username and password to be sent through clear text. Its not the best solution, but since things were on the Intranet, it worked while we work on updating our login procedure.
My application needs to be designed so that an administrator can, via a web interface select if their users login via windows authentication or forms authentication.
This means I cant specify the authentication mode in the web.config i.e.:
<system.web>
<authentication mode="Windows"/>
</system.web>
How do I approach this?
Use Forms authentication mode, whereby the login form can determine the user and the preferred authentication method for that user. If the user can be windows authenticated, you don't need to present the login form, just set the user as authenticated and redirect accordingly.