ASP.net Windows Authentication with custom database - asp.net

I'm creating an intranet website that requires Windows Authentication. I already set up everything, or I think I did, to use windows authentication and roles managed in a database. That's important because I can't use the Active Directory groups and roles.
It works. When I enter the website it display my Windows user name and it is accesible with User.Identity.Name. I can validate a role using User.IsInRole("roleName") and it works too.
Now the problem I have is that when I use Membership.GetUser and Membership.GetAllUsers I always get null and an empty collection.
My RoleManager Provider is:
<add
name="SqlRoleManager"
type="System.Web.Security.SqlRoleProvider"
connectionStringName="ApplicationServices"
applicationName="/appName"
/>
And my Membership Provider is this one:
<add
name="AspNetSqlMembershipProvider"
type="System.Web.Security.SqlMembershipProvider"
connectionStringName="ApplicationServices"
applicationName="/appName"
/>
Am I missing something or my config is wrong?
Thanks!

Why do you want to call Membership.GetUser? You are already authenticated via Windows Authentication. If you want to use Membership with Windows Authentication (why, i don't know), you have to jump through some more hoops.
You can use the ActiveDirectoryMembershipProvider, rather than SqlMembershipProvider. This lets you call GetUser and retrieve AD information.
You can copy the Windows Authentication information into a SqlMembership database on login.
You can create a custom membership provider that allows you to do all the authentication yourself.
So, the first question is why do you want to use Membership?

Related

How to configure SSRS without using my Windows login and password?

The way SSRS in my project works, it requires my Windows User Login and password in the web.config file of the ASP.NET application which calls the reports. This is a problem since i have to change the password every 90 days as a security measure. Is it possible to configure SSRS without any employees Login and password ?
This is the part that worries me
<add key="ReportServerUsername" value="me" />
<add key="ReportServerPassword" value="my password" />
<add key="ReportServerDomainname" value="my domain />
Yes, set it up to use impersonated/delegated credentials.
You will have to configure the web application to use integrated authentication, then set the correct attribute in the config file.
<authentication mode="Windows"/>
<identity impersonate="true"/>
If done this way, each user will be accessing the database using their own username and password, so you will want to set up security appropriately. This means creating
NT Group - Add users to this group
Server Login - Create a DB login for the group
DB user - create a db user for the login
db role - create a db role, and assign it to the login
Permissions - give the role the needed permissions on database objects

Automatic or manual Active Directory authentication in asp.net mvc

I'm working on an asp.net mvc web app that is supposed to:
Automatically login someone if they are a valid user in Active Directory.
If the client is outside of the network (they're at home or whatever), allow them to manually login with their AD credentials through a login form.
I'm very new to AD authentication, I'm confused as to if I should be using Forms Authentication or Windows Authentication.
I have this in my web.config:
<add name="ADConnect" connectionString="LDAP://[something]/CN=dhr,DC=[something],DC=net" />
If I set: <authentication mode="Windows">
I can check User.Identity.IsAuthenticated in the controller to determine if they're logged in. If they're not, am I supposed to use this?:
Membership.ValidateUser("someguy", "somepass");
I get an error about making a secure connection to the server if I run the above. I have this as my provider:
<membership defaultProvider="AspNetActiveDirectoryMembershipProvider">
<providers>
<clear />
<add name="AspNetActiveDirectoryMembershipProvider"
type="System.Web.Security.ActiveDirectoryMembershipProvider"
connectionStringName="ADConnect" attributeMapUsername="sAMAccountName"
/>
</providers>
</membership>
Typically, network administrators prevent web applications that use windows authentication to expose to the internet due to security reasons. This is definitely possible, but you need to make sure that second scenario is valid and possible in your organization. A common scenario to connect from the internet is to use VPN which will log in you to the network (means you will be authenticated against AD).
To perform only authentication for the first scenario you do no need the AspNetActiveDirectoryMembershipProvider. An authentication (validation of user identity) usually only required to be set
in web.config: authentication mode="Windows" and authorization
on IIS: set integrated windows authentication to ON
on IIS: if you have second scenario (or if you have different domains, etc) keep anonymous access as ON - it should prompt with standard login propmt;otherwise set it OFF

ASP.NET 4 Membership Machine Key

I have had a working asp.net 4 membership wesite for about 5 months and today I changed the regex to loosen the password restrictions. I can still create and access new accounts, but can no longer access any of the previously registered ones.
I have checked the database and confirmed that they are all still there. My initial thought was an incorrect password. I've checked two accounts that I knew the password for and both are inaccessable. I attempted to use the password recovery option, but when I type in the username I'm told that the user does not exist.
When I check the databases and consult both the membership and profile tables, the old and new users, pre and post regex change, are all in the same table. This leads me to my final discovery and the one that I have no experience. Is there a new Machine Key that is creating the new users but cannot decipher the old ones, hence making them unavailable? If so, how can I fix this?
Like your comment my first thought was that the application key has been altered. This key is stored in web.config/system.web/membership:
<membership>
<providers>
<clear/>
<add name="AspNetSqlMembershipProvider"
...
applicationName="YOUR_KEY_HERE" />
</providers>
</membership>
This key allows different applications with the same membership provider (e.g. the System.Web.Security.SqlMembershipProvider in your case) to utilize the same database for storing membership data.
One provider will not see users from the other provider and vice versa, because they take the aplication name into account when querying the database. But when you look at the Users table, you may not notice immediately the relation, since the SqlMembershipProvider uses a Guid in the Users table. But it's a foreign key to the Applications table, where you can find the application name.
See also: Always set the "applicationName" property when configuring ASP.NET 2.0 Membership and other Providers
My problem was slightly different* but I specified my own machine key in web.config. See the details here: http://msdn.microsoft.com/en-us/library/ff649308.aspx
(* my app was wandering from server to server in a large virtualized server farm hence changing the machine key with each hop causing the app being unable to read the cookies it has previously set.)

How to maintain Forms authentication session state between Azure Web Roles?

I have deployed a RIA Services enabled Silverlight Business application on Azure that uses Forms authentication.
To enable Forms authentication on Azure, I have implemented the Table Storage providers from the Azure Toolkit. It almost works, but I have problems with keeping the session state. After I have logged in, and repeatedly presses F5 to refresh the page I switch between being logged in and logged out.
I have two Web Role Instances, and if I disable one of the it works like a charm. But as soon as I enable the second instance it's back to this sporadic behaviour. So clearly the state is not preserved because of the load balancing. Fine, I forgot to implement the Session provider, so I did:
<sessionState mode="Custom" customProvider="TableStorageSessionStateProvider">
<providers>
<clear />
<add name="TableStorageSessionStateProvider"
type="Microsoft.Samples.ServiceHosting.AspProviders.TableStorageSessionStateProvider"
applicationName="AppAdmin"
/>
</providers>
</sessionState>
Sadly, that didn't help.
Update: The actual table (Session) is created in the Table Storage, but no data is in there.
Any ideas and/or suggestions?
Have you set your machine key in web.config?

Retrieving the Windows username from a logged-in machine through an intranet application

How can an application, running on a production server, access the login username of the machine that a user is accessing an application from? For example, I am currently logged into my machine on the INTRA corporate intranet. My username will be INTRA\Username.
I have added specific usernames to a database and wish to check this intranet username against the database to restrict access to an application and leverage the username across the application.
Currently, I am using the following code to access the username:
Private username As String = Thread.CurrentPrincipal.Identity.Name
This is working great on localhost, but when authenticating against the database on a development server, I'm getting the following error:
Login failed for user 'NT
AUTHORITY\ANONYMOUS LOGON'.
Is this an incorrect approach? Is this even possible, or is it too much of a security issue? This application will be an internal intranet application running in an IE shop. Relevant pieces of web.config that already exist include:
<identity impersonate="true"/>
<authentication mode="Windows"/>
<authorization>
<deny users="?"/>
</authorization>
<connectionStrings>
<add name="CONNSTR" connectionString="Initial Catalog=DATANAME;Data Source=servername;Integrated Security=True;" providerName="System.Data.SqlClient"/>
</connectionStrings>
When setting up your web application on the server, you need to go into the Document Security section (the name of it changes depending on what version of IIS your server is running, but it's something like that), turn off anonymous authentication, and turn on Windows authentication. That tells the server to request windows login authentication from the browser. (Perhaps someone who knows web.config files better than I [which is nearly anyone] can edit this to point to the relevant bit; I don't think it's impersonate but if I knew, I'd say. I've so far only done this via the UI.)
in your example, you are locating the username that your webserver is running under. What you are after is the username of the user accessing the page.
Try something like this:
How To: Use Windows Authentication in ASP.NET 2.0
If setting the directory security to Windows Authentication is not working, change it to Basic Authentication. You'll also need to specify the domain name to authenticate against. This was the only way we could get the security to propagate through from the IIS layer to the DB. Unfortunately this causes the username and password to be sent through clear text. Its not the best solution, but since things were on the Intranet, it worked while we work on updating our login procedure.

Resources