I have an issue with my website authentication.
I'm building an website that needs to use the same single sign on as an intranet site.
My idea was to use windows authentication on the website to get the user credentials and then use LDAP to authenticate them against our client's Domain controller.
The website in question is hosted on a server outside the client's domain.
I've tried using the ActiveDirectoryMembershipProvider but i cannot get it to work with integrated authentication.
My issue is that my i cannot get windows authentication to use LDAP as a membership provider. At the moment, windows authentication gets the user credentials, tries to authenticate them against users on the computer and fails as the web server is not on the domain. I want to get the credentials and send them using LDAP to a domain controller that will authenticate them.
Is there a way i can do integrated authentication using and LDAP connection for authentication?
Updated
If your website is Hosted on the Server outside the Client's Domain then you can not get the User Authenticated.
Because when you send the Credential to the Hosted Server there is a Location object in the Domain Server, and it will try to find that specified User first locally where you have hosted your website and then to the Doamin Server that have been specified in location(though we can also set the priority)
If it doesn't found any user locally then
After that it will Send request to the Domain Server with those Credentials.
In your case First it will not found that Domain Server name in the location object to which you want it to communicate with.
For ex:
PrincipalContext pr = new PrincipalContext(ContextType.Domain, "corp.local", "dc=corp,dc=local", username, password);
Here Corp.Local is the Domain name which is in my Location object and Username and Password of that user which have administrative rights for Edit/Update/Delete any user in Domain server.
So the whole process goes again and when the specified Domain Server is found in the Location object then it will make communication with that Domain and generate a TOKEN
The Only Solution for your case is that you need to replicate all your user from Client Server to your Domain Server or else you need to make TRUST between two domain servers.
Hope this is what you are looking for.!!
Related
I have two servers, let's say they are APPSVR (ASP.NET) and DBSVR (SQL Server). Currently, the application running smoothly with database connection using SQL Server authentication with User Id and Password.
In the future, it must be changed with Windows Authentication Integrated Security=True. I have tried to change this but can't worked (DB connection failure).
We have domain controller also and both server in the same domain. I am not sure which one that must be configured in our environment (Domain/SQL Server/IIS Manager). What's the right procedure to do this?
Is your asp.net application already running with domain user authentication?
Do you need per user login for SQL server because you set up the
access right on domain user rather than create your own access right
system on your asp.net application?
Why i am asking you this? Because You need to consider the differences between web application and desktop application. In web application, the web server contact the sql server not the user pc.
So this complicate the setup if you want the web server to use the windows authentication to login to sql server then you need to set up the web server to somehow masquerade as the domain users. You also need to consider the scenario if user are accessing the web application from the internet.
I suggest using strong application only password for sql server connection using local user rather than domain Users. For access right you can simply create a new table to store domain user login id and their access right. This set up still allow login to web application using the domain Users but the database connection is not. The Advantage is you can minimize the access to simply few or even one user application only user you need to maintain in sql server rather than every domain Users that need to be registered on sql server if you use windows authentication.
If you still need the Windows Authentication set up than you can see the info here.
We recently had to change over to using Windows Auth instead of a SQL Account to access the DB from our ASP site. The trick is to have the application pool start up with the same domain account you use to access the SQL Server and then you can just change your connection string to use Integrated Security.
The process is shown here:
https://thycotic.force.com/support/s/article/Using-Windows-Authentication-to-access-SQL-Server-Secret-Server
I have successfully configured forms authentication in an ASP.NET website and able to login using my domain's account. I am now deploying to out UAT server which is hosted on Amazon, UAT server is not part of a domain and it is on a workgroup, I have created a local user and trying to login but unable to login. I am have tried these user name combinations
machinename\username
.\username
username
Can I use forms authentication if machine is not part of a domain?
I have a web application that uses SimpleSAMLphp for single sign on using ADFS to authenticate users inside a company.
When a user needs to access the web app from within the company (under the federation server domain), it is automatically authenticated and redirected to his main dashboard inside the web app. So till now, all works very good and the user is correctly bypassed the web app main Login page when he is in the company.
I'm facing a problem: when a user needs to access the web app from outside the company (not under the federation server domain), I need to automatically redirect him to the main Login page of the web app (to enter his username and password), and not to the federation service URL. Because if he tries to access the web app from outside the company, he receives an error (page cannot be displayed or not found) after the SimpleSAMLphp redirects him to the federation service URL which is not publicly accessible.
Maybe I'm missing some simpleSAMLphp configuration or others.
Can any one help me out in this issue.
Thanks in advance.
It doesn't seems as SSP issue, however more information would be appreciated.
Is your internal web app user is trying to access publicly hosted to internet?
From what you describe, it seems that your site is internal site and won't be available outside of your network. You would need some kind of VPN access to be able to view it from outside of company network/building.
I'm migrating to client certificate authentication instead of windows basic authentication for my ASP.NET Web App. I've set user mapping in IIS 6.0 correctly and now I have a client certificate installed and mapped to a specific AD server account. I can login to the website using the installed certificate correctly and I can retrieve the mapped username correctly using Request.ServerVariables["LOGON_USER"].
The problem is that I still need to retrieve the mapped user password however when I tried to use Request.ServerVariables["AUTH_PASSWORD"] it returns blank string?
Any ideas how to get the mapped user password correctly?
I have a web application (say app1) which is hosted in a IIS server virtual directory.
This web application needs Integrated Windows Authentication for its functioning.
I need to integrate this web application with another product which does not use supply me windows credentials.
This application sends me an http request in a specific format.
I need to validate the request and redirect it to app1 with valid windows credentials so that it logs in smoothly.
I have created another application for this purpose
This is hosted on a separate virtual directory.
It has IIS anonymous and asp.net anonymous authentication enabled.
the pseudo code is as follows :
app2
parse request
if request sucessful
get windows credentials
get identity using credentials
reponse.redirect(app1.aspx)
But app1 authentication fails, IE asks me for credentials again.
Ideally IE should not ask me for credentials.
What would be the security context sent in the request to app1.
How can I trace the authentication failure at iis and asp.net?
To do this you need a trust relationship between the domains.
The response.redirect just sends a response back to the browser which then makes a request for the page in the redirect. So the identity is the identity of the browser.