I am trying to share authentication and authorization between different web applications (asp.net application and a MVC4 Application).
I read that you should set the machine key and those values to be the same between the sites. I have done this and the authentication is working properly.
But now in the MVC Application i want to use the Authorize attribute to make sure users can only see what the are supposed to see. This is not working.
I also checked.
When I call User.IsInRole("Admin") from the ASP.Net application(this is where the login is done) the value returned is true, but then when navigating to the MVC application the same call returns false.
It seems that the roles is not being shared across the application, is it possible to get is working or should i Create a custom Authorize Attribute ?
thanks in davance
The more applications you have, the more problematic it is to share the forms cookie. And ultimately, if two applications are on different domains (something.foo.com and somethingelse.bar.com) this won't work as you can't force your browser to submit a cookie to two different domains.
This only works if you have manual control over your forms cookie and issue it for .yourdomain.com top level domain and you have your applications in subdomains (app1.yourdomain.com, app2.yourdomain.com). And this could be a serious restriction.
What you could possibly do is to externalize your authentication, i.e. create a separate web application with the sole goal to authenticate and authorize your users. You pick one of Single Sign-on protocols (WS-Federation, OAuth2, OpenID) and federate your application environment around this authentication provider.
It possibly sounds difficult, especially if this is new to you but if you invest your time, there are only benefits.
Related
I have three asp.net applications. Only one of them has a forms authentication login. I redirect anonymous users to that one login page for all three applications to login. Once they log in, they automatically redirected back to the application and page they were attempting to access.
I enabled this functionality by setting the same MachineKey in all three applications.
Is there a way to do this for ADFS 3.0 WIF authentication as well? It doesn't seem to work the same in my testing. When I log into the application that is wired up to ADFS, I still can't access the other two.
WIF and ADFS don't work the same way as traditional forms authentication. These technologies rely on issuing access tokens, and require that dependent applications (also known as Relying Parties, or RPs) configure a trust relationship with the token provider (AKA Identity Provider, or IP). You can't share the cookie with MachineKey between apps that have not directly authenticated with an IP, and to be quite honest you don't want to.
The typical web scenario (also known as Passive Federation) is to have a separate application that functions as a Security Token Service (STS). This application houses the Login.aspx page and is protected with Forms or Windows Authentication like you would find in a classic ASP.NET scenario. When you attempt to access a web application that requires authentication, it needs to be set up to redirect you to the STS website, rather than handling it by itself. Once you log into the central STS, it will issue you a token that you then provide to applications to gain access. If you use WIF properly, this is all handled behind the scenes and is just a matter of configuration.
Each of your three web applications should be configured with a trust relationship to your IP. You said that you have a web application wired up to ADFS already, if that's via the proper trust relationship, then you should simply have to replicate that set up to your other 2 applications.
Is it possible to share Session state between web applications on separate servers? One of the web sites is using session state to maintain user credentials/info session state, the other is using forms authentication to maintain this information. Without modifications to the website using session storage, is it possible for the website using forms auth to read/access the session state on the other server? If not, which I assume is the answer, would it be possible if they ran on the same server? (i.e. the same app pool)?
Note: Both applications are under the same domain name (one of them will be a sub-domain)
As a note, the reason this is being asked is because a client is requesting a "single sign-on" approach between two websites. We're using forms authentication and the other site (which we cannot modify at this moment) is maintaining credentials/logon information in session
ASP.NET 4
IIS 7.5
Assuming the latter, you could try something like this:
first, make sure all the appliations are running in the same domain. If not, all bets are off. I don't know if there's a simple way to configure the domain property of the session cookie yet, so you may have to do it yourself, by setting the cookie domain property to the domain:
Response.Cookies["ASP.NET_SessionId"].Domain = ".mydomain.com";
you'll need to make sure that each application is configured to use either a common state server, or a db-backed session.
please follow the link : How to share session state across subdomains
I have an ASP.NET web application that is entirely protected by Forms Authentication.
Is there a configuration under which web requests coming from another application on the same machine, either web or console, can bypass the form authentication and access the page as if it were authenticated?
#merlin2011,you have two chose.
1.use cookie with same machineKey in the different application.(simplest)
the Forms Authentication in ASP.NET use cookie to Encryption and decryption your identity and indicates whether you are logged.the application use different key to encrypt you identity in the different application by default.
see more:
Forms Authentication Across Applications
notes:this solution only for the between application in the same web domain.
(for example,www.example.com,a.example.com,if the www.example1.com will not work)
2.the application in the different web domain(Complex)
in this situation,you need the Single Sign-on solution .this will required you need to write code to authenticate a user whether is logged.
this article will can help you Cross Site Authentication and Data Transfer
good luckly!
I'm writing an internal web application right now (with ASP.Net Web Forms), and it presents an odd problem. I have to be able to impersonate the currently logged in windows user, and execute a command based on their Windows Authentication to log in.. AND ... if they don't have Windows Authentication set up in the application I have to use to log them in, I have to be able to accept a user name and password. I also have to write the application in .Net 4.0, and secure it as much as possible. I got this to work by NOT utilizing Windows Authentication or Forms Authentication in the web.config, and instead setting session variables to guard against user accessing pages in the web app other that the log in. I did this by creating an oddly name session variable with a value based on their user name (windows auth or not), and then a secret session variable. The secret variable is in the web.config as a 256bit encrypted string, in which I decrypt, and set as the session secret. In order for the page to load, the first session variable can't be blank, and the second variable has to equal the decrypted key value... if the variables don't pass inspection, it redirects them to the login page. I set this up on every page, generic handler, and webservice method in the web app. I make the session timeout after a few minutes of no activity, and on log out, I set all session variables to nothing, and expire all cookies. (I also disable all cache).
My question is... Does this offer comparable security to that of Forms authentication? I have always used Forms authentication, but can't use it here. If I did, the users would have to reconfigure settings in IIS and in he web.config to toggle login procedures (From my knowledge, you can't use both Forms authentication, and windows authentication to manage the security of your pages and other web resources). With the method described above, I can accomplish the best of both worlds, but am curious about the security of my methods. Is there anything else I can implement here to assure the utmost security other that using forms authentication? Is it possible to accomplish the same level of security of Forms authentication without using it?
Thank you for any insight in advance!
Does this offer comparable security to that of Forms authentication?
No
The first rule when it comes to security is don't reinvent the wheel unless you absolutely have to. Any home baked solution you come up with has the potential to be as secure as a provided one like Windows or Forms Authentication. The problem is that home-grown solutions rarely reach that potential. They may test okay, but subtle bugs can remain. You don't want to find out a year later that you were hacked six months ago. Existing solutions have already been tested and used in millions of applications, whereas yours will be used in one application and tested by a handful of people at most.
A quick search suggests that it is possible to implement both Windows and Forms Authentication in the same application, so I'd pursue it further.
Mixing Forms and Windows Security in ASP.NET
We have an ASP.NET MVC application that uses Forms Authentication to create and validate the authentication ticket (cookie). The log on flow is very special, not just username/password, but it ends with a call to FormsAuthentication.SetAuthCookie(userId, false) to create the cookie. So a standard cookie is created, it is just how it is created that is special.
We will also have to integrate with a couple of other web sites that are not neccessarily .NET based or not possible to customize via some kind of Single Sign-On that do not require any modification on the other sites. All sites are behind the same UAG/ISA Server.
Is it possible to setup some kind of filter in UAG/ISA Server that can validate the Forms Authentication cookie created by the ASP.NET MVC application? If it is not OK it should redirect to the log on page in that application? If it is OK it should just let the request through. For example, would it be possible to use a ISAPI filter with UAG that does this? We can use the same machineKeys on the UAG server and the ASP.NET app server (I guess that is required to start with)
I don't know much about UAG and I'm also interested in alternatives to UAG. In fact, what we really need is just something that works as a perimeter protection for all those sites and that can utilize the already existing log in flow/cookie.