I have a couple of PHP applications that run over WAMP Server, and for management reasons my boss told me to migrate the into an IIS server and ASP.NET so we only have to manage one database of users, in this case the Active Directory Users Group (Windows Server 2008 R2).
So we would create a security group called Delete_Update_Stock_Toolcrib, and only the users inside said group would have access to the web page where the transaction takes place (no need for ultrasecurity, since my users a really really basic users).
So my question is, is it possible to get an automated authentication from the AD user using a .NET API?
Just like Sharepoint, where according to the security groups you are in, you can access certain parts of the information available for your departament.
You could authenticate users using the built in ActiveDirectoryMembershipProvider.
Then, in ASP.Net, the concept that is the nearer of Users Group is Roles. There is a Active Directory Roles Provider on codeproject that should allow you to map Users Group to Roles, but I never tried it.
Here a great tutorial on the subject
Related
I am sure this must have come up for people before. We sell an ASP.Net application that can be used by anonymous users and we have system administration areas secured with forms authentication. The software is installed on-premise at each client site and made accessible on their intranets.
We are looking at providing a hosted solution in the future. My question is how I can restrict access to the application to only users from a particular client but still provide anonymous access? Regular Joes on the internet should not be able to access it.
I was thinking LDAP may play a part and I could compare the Active Directory domain of the client perhaps but I don't have much experience in this area.
All help greatly appreciated.
I have looked at numerous articles and tried a multitude of settings, but I can't seem to achieve what I'm looking for in my intranet site. Even if I don't get a solution, a definitive "you can't do that" will help me move forward. Here is what I'm trying to do:
Web site recognizes the user's network login credentials - ONLY so I can get their user ID without a login
The website uses some generic account (IUSR or something like that) to access a SQL Server that the same network users can NOT access EXCEPT through the website
Users can upload files to a set of folders created on-the-fly by the website to contain their files for later reference by them
The website can construct web pages on-the-fly with links to the users' files - and ONLY theirs - so they can open / download them through the web pages
Users can NOT access the uploaded files through a network share on the web server
All of the folder creation, file upload, and file serving occur under some generic account like IUSR
I currently have things configured to use Windows Authentication and I could probably live with that except I don't want to require a login to the site. Apparently, in order to make this happen, I need to have the server configured as a trusted delegate and IT is dragging their feet on doing that. Also, this config allows the users to access the SQL Server and folders/files through means other than the web site and I don't really want that. I only need to pick off their user ID so I can use it to get information about them out of Active Directory and keep track of their interactions with the web app.
In reviewing your post I must first say "Yes" it seems like what you want to accomplish can be done. However the enormity of your question precludes simple posting answers. From what I gather there are three security issues you want to navigate 1) Windows Authentication, 2) Admin only SQL access, 3) User only Access to files and directories while authenticated using Active Directory.
I have been building ASP.net intranet web applications using Active Directory (Windows logins) for a few months. I would encourage you to explore this article: http://www.mikesdotnetting.com/article/216/windows-authentication-with-asp-net-web-pages for details on setting up windows authentication in an ASP.net web application. You can add elements to your web pages using a section of Visual Studio [Toolbox] called 'Login', which contains elements such as 'LoginName'.
Next I am pretty sure you can control the SQL server query access using authentication parameters of your choosing. In the portion of the connectionString that is normally 'Integrated Security=True;' you will need to switch that to 'Integrated Security=False;username=sqlAdminUserName;password=sqlAdminPassword'. For more information I suggest reviewing this post: Integrated Security = False.
For the third security issue once you have isolated the user's windows login identity you should be able to dynamically build web pages, files, directories, and whatever other resources you require all customized for that individual user. I believe the generation of all those materials can be done with an IUSR account with the only needed ingredient being the Windows login user identity.
Good Luck and I hope my suggestions help move you ahead.
Actually, the answer is not all that complex and it is a real mystery why it is so difficult to find a single source on the web to spell it out. Here is my IIS authentication for an intranet app that acts exactly how I want:
Enable ASP.NET Impersonation and edit to Authenticated User
Enable Windows Authentication
Advanced Settings->Extended Protection->Off
Advanced Settings->Enable Kernel-mode authentication->unchecked
Providers->Available Providers->Negotiate:Kerberos and move that to the top
Disable all other authentications
Most critical: Make the server a 'trusted delegate' in Active Directory
That should do it.
We have completed developing a custom CMS using ASP.NET. The CMS will be setup in IIS hundreds to thousands of times (one per domain). The CMS uses SQL Server to store page content, settings etc.
Should we create a new SQL Server login (using SQL Authentication) for every website or should we use the same login for all websites?
Any thoughts on this would be appreciated
If you are going to the trouble of provisioning a separate CMS and DB for each instance, then you should create a separate sql login for each instance.
This way you add one more layer of security to the design (and incur little more of your already hellish maintenance cost).
It would seem safer to let each site have it's own login.
That way you can't look at the wrong content database by accident (or mischief).
I would advise using Windows Authentication in SQL. It is easier to set up, and doesn't require storing passwords in web.config files.
You can further restrict this user account for security purposes.
Also don't let these user accounts use the same passwords, that screams insecurity.
I am kind of new to this, and I'm still trying to figure out how the whole thing works.
I have a sharepoint site, and I also have separate ASP webpages, they are under the same domain, but different servers. They both authenticate to AD.
I thought that by having my webpages under the same domain as the sharepoint, once I had an user authenticate to sharepoint (windows authentication), my webpages would be able to find who that was, as long as they had windows authentication also. But I guess it doesn't work like that.
So, my main goal is: from an ASP.NET page, I want to be able to get the authentication info from SharePoint.
What should I do?
Thanks!
The users are authenticated by thier login credentials with AD. In a C# ASP.Net page you can get thier username from System.Web.HttpContext.Current.User.Identity.Name
You can use this information to make a web service call to the SharePoint User Profile Service in order to get details SharePoint records on that user. This assumes that the user profile services is installed and running (not a given).
As for authentication information, you will need to be more specific about which information.
Remember that the rights given to a given AD user differ completely between what is permissioned for SharePoint and anything you have for the ASP.Net website.
If you are wanting to get information on what permissions a given user has, you can use the SharePoint Permissions web service to get information on what permission there are.
Unfortunately, accessing that webservice requires elevated rights on the SharePoint server.
If you are just wanting to align the two sites so they have consistent permissions, your easiest bet is to create the relevant groups in AD and permission those groups independantly in each application.
I'm working on a SharePoint portal site, while user should be redirected to it from SAP Portal, both of the two portal, user is going to be authenticated through Active Directory.
So is there a way to have a single sign on for both of them, so user login to SAP portal and then be redirected to sharepoint portal without providing his login credentials again?
I'm not an expert on this area (and definitively not one on SAP) but if your SAP Portal and your SharePoint are set-up using the same authentication mechanism (eg : ntml or Kerberos) and you have windows authentication, this should be transparent (assuming the current user is member of any group of SharePoint that has at least a read access).
One of the client I had been working with had a similar scenario, a SAP Portal, several SharePoint site collections and share authentication across them, but there were relying on a dedicated SSO solution from Novell.
This forum discussion seems to cover a similar requirement