Why does Azure ACS require authentication every time I debug my project? - acs

When your developing an Azure webrole in Visual Studio every time press F5 to run the project and wait for Azure development environment to start up and then I'm required to visit the login page and go through the Azure ACS authentication process. What needs to be done to enable ACS authentication status to be persisted across compilation and debug sessions?

You can cache the ACS token in the browser’s cookie and make it persist after the browser is closed. Then modify your service application so that it checks if the token in cookie is valid and has expired or not. Then decide whether you need to request user to sign in or not. Just make sure to validate the token every time.
BR,
Arwind

Related

How could I refresh (or detect an expired) active directory oauth2 token in ASP.NET?

I am using azure active directory integration with an MVC application. So users get redirected to the azure login portal to enter their credentials. My application has many ajax requests which will not work when the authentication token is expired because the MVC application tries to redirect the API call to the AD login page.
When i refresh the page, any API requests will start to work again. I was wondering how I can detect on the client side when a session expires or how I can handle refreshing a token with API calls.
You could try to renew session by adding a hidden iframe in Layout.cshtml, which hits the new "forced" sign in route at regular time intervals (In sign in operation you could acquire a new access token
).
Please refer to article controlling a Web App’s session duration . In that article you could find a code sample about how to ensure that app’s session lasts as long as the IdP session(or at least approximate it) in ASP.NET MVC .

Asp.net windows authentication against domain - use local (cached) credentials when offline

I have ASP.NET MVC application that uses windows authentication against remote active directory server. The computer where the app runs is connected via VPN to the AD server. The problem is that after user logs into the PC with domain user and logs into the application it needs to run even while offline as well, but it throws this error:
The trust relationship between workstation and domain failed.
From what I understood there is no cookie and the authorization works on per-request basis. Is there any way to authorize the user name/password against the locally cached credentials? The connection often drops and the application needs to keep running.
Also I can't turn on Anonymous Authentication as we want to sign in users without providing credentials.
Any suggestions appreciated.
Thank you
It was due to calling (while off the network)
User.IsInRole(role)
We have custom role management, so removing base.IsInRole on our custom WindowsPrincipal solved this issue.
After doing research I thought that it actually has to be on the network, but to keep using cached credentials you don't have to be, just do not try to fetch any user related information.

Window Azure Active Directory - Service Provide Initiated

I am creating 2 websites:
http://training.xyz.com
http://portal.xyz.com
I would like to use Window Azure Active Directory for single sign on (Service Provider Initiated)
I created 2 apps in the Windows Azure Active Directory. But after I login to http://training.xyz.com and then visit http://portal.xyz.com I am prompted to login again at http://portal.xyz.com, should I not just be logged in? Am I missing something that someone can point out to me? Does Windows Azure Active Directory not support Service Provider Initiated single sign on?
Azure AD does support SP initiated SSO. The behavior you should see is a prompt less sign-in on the second app. If you aren't, please check a couple things: 1) cookies are enabled and 2) the second website is indeed issuing a sign on request to AAD on the home page (http://portal.xyz.com/) - this request will result in a silent redirect response.
Hope this helps.

Session cookie persitance in ASP.NET MVC

This is probably a duplicate question, but since I can't find the answer in the questions from the past I am going to ask again.
In my ASP.NET application, when I authorize the user, I set the custom FormsAuthenticationTicket. The persistance variable is false, so the authentication cookie should only be valid for current session.
My question is when would this session end? I restart my IIS Express development server, I shut down the dev machine, etc, and the session seems to be still active and the user is authenticated with that cookie.
How come in my VS 2012 + IIS Express environment sessions are immortal?
That's not an issue. You can restart the server and as long as the authentication cookie is still valid, the user is considered logged in. Remember, HTTP is a disconnected protocol.
The cookie will be removed the moment the user logs out and you programmatically remove the cookie or when the user closes his browser.

how to manually authenticate user in asp.net windows authentication

I have an Intranet application with Windows Authentication. Everything works fine. However, for some sensitive operations (it could be approving AP check, or grading a student) I need to get user's id and password. The goal is to prevent somebody walking to unattended terminal, and generally for non-repudiation. Trivial with forms authentication - but I can't figure out how to do it with Windows authentication.
I don't think it matters, but it's MVC application and authentication is done against Active Directory
Typically, server application needs to issue HTTP Status Code 401 to tell client for authentication information. However, in case of windows authentication, once user is authenticated, the token is cached by client system or browser and used subsequently whenever needed. So in your case, even if you issue 401, client will send the same token again - so your main problem of abusing unattended terminal will not get solved (as user already logged in there into the system).
One of the way could be simulate forms authentication from the application - i.e. on sensitive operations, prompt user for his/her windows password again (note that you will be already having user's name(identity) if you are using windows authentication) and then re-validate that password using active directory API (or logon user windows API).
Personally, I feel that you are trying to solve the problem at server which is wrong end - I would rather have a IT policy that prohibits unlocked unattended terminals - either user should lock the workstation or have a password protected screen saver. Typically, these things can be somewhat enforced via group policy.
In my webforms app I've got one page set as only allowing Windows Auth and no others, and then to get the username (since they have to have already done the 401 auth procedure via the browser) I get their username like thus:
string username = Request.ServerVariables["LOGON_USER"];
and then I can query the Membership provider to get the user information from the infrastructure.
Or are you trying to manually do the 401 auth process?
how to manually authenticate user in asp.net windows authentication

Resources