Smart Card Authentication with ASP.NET - asp.net

What are the steps required to get smart-cards authentication working in ASP.net?
Smart-card reader is installed and works properly on the client's machine
user navigates to Login.aspx page and is prompted to swipe his access card
how do i authenticate the user
thanks.

The only way that I know to access a hardware device on a client machine through ASP.Net is by writing an ActiveX control. Doing this will render the site useless to anyone not running Internet Explorer. Based on my experience, you can say that IE is your standard, but there will be people attempting to use other browsers. And that's fine as long as you have the support of your App Admin team to say, "Sorry, use IE or don't use it at all".

Assuming you already know how to access the Smart Card reader's API, and you can successfully read and decode that data, your next step is Authenticating that data.
Again, you haven't given me any information here, so I'll assume that you have a database, against which you will need to validate the data you got from the smart card.
If the above returns true then it's simply a case of calling FormsAuthentication.RedirectFromLoginPage, or if you want a more granular control of the Authentication Cookie, then you can create your own FormsAuthenticationTicket

If this is a plug and play device and your clients are part of an AD domain then by simply enabling windows authentication allows you to enable smart card authentication without needing to resort to custom ActiveX controls and browser plugins.
A couple of pointers in that direction:
IIS supports client certificates
IIS Forum thread: Configuring IIS 7.5 to read certificates from a smart card

Related

windows authentication using ajax

I want to create an internal website, preferably in asp.net, that uses ajax calls for performing all operations.
The requirements are that the site should use windows domain authentication (to act as a single-sign-on solution) for verifying which user is sending the request. What is the best way to accomplish this in a secure fashion? I am open to a solution using https or cookies or anything else feasible.
( I would prefer regular ajax using jquery since I havent used asp.net ajax but if that solves some issues more easily, then let me know)
The current way I am doing this (not through ajax) is disabling anonymous access in iis and then getting the logged in username from asp.net, but this requires the site to perform postbacks, etc which i want to avoid.
An Ajax request is not different from any other HTTP request when it comes to authentication.
Your user will most likely be authenticated when they access the index of your site. Any subsequent request, Ajax or not, will be authenticated. There is nothing special to do, and your jQuery code will look just like what it normally looks.
Windows authentication is checked on every request.
How this is checked depends which authentication method /provider is enabled and supported on the server (kerberos, ntlm, custom, etc)
Credentials are automatically sent over under certain rules (I believe intranet trusted for IE, I dont recall what else outside of that).
Firefox will prompt you if I recall every time.
Check out:
http://www.winserverkb.com/Uwe/Forum.aspx/iis-security/5707/IIS-6-0-Windows-Authentication-401-Every-Request
The important thing to note is the browser and server will take care of this and prompt the user when necessary.
Also to note is I highly highly suggest ALL traffic is under an SSL connection at this point to prevent sniffing and credential stealing/token stealking (such as is extremely easy for basic auth)
You can enable this protection inside of IIS and use all file permissions or you can control this in your web applications web.config by enabling windows authentication. How this is accomplished though depends on your server config (kerberos support, etc)
You should absolutely:
Use an https connection to transmit username and password
Authenticate on the server side, with asp.net
Leverage the asp.net session to as great an extent as possible.
If you're not familiar with ASP.Net ... well, consider this a good opportunity to learn :)
jQuery is great, but it's just a tool. In this case, it's probably not the best tool for this particular job.
IMHO...

Forms Authentication Using Active Directory / LDAP

First off--thanks for having a look.
MY QUESTION
In a .NET web app, is using Windows Authentication for a extra-net on a WAN consisting of various users, companies, user-agents, etc a bad idea?
BACKGROUND
I am lead dev on a fast track (very fast) web application for an extra-net that will allow the client's vendors, suppliers, partners, etc to log on and push and pull certain assets such as image files, videos, flash files, etc.
PLATFORM/TECHNOLOGY
Asp.Net 4.0, C#, MVC3
PROBLEM (Maybe)
The client's IT department has requested that the app use Windows Authentication to authenticate users. One of the reasons for this (they say) is that the assets that will be pushed/pulled by users reside on a third-party server (Signiant) which already uses credentials form their active directory to authenticate users.
MY VIEW
Windows Authentication is going to cause a bunch of headaches. Viewed as a stack, this app will sit on top of the third-party server. So if we use Forms authentication, we can just populate a data table with windows credentials for each user and pass those to Signiant's servers with our requests (you have to do this anyway). If possible, we can even make an LDAP call for the creds on the fly and then pass those to Signiant's servers.
It just seems to me that simple functionality such as "lost password" would be come extremely difficult if we are doing the Windows Auth thing. But, full disclosure, I have never built an Asp.Net app using Windows Authentication so what do I know??
Thanks!
Matt
UPDATE 8/12/11
I still don't have an answer as to whether you should do this, but the client is adamant that it must be this way. The app is supposed to be turned over in a month so I will come back and let any followers of this topic know my findings.
ASP.NET has built in support for doing AD Authentication using Forms Authentication, including password recovery.
See: http://msdn.microsoft.com/en-us/library/ff650308.aspx

How to get client MAC address by a access on a website?

I have my website, and it records the number of visitors, IP and time of access...
I want to identify each visitor... I think that this was possible recording IP Address... but when the IP is dynamic, my system fails. So I think that I can solve it recording MAC address... is possible? What language should use? PHP, ASP, Javascript?
Thanks
Edit: What I can use to identify each user without having login information (username & pwd).
The MAC address, by TCP/IP standards, is never communicated outside of the local-area network to which it pertains — routers beyond that LAN don't even get the information you're trying to record.
There are many other ways to try and identify unique visitors, including matching the user-agent's details in addition to the IP, serving cookies as part of your response, etc… it is, after all, a core functionality in the field of "web analytics".
MAC addresses are simply not part of the gamut of techniques that it makes sense to utilize for it!
It is only possible if you use a technique where you install a "native" app on the client machine. For example, an activeX component, java applet or a client application. Then that application, once installed can get the MAC and then call to your web server with the MAC as an argument. In other words, you have to build your own front end "browser" to handle logging in. Then once the user is logged in, you can launch the app in the default browser.
It would be nice if future browsers allowed users to give permission to specific sites to access the MAC. Then if a site had a button that said "Register this device" the web application could do so without needing an additional native app installed (after all, the browser IS a native app).
Can't you just have them store a cookie, so that when they come back they can be uniquely identified? No username/password requirement.
http://en.wikipedia.org/wiki/HTTP_cookie
Sorry but sending MAC address isn't part of the HTTP. However, you can use cookie to identify different users. Any backend language will do (add cookie in the server side). You can set the cookie in the client side using JavaScript too.

How to Anonymously Authenticate between a VB.Net Desktop App and ASP.Net Web App

I'm looking for a way to pass some sort of credentials or Authorization token from a VB.Net Client to an ASP.Net web application that allows the Client to auto-login to our Forms-Authenticated website. If a user is logged into a local application, I want them to be able to view some web pages without having to login to the website as well. The credentials are not the same between the apps, but I would just like to pass some sort of encrypted token or key to the web page so I know they are coming from the desktop application. Is this possible without requiring a username and password login?
I also need to make sure this URL that is used cannot be simply copied and used from another location, so I'll need to include some sort of information in the encrypted value to know where it's coming from.
I know how to login the user with Forms Authentication and all that, just need to figure out the best way to secure this. Thanks!
OAuth is commonly used to allow desktop applications to access a user's private data on a web site. Since you're using .NET, I suggest you check out DotNetOpenAuth which includes sample OAuth web sites and client applications. It allows for this secure token to be passed that can tell your web site that the desktop app is the one making the requests and (usually) whose data is being accessed.
The best part about the OAuth solution is your desktop app never has to ask for the user's credentials. No credentials are in the URL. And if the desktop application is ever compromised (perhaps by the computer being stolen), the web site can kill the secure token the desktop app was using to cut off access without requiring the user to change their password.
You might want to look into issuing client-side certificates for these applications. Basically, you generate a certificate that you install with the client application and then on the server side, you check the ClientCertificate property of the HttpRequest instance exposed by the Request property on the current context.
Note that what you are doing is really a very bad idea, in that applications should never be assigned identity, only users. To that end, you should be authenticating each and every user that is using your app, not considering the application to be the identity. It's commonly considered a bad practice to do such a thing.
You can share credentials between the applications using ASP.NET Client Application Services.
Here are some resources:
Client Application Services
Client Application Services with Visual Studio 2008
Is your desktop app running on machines that are in the same domain as your web server (i.e. all in the same company)? If so, Integrated Windows Authentication is your easiest solution.
I think its best idea to use a web browser control inside the desktop application .
Then use the WebBrowser1.Document most probably
WebBrowser1.Document.Cookie
get if the user is singed in.
I also need to make sure this URL that
is used cannot be simply copied and
used from another location, so I'll
need to include some sort of
information in the encrypted value to
know where it's coming from.
If you store the encrypted value in a cookie or as a field in a form (POST request), then the credential is no longer in the URL and so it can't be easily copied (note that I said "easily").

Getting requester's login in ASP.NET/VB.NET

Is there a way to get the logged in user from a vb.net web application? IE, if someone logged in as "foo"/"bar" on their local machine accesses the site, I need code to get me "foo"/"bar". This is for a passthrough on our intranet, where everyone uses the same Active Directory.
Essentially, I need to harvest the username of the logged in user and check it against our ActiveDirectory instance. If that fails, I need to check for Request variables and check those (that part is fairly easy). Then if THAT fails, I need to show a login screen (I also have a handle on this).
I've already come across and discarded a couple solutions for the part I'm having trouble with:
request.serverVariables("LOGON_USER") - This only works if you have anonymous access turned off in IIS, and that must be on to use forms authentication (which I'm using).
http://www.thescarms.com/dotnet/IsInRole.aspx - This solution does not seem to work for some reason. I suspect the line AppDomain.CurrentDomain.SetPrincipalPolicy( Principal.PrincipalPolicy.WindowsPrincipal) is the issue, but the meaning of this line is buried so far I can't figure out what it's actually trying to do.
HttpRequest.LogonUserIdentity?
if you're using Forms Authentication, have you tried System.Web.HttpContext.Current.User.Identity.Name?
The web browser will not send the user's local credentials to the web server unless two things are true:
The web server asks for them (i.e. Anonymous Access is disabled, and Windows Integrated Authentication is enabled).
The web browser has been configured to send local credentials if asked (an Internet Explorer option, available in FireFox via plugin, not sure about other browsers). If the browser has not been configured to send the information and the web server asks, the user will be prompted within a pop-up login screen.

Resources