Could anyone please provide me with guidance on whether it's possible to use aspNetActiveDirectoryProvider for Authentication and aspsqlProfile Provider to store user specific details?
I'm not quiet getting my head around on how do I get userID that's required for aspnet_profile table if I were to switch to Active Direcory.
Also, is it possible to change password from aspnet admin page if active directory is used?
Regards,
Changing password is possible with AD provider: see ActiveDirectoryMembershipProvider.ChangePassword method.
ASP.NET profile generally associates profile with user name. Typically, user name value will be same as the user identity value used by authentication system. So in active directory case, it would be user's domain qualified login-name (in form of <domain>/<login>) - see this link for more info: http://msdn.microsoft.com/en-us/library/ewfkf772.aspx
You may also create a custom profile provider if you need more control at database schema side - sample is already available from microsoft and you can use that as base, check these links:
http://msdn.microsoft.com/en-us/magazine/cc163457.aspx
http://www.asp.net/downloads/sandbox/table-profile-provider-samples
Related
I'm just looking into ASP.NET Identity, which seems that it is the most preferable solution for user authentication in ASP.NET apps these days (replacing all the ASP.NET Membership stuff from the past).
I am looking for a solution that would allow to maintain information about anonymous users. Even if the user is not authenticated, we can collect and store most of the profile data that we could store if the user was authenticated.
Even if the user is anonymous, it makes sense to store data like:
shopping cart
comments he's written on the site (so that he can edit them as their creator)
various site preferences (his preferred language, and many other settings)
Then when the user registers, we can offer to copy some of this data into his new user profile (or copy it automatically) depending on what data it is.
Is it possible to achieve this scenario with ASP.NET Identity? It seems that when a user is anonymous in ASP.NET Identity, he cannot have any user profile data.
In order to use the same tables to store all this information as for authenticated users, we might need to create a new user in the system for every new visitor that comes to the site and does some action that requires storing of some user data.
After that, we'd need to pass some cookie identifier to the user, so that we can always connect the data to the user, which can be seen as some form of authentication (although invisible to the actual user). That way, the guest user could actually represent an authenticated user of the system (maybe he'd just have a special role?), even though to his knowledge he's anonymous.
What do you think about this approach? Are there any ways where ASP.NET Identity can help with this?
I found these two related Stack Overflow questions, but I haven't found my answer in them:
Does ASP.NET Identity 2 support anonymous users?
ASP.NET Identity - Anonymous profiles
Edit:
I discovered that there's a mechanism called Anonymous Identification in ASP.NET that seems to solve part of the issue.
https://msdn.microsoft.com/en-us/library/91ka2e6a(v=vs.85).aspx
Maybe it can be somehow integrated with ASP.NET Identity?
Edit2: As noted in the comments, the documentation for Anonymous Identification seems to be outdated and it's quite probable that Microsoft will not be focusing on this much in the future. Solutions that work with ASP.NET Identity or other OWIN-based solutions are preferred.
Asp.Net Identity has no such thing, and it will not be secure identify the anonymous user even through hip IP or a Cookie in his browser, you can ask the user to register with very minimum info or through FB or Twitter to make the registration process as short as possible, and later he can complete his profile, this way you will make sure the data is linked to an actual profile.
ASP.NET profile properties allow your application to track and permanently store user-specific information. For example, users can specify a postal code or a favorite color scheme, and your application can store that information and retrieve it from anywhere in the application. ASP.NET automatically matches the current user — whether the user is anonymous or logged on — with the personal information that is stored for their user account.
Configuring Profile Properties
You will begin by configuring your application to enable profile properties. You will then define the first property that you want to track for each user. This property is named PostalCode and will be tracked for both anonymous and logged-on users.
Source: https://msdn.microsoft.com/en-us/library/taab950e.aspx
I was wondering if it is possible to make it so the editors within sitecore can set it so you require a username/login to only one specific page.
www.yourwebsite.com - No password required
www.yourwebsite.com/internalstuff - password required and set within CMS by the editors.
This is explained extensively in the Security Administrator's Cookbook that is supplied by Sitecore.
This is what you need to do, in a few short steps:
Create a user group with the User Manager (on the Extranet domain, that's how it's called by default, could be different in your installation)
Add users to the group
Go to the Security Editor, select the item(s) you want to protect, and disallow Read rights for the Anonymous user (this makes it impossible for not-loggedin users to view it)
Enable Read rights on your item(s) for your new user group
Make sure to read the cookbook so you know how to use security inheritance properly. That will save you a lot of time in the future.
Actually it's possible with no coding if you have Web forms for Marketers installed. It's not an enterprise ready login with e-mail activation etc. but it works. First, you should of course set up access rights and roles as mentioned in this answer by Ruud plus you need WFFM ready with forms styled and a placeholder configured to accept forms.
Go to WFFM and create a registration form (username as single-line text field, password as password-confirmation field)
as save action add "Create User" (configure correct domain/role there) (you could also add a "User Login with Password action and log the user in directly after registration)
add the registration form to a public page
create a login form (username as single-line text field, password as password field); again map the data to the username, password and domain set up for your extranet)
add the login form to a public page
enjoy :)
Note: this requires you to have write access to the asp.net user tables (by default set up in the core database). Make sure your security requirements are compliant with that. And as already mentioned this will not give you a basic e-mail validation up on registration.
Here is my problem if i can call it that way.I have implemented authentification with custom memebership provider in asp.net mvc 2.0.Everything works well but i have one problem.When user log in he provides its username and password and i check this through databse in MSSQL then i validate user and pass and use FormsAuthentication to set only UserName as profile information.
But when that user wants to create new item(lets say for sale or something) that belongs only to him and can be listed with other items that user created i can use this username(in FormsAuthentication) check it in database and connect that item to appropriate user with foreign key but that works if username is unique so i need additional informations like ID column from database table "user" to store and use it later so what is the most secure and "best practice" way to store additional information of user and use it later because username as i mentioned must be unique in database and it is not enough information about logged user.
Couldn't you store the User object (or whatever additional info you have) in the Session? or using a cookie at the client side (if you need to persist the login state even after the user closes his browser etc)? Let me know if you need specific examples.
EDIT: After reading your comments, if you are looking for a "secure cookie" solution have a look at this: http://www.codeproject.com/Articles/13665/HttpSecureCookie-A-Way-to-Encrypt-Cookies-with-ASP
I use it to store the user's id (only his id). When I retrieve this cookie I load the user given his id. Some in-memory caching allows me to avoid loading the user on each request.
But just wanted to clarify that the session object seems great for what you are trying to do + you dont have to worry about security (for the average app that is).
I am trying to find a way to handle two types of users for an intranet system. There are users who login and there are those who do not. I need to store both types of users in the membership db. Does anyone have a common solution to this problem?
This is for an event booking system. The users who are in AD will see the app. We need to store the O/S Name along with a few other attributes from AD in our membership db. The O/S Name gets captured using the Request.ServerVariables(). We need to store those "requester" details along with other details about the event that is being booked.. In addition to those users, there are users that actually log into the system. I was hoping to store both types of users in the membership db, so that when an event is retrieved, the user details will get retrieved from the membership db as wel
If you can use 'Integrated Windows Authentication' you have access to some information about the user connecting to your system.
Therefore you could use this information for the general case, without the login.
If a user then want's more access, he can logon to the site with a special username/pwd.
A membership DB would typically restrict access to a set of users for a particular application on an Intranet site. Only those who are in Active Directory as network users would even see the Intranet in the first place. And only a subset of those network users who have been granted privileges for your application in its membership system would see the link and/or be able to gain access in one role or another. Can you be a little more specific with respect to what you are trying to achieve? :-)
Encouraged by SO, I'm trying to write an ASP.NET site that uses OpenID for user authentication. It's a regular WinForms site (not MVC.NET), using the DotNetOpenId library for authentication.
Is it safe for me to permit/deny administrative functions on the site by simply comparing the current session's "ClaimedID" (as returned in the OpenIdLogin_LoggedIn event, as member DotNetOpenId.RelyingParty,OpenIdEventArgs.Response.ClaimedIdentifier) to a known administrator's OpenID (i.e. mine)?
If so, is it safe for this ID to be visible (e.g. in open source code), or should it be "hidden" in a configuration file or a database row? (I know it's better design to make it configurable, my question is just about safety.)
My solution is to follow the same idea of the Roles table. After you've authenticated the user, look up that user's roles. If the user has role "Administrator" in the UserRoles table, then they can do whatever the Administrator can do.
I don't broadcast open ID's in my app. They're stored in the table. On every action result, I'm hitting the Users table, since I have also modified mine to store various user state information. With the exception of the home page, there is going to be some user information that I need from that table. I'm using LINQ, so I include the .LoadWith() to load the User with his list of roles when it serializes.
Jarrett makes some good comments about using database tables.
Just to answer another one of your questions, no, it's not a confidentiality thing to put your OpenID in your code generally. If setting up roles seems overkill for your site, a simple equality check against your ClaimedIdentifier is just perfect.