What is the best way to authorize access to sections of an external-facing website based on whether the user is internal (inside the company network) or external (web)?
Is IP address sniffing the only way (I don't really like it :S)? Can we use Active Directory to check for internal users while at the same time not affecting web users?
The website does not need authentication (we don't have a login screen).
(ASP.Net MVC3, .Net 4.0)
I'd suggest you think of it as two separate websites - an internal intranet and an external site. This gives you more flexibility in deployment, and reduces the risk that a problem on one site will affect the other. If you deploy your internal site to a server without an external IP then it will by default be restricted to only those users within your network.
Without using a login, IP address detection is the easiest, but not foolproof, way of achieving what you ask.
You could also deny anonymous access but allow integrated auth to the internal sections. That would mean only folks authenticated to your domain could access the site. Anyone else would be denied, and you wouldn't need to add any sort of login to the app.
Simon
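The IP-detection option from the answer above, written out as an added ASP.NET MVC 3 example (this is not code from the original post). It is an AuthorizeAttribute subclass that allows an action only when the TCP peer address falls inside a list of internal CIDR ranges; the RFC 1918 ranges in the code are assumed placeholders, and the attribute name is hypothetical. The important caveat is in the comments: use the address IIS accepted the connection from, not a client-supplied X-Forwarded-For header, unless a reverse proxy you control is the only thing able to reach the server.

```csharp
using System;
using System.Linq;
using System.Net;
using System.Web;
using System.Web.Mvc;

// Restricts a controller or action to clients whose source address is inside
// one of the configured internal ranges. Ranges below are example values.
public sealed class InternalNetworkOnlyAttribute : AuthorizeAttribute
{
    private static readonly string[] InternalRanges =
        { "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8" };

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        // UserHostAddress is the peer IIS actually accepted the connection from.
        // Do NOT consult X-Forwarded-For here unless a proxy you control is the
        // only path to this server: the header is client-supplied and trivially forged.
        IPAddress client;
        if (!IPAddress.TryParse(httpContext.Request.UserHostAddress, out client))
            return false;
        // An IPv6 peer (e.g. ::1 for local IPv6 loopback) never matches an IPv4 range;
        // add IPv6 prefixes explicitly if your internal network uses them.
        return InternalRanges.Any(range => CidrContains(range, client));
    }

    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        // The base class answers 401, which for a forms-auth site triggers a login
        // redirect. This site has no login, so answer 403 (or 404 to hide the section).
        filterContext.Result = new HttpStatusCodeResult(403);
    }

    // True when address lies inside the "network/prefix" block. Works for IPv4 and
    // IPv6 as long as both sides are the same address family.
    internal static bool CidrContains(string cidr, IPAddress address)
    {
        var parts = cidr.Split('/');
        var network = IPAddress.Parse(parts[0]);
        int prefix = int.Parse(parts[1]);
        if (network.AddressFamily != address.AddressFamily) return false;

        byte[] n = network.GetAddressBytes(), a = address.GetAddressBytes();
        int fullBytes = prefix / 8, remainingBits = prefix % 8;
        for (int i = 0; i < fullBytes; i++)
            if (n[i] != a[i]) return false;
        if (remainingBits == 0) return true;

        int mask = 0xFF << (8 - remainingBits);
        return (n[fullBytes] & mask) == (a[fullBytes] & mask);
    }
}

// Usage: decorate only the internal sections; everything else stays anonymous.
public class ReportsController : Controller
{
    [InternalNetworkOnly]
    public ActionResult Internal() { return View(); }
}
```

The second option in the answer (deny anonymous, allow integrated auth) needs no code at all: enable Windows authentication for the site in IIS and put a `<location path="Internal">` element in web.config whose `<authorization>` contains `<deny users="?"/>`. Browsers on domain-joined machines then authenticate silently, and the attribute above is not needed for those sections.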
We have an external SharePoint site that needs to be accessible to our intranet users and a select few users over the internet. The SharePoint site is on a separate domain from our intranet, but that separate domain trusts the intranet, so internal user's credentials work with the SharePoint site. As long as I have the trust settings in their browser, they will be automatically authenticated on the site.
The problem is external users. They also have accounts, but on our external network. By default they will receive a challenge/response pop up from the browser, and since they are not technically logged into the network they have to enter their credentials. I would like to be able to present them with a nice form instead of the challenge/response box. But I do not want to force internal users to have to type anything at all.
Is there a way to simply replace the pop-up with a redirection to a form I can control? Everyone has to be authenticated, and in the end it is all Windows authentication; I just want to control what people type into, but preserve single sign-on.
I know you can probably do this with multiple entry points into the application etc., but I was hoping to keep it simple.
I believe what you want is "Forms Authentication" in IIS. It should work the same way that you described, but allows you to specify a page to redirect to. I don't know the details, but you could try reading up on it here:
http://technet.microsoft.com/en-us/library/cc771077(v=ws.10).aspx
I use Windows Authentication with a load-balanced website. The load balancing is based on two IIS web servers. There is a feature in my site which allows users to re-log on, like SharePoint's "sign in as different user".
But I notice that when I re-log on, the User.Identity on one server is changed but the other server still keeps the prior account.
I suspect there is something in the cookie that should be cleared.
Has anyone faced this problem while playing with load balancing? Or do you know some related article which might help?
I don't know how to fix the problem. Any help will be appreciated.
By the way,
I use this method to achieve the re-logon; it works on a single server. http://www.roelvanlisdonk.nl/?p=825.
Hello guys,
I still work on this feature.
I print the User.Identity.Name on my home page. When I change the account, the User.Identity.Name output is changed correctly, but when I refresh the home page, sometimes the prior account is displayed on the home page.
If I'm reading your comments correctly, your setup involves two web servers, each with a local user with the same name (and presumably the same password), and you're attempting to use Windows authentication in the web farm scenario.
In your situation, each computer has its own account with a name - assume your username is "AuthorizedUser". Bear in mind that if AuthorizedUser is a local account on both machines, then these are two completely different user accounts. Each computer checks its own user account information to verify the identity of the person, and in a non-domain situation, Computer A has no reason to trust a user that was authenticated on Computer B.
If it were possible that computer A trusted computer B without a domain scenario - just two random computers that happen to have a user with the same name, imagine how easy it would be to hack into anyone's web server that's using Windows Authentication. All you'd have to do is guess a valid username, rather than a valid username/password combination. It's easy to see why this is a bad idea.
For Windows Authentication to work in a web farm scenario, you need to be using a Domain user (A Windows NT Domain) and that Domain User needs to have the same permissions set up on two servers. This way, there is only one AuthorizedUser, and both web servers can verify the identity against the domain. Both web servers will automatically trust that the Domain Controller has authorized the user properly and will trust the domain.
I'm looking at building a site that authenticates users against the AD of my company.
I've already created something that works internally, but I'd also like the users to be able to authenticate externally - from outside the network over the internet, using any PC or even mobiles. Obviously only people within the company should be able to access it.
I just need a few guidelines for what I'll need to bear in mind for such a project.
Use forms authentication
Use ADMembershipProvider
Host site on network with AD
How do I make it visible externally? what security implications are there? what needs to be done on the server?
There are no special requirements for the AD usage; normal security requirements apply - enforce HTTPS on the login page, for a start.
I guess your server is in the DMZ, so just make sure it can see AD from there.
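The login piece of the setup described above (forms authentication in front of ActiveDirectoryMembershipProvider), as an added ASP.NET MVC 3 example that is not code from the original thread. It assumes web.config has `<authentication mode="Forms">` pointing loginUrl at `~/Account/Login`, and a `<membership>` entry registering System.Web.Security.ActiveDirectoryMembershipProvider as the default provider with an LDAP connection string and `connectionProtection="Secure"`, so the bind to the DMZ-reachable domain controller is itself encrypted. Beyond the HTTPS point from the answer, the code shows three things an internet-facing AD login needs: anti-forgery on the POST, a local-only returnUrl to avoid an open redirect, and a uniform failure message.

```csharp
using System.Web.Mvc;
using System.Web.Security;

// Hypothetical controller name; the membership provider itself is configured in
// web.config (assumed, see lead-in) and reached through the static Membership class.
[RequireHttps]   // credentials and the auth cookie never travel in clear text
public class AccountController : Controller
{
    [HttpGet]
    public ActionResult Login(string returnUrl)
    {
        ViewBag.ReturnUrl = returnUrl;
        return View();
    }

    [HttpPost]
    [ValidateAntiForgeryToken]   // blocks login CSRF (forcing a victim into an attacker's session)
    public ActionResult Login(string username, string password, string returnUrl)
    {
        // ValidateUser binds to AD as the supplied user. A wrong password, or a
        // disabled or locked-out account, returns false. Because domain lockout
        // policy applies, an exposed login page lets an attacker lock real accounts
        // by guessing; rate-limit attempts at the edge (ISA/Forefront, WAF, or IIS).
        if (!string.IsNullOrEmpty(username) && Membership.ValidateUser(username, password))
        {
            // Session cookie only (no persistent "remember me" for an AD identity).
            FormsAuthentication.SetAuthCookie(username, false);
            return Redirect(SafeReturnUrl(returnUrl));
        }

        // Same message whether the user exists or not: do not leak valid usernames.
        ModelState.AddModelError("", "Invalid user name or password.");
        ViewBag.ReturnUrl = returnUrl;
        return View();
    }

    // Follow returnUrl only when it is local to this application. An absolute
    // URL here would let a phishing link bounce the user from your genuine login
    // page straight to an attacker's site.
    internal string SafeReturnUrl(string returnUrl)
    {
        return !string.IsNullOrEmpty(returnUrl) && Url.IsLocalUrl(returnUrl)
            ? returnUrl
            : "~/";
    }
}
```

Mark the forms cookie `requireSSL="true"` in the same web.config `<forms>` element; with [RequireHttps] on the controller that is what stops the authenticated session from ever being sent over plain HTTP.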
First let me explain the problem:
I have a little portal that any user from the internet can access. This portal is responsible only for the user authentication against a DB. If the user is validated, then the portal shows a list of links which redirect to multiple websites (these sites are in various languages like PHP, ASP.NET and Java). If the user inputs the URL of a website directly in the browser, the user can access the website. I want the multiple sites to be viewable only if the page request came from the portal and not from a URL input directly in the browser.
I have a local server with IIS 6, and the portal and websites are on this server.
Can anyone help?
Thanks in advance.
Gabe
If possible, host those applications as virtual directories under your authentication application and restrict access to only authenticated users; this should solve the problem.
I don't know if you are able to do this, but you could try this with an ISA/Forefront server.
You can configure this to do the redirecting for you if someone enters the website url. This way users will need to authenticate themselves and you can let ISA or FF handle the authentication part.
This is implemented a lot for OWA, but can also be used for other purposes (I've done this for several SharePoint solutions).
Of course you do need an extra server, licences and all that stuff.
I don't know how you can pull something like this off with only IIS. Perhaps with some IIS modules, but I haven't got any experience with that kind of stuff, so I don't know for sure.
I have a SharePoint web part with links to different websites which require a login. Therefore, I think I need to log the users on before redirecting them to deep pages in those sites, so I think I need to set up a cookie for that website when the web part is loaded (using the user's Active Directory credentials).
How can I achieve this requirement without opening a new browser window? (Though I have used a client-side script, it pops up a new browser window.)
Any help is highly appreciated...
Thanks
If you are referring to "different web sites" as sites having completely different URLs, then it's probably not possible without an SSO system.
The reason is that it's impossible to read/write cookies for another domain in a web environment, i.e. to pre-login the users as you are saying.
If all the sites are inside the same domain, like mycompany.com for example, and the different sites are at abc.mycompany.com or mycompany.com/subsite, then yes, you can set the cookie. See the top section here: http://www.15seconds.com/issue/971108.htm
A simple way to implement SSO is by implementing the method described later on in the same article,
in the "Requesting Cookie from Another Domain" section. This is not a very secure method, though, but it can be done if you restrict it properly to specific slave domains. And obviously all the slave sites have to be modified, as with any SSO implementation.
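The same-parent-domain case from the answer above, as an added example that is not code from the original post or from the linked article. It issues a forms-authentication cookie scoped to the parent domain (the `.mycompany.com` value is an assumed placeholder) from the SharePoint side, carrying the already-authenticated Windows user name. The receiving site can only honour the cookie if it shares the same `<machineKey>` and forms cookie name in web.config, which is also what makes the scheme safer than the plain-cookie variant in the article: the ticket is encrypted and signed, so a sibling host cannot forge one without the key.

```csharp
using System;
using System.Web;
using System.Web.Security;

// Hypothetical helper name. Assumes every participating host under the parent
// domain uses forms authentication with an identical <machineKey> and cookie name.
public static class ParentDomainSso
{
    // Assumed parent domain; the leading dot scopes the cookie to all subdomains.
    private const string CookieDomain = ".mycompany.com";

    // Builds the cookie for an already-authenticated user. Short lifetime on
    // purpose: this one cookie is the user's proof of identity on every host.
    public static HttpCookie CreateSsoCookie(string windowsUserName, bool secureOnly)
    {
        var ticket = new FormsAuthenticationTicket(
            1,                              // ticket version
            windowsUserName,                // e.g. DOMAIN\jdoe from Windows auth
            DateTime.Now,                   // issued
            DateTime.Now.AddMinutes(20),    // expires
            false,                          // not persistent across browser restarts
            string.Empty,                   // no extra user data
            "/");                           // cookie path

        // Encrypt() signs and encrypts with the shared machineKey; the slave site
        // decrypts it in its own forms-auth module without contacting SharePoint.
        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                    FormsAuthentication.Encrypt(ticket))
        {
            Domain = CookieDomain,
            Path = "/",
            HttpOnly = true,     // not readable by script on any of the hosts
            Secure = secureOnly  // never sent over plain HTTP when true
        };
        return cookie;
    }

    // Call from the web part's OnLoad: the user was authenticated by Windows
    // auth on the SharePoint site, so only an authenticated identity is propagated.
    public static void IssueForCurrentUser(HttpContext context)
    {
        var identity = context.User == null ? null : context.User.Identity;
        if (identity == null || !identity.IsAuthenticated)
            return;   // nothing to propagate; never issue a ticket for an anonymous request
        context.Response.Cookies.Add(
            CreateSsoCookie(identity.Name, context.Request.IsSecureConnection));
    }
}
```

Two limits to keep in mind: the cookie is an identity assertion signed by the SharePoint site, not the user's AD credentials, so every slave host is trusting SharePoint's authentication outright; and because it is domain-wide, any host under the parent domain, including ones you did not intend, receives it, which is the "restrict it properly" point from the answer.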