This will probably turn out to be a doozie.
I'm developing an application in ASP.NET to be put on our company's intranet site. I've been handed a specification in regards to security and have no idea how to do it.
First part: The application is to use Windows Authentication. This part seems easy enough; I opened IIS in Administrative Tools, right clicked the node of my website, properties and checked 'Integrate Windows Authentication'. However, I have no idea how I will govern which people have access to my site. I'm thinking this should be taken care of at the database level. This is Q#1
Second part -- I have to implement a process for the following scenario: User 'Jane' can log in to our network, but does not have rights to my application. User 'Bob' does have rights to use my application. Bob needs to be able to sit at Jane's computer (under her network account), but be able to enter his credentials into my application and use it (even though Jane is logged into the local machine and network). This is Q#2
Any help, general direction, or advice would be appreciated. The winning lottery numbers would be appreciated even more.
Thanks,
Jason
You're looking for Windows Authentication and Authorization in ASP.NET
How To Use Windows Auth in ASP.NET
Authentication/Authorization Explained
How To Implement Windows Auth in ASP.NET
Part 2...you're right, that's tough. You'll need to roll your own custom security provider.
You'll have a login page, then check that against Active Directory yourself. From MSDN
ASP.NET also supports custom solutions
for using Windows authentication,
which bypasses IIS authentication. For
example, you can write a custom ISAPI
filter that checks the user's
credentials against Active Directory.
With this approach you must manually
create a WindowsPrincipal object.
You've got requirements around authentication and authorization here.
Authentication: The act of confirming identity
Authorization: The act of correlating an identity to a privilege (eg Read/Write/Delete)
Windows Authentication is useful if you want "auto-signon" capability. The site will "know" the user by ID without them having to sign in.
The need for users to login from multiple locations means that you must implement a login page. This would fulfill your requirement in which one user may sit at another's workstation and log in.
You will want to authenticate users against the Windows domain. This can be done with a custom membership provider. Here's a walkthrough:
http://msdn.microsoft.com/en-us/library/ms180890(v=vs.80).aspx
This will allow you to present a login page that will authenticate users with their domain username and password. This will authenticate users- the identity of the user will be stored in the HttpContext.User. You can then also maintain a user list in a database to store authorization data.
Also found this -- a pretty good resource for anybody out there who's in the same boat:
Mixing Forms and Windows Security in ASP.NET
http://msdn.microsoft.com/en-us/library/ms972958.aspx
Related
I have tried my best to search the web before asking this question. I've seen similar questions on stackoverflow, however, none has been answered satisfactorily for a long time now. This is one more attempt to get this recurring question answered.
The Problem
How to build an ASP.NET MVC 5 website which uses "Windows Auth" for Intranet users and "Forms Auth" for Internet users? We'd like to accomplish this using ASP.NET Identity. Moreover, we don't want to use Active Directory Groups for authorization. For Intranet users, we want to authenticate them using Active Directory and then fall back to ASP.NET Identity to manage their roles and other profile data.
It'll be nice if we don't ask the end user to choose auth method. The web app should log in intranet users seamlessly. They shouldn't even know that there is a login screen. Likewise, the internet users shouldn't be asked to enter their domain credentials. They should see form based login screen right away.
Is there any recommended way of solving this? Or could you comment if any of the following are proper solutions?
http://world.episerver.com/blogs/Dan-Matthews/Dates/2014/8/Mixing-Forms-and-Windows-Authentication/
https://github.com/MohammadYounes/MVC5-MixedAuth
http://mvolo.com/iis-70-twolevel-authentication-with-forms-authentication-and-windows-authentication/
FYI This is 2004 article, may not be helpful now:
https://msdn.microsoft.com/en-us/library/ms972958.aspx
IIS configuration
Enable Anonymous Authentication status in IIS for the whole site and Windows Authentication for some folder under root directory (for example, /WindowsLogin). In this folder place aspx file (for WebForms project) or create ApiController (for MVC project).
Site setup
On login page add button “Login with Windows/ActiveDirectory account” (in similar way as it is common practice to add buttons Login with Twitter, Facebook, Gmail, etc.). When user presses this button, they will be redirected to the page or controller in /WindowsLogin folder, which require Windows authentication. If site uses some Single Sign-On functionality, locate it in that page or controller, in other case just save Session for Windows users there. If user accessed that page or controller, they had been authenticated as Windows users already.
One of the possible ways could be creating two sites in IIS, but having the same target folder, where sources of site are located. First site is for internal users with enabled Windows Authentication mode and binding to 80 port, while second site is for external users with Anonymous mode enabled and binding to 8080 port, for example. Then, on firewall you will have to configure NAT, that all requests coming from within local network or VPN, will be redirected to local IIS server on port 80 and all requests coming from Internet, will be redirected to port 8080 of IIS server.
The term for this is Mixed-Mode Authentication. I have done this multiple times. You only need to tweak your main site. Here is how I have done it.
Keep your main MVC site as-is but run it as Anonymous vs. under Windows Auth.
Internal Site
Create a Redirect URL Site: Setup this site as Window Auth so you can pull the User ID from Active Directory. Give your users this URL and/or make it the link they click on your Intranet. Then this site calls your MVC Site and passes the user credentials (login id).
a. This can be done either via an encrypted string on the URL or encrypted value in a cookie. You can encrypt with an expiration date/time value too.
b. (Speaking from Forms Auth) Create a Forms Authentication Ticket with that user ID. Run any other login logic you have. Done.
External Site - No Changes required. Let the users login as-is.
Are you wanting to handle forms and AD authentication from one URL? I have used thinktecture (claims based auth) as the framework for WIF and marshaling various forms of authentication. However to handle if from one URL I had to handle some logic at login that associated the user to AD or Forms based. In a more recent project, this was handled at user management when we created the user account (it was associated to AD of Forms Auth). Then when the user logged in they would preface the AD domain name as part of the login. There are a number of ways to implement this, this was just one I have used. An example, instead of requiring the domain, just use the username, then check for AD or forms based flags on the username and then handle authentication accordingly
EDIT
Just an update in re-reading your question. Are the internet users and intranet users the same? If so you need to just go forms based auth across the board and manage the users in the product DB independent of AD. If they are the same then they could login prefacing the domain name to username. if you wanted to rely solely on AD.
I did a proof of concept of this some time ago, at my previous job, so the details are hazy and I don't have any code to refer to...
The requirements were:
Single URL for internal (LAN) and external (internet) access
Two types of users, people on the domain and external (non-AD) users
Windows authentication for domain users both internally and externally
The ability to enter domain logon details when using iPads (no windows auth)
The core idea in the solution I came up with was that we used Active Directory Group Policy to add a custom string to http request header user agent, the content doesn't matter, in fact we used a long random string of characters.
https://technet.microsoft.com/en-us/library/cc770379.aspx
Then the landing page for the site checks for this, and if found redirects to a virtual directory, with windows auth, that checked their AD account, populated the ASP.NET authentication token and then redirected them to their home page.
If the custom header isn't there then it just displayed the normal login form.
The only other thing was to add an AD email/password check to the normal login form so that if a domain user accessed the site from a non-windows device (iPad) then they could use their normal login details.
Why not put your website code on the server, robocopy it to two separate websites and just handle the changes in authentication by configuring the web.config. (one would be setup with anonymous and one with windows authentication.)
It's not as snazzy as other methods but it's relatively painless. There are two sites but the content (except for the web.config) are identical.
I need to implement something like Single Sign On for a application that is being used on both Intranet and Internet.
Now , the application uses its own table for storing User information and has more users than that present in the AD for the Company. Example contract workers/3rd party vendors etc and hence many users who don't belong to the Active directory of domain are listed in the User Table.
The Application is a bit old and currently it uses Form to authenticate the users.
But strangely authentication mode in the web.config file has the following entry for authentication. <authentication mode="None" />
I changed the authentication mode to Windows in web.config and in IIS 6 selected integrated Windows authentication and unchecked the anonymous access.
Now I have following two scenarios.
#1 Intranet
User logs in to the system using the System Credential which is stored in a AD
Now if user hits the link for the web application he should be logged in.
I have implemented this part by using Page.User.Identity.name in the Page load of login.aspx to check if the user exists in the DB.
#2 Internet
If I check it from a external network the browser prompts me for credential.
The requirement is that the user should not be prompted for credential instead should be shown the current Login page
I googled and ended up on stackoverflow every time. Sadly the solutions did not work out for me.
I stumbled upon this post by Scott Enabling Windows Authentication within an Intranet ASP.NET Web application and if you check the comments Scott refers to use of solution by commenter ripster in case application is accessed from internet as well as intranet. Though it didn't work out for me or may be I didn't do it properly.
It seems you require a mix of Windows and Forms authentication : The requirement is that the user should not be prompted for credential instead should be shown the current Login page
Thought to share this . May be it can help you as mostly I have seen people to like the second below mentioned solution a lot. ( Atleast when they read it.)
If you're in classic mode - you can have both Windows and Forms authentication. An alert will pop up
Challenge-based and login redirect-based authentication cannot be used
simultaneously
you can however ignore this warning. CarlosAg says that:
we decided to leave it there was because it is still behavior that many user
scenarios would be consider incorrect, since most of the time forms
authentication uses anonymous authentication and not windows.
Read here.
Now when you want to use integrated mode, This stack question : iis7 Challenge-based and login redirect-based authentication cannot be used simultaneously leads to this famous link: http://mvolo.com/iis-70-twolevel-authentication-with-forms-authentication-and-windows-authentication/, which allows to change the authentication way for a page.
Another way you can manage this when using windows authentication is to manage usernames using code:
string user = Request.ServerVariables["LOGON_USER"];
Refer this link: http://beensoft.blogspot.in/2008/06/mixing-forms-and-windows-authentication.html , which gives a different way of mixing Forms and Windows authentication.
Its not an original question. There is already a batch of articles describing this problem and solution for it. They all are dated back to times of .Net Framework 1.1 and IIS 6.0 and are not really helping with all the membership and role providers stuff we have nowadays. But lets get closer to the problem.
The problem is short.
You have an intranet site using Windows authentication and it works just fine. All you want is to give access to this site to users from their homes and to users who don`t have Windows based workstation.
Duplicate the whole site would be cumbersome because all the application except Login part would work well just if appropriate information would be saved in cookie on Login step.
You are welcome with any suggestions.
You don't say if internal users are authenticated or not, so, as it's an intranet I'm going to assume they are, via integrated authentication.
The simplest way would be to leave it as is, and turn on digest authentication if you are in a domain environment in addition to integrated authentication - this would prompt users not on the intranet with a username/password popup and they can login with their domain credentials.
If you don't have a domain - then how is it an intranet site? How are users authenticated? If you're in a workgroup scenario, where users have login details on their own box, and login details on the intranet server (in which case moving to AD would be better all round - no need to keep the passwords in sync, or deactivate user accounts in multiple places when people leave) then mixing Integrated authentication with Basic Authentication would do the same thing - however if you're going to use Basic Authentication then you will need to add an SSL certificate to the site to stop usernames and passswords being sniffed - Basic Authentication sends them in plain text.
Well, what you could consider is if you can use Active Directory, there is a provider to use the AD store for security, that would work for both.
HTH.
My supervisor at the office tells me that he saw a demonstration with a pre-release version of Microsoft "Geneva" (now Windows Identity Foundation) where a developer did the following:
He set up some sort of ASP.net web application where a user could log in using a customized log-on system. Behind the scenes, the web application logs the user in as a user in an Active Directory.
The user logs in.
Once the user is logged in, the the ASP.net web application thread runs as the logged in user for the duration of the user's session and can access resources on the network (such as running SQL queries on tables whose access is controlled Active Directory)
Steps 2) and 3) are exactly the same as using the "Integrated Windows Authentication" setting in the "Directory Security" tab of the web site settings in IIS. Step 1) is different because we are using a custom log-on system as opposed to the Kerberos authentication.
We want to set up one of our applications to operate exactly as described in 1), 2), and 3). However, all the documentation that I've seen regarding Windows Identify Foundation is about Cardspace and Federated Security. We have zero interest in using either of these technologies right now.
We just want to be able to log users in to Active Directory Accounts behind the scenes.
Yes, we've tried the ActiveDirectoryMembershipProvider with Forms Authentication, but it's a complete kludge to actually access resources on the network requiring impersonation on every page!
UPDATE Jan 7, 2010. Okay, I've been working at this for a while, and everything I've managed to come up falls short of what I want to achieve. Perhaps the functionality I want is not in the release version of WIF.
Here's where I'm at now. I've found some documentation on MSDN that indicates that there are three different identities used in ASP.net: the identity specified by HttpContext.Current.User, the identity specified by Thread.CurrentPrincipal, and finally the identity specified by WindowsIdentity.GetCurrent. link
In one example of where I want to use the process I'm looking to design, I want to perform a SQL query as the logged in user. In my debugger, I see that I easily set the HttpContext and Thread users to the logged in user. However, when I connect to the SQL server using Windows Authentication, it always always always connects as the WindowsIdentity.GetCurrent user and that user is always always always the identity of the ASP.net process unless I'm using Windows Authentication with impersonation. I absolutely cannot use Windows Authentication with my application because my users must log in by playing a magic flute song and Windows Authentication has no support for logging in with magic flute songs.
To clarify, there is no trouble with obtaining a WindowsIdentity representing the logged in user (who logged in with a magic flute song). The problem is that I cannot use that WindowsIdentity to perform SQL queries for my user.
WIF allows you to configure it so a claims based identity maps to an AD account, the claim may either be a federated identity claim, or delivered via an information card. c2WTS performs this function.
Even when it does map because of delegation you're always going to have to delegate if you want to use the AD identity IIS is impersonating - that's just how it works, unless you setup Kerberos delegation for IIS
You can achieve the same using Identity Impersonation in ASP.net. Also you need to enable windows integrated authentication for you web app. This will solve the purpose. If the logged in user does not have the required rights to access resources you will get security exceptions which you will have to handle.
I am in the process of writing an application that will need multiple forms of authentication.
The application will need to support authentication to Active Directory, but be able to fail back to a SQL Membership Provider if the user is not in Active Directory. We can handle the failing to the SQL Provider in code based on the username provided because the username will be a different format than the Active Directory username.
Is this even possible? What I mean is, can I use membership and use both ActiveDirectoryMembershipProvider and SqlMembershipProvider together or will I have to roll my own?
Another additional added complexity is that I would like to automatically authenticate my internal users based of Windows Authentication back to AD, but use Forms Authentication for users not on our internal network, or users that are using the SQL Provider.
These will most likely be separate servers, one internal, and the other external so I have a lot of planning to do to figure out the data replication, and how I will authenticate the AD users if they hit the outside server etc.
I am wondering what thoughts are out there as I start down this road. Is what I am wanting to do even possible without me rolling my own, or is there a way to mesh these together?
Thanks for the reply.
The reason I asked originally was because I was able to get this specific senerio working about 7 years ago using IIS to authenticate and then passing back the credentials to a Lotus Domino Server Web App. If the user was not authenticated via the Windows Authentication/ISS then Domino would handle the authentication. This was what I was looking to do here, but really couldn't think of a way to make it work in IIS.
As for the rest of your reply, I think you are on to the way that I will need to take. I have thought this through and tossed it around in my head a lot. The application will be somewhat different on the two servers anyway since there is going to be limited access to the data on the external server anyway. The fact that so much is going to be different already I may just treat these as two applications, thus negating the need to use two types of authentication in the same application anyway.
I am playing around with the idea already of writing my own authentication/login window for the external server, and if the user trys to log in with their AD credentials on the external server I will be able to detect that and redirect them to the internal server. If they are not on the local network or VPN'd in they will simply not get access. This part still has some thought process to go though so I am not sure.
As an additional thought - is there a way to pull just enough of AD into a SQL database to allow me to authenticate users to the SQL database from the external server using their AD credentials, without creating any security issues? I hope I am clearly typing what I am thinking....
Thanks again!
Tim
This is the way I've handled a similar situation based on this info:
Configured the application to use Forms authentication.
Set the LoginUrl to a page called WinLogin.aspx.
In WinLogin.aspx, use Request.ServerVariables["LOGON_USER"] to get the username then call FormsAuthentication.RedirectFromLoginPage( authorizedUserName, false ) to log them in. I guess you can manually check Active Directory as this point as well.
Create an html page that redirects to a page called Login.aspx
Login.aspx is your standard username/password login.
In IIS, Enable Integrated Authentication and Anonymous on the entire site, but deny anonymous access to WinLogin.aspx.
In IIS, set your 401 errors to the page created in step 3.
What basically happens is that when an unauthenicated user hits the site, they're redirected to WinLogin.aspx. Since anonymous is turned off, integrated security makes a check. If that passes, your custom code in WinLogin can run. If the integrated security check fails, a 401 error occurs. Your custom 401 page redirects to Login.aspx where the user can log in using their username and password with the SQL provider.
As far as I know, Web Applications are configured to use either Windows Authentication or Forms Authentication, but not both. Therefore, I do not believe it is possible to automatically authenticate internal users while requiring others to enter a username / password.
You could authenticate to Active Directory or a SQL user store via Forms authentication by using a custom provider. However, the AD users would still need to enter their username and password. Although I've never combined these two methods, I have used Forms authentication to authenticate against both sources at one time or another.
With that said, I think you may want to consider reducing the "flexibility" of your system. If you have an external facing server and an internal facing server, you could simply change the provider configuration on each copy of the application to go against a different source. Then, you could configure the internal one to use Windows (automatic) authentication and the external one to use Forms authentication.
IMHO, I believe that internal users should not be using the external server to access the application. If they are, they should have a user account stored in SQL, completely separated from their AD account. Basically, when someone accesses the application externally, they are acting as an external user, irregardless of their physical location.
Well, it is possible to use ActiveDirectoryMembershipProvider and SqlMembershipProvider, but this requires you design your log on page with your own code instead of the Login controls.
About the mix authentication (Windows and Forms), as far as I know only IIS 7 makes it easy and clean. See this post for details,
http://mvolo.com/blogs/serverside/archive/2008/02/11/IIS-7.0-Two_2D00_Level-Authentication-with-Forms-Authentication-and-Windows-Authentication.aspx