Authetication system for 1 user - asp.net - asp.net

I have only one user for my asp.net application and I have to create the authentication system for the website. What could be the best, secure and easiest way I can do that?
What I believe that createing a table in a database for a single user is not at all a good choice. At the same time, security is the major need for the authentication.

You can store the username and (hashed) password in the web.config.
http://msdn.microsoft.com/en-us/library/e01fc50a.aspx

Since you don't have to worry about user maintenance, just add the user to the local system and establish integrated windows authentication. This keeps the password secure, the login is done through NTLM, and you can use the built-in Identity class to keep track of the logged in user.

Related

Is Windows Authentication enough to sign my user in?

I have an ASP.NET Core application using Identity. It is an intranet application and I am requiring all users be authenticated using Windows Authentication, which uses Kerberos.
I want to have the system be seamless for the user, so that when they access the page and they are not signed in but are authenticated, they are automatically signed in using their User.Identity.Name which corresponds to their Identiy Username which I first check to see if exists with UserManager.FindByIdAsync
If it does exist, I sign them in using the SignInManager. If it doesn't exist, I create a new user in the Identity store and then sign that user in.
Is this assuming too much? is this potentially going to come back and bite me, or is this perfectly acceptable? Most examples I see exist with user credentials being transmitted to sign the user in to Active Directory.
With integrated authentication IIS becomes the point at which users login, and you don't need, and shouldn't use Identity 3.0 - you don't need it, AD is the user database here, you don't need to add Identity.
When you create a new application you should click the change authentication button in the new project dialog and choose Windows authentication. That will configure everything correctly and won't add any of the Identity pieces.
Note that in RC1 authorization based on role/AD group membership is broken, so Authorize[Roles = "MYDOMAIN\mygroup"] won't work. This will be fixed in RC2.

Sign out from Windows Authenticated ADFS and sign in as different user in form base auth

We are going enhance the authentication and authorization system of our Intranet web app. After having few days reading about ADFS, STS, claim based authentication, asp.net Identity. Still not sure how these things works together.
Most of our intranet web applications are using Windows Integrated Authentication, we uses windows group or AzMan to do role base authorization. We have few applications(Vendor application) use it own user database and form base authentication.
We want to add following features to our web applications.
For Windows Authentication application, we want to let user to Sign Out / Sign in as different user. So when User A using his/her computer to access the application, it will auto logged in (default windows integrated authentication). When he/she do log out, it will redirect to a form to allow to input other user credential.
We want to allow user login to System A using System B username/password.
e.g. For the windows authentication application, we want allow user login to the application using the credential of the Form base application (Vendor application) of via visa
I don't know if ADFS can solve these two problems.
From my understanding, the main purpose of ADFS is to allow access to internal application from Internet, and it require SSL.
Our application all are in Intranet, and we don't want to manage the ssl cert.
But by using ADFS, perhaps I can enable both Windows and Form Authentication on my application, so then let use log out and re-direct him to the login form as which just like he access outside company network. It should solve the problem 1.
For problem 2, what if I can create a custom STS to issue security token by using the user database of the form base authentication appliaction. Then I can use claim based authentication and allow one application can use ADFS and my STS. It should solve my problem 2.
Is my direction correct? or am I complicated the problem?
ADFS will not work without SSL.
Furthermore, all RP have to use SSL.
Internally, users will be logged in seamlessly using WIA. When they logout, they will simply be seamlessly logged in again.
Also ADFS v3.0 and below can only authenticate against AD.
While what you want is possible using ADFS, the question is whether it's a good idea and worth the trouble. It may be more appropriate to ask the user to log out of the machine and log in with a different account so you can stick with Integrated Windows Authentication (IWA). Writing your own security infrastructure is fraught with peril.
If you really feel these are hard requirements and it is worth the trouble, the following may work.
Write an ASP.NET web application based on Katana and enable Integrated Windows Authentication. This will make sure that the first time a completely unauthenticated request comes in, the application will challenge the browser. Subsequent requests will have a WindowsPrincipal populated in the HttpContext.User and Thread.CurrentPrincipal.
Now, write a piece of OWIN middleware that checks if an authentication cookie is present. If the cookie is not present, it checks the Thread.CurrentPrincipal and serializes the claims into a secure cookie.
If the security cookie is present, it overwrites the WindowsPrincipal in Thread.CurrentPrincipal with a new ClaimsPrincipal created from the claims in the cookie.
Now, when a user navigates to the web application the first time, he/she will be logged in automatically using IWA and the cookie will be created. Now, provide a logout action which deletes the authentication cookie and presents the user with a username and password dialog.
In the POST handler for that action, use WIF to talk to the username endpoint in ADFS (using WS-Trust protocol) and try to authenticate the user with the supplied credentials. If successful, use the claims from the returned token to create a new authentication cookie.

ASP.NET / IIS Security (Windows Authentication)

This will probably turn out to be a doozie.
I'm developing an application in ASP.NET to be put on our company's intranet site. I've been handed a specification in regards to security and have no idea how to do it.
First part: The application is to use Windows Authentication. This part seems easy enough; I opened IIS in Administrative Tools, right clicked the node of my website, properties and checked 'Integrate Windows Authentication'. However, I have no idea how I will govern which people have access to my site. I'm thinking this should be taken care of at the database level. This is Q#1
Second part -- I have to implement a process for the following scenario: User 'Jane' can log in to our network, but does not have rights to my application. User 'Bob' does have rights to use my application. Bob needs to be able to sit at Jane's computer (under her network account), but be able to enter his credentials into my application and use it (even though Jane is logged into the local machine and network). This is Q#2
Any help, general direction, or advice would be appreciated. The winning lottery numbers would be appreciated even more.
Thanks,
Jason
You're looking for Windows Authentication and Authorization in ASP.NET
How To Use Windows Auth in ASP.NET
Authentication/Authorization Explained
How To Implement Windows Auth in ASP.NET
Part 2...you're right, that's tough. You'll need to roll your own custom security provider.
You'll have a login page, then check that against Active Directory yourself. From MSDN
ASP.NET also supports custom solutions
for using Windows authentication,
which bypasses IIS authentication. For
example, you can write a custom ISAPI
filter that checks the user's
credentials against Active Directory.
With this approach you must manually
create a WindowsPrincipal object.
You've got requirements around authentication and authorization here.
Authentication: The act of confirming identity
Authorization: The act of correlating an identity to a privilege (eg Read/Write/Delete)
Windows Authentication is useful if you want "auto-signon" capability. The site will "know" the user by ID without them having to sign in.
The need for users to login from multiple locations means that you must implement a login page. This would fulfill your requirement in which one user may sit at another's workstation and log in.
You will want to authenticate users against the Windows domain. This can be done with a custom membership provider. Here's a walkthrough:
http://msdn.microsoft.com/en-us/library/ms180890(v=vs.80).aspx
This will allow you to present a login page that will authenticate users with their domain username and password. This will authenticate users- the identity of the user will be stored in the HttpContext.User. You can then also maintain a user list in a database to store authorization data.
Also found this -- a pretty good resource for anybody out there who's in the same boat:
Mixing Forms and Windows Security in ASP.NET
http://msdn.microsoft.com/en-us/library/ms972958.aspx

How do I change a windows password through asp?

I have a web application that uses Integrated Windows Authentication to validate users. Most of them are remote and don't have access to a workstation to update their AD password.
Rather than manually managing passwords my self, I'd like to put together a script so they can change them on their own.
How would I update their windows password through ASP?
If you are going to offer this in a website, you should consider the security implications. A self-service password changing website is generally considered a major security risk and is not common.
You mention that your users are remote. If the site will be public, how will they authenticate through Integrated Authentication? They only way I know to make this possible is through VPN. Otherwise, they will have to use Basic Authentication to enter their username and password. This is very insecure, even over SSL.
Here are some recommendations:
Secure the site using client certificates. If this is not possible use SSL at a minimum.
I would strongly recommend that you implement the actual password-changing logic in a secure webservice. The ASP.NET page should call the webservice to request the change.
You should store an audit trail of password changes. DO NOT store the passwords, just an event log of the user, time, and IP address.
Test very thoroughly to ensure that the integrated security is recognizing your users properly. Make sure that users cannot accidentally change other users' passwords.
There is a function in the System.DirectoryServices namespace that seems to be able to handle this. You will need to add a reference to it in order to use it.
Here is the article on how to change user passwords:
http://msdn.microsoft.com/en-us/library/ms817839.aspx
http://support.microsoft.com/kb/555071
If you can set up IISADMPWD like this, you should be able to change passwords. This is actually an ASP application which relies on a COM component.
Note that IISADMPWD is obsolete and does not ship with IIS 7.0.

ASP.NET Forms Authentication With Only UserName

I have a bit of a hybrid situation on my hands. I'm writing an intranet asp.net web app. I don't want to use full blown Windows Authentication, because I don't have proper groups set up in Active Directory to be able to authenticate users simply based on what group they are in. Up until now, I had created a membership database, and was manually authenticating users based on their NT Login. The app is getting more complex, and I'm looking at using the Membership and Roles providers to authenticate users. Here's my issue: I want to be able to authenticate users just based on their NT, but I don't want to use Windows Authentication. I want to write my own provider to plug into the membership and roles providers, and use Forms authentication, but make it transparent. Based on a Users table, I want to be able to authenticate the user or redirect them based on their NT alone. Is this possible, or am I stuck writing my own small framework to accomplish this? I would like to take advantage of the provider framework if at all possible.
Set your web.config to use Forms Authentication.
Make sure Integrated Authentication is turned on in IIS (you may need to disable anonymous as well). This will allow you to get the user's NT name.
You can get the user's NT name with:
Request.ServerVariables["LOGON_USER"]
You can log the user in, no password needed, with:
FormsAuthentication.RedirectFromLoginPage( userName, false );

Resources