I have an application where I display every Active Directory group that the current user belongs to. When I have my config setup like this:
<authentication mode="Windows"/>
<authorization>
<deny users="?"/>
<allow users="*"/>
</authorization>
It works fine. When it's like this:
<authentication mode="Windows"/>
<authorization>
<!--<deny users="?"/>-->
<allow users="*"/>
</authorization>
No groups are found. Why does this make a difference? Does asp.net only authenticate if we are specifically denying access to unauthenticated users?
If it helps this is how i'm getting the groups:
protected string GetUserGroups()
{
StringBuilder userGroups = new StringBuilder();
ArrayList groupMembers = new ArrayList();
DirectoryEntry root = new DirectoryEntry("LDAP://myldap/DC=nc,DC=local");
DirectorySearcher ds = new DirectorySearcher(root);
ds.Filter = String.Format("(&(samaccountname={0})(objectClass=person))", User.Identity.Name.Substring(User.Identity.Name.LastIndexOf(#"\") + 1));
ds.PropertiesToLoad.Add("memberof");
try
{
foreach (SearchResult sr in ds.FindAll())
{
foreach (string str in sr.Properties["memberof"])
{
string str2 = str.Substring(str.IndexOf("=") + 1, str.IndexOf(",") - str.IndexOf("=") - 1);
groupMembers.Add(str2);
}
}
}
catch
{
//ignore if any properties found in AD
}
return String.Join("|", (string[])groupMembers.ToArray(typeof(string)));
}
I may be wrong, but I believe this is how it works:
The first time a browser hits a site it does so as anonymous.
If the server says that anonymous isn't allowed, the browser then sends the users windows credentials.
If those credentials don't pass muster, then the browser pops up the login box or (depending on the application) sends them over to a login page.
So, because your site allows anonymous, all of the users are coming in that way.
Related
I am trying to retrieve the current user in my web application that uses ASP.NET Forms authentication.
However, System.Security.Principal.WindowsIdentity.GetCurrent().Name returns domain\windowsUser, NOT the username that was used in the FormsAuthentication.RedirectFromLoginPage method.
I am using Forms authentication in my config file:
<authentication mode="Forms">
<forms loginUrl="Views/Login.aspx" name=".ASPXFORMSAUTH" timeout="1" cookieless="UseUri">
</forms>
</authentication>
<authorization>
<deny users="?" />
</authorization>
I am also trying to follow Microsoft's walk through and retrieve the Authentication ticket using the following snippet:
if (Request.IsAuthenticated)
{
var ident = User.Identity as FormsIdentity;
if (ident != null)
{
FormsAuthenticationTicket ticket = ident.Ticket;
var name = ticket.Name;
}
}
However, ident is always null because it's WindowsIdentity not FormsIdentity. What's wrong here?
Thank you!
Use User.Identity.Name to get the user name.
Windows authentication does not use the FormsAuthenticationTicket.
I installed VM player in my machine and installed windows 2008 standard core inside. Also via command prompt added users and groups for a particular user as below,
creating user
dsadd user "cn=username,cn=users,dc=myname,dc=ca" -pwd password -disabled no
creating group
dsadd group "cn=groupname,cn=users,dc=myname,dc=ca"
Also added user to the existing group as below,
dsmod group "cn=groupname,cn=users,dc=myname,dc=ca" -addmbr "cn=username,cn=users,dc=myname,dc=ca"
Now i connect this users via my asp.net application in my local machine as below,
Web.config settings
<authentication mode="Forms">
<forms loginUrl="logon.aspx" name="adAuthCookie" timeout="10" path="/"/>
</authentication>
<authorization>
<deny users="?"/>
<allow users="*"/>
</authorization>
script for authentication
void Login_Click(object sender, EventArgs e)
{
string adPath = "LDAP://domainaddress:389/DC=somename,DC=m"; //Path to your LDAP directory server
LdapAuthentication adAuth = new LdapAuthentication(adPath);
try
{
if(true == adAuth.IsAuthenticated(txtDomain.Text, txtUsername.Text, txtPassword.Text))
{
FormsAuthentication.SetAuthCookie(txtUsername.Text.Trim(), false);
string groups = adAuth.GetGroups();
//Create the ticket, and add the groups.
bool isCookiePersistent = chkPersist.Checked;
FormsAuthenticationTicket authTicket = new FormsAuthenticationTicket(1,
txtUsername.Text, DateTime.Now, DateTime.Now.AddMinutes(60), isCookiePersistent, groups);
---------
-------
}
where i am getting exception in string groups = adAuth.GetGroups(); as below
"Error authenticating. Error getting groups. The username is incorrect or bad password. "
Please let me know if i am doing some mistakes or please let me know how i find groups of assciated user.
Regards
Sangeetha
I've just installed AD LDS on my developer PC and everything works find, I've even created the user "abc" via ADSI Edit.
My goal is to test my ASP.NET Mvc 3 web application with my test AD LDS instance.
How can I get the app to authenticate the user against the instance? Do I have to write a custom membership provider? (overriding some stuff in the default AD membership provider?)
Thank you for any help!
You don't have to do any authentication since it is handled by iis.
All you have to do is change authentication mode to windows.
<system.web>
<authentication mode="Windows" />
</system.web>
Remember to either install iis after you installed AD, or register it manually.
Because you are using AD LDS I don't think authentication mode "Windows" will be so helpful. I believe you need to create a Login View(here /Account/Logon) and use authentication mode "Forms".
Enter the followwing in web.config
<authentication mode="Forms">
<forms name=".ADAuthCookie" loginUrl="~/Account/Logon" timeout="30" slidingExpiration="false" protection="All"/>
</authentication>
<authorization>
<deny users="?"/>
</authorization>
Authenticating the user can be accomplished by using System.DirectoryServices.AccountManagement. The controller code should look something like this:
public ActionResult Logon(LogonModel model)
{
if (model.Username != null && model.Password != null)
{
string container = "CN=...,DC=....,DC=...."; //Your container in LDS
string ldapserver = "server:port"; //LDS server
PrincipalContext context = new PrincipalContext(
ContextType.ApplicationDirectory,
ldapserver,
container,
ContextOptions.SimpleBind);
bool authenticate = context.ValidateCredentials(string.Format("CN={0},{1}", model.Username, container), model.Password, ContextOptions.SimpleBind);
if (authenticate)
{
FormsAuthentication.RedirectFromLoginPage(model.Username, false);
}
else
{
System.Threading.Thread.Sleep(5000);
this.ModelState.AddModelError("Password", "Wrong username or password");
}
}
return View("Logon", new LogonModel { Username = model.Username });
}
Note that this ONLY solves authentication and not authorization.
You can also use membership providers, but if you are looking for an easy solution I think this should do the trick.
Site Details which uses the single sign on,
1. http:\\webgate.abcltd.com
2. http:\\sales.abcltd.com
3. http:\\emp.abcltd.com
webgate application does the authentication and authorization. others(sales,emp) uses the webgate application. when any one access the any page from sales/emp site, they will be redirected to webgate's login page(here i have used form authentication. the configurations are below)
<authentication mode="Forms">
<forms loginUrl="Login.aspx"
protection="All"
name="WebGateSecurity"
path="/"
domain="abcltd.com"
defaultUrl="ApplicationList.aspx"
enableCrossAppRedirects="true"/>
</authentication>
<authorization>
<deny users="?" />
</authorization>
<machineKey validationKey="2C0904BC344116CC6FFD3DD7087C942878C41B7F861555651E69C7B72F9A7DF6BC3B63BFF0F1438DFB863EE3EAC62CBFFECA7482D3758888E7CDACDBBAE136D5" decryptionKey="A60EC9E480CB3BBC48D1D2B7FFF9E945FBA46196AD3029187022ADE8F7B99B25" validation="SHA1" decryption="AES" />
User credentials is validated against the data store and the authentication ticket/cookies are being created as below
var authTicket=FormsAuthenticationTicket(1, username, DateTime.Now, DateTime.Now.AddMinutes(30), false, userActions, FormsAuthentication.FormsCookiePath);
string encryptedTicket = FormsAuthentication.Encrypt(authTicket);
var authCookie = new HttpCookie(FormsAuthentication.FormsCookieName, encryptedTicket);
Response.Cookies.Add(authCookie);
If the given credentials are correct, i am tring to redirect to requested url as below
if (Request.Params["ReturnURL"] == null || Request.Params["ReturnURL"].EndsWith("/Logout.aspx") || Request.Params["ReturnURL"].EndsWith("/Error.aspx"))
Response.Redirect(FormsAuthentication.DefaultUrl);
else
{
//Response.Redirect(FormsAuthentication.GetRedirectUrl(username, false));
FormsAuthentication.RedirectFromLoginPage(username, false);
}
I have used the LoginStatus Control(placed in master page) which is let the user to perform the sign in/sign out from webgate app. When user sign out, the following code will be executed in order to remove the cookie.
protected void LoginStatus1_LoggingOut(object sender, LoginCancelEventArgs e)
{
FormsAuthentication.SignOut();
HttpCookie httpCookie = Request.Cookies[System.Web.Security.FormsAuthentication.FormsCookieName];
if (httpCookie != null)
{
httpCookie.Domain = "abcltd.com";
httpCookie.Expires = DateTime.Now.AddDays(-1);
Response.Cookies.Add(httpCookie);
}
}
Configuration in other applications(sales and emp) are follows
<authentication mode="Forms">
<forms loginUrl="http://webgate.abcltd.com/Login.aspx" name="WebGateSecurity" protection="All" path="/" domain="abcltd.com" />
</authentication>
<authorization>
<deny users="?" />
</authorization>
<machineKey validationKey="2C0904BC344116CC6FFD3DD7087C942878C41B7F861555651E69C7B72F9A7DF6BC3B63BFF0F1438DFB863EE3EAC62CBFFECA7482D3758888E7CDACDBBAE136D5" decryptionKey="A60EC9E480CB3BBC48D1D2B7FFF9E945FBA46196AD3029187022ADE8F7B99B25" validation="SHA1" decryption="AES" />
My problem is: sign out is not working. In details if i say: after sign out, i able to access the any pages from webgate,sales and emp application.
Please help me.
That's because you are using a different domain name in web.config:
domain="vrxstudios.com"
and
domain="abcltd.com"
so no single sign on possible. In your sign out method you cannot remove a cookie that belongs on abcltd.com from vrxstudios.com:
if (httpCookie != null)
{
httpCookie.Domain = "abcltd.com"; // this is not possible from vrxstudios.com
httpCookie.Expires = DateTime.Now.AddDays(-1);
Response.Cookies.Add(httpCookie);
}
What you could do is redirect to a sign out page on abcltd.com which will do the job.
I've a quick question and request you all to respond soon.
I've developed a web service with Form based authentication as below.
1.An entry in web.config as below.
<authentication mode="Forms">
<forms loginUrl="Loginpage.aspx" name=".AuthAspx"></forms>
</authentication>
<authorization>
<deny users="?"/>
</authorization>
<authentication mode="Forms">
<forms loginUrl="Loginpage.aspx" name=".AuthAspx"/>
</authentication>
<authorization>
<deny users="?"/>
</authorization>
2.In Login Page user is validate on button click event as follows.
if (txtUserName.Text == "test" && txtPassword.Text == "test")
{
FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(1, // Ticket version
txtUserName.Text,// Username to be associated with this ticket
DateTime.Now, // Date/time ticket was issued
DateTime.Now.AddMinutes(50), // Date and time the cookie will expire
false, // if user has chcked rememebr me then create persistent cookie
"", // store the user data, in this case roles of the user
FormsAuthentication.FormsCookiePath); // Cookie path specified in the web.config file in <Forms> tag if any.
string hashCookies = FormsAuthentication.Encrypt(ticket);
HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName, hashCookies); // Hashed ticket
Response.Cookies.Add(cookie);
string returnUrl = Request.QueryString["ReturnUrl"];
if (returnUrl == null) returnUrl = "~/Default.aspx";
Response.Redirect(returnUrl);
}
3.Webservice has a default webmethod.
[WebMethod]
public string HelloWorld()
{
return "Hello World";
}
4.From a webApplication I am making a call to webservice by creating proxy after adding the webreferance of the above webservice.
localhost.Service1 service = new localhost.Service1();
service.AllowAutoRedirect = false;
NetworkCredential credentials = new NetworkCredential("test", "test");
service.Credentials = credentials;
string hello = service.HelloWorld();
Response.Write(hello);
and here while consuming it in a web application the below exception is thrown from webservice proxy.
<html><head><title>Object moved</title></head><body>
<h2>Object moved to here.</h2>
</body></html>
Could you please share any thoughts to fix it?
You need to set
service.AllowAutoRedirect = true
If you are planning to redirect in your code.
Just tried this and worked: Go to the website where you are hosting the web service in IIS, click on Session State, change the Cookie Setting's Mode to Use Cookies. Done.
You need to set both
service.AllowAutoRedirect = true;
service.CookieContainer = new CookieContainer();