Narrowing Integrated Windows Authentication to a subset of users for an intranet ASP.Net application - asp.net

Scenario: An intranet ASP.Net application using Integrated Windows Authentication and a SqlRoleProvider for authorization. The application is used by a small subset of users within the domain.
If there are only a few users within the domain that should be able to access the application, can IWA be narrowed to allow authentication for that subset of users only, say via a domain group? Is this possible or even logical? This would certainly be the case if you predefined user accounts and used forms authentication. I understand that you can manage authorization within the application but wonder if the above is possible to add some security in depth. Appreciate your thoughts.

With anonymous access disabled, you can set the NTFS permissions on the web application directory to let only specific users in.

IWA will authenticate all valid users. But you can do the following,
allocate the subset of users into a group, and use a role provider for them. Then you can allow only this group to use the application.
Or use forms authentication instead and write your own membership provider to authenticate users. Then you have all the controls and can block unwanted users.

You can also try some of the more traditional authorization techniques I outlined here:
Is it possible to restrict windows authenticated users in an ASPNet app to specific domains?
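
Added example (not part of the original answers): one way to gate an IWA application on a domain group as defence in depth while application roles still come from SqlRoleProvider. With the role manager enabled, role checks on the request principal go to the configured role provider, so this sketch tests the caller's Windows token directly. The group name CONTOSO\IntranetAppUsers is a placeholder.

```csharp
// Global.asax.cs: added example, not code from the original page.
using System;
using System.Security.Principal;
using System.Web;

public class Global : HttpApplication
{
    // Placeholder: the domain group allowed to reach the application at all.
    private const string AllowedGroup = @"CONTOSO\IntranetAppUsers";

    // Runs after IIS has authenticated the caller with Integrated Windows
    // Authentication, for every request handled by ASP.NET.
    protected void Application_AuthorizeRequest(object sender, EventArgs e)
    {
        // Even when the role manager wraps the user in a RolePrincipal,
        // Identity is still the WindowsIdentity produced by IIS.
        WindowsIdentity identity =
            Context.User == null ? null : Context.User.Identity as WindowsIdentity;

        // Check group membership against the Windows token itself, so the
        // result does not depend on what is stored in the SQL role tables.
        bool allowed = identity != null
            && identity.IsAuthenticated
            && !identity.IsAnonymous
            && new WindowsPrincipal(identity).IsInRole(AllowedGroup);

        if (!allowed)
        {
            // 403 rather than 401: the caller is already authenticated,
            // so a new credential prompt would not help.
            Response.StatusCode = 403;
            Response.SuppressContent = true;
            CompleteRequest();
        }
    }
}
```

Requests that pass this gate are still subject to the application's own role-based authorization.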

Related

Log in to website using Active Directory with a two-way trust

We have an ASP.NET website set up using Active Directory as the Membership Provider. The site uses the Forms authentication mode and the .NET Login control. We recently merged with another company and now they also need access to the site, but they are of course on a different domain. Our IT people have set up the two Active Directories in a two-way trust.
I can log on to their domain using a test account from our network. But when I use the same DOMAIN\username + password combo on my website it does not work.
How can I make our site able to see users on the second domain? Is this not possible using the Login control? Or is there something else I'm missing?
I don't think it's possible to authenticate against a remote AD domain, via a trust with the built-in provider. You could set up a second provider which is configured to point at the other domain, and then add additional logic to your Login control to pick the right provider to authenticate against. I use a similar approach to support "pass-through" authentication of domain users while also supporting non-domain users with standard forms authentication.

ASP.NET Intranet and Internet website

I am designing ASP.NET website for Intranet users. At the end of Phase-I this will be available to Intranet users.
But after Phase-II, the same site needs to be opened to certain users that are outside this office.
Can I use ASP.NET Membership provider?
Any other design recommendations?
I appreciate your input.
This is what I would do.
I would use ASP.net MembershipProvider and use SQL server to store it.
Create roles (internal user and external user)
I would use high encryption for passwords for all users
Use roles to limit the information external users can see
Yes, you can use the ASP.Net membership provider to allow external users to register and login to the site. Using this would ensure that the passwords are hashed with a salt and encrypted, thus making the user data more secure. The ASP.Net membership provider has a huge API set which might be confusing for developers, among other things. There is a simplified membership provider which is available in the WebMatrix suite called SimpleMembershipProvider, which is available in the WebMatrix.WebData namespace. This gives just enough API needed to create, manage, authenticate and authorize external users.
It depends on what you mean by "outside this office". You can use the ASP.NET membership classes with any sort of provider that may suit your needs. Do you mean by intranet users, that you want the users to be able to sign in to your web site with their windows domain account?
Generally you can use the SqlMembershipProvider to authenticate users against a SQL Server database with a given set of tables using the ASP.NET login controls. If you want to use the login controls but want users to be able to log in using their windows account you can use the ActiveDirectoryMembershipProvider. If none of the above is suitable for you, there's always the option to implement a custom provider.

How does Custom Role Provider work?

I am going to setup a custom role provider, but I don't have a very good idea of how it works behind the scenes.
[Questions]
What is the difference between setting roles in a form authentication ticket and using a custom role provider? Which is better to use?
If I create a custom role provider can I use role names in the web.config to allow / block users?
Thx!
1- Not sure that there is a "better" choice, that has to do with the requirements of the project. I created a role provider based on Windows Authentication rather than Forms Authentication for an internal project because I didn't want to create a bunch of AD groups and I wanted Windows Auth to allow users into the site. As far as what does it do, it interacts with authenticated users to define who is allowed in what areas of the site.
2- Yes.
some additional info

ASP.NET / IIS Security (Windows Authentication)

This will probably turn out to be a doozie.
I'm developing an application in ASP.NET to be put on our company's intranet site. I've been handed a specification in regards to security and have no idea how to do it.
First part: The application is to use Windows Authentication. This part seems easy enough; I opened IIS in Administrative Tools, right clicked the node of my website, properties and checked 'Integrate Windows Authentication'. However, I have no idea how I will govern which people have access to my site. I'm thinking this should be taken care of at the database level. This is Q#1
Second part -- I have to implement a process for the following scenario: User 'Jane' can log in to our network, but does not have rights to my application. User 'Bob' does have rights to use my application. Bob needs to be able to sit at Jane's computer (under her network account), but be able to enter his credentials into my application and use it (even though Jane is logged into the local machine and network). This is Q#2
Any help, general direction, or advice would be appreciated. The winning lottery numbers would be appreciated even more.
Thanks,
Jason
You're looking for Windows Authentication and Authorization in ASP.NET
How To Use Windows Auth in ASP.NET
Authentication/Authorization Explained
How To Implement Windows Auth in ASP.NET
Part 2...you're right, that's tough. You'll need to roll your own custom security provider.
You'll have a login page, then check that against Active Directory yourself. From MSDN:
"ASP.NET also supports custom solutions for using Windows authentication, which bypasses IIS authentication. For example, you can write a custom ISAPI filter that checks the user's credentials against Active Directory. With this approach you must manually create a WindowsPrincipal object."
You've got requirements around authentication and authorization here.
Authentication: The act of confirming identity
Authorization: The act of correlating an identity to a privilege (eg Read/Write/Delete)
Windows Authentication is useful if you want "auto-signon" capability. The site will "know" the user by ID without them having to sign in.
The need for users to login from multiple locations means that you must implement a login page. This would fulfill your requirement in which one user may sit at another's workstation and log in.
You will want to authenticate users against the Windows domain. This can be done with a custom membership provider. Here's a walkthrough:
http://msdn.microsoft.com/en-us/library/ms180890(v=vs.80).aspx
This will allow you to present a login page that will authenticate users with their domain username and password. This will authenticate users; the identity of the user will be stored in the HttpContext.User. You can then also maintain a user list in a database to store authorization data.
Also found this -- a pretty good resource for anybody out there who's in the same boat:
Mixing Forms and Windows Security in ASP.NET
http://msdn.microsoft.com/en-us/library/ms972958.aspx
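
Added example (not from the original answers or the linked articles): a login-page helper for the "Bob at Jane's workstation" case, which validates the typed credentials against the domain and only then issues the forms-authentication cookie. It assumes forms authentication is enabled for the site, that the user types a bare account name, and that access is granted through an AD group rather than the database user list mentioned above; the domain, group and class names are placeholders.

```csharp
// Added example, not code from the original page.
using System.DirectoryServices.AccountManagement;
using System.Web.Security;

public static class DomainLogin
{
    private const string Domain = "CONTOSO";                 // placeholder
    private const string AllowedGroup = "IntranetAppUsers";  // placeholder

    // Returns true, and issues the forms-auth cookie, only when the typed
    // credentials are valid in the domain AND the account is in the group.
    // The workstation's logged-on account (Jane) plays no part in the check.
    public static bool TrySignIn(string userName, string password)
    {
        // Reject blank input before it reaches the directory.
        if (string.IsNullOrWhiteSpace(userName) || string.IsNullOrEmpty(password))
            return false;

        using (var ctx = new PrincipalContext(ContextType.Domain, Domain))
        {
            // Authentication: are these credentials valid for the domain?
            if (!ctx.ValidateCredentials(userName, password))
                return false;

            // Authorization: is this account allowed to use the application?
            using (var user = UserPrincipal.FindByIdentity(
                       ctx, IdentityType.SamAccountName, userName))
            using (var group = GroupPrincipal.FindByIdentity(
                       ctx, IdentityType.SamAccountName, AllowedGroup))
            {
                if (user == null || group == null || !user.IsMemberOf(group))
                    return false;

                // Session cookie only; the identity then appears in
                // HttpContext.User on subsequent requests.
                FormsAuthentication.SetAuthCookie(user.SamAccountName, false);
                return true;
            }
        }
    }
}
```

Return the same generic failure message for a bad password and for a valid account outside the group, so the login page does not reveal which accounts exist.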

Signon types for a .net web application

Other than forms authentication, what are other common forms of authentication that an application should ideally support?
Is it just active directory or is LDAP a must also?
Generally, you only need to support one kind of authentication.
With forms authentication, you have to provide a database table containing user names and passwords. And you should provide the ability for users to change their passwords, etc. This is all made easier with the Membership provider.
If you have the option of using Active Directory or another LDAP, that removes the burden from you of establishing logins and maintaining them. If that choice is available to you, I'd recommend using it.
Likely you only want to support one form of authentication. Here are a couple other than Forms authentication that you can use.
Windows Authentication: http://msdn.microsoft.com/en-us/library/ms998358.aspx
OpenId: http://www.eggheadcafe.com/tutorials/aspnet/4b3c7c9b-fe80-4e6e-a34e-0e9efed5c575/integrate-openid-authenti.aspx
