All our inhouse projects use Active Directory authentication and impersonation as this is the accepted security policy for the company.
I currently have a scenario where I need to store user profile information, and I would like to use the built-in Profile Providers which is standard in ASP.Net. I've previously used this happily with Forms Authentication, however I can't find any helpful information on how to implement this when using Windows Authentication.
Is there any way I can get just the Profile Provider working with Windows Authentication out of the box?
Will I be forced to create a custom profile provider?
The data will be stored in the database, not in Active Directory. However if the latter is possible some guidance would be appreciated.
Notes
I don't need to use the Role provider, this is handled by AD.
I am not sure if I need to implemented the AD Membership provider to get the Profile Provider to work.
you can just use the standard SqlProfileProvider. As username, use the Context.User.Identity.Name property. ASP.NET will create a user entry in it's standard tables himself to keep track of it. The role provider also works in combination with windows authentication. See this link for more information: http://weblogs.asp.net/scottgu/pages/Recipe_3A00_-Implementing-Role_2D00_Based-Security-with-ASP.NET-2.0-using-Windows-Authentication-and-SQL-Server.aspx
if you enable and configure the profile provider in the web.config, you can use it like this:
ProfileBase profile = ProfileBase.Create(Context.User.Identity.Name, true);
profile.SetPropertyValue("MyProfileProperty", propertyValue);
profile.Save();
Good luck!
Related
I see in UseWsFederationAuthentication that multiple Claims Providers can be specified.
My question is at Challenge time how do I specify which provider to use?
This is a winforms website.
Thanks for any help.
By default, With single claim provider , ADFS will proceed with available claim provider without prompting the selection page.
If you have more than one claim provider, ADFS will show the claim providers in the home realm page. You can select the right provider based on the user identity.
You will be able to customize the Home Realm Page, please look at the document for more scenario.
As the question states I would like to check what type of user is logged in by using data annotation
[Authorize(Roles="Admin")]
I have seen multiple questions and tutorial but none of them explain it clearly or use older mvc.
Is there a simple way to achieve that without using the stock authentication system provided with individual account authorization?
I simply do have a table for users with usernames passwords etc.
You have to deal with two things Authentication and Authorization.
Authentication
You can authenticate users using Owin forms Authentication or the old fashioned Forms Authentication if you prefer.
Authorization
For authorization you can create a custom Role Provider if you want to use Roles (as your did in your sample code) or you can use Claims Authorization.
This article is from 2013 but I successfully followed it to implement a custom role provider in my MVC5 application.
I am designing ASP.NET website for Intranet users. At the end of Phase-I this will be available to Intranet users.
But after Phase-II, the same site needs to be opened to certain users that are outside this office.
Can I can use ASP.NET Membership provider?
Any other design recommendations?
I appreciate your input.
This is what I would do.
I would use ASP.net MembershipProvider and use SQL server to store it.
Create roles (internal user and external user)
I would use high encryption for passwords for all users
user roles to limit the information external users can see
Yes, you can use the ASP.Net membership provider to allow external users to register and login to the site. Using this would ensure that the passwords are hashed with a salt and encrypted, thus making the user data more secure. The ASP.Net membership provider has a huge API set which might be confusing for developers, among other things. There is a simplified membership provider which is available in the WebMatrix suite called SimpleMembershipProvider, which is available in the WebMatrix.WebData namespace. This gives just enough API needed to create, manage, authenticate and authorize external users.
It depends on what you mean by "outside this office". You can use the ASP.NET membership classes with any sort of provider that may suite your needs. Do you mean by intranet users, that you want the users to be able to sign in to your web site with their windows domain account?
Generally you can use the SqlMembershipProvider to authenticate users against a SQL Server dabase with a given set of tables using the ASP.NET login controls. If you want to use the login controls and but want users to be able to login using their windows account you can use the ActiveDirectoryMembershipProvider. If none of the above is suitable for you, there's always the option to implement a custom provider.
I am going to setup a custom role provider, but I don't have a very good idea of how it works behind the scenes.
[Questions]
What is the difference between setting roles in a form authentication ticket and using a custom role provider? Which is better to use?
If I create a custom role provider can I user role names in the web.config to allow / block users?
Thx!
1- Not sure that there is a "better" choice, that has to do with the requirements of the project. I created a role provider based on Windows Authentication rather than Forms Authentication for an internal project because I didn't want to create a bunch of AD groups and I wanted Windows Auth to allow users into the site. As far as what does it do, it interacts with authenticated users to define who is allowed in what areas of the site.
2- Yes.
some additional info
I have an existing production application that uses vanilla ASP.Net Membership for authentication.
However, I'd like to provide other means of authentication as well as the current ASP.net membership system, such as Facebook.
The Windows Azure Access Control Service makes this extremely easy and straight forward. Provided, that is, you're starting a new web application from scratch.
So, in this case, how do I
Integrate the Access Control Service authentication into my app without affecting the current login system and its users?
Migrate users over or Link logins? ( not sure if this is even possible)
Thanks all
Roberto
You need to create a custom identity provider based on your membership database. See this article on custom WS-Federation Identity Providers that can be integrated to access control: http://msdn.microsoft.com/en-us/library/windowsazure/gg185933.aspx
Also see this article on one that was written on top of the membership database: http://blogs.msdn.com/b/vbertocci/archive/2009/04/23/enhance-your-asp-net-membership-based-website-by-adding-identity-provider-capabilities.aspx
Approach of creating an identity provider (IP) based on your ASP.NET membership database which Paul Tyng suggested is valid.
However, it means that if you just create an IP you'll allow log in to all people who are authorised with other IPs (e.g. Google or Facebook). I'm guessing it's not what you want - you'd still want people to first register (either plainly with username-password or with their external identity). If that's the case then your task is the following:
Add a data store for users' external identities which is related to your existing Users table.
Modify the ACS login handling within your application to check that the identity returned from ACS actually exists in your members database.
Perform member log in (instead of federated log in) if you found the returned identity in your db.
Add external identity tie in during the registration process so your Identities table can be actually populated.
(optional) Re-use the bulk of the #4 mechanism to provide an ability to attach external identity to existing user accounts (i.e. I already have a normal membership with you and now want to add an ability to log in with Google as well, for example).
There is no one single tutorial/walk-through to achieve this (or I have not found one) so I had to pull bits from a variety of sources to make it work. Please let me know in the comment if I understood your requirement correctly and I'll add a guide on how to set this up. Cheers!
Might be a bit late, but check out the following blog posts by fellow Windows Azure MVP - Dominik Bayer:
Mixing Forms and Token Authentication in a single ASP.NET Application
Mixing Forms and Token Authentication in a single ASP.NET Application (the Details)
Replacing ASP.NET Forms Authentication with WIF Session Authentication (for the better)
Invaluable readings which will help you in any way!