Any user who logs in needs to provide username, password and domain. For that user a windows identity shall be created on the server side. In this scenario what is the best way to handle user's session across the pages using his identity in ASP.Net?
Maybe i don't understand the question here but to me it seems like you could just created a custom membership/profile provider that authenticates to AD. If the the account can not be found then create them. this would allow you to act as normal on the asp.net side of things while still allowing you to interact with AD.
MS Howto:
http://msdn.microsoft.com/en-us/library/ms998360.aspx
sorry if this is not what you are looking for, but this seems right based on the question.
I'm guessing the username, password, domain is authenticated against an Active Directory? If so, you'll be interested in this article: How To: Use Forms Authentication with Active Directory in ASP.NET 2.0
If you are just using session to 'remember someone is logged in' this will handle it all for you.
Use session variable to store user details.
Related
I see in UseWsFederationAuthentication that multiple Claims Providers can be specified.
My question is at Challenge time how do I specify which provider to use?
This is a winforms website.
Thanks for any help.
By default, With single claim provider , ADFS will proceed with available claim provider without prompting the selection page.
If you have more than one claim provider, ADFS will show the claim providers in the home realm page. You can select the right provider based on the user identity.
You will be able to customize the Home Realm Page, please look at the document for more scenario.
I need a good advise and wanted to know whether a solution is feasible or not. Right now one of my customer has a common login application which is based on Forms authentication(ASP.NET) using membership provider. All internal users use their AD credentials to logon and external users use custom username and password. Both are wrapped via Forms authentication. Now the new proposal is to replace this Forms authentication with ADFS. I have gone through various articles over internet and not able to come to a conclusion. Let me list my findings so far with ADFS extension points.
1) It is possible to add a custom attribute to ADFS claims by the approach mentioned in https://blogs.technet.microsoft.com/cloudpfe/2013/12/27/how-to-create-a-custom-attribute-store-for-active-directory-federation-services-3-0/.
2) It is possible to add a second level of authentication( or multifactor authentication) via the approach https://blogs.msdn.microsoft.com/jenfieldmsft/2014/03/24/build-your-own-external-authentication-provider-for-ad-fs-in-windows-server-2012-r2-walk-through-part-1/. Here I understand that after first level authentication done by AD then only our external provider will come into picture.
So I have a general question that is it really possible to achieve what I am looking for with ADFS. Please let me know.
This is based on where the user accounts are stored. If both internal and external users are in AD, you can just redirect to ADFS.
If internal is in AD and external is in an untrusted or other LDAP source, using ADFS 2016 you can link to both these account stores and still offload authentication to ADFS.
If external is in SQL, you can either use a virtual directory in front to project it as an LDAP store (previous option) or use IdentityServer.
If externs is something else, you'd need IdentityServer.
Thanks //Sam (#MrADFS)
Yes - you can add a custom attribute store.
Yes - you can add a custom authenticator.
A better way might be to use thinktecture's IdentityServer 3.0 for the ASP.NET Identity part and then federate IdentityServer and ADFS.
I have a .NET Web API with a bunch of end points/methods that an Angular App calls. I want to now implement the login system against our active directory, and wondering what my options are.
Back in the days, it was simple: windows or forms authentication, and then just some simple configuration in the web.config, and may be a custom provider. But now it seems like there are a lot more options with OWIN, OAuth, token based authentication, etc.
Where do I start? I have a form with username, password, and a login button on the Angular app, and I have the active directory in the backend. What should happen after the user hits the login button? Any direction would help.
Thanks.
Well, it depends on what you actually need.
If you want to authenticate only AD users then you can try authenticate in AD on their behalf and in case of success you return either token or authentication cookie.
But I don't think it is a good idea to make users use their domain password unless you have two factor authentication.
It's better to extend AD schema with additional data for authentication through your service or even to have standalone auth server with associated domain user info. Look how it is done in SQL server (but in reverse direction): you need to define internal user corresponding to domain login. This approach allows you to have users that do not belong to AD, sometimes this can be important for outsourcing some tasks.
Look at IdentityServer
We are trying to create some .Net applications that will run in the same domain.
eg: www.myintrasite.net/myapplication
We need to create a SSO system, we read some articles but what we see is cookie driven solutions.
The problem is that we need to share the session only in Login context.
If we manage the cookies to share the same session, all applications will share the same session keys, but we need to share only one session key, like "id_person".
A simple example is two applications that have a session key named "order_id", with a shared session, the application A will override the session key of application B, that can cause some weird behavious.
There is any solution for a "session context" or something else?
Thanks in advance.
The best solution is going to be found here. It shows you how to set it up properly.
The way I have done it, is set up a "Central Login" that handles all logging in. Then I have multiple applications that are shown once the user is authenticated. I have App 1, App 2 and then App 3. If a user only has access to App 2 then he only sees that app. You will need to place what is mentioned in the link in all of your applications. On my login button click, I placed
FormsAuthentication.SetAuthCookie(User.Identity.Name.ToString(),
false);
This will set the authorization cookie that be used to verify that the user is logged in and can view your other apps. Here is another link will help you as well.
Mine was a bit more complicated than this since I was using Active Directory and Forms Authentication. Hope this helps you get started.
This will probably turn out to be a doozie.
I'm developing an application in ASP.NET to be put on our company's intranet site. I've been handed a specification in regards to security and have no idea how to do it.
First part: The application is to use Windows Authentication. This part seems easy enough; I opened IIS in Administrative Tools, right clicked the node of my website, properties and checked 'Integrate Windows Authentication'. However, I have no idea how I will govern which people have access to my site. I'm thinking this should be taken care of at the database level. This is Q#1
Second part -- I have to implement a process for the following scenario: User 'Jane' can log in to our network, but does not have rights to my application. User 'Bob' does have rights to use my application. Bob needs to be able to sit at Jane's computer (under her network account), but be able to enter his credentials into my application and use it (even though Jane is logged into the local machine and network). This is Q#2
Any help, general direction, or advice would be appreciated. The winning lottery numbers would be appreciated even more.
Thanks,
Jason
You're looking for Windows Authentication and Authorization in ASP.NET
How To Use Windows Auth in ASP.NET
Authentication/Authorization Explained
How To Implement Windows Auth in ASP.NET
Part 2...you're right, that's tough. You'll need to roll your own custom security provider.
You'll have a login page, then check that against Active Directory yourself. From MSDN
ASP.NET also supports custom solutions
for using Windows authentication,
which bypasses IIS authentication. For
example, you can write a custom ISAPI
filter that checks the user's
credentials against Active Directory.
With this approach you must manually
create a WindowsPrincipal object.
You've got requirements around authentication and authorization here.
Authentication: The act of confirming identity
Authorization: The act of correlating an identity to a privilege (eg Read/Write/Delete)
Windows Authentication is useful if you want "auto-signon" capability. The site will "know" the user by ID without them having to sign in.
The need for users to login from multiple locations means that you must implement a login page. This would fulfill your requirement in which one user may sit at another's workstation and log in.
You will want to authenticate users against the Windows domain. This can be done with a custom membership provider. Here's a walkthrough:
http://msdn.microsoft.com/en-us/library/ms180890(v=vs.80).aspx
This will allow you to present a login page that will authenticate users with their domain username and password. This will authenticate users- the identity of the user will be stored in the HttpContext.User. You can then also maintain a user list in a database to store authorization data.
Also found this -- a pretty good resource for anybody out there who's in the same boat:
Mixing Forms and Windows Security in ASP.NET
http://msdn.microsoft.com/en-us/library/ms972958.aspx