Inside my ASP.NET application, I would like to add an iframe where I can display the emails from our exchange server for the logged in user. The web application uses forms authentication with custom authentication (passwords are hashed and stored in db).
Is there a way to show OWA within my web app without prompting the user for password (OWA uses windows authentication)? Can I use impersonation in some fashion or establish a trust between my IIS server and the server running OWA?
Has anyone tried this before?
If you are using an iframe for that, then it is a separate process in terms of authentication. Requests from the iframe are sent to OWA server just as you had opened the page in full screen.
However, it is possible to configure your Exchange server to allow windows authentication, see here: http://support.microsoft.com/kb/300656
This way you will authenticate with windows forms authentication to your web application and with windows auth to the OWA server.
I think you would have to have the Windows authentication be the authentication source for the website - or at least map accounts in the website to accounts in OWA
DNN does something a little like this with its Active Directory security provider. Might look at the source of that for some ideas - http://dnnauthad.codeplex.com/
Related
My company just finish set up a reporting services server 2017.
The service run under a domain name.
At the same server, an IIS has been setup to run a web application in ASP.NET which will server the report from a report viewer. The IIS is currently running with default App Pool.
GOAL : We want client to be able to access the report from the web application without having to fill in the username and password from anywhere be it on intranet or internet.
Before this, we have ssrs 2008 with similar setup but for authentication we go with anonymous authentication, which is what we want, they can view report from anywhere.
But from microsoft site, they stated that authentication isn't supported anymore in the latest version, and we have tried doing it which results in error 401: Unauthorized.
Currently, I'm trying to do a kerberos authentication,
Things that I have done :
SPN for reporting services account.
Delegation for reporting services account.
Web application web.config I've added authentication mode="Windows" identity impersonate="true"
On IIS, I've enabled windows authentication and impersonate.
But when I try to request a report from the web application, I still got the prompt for username and password, when I fill in my domain and password, I still got the same error 401: Unauthorized.
Am I doing something wrong? Is Kerberos really suitable for my GOAL?
Thanks in advance.
EDIT : Sorry, If I am posting in the wrong section. I don't know where is the correct section for this question.
When you are planning to deploy the reporting service on the internet its batter to use the custom authentication instead of the windows authentication. Creating a custom authentication extension requires custom code and expertise in ASP.NET security.
If you do not want to code a custom authentication extension, you can use Microsoft Active Directory groups and accounts, but you should greatly reduce the scope of a report server deployment. The following guidelines describe how to support this scenario:
Create a low-privileged domain user account with read-only permissions. The account must have access to the computer hosting the report server. Provide a custom Web form so that users can log on using the low-privileged domain account.
Create role assignments that map the user account to specific items in the report server folder hierarchy. You can limit access to read-only operations by choosing as the role assignment the Browser predefined role.
Configure reports to use stored credentials to get data for the report. This approach is useful if you want to query the external data source using an account that is different from the account that allows access to the report server.
you could refer to the below links for more detail:
https://learn.microsoft.com/en-us/previous-versions/sql/sql-server-2005/bb283249(v=sql.90)?redirectedfrom=MSDN#configuring-authentication-for-extranet-and-internet-access
https://learn.microsoft.com/en-us/sql/reporting-services/security/authentication-with-the-report-server?view=sql-server-ver15
https://forums.asp.net/t/2095478.aspx?401+Unauthorized+SSRS+authentication+from+NET+IIS
https://forums.asp.net/t/1273411.aspx?Setting+up+Reporting+Services+with+IIS+Access+Denied+Error
Is it possible for the browser to know the currently logged in AD user without explicitly logging in? I want the code in the server to execute with the same permissions as the user in the browser. Is that possible or do I have to require the user to explicitly log on?
Context: ASP.NET, mostly IE 7, IIS 7.
Thanks.
If you...
use Integrated Windows Authentication in IIS
in web.config where relevant
and your users and IIS server are on the same domain
...then it is possible to pass credentials through the browser. IE (being Microsoft's creation) can do this without prompting, other browsers may still insist on users inputting their credentials at the start of a new session.
OK there are a couple parts to this question so I'll take them one at a time:
First, you would like to authenticate "without explicitly logging in". This is definitely possible with Internet Explorer using Windows Integrated authentication. Please see this article (Internet Explorer May Prompt You for a Password) for more details on requirements for your environment. You will want to enable this with ASP.NET Windows Authentication mode.
Second, you want server side code to run as the client's locally logged in user. This is called Identity Impersonation, and you should read this MSDN article to show how to configure it: Using IIS Authentication with ASP.NET Impersonation
Also See: MSDN Windows Authentication Provider
I have ELMAH setup on an ASP.NET site and I would like to use the elmah-loganalyzer on it remotely, while still keeping ELMAH secure from prying eyes. Basically, I want to be able to search the logs from home in an emergency without busting out the work-laptop and using the super-slow VPN.
I know I can secure ELMAH using forms authentication and/or IP addresses via the web.config as addressed elsewhere. The problem is that the elmah-loganalyzer can't login with forms authentication (that I know of) and I would want to check it from a dynamic IP address, so those options are out. The elmah-loganalyzer can login as a Windows user, but the website is not using that form of authentication.
Does anyone know of another way to secure ELMAH that the loganalyzer can use, or a way to secure just this one section of the site with Windows Authentication?
Just use it to connect directly to the database. Forms and Windows auth are used for protecting the web-based handler but the log analyser can connect directly to the DB (obviously with the appropriate credentials).
We have an ASP.NET web application that we offer as a Service (it's hosted and it's accessible on the Web). We use Forms Authentication and our users have to enter a username/password to connect to our application. Some of our customers ask that we support single sign-on by authenticating users with their own Active Directory.
Our application has a different URL for each customer
www.ourapp.com/client1/
www.ourapp.com/client2/
www.ourapp.com/client3/
and each URL has its own web.config file (where asp.net settings can be specified and can vary for each customer).
What do I have to change in my ASP.NET application to support that?
What do I have to change on my Windows server configuration?
What will the customer have to do on his side to enable that?
Regards,
Check How To: Use Forms Authentication with Active Directory in ASP.NET 2.0 In short, you configure an ActiveDirectoryMembershipProvider to verify each username/password with the customer's AD. The customer must create an AD account for you that is allowed to perform the verification - which may be a problem with some customers. What's more, your code will handle the actual username/password used by users in their internal network, which can be an even bigger problem with customers.
A more secure solution is to use federation (using ADFS) or Claims Authentication using Windows Identity Foundation. In this case you "only" have to set trust relations between your domain and theirs.
I have a website with a large user base configured with asp.net 2.0 forms authentication. Before the user logs in via forms authentication is it possible to retrieve the windows login name/user account name on the machine they are using?
Many thanks
It certainly is possible--by adding another web application to your system. Here's roughly how I have done it:
Your primary web app uses Forms authentication. On the forms login page, any user that is determined to be on the local LAN (check IP address), redirect them to another app that uses Windows authentication. In this second app, you can determine the user (assuming the browser is configured to send credentials automatically to the zone in which your app resides), then set a cookie which your first app can read, and redirect the user back to the original app.
This does work.
This would only be possible if you were using Windows Authentication in your web application and then only if the user had logged in.
The kind of information you are after is not sent as part of the web request (quite rightly) and is therefore unknown to the web server.
Unfortunately no - if the user has not logged on, they are browsing anonymously, and are therefore unknown to the server. There is no way to identify them.
Once they're logged on, if you're using impersonation use WindowsIdentity.GetCurrent().Name. However, for forms authentication there's no direct way to ask the browser for their Windows credentials as they may not even be running Windows!
Not BEFORE no (not from the server).
Depending on the type of Auth you use, though, and the way the site is configured, you CAN get them to log in with their windows details.
See Mixing Forms and Windows Security in ASP.NET on Microsoft's MSDN.
The main difference with #TheObjectGuy answer is that instead of using 2 websites, this does all in a single website by configuring IIS to use the Integrated Windows authentication just in a "single" page (WinLogin.aspx).