I want to be able to authenticate an NT username/password combination through an ASP.NET site, completely separate from the username that's recognized through Request.ServerVariables("LOGON_USER") and the like. There are accounts that will have the rights to completely override others, but the users will still have to enter the correct password to do so.
I tried using the LogonUser function from advapi32.dll, but that only tries the login for the local machine (which would be the application server). Is there something that will work for checking the network in general?
You could authenticate against Active Directory.
An ASP.NET application can use Forms authentication to permit users to authenticate against Active Directory using the Lightweight Directory Access Protocol (LDAP). After the user is authenticated and redirected, you can use the Application_AuthenticateRequest method of the Global.asax file to store a GenericPrincipal object in the HttpContext.User property that flows throughout the request.
http://msdn.microsoft.com/en-us/library/ms180890
Have you thought of using LDAP and ADAM (Active Directory Application Mode)?
That would allow you to authenticate users in the manner you're seeking. I found a few articles for you:
http://www.c-sharpcorner.com/UploadFile/wojtekpiaseczny/AdamAuthentication10262006124310PM/AdamAuthentication.aspx
http://www.15seconds.com/Issue/060525.htm
http://msdn.microsoft.com/en-us/library/aa302397.aspx
I have an Intranet application with Windows Authentication. Everything works fine. However, for some sensitive operations (it could be approving an AP check, or grading a student) I need to get the user's id and password. The goal is to prevent somebody walking up to an unattended terminal, and generally for non-repudiation. Trivial with forms authentication - but I can't figure out how to do it with Windows authentication.
I don't think it matters, but it's an MVC application and authentication is done against Active Directory
Typically, a server application needs to issue HTTP status code 401 to ask the client for authentication information. However, in the case of Windows authentication, once the user is authenticated, the token is cached by the client system or browser and used subsequently whenever needed. So in your case, even if you issue a 401, the client will send the same token again - so your main problem of abusing an unattended terminal will not get solved (as the user is already logged in there into the system).
One way could be to simulate forms authentication from the application - i.e. on sensitive operations, prompt the user for his/her Windows password again (note that you will already have the user's name (identity) if you are using Windows authentication) and then re-validate that password using the Active Directory API (or the LogonUser Windows API).
Personally, I feel that you are trying to solve the problem at the server, which is the wrong end - I would rather have an IT policy that prohibits unlocked unattended terminals - either the user should lock the workstation or have a password-protected screen saver. Typically, these things can be somewhat enforced via group policy.
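The re-validation step described in the answer above, as an added example that is not part of the original answer (it also covers the first question on this page, which asked how to check a domain password from ASP.NET). It assumes an MVC application running under IIS Windows authentication with a reference to System.DirectoryServices.AccountManagement; the class, action and parameter names are illustrative. The account name is taken from the Windows identity IIS already established, not from the form, so someone at an unattended session cannot confirm the operation with a different account's password.

```csharp
using System;
using System.Diagnostics;
using System.DirectoryServices.AccountManagement;
using System.Security.Principal;
using System.Web.Mvc;

// Added example, not from the original answer. Assumes IIS Windows
// authentication and a reference to System.DirectoryServices.AccountManagement.
public static class StepUpAuth
{
    // Re-validate the password of the account IIS already authenticated.
    public static bool ReconfirmPassword(IIdentity current, string enteredPassword)
    {
        var win = current as WindowsIdentity;
        if (win == null || !win.IsAuthenticated || win.IsAnonymous) return false;
        if (string.IsNullOrEmpty(enteredPassword)) return false;

        // WindowsIdentity.Name is "DOMAIN\sAMAccountName".
        int sep = win.Name.IndexOf('\\');
        if (sep < 0) return false;
        string domain = win.Name.Substring(0, sep);
        string user = win.Name.Substring(sep + 1);

        try
        {
            using (var ctx = new PrincipalContext(ContextType.Domain, domain))
            {
                // Negotiate performs a real Kerberos/NTLM logon, so every wrong
                // password counts toward the domain lockout policy: throttle
                // repeated failures per user before calling this.
                return ctx.ValidateCredentials(user, enteredPassword, ContextOptions.Negotiate);
            }
        }
        catch (PrincipalServerDownException)
        {
            // No domain controller reachable: fail closed.
            return false;
        }
    }
}

public class ApprovalsController : Controller
{
    // Illustrative sensitive action (name assumed): the password is posted with
    // the request and checked before the approval is recorded.
    [HttpPost, ValidateAntiForgeryToken]
    public ActionResult ApproveCheck(int checkId, string password)
    {
        if (!StepUpAuth.ReconfirmPassword(User.Identity, password))
        {
            // 403 rather than 401: a 401 would make the browser replay the
            // cached Windows token, which is exactly what the answer above warns about.
            return new HttpStatusCodeResult(403, "Password re-confirmation failed");
        }

        // The audit record is the non-repudiation evidence the question asks for.
        Trace.TraceInformation("{0} approved check {1} after re-entering their password",
                               User.Identity.Name, checkId);
        return RedirectToAction("Index");
    }
}
```

ValidateCredentials with ContextOptions.Negotiate is the managed equivalent of calling LogonUser with LOGON32_LOGON_NETWORK against the domain; it needs no special privilege on the web server, but because each attempt is a genuine logon, rate-limit the form to avoid turning the approval page into a lockout tool.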
In my webforms app I've got one page set as only allowing Windows Auth and no others, and then to get the username (since they have to have already done the 401 auth procedure via the browser) I get their username like thus:
string username = Request.ServerVariables["LOGON_USER"];
and then I can query the Membership provider to get the user information from the infrastructure.
Or are you trying to manually do the 401 auth process?
how to manually authenticate user in asp.net windows authentication
This will probably turn out to be a doozie.
I'm developing an application in ASP.NET to be put on our company's intranet site. I've been handed a specification in regards to security and have no idea how to do it.
First part: The application is to use Windows Authentication. This part seems easy enough; I opened IIS in Administrative Tools, right-clicked the node of my website, properties and checked 'Integrated Windows Authentication'. However, I have no idea how I will govern which people have access to my site. I'm thinking this should be taken care of at the database level. This is Q#1
Second part -- I have to implement a process for the following scenario: User 'Jane' can log in to our network, but does not have rights to my application. User 'Bob' does have rights to use my application. Bob needs to be able to sit at Jane's computer (under her network account), but be able to enter his credentials into my application and use it (even though Jane is logged into the local machine and network). This is Q#2
Any help, general direction, or advice would be appreciated. The winning lottery numbers would be appreciated even more.
Thanks,
Jason
You're looking for Windows Authentication and Authorization in ASP.NET
How To Use Windows Auth in ASP.NET
Authentication/Authorization Explained
How To Implement Windows Auth in ASP.NET
Part 2...you're right, that's tough. You'll need to roll your own custom security provider.
You'll have a login page, then check that against Active Directory yourself. From MSDN
ASP.NET also supports custom solutions for using Windows authentication, which bypasses IIS authentication. For example, you can write a custom ISAPI filter that checks the user's credentials against Active Directory. With this approach you must manually create a WindowsPrincipal object.
You've got requirements around authentication and authorization here.
Authentication: The act of confirming identity
Authorization: The act of correlating an identity to a privilege (eg Read/Write/Delete)
Windows Authentication is useful if you want "auto-signon" capability. The site will "know" the user by ID without them having to sign in.
The need for users to login from multiple locations means that you must implement a login page. This would fulfill your requirement in which one user may sit at another's workstation and log in.
You will want to authenticate users against the Windows domain. This can be done with a custom membership provider. Here's a walkthrough:
http://msdn.microsoft.com/en-us/library/ms180890(v=vs.80).aspx
This will allow you to present a login page that will authenticate users with their domain username and password. This will authenticate users; the identity of the user will be stored in HttpContext.User. You can then also maintain a user list in a database to store authorization data.
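The login-page approach the answer describes, as an added example (not the code from the linked MSDN walkthrough): the form's credentials are validated against the domain, the user's security groups are carried in the forms ticket, and Application_AuthenticateRequest rebuilds a GenericPrincipal from the ticket so role checks and web.config authorization rules work. It assumes Forms authentication is configured in web.config, a reference to System.DirectoryServices.AccountManagement, and that the application pool identity may read group membership from the domain; "CORP" is a placeholder domain name.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices.AccountManagement;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

// Added example, not from the original answer or the MSDN walkthrough.
public static class DomainLogin
{
    const string Domain = "CORP"; // placeholder: your NetBIOS or DNS domain name

    // Validates the password against the domain and returns the user's security
    // groups (nested groups included), or null when the credentials are rejected.
    // The groups become the ASP.NET roles used for authorization.
    public static string[] Authenticate(string userName, string password)
    {
        if (string.IsNullOrEmpty(userName) || string.IsNullOrEmpty(password)) return null;
        using (var ctx = new PrincipalContext(ContextType.Domain, Domain))
        {
            if (!ctx.ValidateCredentials(userName, password, ContextOptions.Negotiate))
                return null;
            using (var user = UserPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, userName))
            {
                if (user == null || user.Enabled == false) return null;
                var groups = new List<string>();
                foreach (Principal g in user.GetAuthorizationGroups())
                    if (!string.IsNullOrEmpty(g.SamAccountName)) groups.Add(g.SamAccountName);
                return groups.ToArray();
            }
        }
    }

    // Called from the login page's POST handler after Authenticate succeeded.
    // Roles travel in UserData so later requests need no directory round-trip.
    public static void SignIn(HttpCookieCollection responseCookies, string userName, string[] groups)
    {
        var ticket = new FormsAuthenticationTicket(1, userName, DateTime.Now,
            DateTime.Now.AddMinutes(30), false, string.Join("|", groups));
        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
            FormsAuthentication.Encrypt(ticket)) { HttpOnly = true, Secure = true };
        responseCookies.Add(cookie);
    }
}

// Global.asax.cs: rebuild the principal from the ticket on every request so
// User.IsInRole("...") and <authorization> rules see the domain groups.
public class Global : HttpApplication
{
    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        HttpCookie cookie = Request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null) return;

        FormsAuthenticationTicket ticket;
        try { ticket = FormsAuthentication.Decrypt(cookie.Value); }
        catch (Exception) { return; } // tampered or foreign cookie: stay anonymous
        if (ticket == null || ticket.Expired) return;

        string[] roles = ticket.UserData.Split(new[] { '|' }, StringSplitOptions.RemoveEmptyEntries);
        Context.User = new GenericPrincipal(new FormsIdentity(ticket), roles);
    }
}
```

This is what answers Q#2 in the question: Bob sits at Jane's workstation, types his own domain credentials into the login page, and the application runs under a principal built from Bob's groups regardless of who is logged on to Windows. Since the ticket is created by the application rather than by IIS, protect the login page with HTTPS and keep the ticket lifetime short, because the group list is only as fresh as the moment the ticket was issued.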
Also found this -- a pretty good resource for anybody out there who's in the same boat:
Mixing Forms and Windows Security in ASP.NET
http://msdn.microsoft.com/en-us/library/ms972958.aspx
I have an ASP.NET application that uses Forms Authentication.
I need to call the Sharepoint search.asmx web service to retrieve a list of files from the network satisfying the search criteria (there's a good reason for me doing this outside of Sharepoint)
I'm not sure of the security information I need to pass the search.asmx. I've tried:
queryService.ClientCredentials.Windows.ClientCredential = System.Net.CredentialCache.DefaultNetworkCredentials
queryService.ClientCredentials.Windows.AllowedImpersonationLevel = Security.Principal.TokenImpersonationLevel.Impersonation
which works in my development environment as my user has access to the File Shares Sharepoint is accessing. What I can't understand, and can't infer from debugging or event viewers, etc. is what credentials are passed in the above code once I deploy this code on a server.
Will it pass the Windows credentials of the user who opened the IE window prior to using forms authentication? Will it pass the credentials of the account that is running the ASP.NET components, i.e. the account of the AppPool I'm running in, or will it pass something else?
I can't seem to get Sharepoint to return any files and I guess it's because the credentials being passed don't have access to the File Share.
Thanks
Andy
To get this working quickly you can access the SharePoint webservices with your username & password. This isn't the best solution long term obviously.
Set the Credentials property on the SharePoint webservice proxy to your username & password:
spProxy.Credentials = new NetworkCredential("username", "password", "domain");
You'll need to make sure the credentials property is set before you call the webservice.
I'm not a SharePoint expert (I've only used it as a developer), but I believe it only uses Windows authentication to secure the webservices. So forms authentication isn't going to help you out here if you want to access the webservices as the logged in user (unless you're validating the username & password manually with LDAP). ASP.NET Impersonation & Delegation only makes sense if you are using Windows authentication.
As stated by pseudocoder you might want to setup a special account to access SharePoint from the web server.
I'm wanting to secure ELMAH in an internet facing application. The system uses Forms Authentication, but doesn't currently have any non-user accounts (e.g. Admins). The user accounts are set up in an automated fashion.
I don't really want to shoehorn any admin accounts into the system (the current DB schema for the users would be quite inappropriate for storing an admin user in), so I was thinking of corrupting the Forms authentication by checking for an SSL client certificate. If I pick all the right options in IIS, I believe I can ensure that only certificates issued by our internal CA (currently used for non-production sites needing SSL certs) will get passed through to ASP.Net.
I can then use the presence of a Valid ClientCertificate (checking IsPresent and IsValid properties of Request.ClientCertificate) to know that this is a connection from an internal user, and set the Forms Authentication cookie as "Diagnostic" or "Admin" (Or any other special username), and then secure elmah.axd using any of the usual methods suggested for doing it via Forms Authentication.
So my question is - am I overcomplicating things, missing something obvious, opening a massive security hole, etc?
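The certificate check sketched in the question, as an added example (not the poster's code). It assumes IIS is configured to accept client certificates for the site and that InternalRootThumbprint is the SHA-1 thumbprint of the internal CA's root certificate (a placeholder value here). The point a practitioner should not miss: Request.ClientCertificate.IsValid only means the certificate chains to some root the server trusts, so without pinning the issuing CA a certificate from any public CA in the machine store would pass as "internal". The example rebuilds the chain and compares its root, and grants the diagnostic identity for the current request only, so there is no cookie to steal or replay.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Security.Principal;
using System.Web;

// Added example, not from the original post.
public static class ClientCertAdmin
{
    // Placeholder: replace with the thumbprint of the internal CA's root certificate.
    const string InternalRootThumbprint = "0000000000000000000000000000000000000000";

    public static bool IsInternalAdminCert(HttpClientCertificate clientCert)
    {
        if (clientCert == null || !clientCert.IsPresent || !clientCert.IsValid) return false;

        var cert = new X509Certificate2(clientCert.Certificate);
        var chain = new X509Chain();
        chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
        // Require the client-authentication EKU so a server or code-signing
        // certificate from the same CA cannot be presented instead.
        chain.ChainPolicy.ApplicationPolicy.Add(new Oid("1.3.6.1.5.5.7.3.2"));
        if (!chain.Build(cert)) return false;

        // The last element of a successfully built chain is the root.
        X509ChainElement root = chain.ChainElements[chain.ChainElements.Count - 1];
        return string.Equals(root.Certificate.Thumbprint, InternalRootThumbprint,
                             StringComparison.OrdinalIgnoreCase);
    }
}

// Global.asax.cs: only for elmah.axd, replace whatever principal Forms
// authentication produced with a per-request "Diagnostic" identity when a
// pinned internal certificate is present. Everyone else keeps their ordinary
// user principal and is denied by the <authorization> rule on elmah.axd.
public class Global : HttpApplication
{
    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        if (!Request.Path.EndsWith("elmah.axd", StringComparison.OrdinalIgnoreCase)) return;

        if (ClientCertAdmin.IsInternalAdminCert(Request.ClientCertificate))
            Context.User = new GenericPrincipal(new GenericIdentity("Diagnostic"), new[] { "Admin" });
    }
}
```

Lock elmah.axd down with an authorization rule that allows only the "Diagnostic" user (or the "Admin" role) and denies everyone else; because the principal is assigned per request, revoking the certificate at the internal CA is enough to cut off access once revocation checking is online.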
Why don't you just store an admin user account's credentials within Web.Config and lock down the URL using Forms Authentication anyway?
Edit
Ok, if the application is entirely internal anyway, why not secure a subdirectory of your site (e.g. myapplication.domain.com/exceptions/elmah.axd or even just myapplication.domain.com/elmah.axd) using Active Directory and set authorisation through IIS?
We have an SSO solution with ADFS for logging into our web app; we also have a standard setup that uses authentication with our database. I want to set up a solution that allows for both. So now I am trying to figure out, is there any way for ASP.NET to detect if a user is authenticated with Active Directory so I could do this on the fly? If the user is logged in through AD, send through ADFS, else, show the login screen. Any idea?
I also realize that this may not work if they are setup to use forms based authentication only after the ADFS process is started.
Yes... In IIS, enable both integrated authentication, basic, and anonymous. All the real work is done in HttpModules that are registered in the root Web.config (e.g. in the runtime CONFIG folder). The built-in authentication HttpModule will set the user principal once authenticated, if authenticated via integrated credentials. You can add your own to be fired after it. If the IIdentity (e.g. User.Identity) has IsAuthenticated set to false then you know they were not authenticated and can then redirect them. If it is set to true, you can then replace the IPrincipal with one that contains roles that are germane to your application.
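The detection module the answer describes, as an added example that is not part of the answer. It is an IHttpModule hooked to PostAuthenticateRequest, which fires after every AuthenticateRequest handler including the built-in WindowsAuthenticationModule, so by then Context.User already reflects whether IIS accepted integrated credentials. The URLs and the session cookie name are placeholders, and the example assumes the request arrives after IIS has already challenged for and accepted integrated credentials (a browser only sends them in response to a 401), and that both the ADFS flow and the database login set the same application session cookie when they finish.

```csharp
using System;
using System.Security.Principal;
using System.Web;

// Added example, not from the original answer. Register it in web.config under
// <system.webServer><modules> (or <httpModules> in classic mode).
public class MixedAuthRoutingModule : IHttpModule
{
    const string AdfsSignInUrl = "/adfs-signin";   // placeholder: starts the WS-Federation/SAML flow
    const string FormsLoginUrl = "/Account/Login"; // placeholder: database login page
    const string SessionCookie = "AppSession";     // placeholder: set once either flow completes

    public enum Visitor { DomainUser, Unknown }

    public void Init(HttpApplication app)
    {
        // PostAuthenticateRequest runs after all AuthenticateRequest handlers,
        // so the built-in Windows authentication module has already run.
        app.PostAuthenticateRequest += OnPostAuthenticateRequest;
    }

    static void OnPostAuthenticateRequest(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        if (ctx.Request.Cookies[SessionCookie] != null) return; // already signed in to the app
        if (IsLoginPath(ctx.Request.Path)) return;              // avoid redirect loops

        string returnUrl = "?ReturnUrl=" + Uri.EscapeDataString(ctx.Request.RawUrl);
        switch (Classify(ctx.User))
        {
            case Visitor.DomainUser:
                // Integrated credentials were accepted: hand off to ADFS.
                ctx.Response.Redirect(AdfsSignInUrl + returnUrl, true);
                break;
            case Visitor.Unknown:
                // No domain identity: show the database login page.
                ctx.Response.Redirect(FormsLoginUrl + returnUrl, true);
                break;
        }
    }

    // Integrated authentication yields a WindowsIdentity with IsAuthenticated
    // true. Anonymous requests carry an anonymous WindowsIdentity (IsAnonymous)
    // or no identity at all, depending on IIS settings; both count as Unknown.
    public static Visitor Classify(IPrincipal user)
    {
        var win = user == null ? null : user.Identity as WindowsIdentity;
        if (win != null && win.IsAuthenticated && !win.IsAnonymous) return Visitor.DomainUser;
        return Visitor.Unknown;
    }

    static bool IsLoginPath(string path)
    {
        return path.StartsWith(AdfsSignInUrl, StringComparison.OrdinalIgnoreCase)
            || path.StartsWith(FormsLoginUrl, StringComparison.OrdinalIgnoreCase);
    }

    public void Dispose() { }
}
```

Classify is the only decision the module makes; replacing the IPrincipal with one carrying application roles, as the answer goes on to suggest, belongs in whichever flow issues the session cookie, so that a domain user who was merely recognised by IIS does not gain application roles before ADFS has actually signed them in.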