We are doing the analysis phase of a call centre system. To get round a potential tricky authentication problem, we might need to read the LAN ID of the agent and use that as their user id in the system.
Is it possible to read the LAN ID from ASP.NET, or even from JavaScript?
If you switch on Integrated Windows authentication for the website (and switch off anonymous access) then the user will be authenticated by their domain account whenever they access the website. You can retrieve their username in code using
Page.User.Identity.Name
I have done this successfully in several intranet applications in the past.
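As an added example (not code from the answer above), here is a Web Forms code-behind that reads the domain account IIS authenticated and turns it into the agent id the question is after. It assumes the site runs with Integrated Windows Authentication on and anonymous access off; the page class, the `AgentLabel` control and the trusted-domain list are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Principal;
using System.Web;
using System.Web.UI;

// Added example, not the answer's code. Assumes in web.config:
//   <authentication mode="Windows" />
//   <authorization><deny users="?" /></authorization>
// so IIS has already authenticated the caller against the domain.
public partial class AgentHome : Page
{
    // Domains whose accounts may be mapped to agent ids (constructed value).
    static readonly HashSet<string> TrustedDomains =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "CORP" };

    protected void Page_Load(object sender, EventArgs e)
    {
        string agentId;
        if (!TryGetAgentId(User.Identity, out agentId))
        {
            // With anonymous access disabled this means the site is misconfigured
            // (or the account is from a domain we do not trust); refuse rather
            // than fall back to a guessed id.
            Response.StatusCode = 403;
            Response.End();
            return;
        }

        // agentId is now the SAM account name, e.g. "jsmith" for CORP\jsmith.
        AgentLabel.Text = HttpUtility.HtmlEncode(agentId);  // AgentLabel: assumed control
    }

    // Splits the DOMAIN\user name IIS supplies and checks the domain is one we trust.
    internal static bool TryGetAgentId(IIdentity identity, out string agentId)
    {
        agentId = null;
        if (identity == null || !identity.IsAuthenticated || string.IsNullOrEmpty(identity.Name))
            return false;

        int slash = identity.Name.IndexOf('\\');
        if (slash < 0)
            return false;  // not DOMAIN\user (e.g. a UPN); extend here if you need those

        string domain = identity.Name.Substring(0, slash);
        string user = identity.Name.Substring(slash + 1);
        if (user.Length == 0 || !TrustedDomains.Contains(domain))
            return false;

        agentId = user;
        return true;
    }
}
```

The domain check matters because `User.Identity.Name` is whatever account the client authenticated as; if the server trusts more than one domain, two accounts with the same user name in different domains would otherwise collapse into one agent id.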
I'm not sure what a LAN ID is exactly. I'll just assume you mean a MAC address?
If so, I don't believe it's possible to obtain that via ASP.NET without an ActiveX control or something being installed on the client side.
And of course, MAC addresses can be changed (new network card, etc.) and be spoofed, so that may or may not be potentially problematic in your situation.
You can get the caller's LAN IP from the Request: http://msdn.microsoft.com/en-us/library/system.web.httprequest.userhostaddress.aspx
Related
I'm currently in the process of exposing our internal CRM system to the web so our employees can use it outside our network. The data is being surfaced to our web application via ASP.NET Web API.
We have SSL set up on the website, but I am thinking about how else I can make sure the Web API is secure from malicious use. My ideas are:
Tracking what IP addresses are accessing the Web API and only allowing addresses that we have validated are from employees. The problem with this is that, with dynamic IP addresses, we might be constantly updating a data store of valid IP addresses.
The user has to log in to the system, so every request to the Web API will send across their login details, which will be validated before the Web API processes any request.
Pass the device ID of the device using the Web API and validate it (pretty much the same as the IP address tracking in idea 1).
Having a unique client-side generated access token which must match up at the server side.
Has anybody got any advice on the security ideas I outlined? Is it too little or is it overkill?
Just want to make sure the data cannot be hacked, because my butt would be on the line if it did.
Thanks in advance
I would actually choose a totally different solution - updating valid dynamic IPs will be hell.
I would:
Create a new Project using the "Intranet Application" instead of using "Internet Application"
Host the application on your local office network
Set up VPN to your Office for your colleagues
Would this solution be possible for you?
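If the VPN route is not an option and you go with idea 2 from the question (every request carries the user's login and is validated before it is processed), the following is an added example, not code from this thread or from the project, of a Web API message handler that does exactly that: it refuses anything not arriving over HTTPS and then validates HTTP Basic credentials on every request. The validator delegate, the realm name and the registration location are assumptions.

```csharp
using System;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Security.Principal;
using System.Text;
using System.Threading;
using System.Threading.Tasks;
using System.Web.Http;

// Added example, not the thread's code. Every request must be HTTPS and carry
// valid Basic credentials; the check that decides whether a login is valid is
// injected (e.g. Membership.ValidateUser) and is an assumption here.
public sealed class BasicAuthOverHttpsHandler : DelegatingHandler
{
    const string Realm = "crm";  // assumed realm name
    readonly Func<string, string, bool> _validate;

    public BasicAuthOverHttpsHandler(Func<string, string, bool> validate)
    {
        if (validate == null) throw new ArgumentNullException("validate");
        _validate = validate;
    }

    protected override Task<HttpResponseMessage> SendAsync(
        HttpRequestMessage request, CancellationToken cancellationToken)
    {
        // Basic credentials are only base64-encoded, so never accept them over plain HTTP.
        if (request.RequestUri.Scheme != Uri.UriSchemeHttps)
            return Task.FromResult(request.CreateResponse(HttpStatusCode.Forbidden, "HTTPS required"));

        string user, password;
        if (!TryParseBasic(request.Headers.Authorization, out user, out password)
            || !_validate(user, password))
            return Task.FromResult(Unauthorized(request));

        // Make the validated user visible to controllers and [Authorize].
        var principal = new GenericPrincipal(new GenericIdentity(user, "Basic"), new string[0]);
        request.GetRequestContext().Principal = principal;  // Web API 2
        Thread.CurrentPrincipal = principal;

        return base.SendAsync(request, cancellationToken);
    }

    // Parses "Authorization: Basic base64(user:password)"; false on anything else.
    internal static bool TryParseBasic(AuthenticationHeaderValue header, out string user, out string password)
    {
        user = password = null;
        if (header == null
            || !"Basic".Equals(header.Scheme, StringComparison.OrdinalIgnoreCase)
            || string.IsNullOrEmpty(header.Parameter))
            return false;

        string decoded;
        try { decoded = Encoding.UTF8.GetString(Convert.FromBase64String(header.Parameter)); }
        catch (FormatException) { return false; }

        int colon = decoded.IndexOf(':');
        if (colon <= 0) return false;  // no separator or empty user name
        user = decoded.Substring(0, colon);
        password = decoded.Substring(colon + 1);
        return true;
    }

    static HttpResponseMessage Unauthorized(HttpRequestMessage request)
    {
        var response = request.CreateResponse(HttpStatusCode.Unauthorized);
        response.Headers.WwwAuthenticate.Add(
            new AuthenticationHeaderValue("Basic", "realm=\"" + Realm + "\""));
        return response;
    }
}

// Registration in App_Start/WebApiConfig.cs (assumed location):
//   config.MessageHandlers.Add(new BasicAuthOverHttpsHandler(System.Web.Security.Membership.ValidateUser));
//   config.Filters.Add(new AuthorizeAttribute());  // controllers then require the principal
```

Registering a global `AuthorizeAttribute` alongside the handler means a controller that forgets to check the principal still rejects anonymous callers, which is the failure mode the question is worried about.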
I use Windows Authentication with a load-balanced website. The load balance is based on two IIS web servers. There is a feature in my site which allows users to re-logon, like SharePoint's "sign in as different user".
But I notice that while I re-logon, the User.Identity on one site is changed but the other site still keeps the prior account.
I suspect there is something in the cookie that should be cleared.
Has anyone faced this problem while playing with loading balance? Or do you know some related article which might help?
I don't know how to fix the problem. Any help will be appreciated.
By the way, I use this method to achieve the re-logon; it works on a single server. http://www.roelvanlisdonk.nl/?p=825.
Hello guys,
I'm still working on this feature.
I print the User.Identity.Name on my home page. When I change the account, the User.Identity.Name output changes correctly, but when I refresh the home page, sometimes the prior account is displayed on the home page.
If I'm reading your comments correctly, your setup involves two web servers, each with a local user with the same name (and presumably the same password), and you're attempting to use Windows authentication in the web farm scenario.
In your situation, each computer has its own account with a name - assume your username is "AuthorizedUser". Bear in mind that if AuthorizedUser is a local account on both machines, then these are two completely different user accounts. Each computer checks its own user account information to verify the identity of the person, and in a non-Domain situation, Computer A has no reason to trust a user that was authenticated on Computer B.
If it were possible that computer A trusted computer B without a domain scenario - just two random computers that happen to have a user with the same name, imagine how easy it would be to hack into anyone's web server that's using Windows Authentication. All you'd have to do is guess a valid username, rather than a valid username/password combination. It's easy to see why this is a bad idea.
For Windows Authentication to work in a web farm scenario, you need to be using a Domain user (A Windows NT Domain) and that Domain User needs to have the same permissions set up on two servers. This way, there is only one AuthorizedUser, and both web servers can verify the identity against the domain. Both web servers will automatically trust that the Domain Controller has authorized the user properly and will trust the domain.
We've recently released the latest version of our intranet application, which now uses windows authentication as standard, and needs to be able to connect to a configured SQL server with the end-user's domain credentials.
Lately we've found that on a couple of customer deployments, although IIS can see the user's domain credentials, it will not pass these on to SQL server. Instead, it seems to use the anonymous account. This is in spite of following all the correct steps (changing the directory security to Win Auth, updating Web.Config to use Win Auth and denying anonymous users).
I've been doing a lot of reading that suggests we need to make sure that Kerberos is in place, but I'm not sure (a) how valid this is (i.e. is it really a requirement?) or (b) how to go about investigating if it's set up or how to go about setting it up.
We're in a situation where we need to be able to either configure IIS or the application to work for the customer, or explain to the customer exactly what they need to do to get it working.
We've managed to reproduce this on our internal network with a test SQL server and a developer's IIS box, so we're going to mess around with this set up and see if we can come up with a solution, but if anyone has any bright ideas, I'd be most happy to hear them!
I'd especially like to hear people's thoughts or advice in terms of Kerberos. Is this a requirement, and if it is, how do I outline to customers how it should be configured?
Oh, and I've also seen a couple of people mention the 'classic one-hop rule' for domains and passing windows credentials around, but I don't know how much weight this actually holds?
Thanks!
Matt
This is called the Double-Hop Problem and prohibits the forwarding of a user's credentials to third parties. This occurs when they browse from one machine, against a site on another (first hop), and forwarding the credentials to a third machine (second hop).
The problem will not appear if you host IIS and SQL Server on the same machine.
There's a lot more technical detail published on this at How to use the System.DirectoryServices namespace in ASP.NET, which explains the double-hop issue, and primary and secondary tokens.
To run your application under the user's Active Directory or Windows credentials, ensure these:
the IIS application is set to NOT allow anonymous access
the IIS application uses Integrated Windows authentication
your connection string should have Integrated Security=SSPI to ensure the user's Windows/AD credentials are passed to SQL Server.
i.e. Data Source=myServerAddress;Initial Catalog=myDataBase;Integrated Security=SSPI;
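To see whether the three settings above actually got the user's credentials across the second hop, here is an added diagnostic page (example code, not from the answer or the product): it opens a connection with `Integrated Security=SSPI` and asks SQL Server which login it sees and which authentication scheme was negotiated. It assumes `<identity impersonate="true" />` in web.config so the connection is opened under the caller's token; the class name and connection string values are placeholders.

```csharp
using System;
using System.Data.SqlClient;
using System.Web.UI;

// Added example, not the answer's code. Shows which identity reaches SQL
// Server so a double-hop failure is observed rather than guessed at.
// Assumes Windows authentication, anonymous access off, and
// <identity impersonate="true" /> in web.config.
public partial class WhoAmI : Page
{
    // Placeholder values from the answer above.
    const string ConnectionString =
        "Data Source=myServerAddress;Initial Catalog=myDataBase;Integrated Security=SSPI;";

    protected void Page_Load(object sender, EventArgs e)
    {
        DelegationReport report = Check(ConnectionString, User.Identity.Name);
        Response.ContentType = "text/plain";
        Response.Write(report.ToString());
    }

    internal sealed class DelegationReport
    {
        public string WebUser;     // what IIS authenticated
        public string SqlLogin;    // SUSER_SNAME() as seen by SQL Server, or the login error
        public string AuthScheme;  // KERBEROS, NTLM or SQL; null if not readable

        public bool Delegated
        {
            get { return string.Equals(WebUser, SqlLogin, StringComparison.OrdinalIgnoreCase); }
        }

        public override string ToString()
        {
            return "IIS user:  " + WebUser + Environment.NewLine
                 + "SQL login: " + SqlLogin + Environment.NewLine
                 + "Scheme:    " + (AuthScheme ?? "(not readable; needs VIEW SERVER STATE)") + Environment.NewLine
                 + (Delegated
                    ? "OK: the user's credentials reached SQL Server."
                    : "Double hop: SQL Server did not see the web user. "
                      + "'NT AUTHORITY\\ANONYMOUS LOGON' in the login means the second hop was refused; "
                      + "an NTLM scheme to a separate SQL host means Kerberos was not negotiated, "
                      + "so the credentials cannot be forwarded.");
        }
    }

    internal static DelegationReport Check(string connectionString, string webUser)
    {
        var report = new DelegationReport { WebUser = webUser };
        using (var conn = new SqlConnection(connectionString))
        {
            try
            {
                conn.Open();
            }
            catch (SqlException ex)
            {
                // The classic symptom: "Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'".
                report.SqlLogin = "(login failed: " + ex.Message + ")";
                return report;
            }

            using (var cmd = new SqlCommand("SELECT SUSER_SNAME()", conn))
                report.SqlLogin = (string)cmd.ExecuteScalar();

            // auth_scheme tells Kerberos from NTLM; reading the DMV may require
            // VIEW SERVER STATE, so treat failure as "unknown", not as an error.
            try
            {
                using (var cmd = new SqlCommand(
                    "SELECT auth_scheme FROM sys.dm_exec_connections WHERE session_id = @@SPID", conn))
                    report.AuthScheme = cmd.ExecuteScalar() as string;
            }
            catch (SqlException)
            {
                report.AuthScheme = null;
            }
        }
        return report;
    }
}
```

Run it from a browser on a different machine than the IIS box: if the login line shows the app pool identity or the anonymous logon while the IIS line shows the domain user, the credentials stopped at the first hop, which is the situation the question describes.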
You state you're not sure "how to go about investigating if it's set up or how to go about setting it up".
For this I'd heartily recommend a tool called DelegConfig. It's a very handy app that can tell you if Kerberos is set up properly.
Unzip it into a directory and configure a virtual directory in IIS to point to it. Browse to the main page and tell it which backend server you want to allow access to (e.g. UNC, SQL, HTTP etc.) and it tells you whether it's set up correctly or not and explains why.
It even has the ability to reconfigure Kerberos to fix the issue if you so desire (although I've not used this - I'd rather reconfigure it myself to understand what I've done in future).
I realise this comes too late for your particular problem but thought it worth sharing for others that follow - especially the tool's ability to explain why delegation is or is not working. I've found it invaluable.
I have my website, and it records the number of visitors, IP and time of access...
I want to identify each visitor... I think that this was possible by recording the IP address... but when the IP is dynamic, my system fails. So I think that I can solve it by recording the MAC address... is it possible? What language should I use? PHP, ASP, JavaScript?
Thanks
Edit: What can I use to identify each user without having login information (username & password)?
The MAC address, by TCP/IP standards, is never communicated outside of the local-area network to which it pertains — routers beyond that LAN don't even get the information you're trying to record.
There are many other ways to try and identify unique visitors, including matching the user-agent's details in addition to the IP, serving cookies as part of your response, etc… it is, after all, a core functionality in the field of "web analytics".
MAC addresses are simply not part of the gamut of techniques that it makes sense to utilize for it!
It is only possible if you use a technique where you install a "native" app on the client machine. For example, an ActiveX component, Java applet or a client application. Then that application, once installed, can get the MAC and then call your web server with the MAC as an argument. In other words, you have to build your own front end "browser" to handle logging in. Then once the user is logged in, you can launch the app in the default browser.
It would be nice if future browsers allowed users to give permission to specific sites to access the MAC. Then if a site had a button that said "Register this device" the web application could do so without needing an additional native app installed (after all, the browser IS a native app).
Can't you just have them store a cookie, so that when they come back they can be uniquely identified? No username/password requirement.
http://en.wikipedia.org/wiki/HTTP_cookie
Sorry, but sending the MAC address isn't part of HTTP. However, you can use cookies to identify different users. Any backend language will do (add the cookie on the server side). You can set the cookie on the client side using JavaScript too.
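The cookie approach the last three answers recommend, as an added ASP.NET example (not code from any of the answers): a random 128-bit visitor id is issued once and read back on later visits, and a cookie value that does not match the format we issued is treated as absent so a crafted cookie cannot push arbitrary text into the visitor log. The cookie name and lifetime are assumptions.

```csharp
using System;
using System.Security.Cryptography;
using System.Text.RegularExpressions;
using System.Web;

// Added example, not the answers' code. Identifies a returning visitor by a
// random cookie value instead of an IP or MAC address. Cookie name and
// lifetime are assumed values.
public static class VisitorId
{
    const string CookieName = "vid";
    static readonly TimeSpan Lifetime = TimeSpan.FromDays(365);

    // 128 random bits rendered as 32 lowercase hex characters.
    static readonly Regex WellFormed = new Regex("^[0-9a-f]{32}$", RegexOptions.Compiled);

    // Returns the visitor's id, issuing a new cookie if none (or a malformed one) is present.
    public static string GetOrCreate(HttpContext ctx)
    {
        HttpCookie existing = ctx.Request.Cookies[CookieName];
        if (existing != null && IsWellFormed(existing.Value))
            return existing.Value;

        string id = NewId();
        ctx.Response.Cookies.Add(new HttpCookie(CookieName, id)
        {
            HttpOnly = true,                          // not readable by page scripts
            Secure = ctx.Request.IsSecureConnection,  // HTTPS-only when issued over HTTPS
            Expires = DateTime.UtcNow.Add(Lifetime),
        });
        return id;
    }

    // Only ever record a value that matches the format we issued.
    public static bool IsWellFormed(string value)
    {
        return value != null && WellFormed.IsMatch(value);
    }

    static string NewId()
    {
        var bytes = new byte[16];
        using (var rng = new RNGCryptoServiceProvider())
            rng.GetBytes(bytes);
        return BitConverter.ToString(bytes).Replace("-", "").ToLowerInvariant();
    }
}

// Usage from a page or handler:
//   string id = VisitorId.GetOrCreate(HttpContext.Current);
//   then store (id, Request.UserHostAddress, DateTime.UtcNow) in the visitor log.
```

This counts visitors, it does not authenticate them: clearing cookies or switching browsers produces a new id, which is the trade-off the question accepts by ruling out a login.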
I've built an ASP.NET application that's using Forms Authentication. In our hosting account control panel, I set up an automated task that requests a web page once per week. When the page loads, a number of emails are sent out.
I'd just like to know if there's any way to determine in the code-behind if the request is coming from the local machine (as with Windows authentication). Using a separate web.config file in the page sub-directory with Windows authentication mode doesn't work.
The application will work fine either way. I'm requiring that a specific Guid value be present in the query string, so it's very unlikely that the task will be executed by mistake. I'd just like to learn something new while I'm working on this, and I'd like to see if I can add this little bit of extra verification.
Thanks very much for any advice.
Request.IsLocal
The IsLocal property returns true if the IP address of the request originator is 127.0.0.1 or if the IP address of the request is the same as the server's IP address.
Request.Url.IsLoopback
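Combining the two checks the question describes, as an added example (not code from the answers): the scheduled page runs only when `Request.IsLocal` is true and the query-string Guid matches the configured one, compared in fixed time. `IsLocal` is true for any request that originates on the server itself, including ones from other sites hosted on the same box, so it is the extra verification the question wants, not a replacement for the Guid. The page class, the `key` parameter and the appSettings name are assumptions.

```csharp
using System;
using System.Configuration;
using System.Web;
using System.Web.UI;

// Added example, not the answers' code. The scheduled task's page only does
// its work when the request is local AND carries the expected Guid.
public partial class WeeklyMailer : Page
{
    // Assumed: the expected key lives in <appSettings>, not in source.
    static readonly string ExpectedKey = ConfigurationManager.AppSettings["WeeklyMailerKey"];

    protected void Page_Load(object sender, EventArgs e)
    {
        if (!IsAuthorizedSchedulerRequest(Request, ExpectedKey))
        {
            // Same response whether the key or the origin was wrong.
            Response.StatusCode = 403;
            Response.End();
            return;
        }
        SendWeeklyEmails();  // the page's existing work; assumed method
    }

    internal static bool IsAuthorizedSchedulerRequest(HttpRequest request, string expectedKey)
    {
        // Loopback or the server's own address; a reverse proxy on the same
        // machine would also look local, hence the Guid check below.
        if (!request.IsLocal)
            return false;

        Guid supplied, expected;
        if (!Guid.TryParse(request.QueryString["key"], out supplied))
            return false;
        if (!Guid.TryParse(expectedKey, out expected))
            return false;  // misconfigured server: fail closed

        return FixedTimeEquals(supplied.ToByteArray(), expected.ToByteArray());
    }

    // Constant-time comparison so the response time does not depend on how
    // many leading bytes of the guess were right.
    static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length)
            return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++)
            diff |= a[i] ^ b[i];
        return diff == 0;
    }

    void SendWeeklyEmails()
    {
        // Existing mail-out logic goes here (not part of this example).
    }
}
```

`Request.Url.IsLoopback` from the other answer only looks at the host name in the URL the client asked for, so it is true when the task requests `http://localhost/...` but does not say where the request came from; `Request.IsLocal` is the one that checks the originating address.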