Asp.net and windows authentication - asp.net

My application needs to be designed so that an administrator can, via a web interface select if their users login via windows authentication or forms authentication.
This means I cant specify the authentication mode in the web.config i.e.:
<system.web>
<authentication mode="Windows"/>
</system.web>
How do I approach this?

Use Forms authentication mode, whereby the login form can determine the user and the preferred authentication method for that user. If the user can be windows authenticated, you don't need to present the login form, just set the user as authenticated and redirect accordingly.

Related

How to get the current logon user name in asp.net?

I have a web app, in the web.config, I have following settings:
<authentication mode="Windows"/>
<identity impersonate="true" userName="domain01\user01" password="***"/>
I deployed the app to Windows 2008 (IIS 7), the Identity of the application pool is domain01\user01, and in the Authentication of the app, I have following set:
Anonymous Authentication Disabled
ASP.NET Impersonation Enabled
Basic Authentication Disabled
Digest Authentication Disabled
Forms Authentication Disabled
Windows Authentication Enabled
Now I need to get the user name who is currently logged on the machine, could be any authorized user with different domain. But no matter what I tired, I always got the impersonated user domain01\user01. I tried, HttpContext, WindowsIdentity, etc. Does anybody know how do I get the correct user name without changing my settings?
You are specifying domain01\username as the identity that you want to impersonate. That is why the current user is always that. If you remove the configured identity you will get the actual logged in user.
<identity impersonate="true" />
This is documented here:
http://msdn.microsoft.com/en-us/library/xh507fc5(v=vs.85).aspx

ASP.NET Forms authentication requires Anonymous enabled

I am working with ASP.NET application that uses Forms Authentication. However, if I turn off all authentication methods except for forms, I will get a
HTTP Error 401.2 - Unauthorized
When trying to browse any page. However, enabling Anonymous authentication fixes it. What causes this behavior? Thanks!
By doing this your only allowing users to visit pages (other than the login page) if they have logged into your site.
Direct from MSDN:
Forms authentication lets you authenticate users by using your own code and then maintain an authentication token in a cookie or in the page URL. Forms authentication participates in the ASP.NET page life cycle through the FormsAuthenticationModule class. You can access forms authentication information and capabilities through the FormsAuthentication class.
By setting a loginUrl in the web.config you're instructing your app that the login page is ok to visit for anonymous users. If the user tries to visit a page OTHER than the loginUrl then they will be redirected TO that loginUrl.
Quite often a site would use both anonymous as well as forms. Anonymous to allow visiting of public pages and the forms auth to hide the pages from those not logged into your website.
It's great to use (forms auth) if you're using the ASP.Net Membership and login controls along side, though if you don't plan on using these then you won't need to worry about Forms Authentication as you can build your own method of letting users gain access.
So all that's to say, if you want to lock it all down bar one page, then set a loginUrl in your web.config
<authentication mode="Forms">
<forms name="myLogin" loginUrl="/Login.aspx">
</forms>
</authentication>
An element of answer here:
http://forums.iis.net/t/1159935.aspx/1
A more detailed explanation:
http://www.asp.net/learn/security/tutorial-02-cs.aspx
http://www.asp.net/learn/security/tutorial-03-cs.aspx

ASP.NET windows authentication should always ask for credentials

Problem statement :
I have implemented windows authentication on my website.
I have used following code in my web.config for authentication
<authentication mode="Windows">
</authentication>
<authorization>
<deny users="?"/>
</authorization>
Now, the problem is that when I access the website, it takes the default ( windows) credentials and tries to login.
But I need that it should prompt the user for credentials so that user can enter domain-name\id and password of separate domain for authenticate (User will have VPN access to this other domain)
You can achieve this using Digest Authentication mode in IIS. Once enabled it will prompt always for UserName/Password to the end user.
You can read more about this type authentication here:
http://technet.microsoft.com/en-us/library/cc778868(v=ws.10).aspx
http://technet.microsoft.com/en-us/library/cc754104(v=ws.10).aspx
Instead of using Windows Authentication use Forms Auth and check entered login and password in Domain.
There is a nice article on MSDN: How To: Use Forms Authentication with Active Directory in Multiple Domains

Mixed Mode Federated authentication and Forms Authentication

I am trying to make a mixed mode authentication to be able to put some users on Federated authentications and others on Forms authentication.
I am working with WIF, I set up my STS and everything is happy, when I am in federated mode by turning off all the authentication this way:
<authorization>
<deny users="?" />
</authorization>
<authentication mode="None" />
I log in to my main application then when I log in to my side application it will let me log in silently since the session cookie is already generated and the user is authenticated.
but when I use Forms authentication, when I log in to my side application it will take me to the login page which I understand because the user is not authenticated but it seems even with having the session cookie it is not silently redirecting it.
I know that I need to redirect onEndRequest to the STS to authenticate the user and if the user is already authenticated then it will generate FedAuth cookie and and it will log me in silently,
does anybody know how to implement this, I didn't find resources about it when I researched.
Alaa
For all who needs to setup federated user authentication in asp.net app the following link might be extremely helpful:
http://blog.elis-co.com/wif-sso-and-forms-authentication-in-asp-net/
Also http modules included to the config from the link above are outdated. So correct them with ones from the following article:
https://learn.microsoft.com/en-us/dotnet/framework/security/how-to-build-claims-aware-aspnet-web-forms-app-using-wif

proper IIS 6 configuration for forms authentication

I'm using Forms Authentication in my current ASP.NET Web Application (not MVC) and my IIS 6 server is configured with the following options:
in the [directory security tab] -> [Authentication Methods] I have:
the anonymous access Enabled
Integrated windows authentication Enabled
Do the above options prevent Forms Authentication from working properly? In other words, what is the proper IIS 6 configuration for Forms Authentication?
EDIT
I just made test with the two options above enabled and the Forms Authentication session expired and redirected me to the login page, but all the answers so far advise that [Integrated windows authentication] should be off!
Here is a check list for using ASP.NET Forms Authentication on IIS6
Configure IIS:
In IIS, Site Properties -> Directory Security -> Authentication and Access Control
Enable Anonymous Access
Disable all Authenticated access methods
Configure Forms Authentication:
Configure Forms Authentication in your site's web.config:
<authentication mode="Forms">
<forms name="MySite"
path="/"
loginUrl="~/logon.aspx"
protection="All"
timeout="30"
slidingExpiration="true" />
</authentication>
Your name and loginUrl may vary. The slidigExpiration attribute is used to keep extending the forms authentication cookie lifetime rather than just kicking the user off of the site after the timeout has expired. The timeout value is in minutes.
Configure Session Timeout:
You need to configure your session state timeout to be longer than your Forms Authentication ticket expiry. If you don't do this then an idle session can time out the session but leave the user logged in. Code that expects Session values to be present will throw exceptions because they are gone even though they are still authenticated. The timeout value is also in minutes.
<sessionState mode="InProc" timeout="40" />
Because forms authentication does not rely on IIS authentication, you should configure anonymous access for your application in IIS if you intend to use forms authentication in your ASP.NET application.
See here http://msdn.microsoft.com/en-us/library/ff647070.aspx for more information.
The anonymous access should be enabled, I don't think integrated windows authentication makes a difference but if you're not going to need it then it's best to turn it off. The important thing to remember is to make sure it's turned on in web.config:
<authentication mode="Forms" />
Here's a basic tutorial that might be useful:
Overview of Forms Authentication
Anonymous access -> checked
All other option on the security tab -> unchecked
Note, forms authentication is done by .NET - not by IIS. Also, Windows Authentication MUST be off as well.
Rather technical explanaitions by MS.

Resources