i wish to require a popup window for users to type, to access my website. For the username, password .. i was hoping to have a few hardcoded names/passwords in some file. I was told that Digest Authorisation could be used, to do this.
If i've got a stock standard ASP.NET website, where can i define the username's / password?
please note, this username/password only 'unlocks' the site .. but doesn't log them INTO the site. they will need their website username/password for that.
i hope that makes sence.
please help!
Depending on your access to the machine, a really simple option is a program called IISPassword, some providers have this installed, which allows you to use apache style .htaccess .htpassword files.
Once this is installed, setting up takes about 5 mins, just find a unix crypt function to handle the passwords, and it just works, don't have to touch aspnet at all.
Have only used this on IIS 5 and 6, but might work on 7.
Hope that helps.
I think that your users will not appreciate having to enter two passwords to use your site. I think you would be better served to stick with the web site login as the sole means to access the site and simply redirect non-logged in users to the logon page. You may also want an "about us" page that is publicly available for potential future users if your site is public.
You can find a pretty comprehensive guide to authentication in ASP.NET here. According to the article, Digest Authentication requires that you store user ids/passwords in Active Directory.
Related
I have looked at numerous articles and tried a multitude of settings, but I can't seem to achieve what I'm looking for in my intranet site. Even if I don't get a solution, a definitive "you can't do that" will help me move forward. Here is what I'm trying to do:
Web site recognizes the user's network login credentials - ONLY so I can get their user ID without a login
The website uses some generic account (IUSR or something like that) to access a SQL Server that the same network users can NOT access EXCEPT through the website
Users can upload files to a set of folders created on-the-fly by the website to contain their files for later reference by them
The website can construct web pages on-the-fly with links to the users' files - and ONLY theirs - so they can open / download them through the web pages
Users can NOT access the uploaded files through a network share on the web server
All of the folder creation, file upload, and file serving occur under some generic account like IUSR
I currently have things configured to use Windows Authentication and I could probably live with that except I don't want to require a login to the site. Apparently, in order to make this happen, I need to have the server configured as a trusted delegate and IT is dragging their feet on doing that. Also, this config allows the users to access the SQL Server and folders/files through means other than the web site and I don't really want that. I only need to pick off their user ID so I can use it to get information about them out of Active Directory and keep track of their interactions with the web app.
In reviewing your post I must first say "Yes" it seems like what you want to accomplish can be done. However the enormity of your question precludes simple posting answers. From what I gather there are three security issues you want to navigate 1) Windows Authentication, 2) Admin only SQL access, 3) User only Access to files and directories while authenticated using Active Directory.
I have been building ASP.net intranet web applications using Active Directory (Windows logins) for a few months. I would encourage you to explore this article: http://www.mikesdotnetting.com/article/216/windows-authentication-with-asp-net-web-pages for details on setting up windows authentication in an ASP.net web application. You can add elements to your web pages using a section of Visual Studio [Toolbox] called 'Login', which contains elements such as 'LoginName'.
Next I am pretty sure you can control the SQL server query access using authentication parameters of your choosing. In the portion of the connectionString that is normally 'Integrated Security=True;' you will need to switch that to 'Integrated Security=False;username=sqlAdminUserName;password=sqlAdminPassword'. For more information I suggest reviewing this post: Integrated Security = False.
For the third security issue once you have isolated the user's windows login identity you should be able to dynamically build web pages, files, directories, and whatever other resources you require all customized for that individual user. I believe the generation of all those materials can be done with an IUSR account with the only needed ingredient being the Windows login user identity.
Good Luck and I hope my suggestions help move you ahead.
Actually, the answer is not all that complex and it is a real mystery why it is so difficult to find a single source on the web to spell it out. Here is my IIS authentication for an intranet app that acts exactly how I want:
Enable ASP.NET Impersonation and edit to Authenticated User
Enable Windows Authentication
Advanced Settings->Extended Protection->Off
Advanced Settings->Enable Kernel-mode authentication->unchecked
Providers->Available Providers->Negotiate:Kerberos and move that to the top
Disable all other authentications
Most critical: Make the server a 'trusted delegate' in Active Directory
That should do it.
I am working on a project of developing a web UI. The project requires .NET implementation. I currently published the website on Windows server 2008 with IIS 7.5 for testing. The project asks for and login/out page as the entrance to the main UI. The login/out page should asks for username and password with some security questions. And it also enables user to change and save the password. The authentication technique has to be implemented using digested authentication.
I have already tested the digest authentication after enabling it in IIS. It works good with popping up a window asking for the username and password.However, I have a doubt whether the digest authentication allows for customized login/out page and ability of changing and saving the password (which will most likely be realized with form authentication to the best of my knowledge). I believe there might be (or not?) some ways of doing it, anyone can guide me to some references or sample codes?
Try this article: http://www.eggheadcafe.com/articles/20030701.asp
And maybe this one: http://msdn.microsoft.com/en-us/library/Ee817643%28pandp.10%29.aspx
I don't have much experience with ASP.NET and IIS -
But I created some simple web site and i put it on IIS server -
I want to make the access to be only for those users, who are know the access password.
How can I do it ?
You can easily do this with Forms Authentication in asp.net. Take a look at some information on the web about this.
http://msdn.microsoft.com/en-us/library/ff647070.aspx
http://www.codeproject.com/KB/aspnet/ASPDOTNETauthentication.aspx
http://msdn.microsoft.com/en-us/library/7t6b43z4.aspx
It is pretty easy to get this working, most of the work is in the web.config and it gives you a lot of control about what pages are secure and what pages are not.
I have a question that doesn't need any specific answer, just a general direction of what to do. I work for a company that has many sites. Each site requires a login at some point. We have a single Accounts database that all of the sites hit.
One of the requirements for the login system is that if we login on one site, we should automatically be logged in elsewhere.
The way it works right now is that on page load (or init, forget which) at any of our sites (let's say site1.com), it redirects to a "master" site (let's say sitemaster.com). On sitemaster.com there is a web service which checks to see if a cookie exists on sitemaster.com for that user. If it does, it redirects back and lets site1.com know that the user has already logged in (site1.com then creates a cookie for site1.com so we don't have to redirect to sitemaster.com in the future). If the user is not logged in at sitemaster.com, site1.com will then ask the user to login and, on submit, it redirects the user to sitemaster.com which logs them in, creates a cookie under sitemaster.com domain, redirects back to site1.com and lets site1.com know that the user is logged in (which then creates the cookie for site1.com).
On logout a similar method is employed.
Is this the best way of handling universal logins, or auto-logins across multiple sites? Is there a better way of doing things?
Some requirements:
Most of our sites are in .NET 2.0, but there are plans to update them all to .NET 4.0. We want the best method for this auto-login system so if something requires .NET 4.0, that's ok.
The solution should not require javascript (our current solution requires javascript during the login process).
The solution should not require Flash.
It's ok to use iframes, as long as javascript is not requred.
We would like to be able to do AJAX logins (using jQuery) without having the site refresh. The current solution, due to the redirects, prevents us from doing that. (eg: Pop up a modal box asking the user to login, and when they do, the modal box disappears and some content is changed, but no site refresh required). This isn't absolutely necessary, but at the very least we should be able to verify a login using AJAX before any redirecting takes place.
Any articles or suggestions will be very helpful. I also have some questions related to the best way of re-using the auto-login code across sites (varying from ASP.NET 2.0 Forms to ASP.NET 4.0 MVC, but I'll save that for another question).
Bara
At a simple level, your system works very much like OpenID. It might be worth implementing your own internal OpenID provider and save yourself all of the custom work and maintenance/bugfixes etc for a bespoke system. OpenID is supported by many many sites, including stackoverflow.com.
http://openid.net/
and
http://wiki.openid.net/Run-your-own-identity-server
which leads to:
http://www.dotnetopenauth.net/
-Oisin
What you've described is a federated Web Single Sign-On scheme. Ultimately, I'd recommend that rather than rolling your own, you adopted the WS-Federation standard. The advantages being that you're less susceptible to introducing security vulnerabilities and also have the ability to achieve Single Sign-On with applications other than bespoke ASP.NET apps.
Is there a way to implement forms authentication, but only for a specific URL. For example, I would want the formsAuthentication to protect the site on staging.mydomain.com but not hinder access to www.mydomain.com if the web.config accidentally got moved over to the production site.
This can be achieved, but you'll have to implement your own IHttpModule for it. Alas FormsAuthenticationModule is sealed, meaning that you would have to start from scratch, but Reflector can be a great help there.
we have used a simple workaround in the past.
We set the default Login page to be a simple page that is accessible to anonymous users, lets call it checkDomain.aspx
In that page, we do a quick check of the domain and based on that we redirect users to the login.aspx page in the staging site, or to the original requested url in the production site. this wasnt pretty but it was quick and easy to implement for a short period of time when we feared something like that could happen.
Forms auth is implemented on the web site instance. Its not going to work that way.
The web.config is where you can manage what FormsAuthentication does. So, the answer is kind of in your question and #Andrew is right.
However, you might be able to do something in your global.asax to recognize the server or domain that the site is running on and disable FormsAuthentication. Maybe create a user that has access to everything and manually set a FormsAuthenticationTicket to that user on session start if the domain is www.mydomain.com.
This is a bit hackish and I would suggest coming up with an out of band way to control your web.config instead.