My production environment involves a pair of IIS 6 web servers, one running legacy .NET 1.1 applications and the other running .NET 2.0 applications. We cannot install .NET 2.0 alongside 1.1 on the same machine because it is a tightly-regulated 'Validated System' and would present a bureaucratic nightmare to revalidate.
Websites on both servers use Basic Authentication against Active Directory user accounts.
Is it possible for a web application on the 1.1 server to securely redirect a user to a page served on the 2.0 server, without requiring users to re-authenticate?
No, because you're not using cookies for authentication in that scenario, so ScaleOvenStove's link won't help.
Basic authentication sends the login information in the HTTP headers with every request, but it's the browser that does this, when it sees a new server, new password request.
(Or indeed as suggested change the authentication on both systems to support single signon)
In order to achieve this you could implement a single sign-on solution.
This solution would have one server be your master authentication server. This server would be responsible for authentication and creating a cookie for the user. When you redirect to the other server (on the same domain) check to see if the authentication cookie exists that was created by the authentication server, and if it exists, and has valid data, auto login the user. Make sure that you set the domain on the forms authentication ticket and cookie, and then both servers which exist on the same domain will be able to access this cookie.
I would google single sign on asp.net. There's a number of ways to achieve it, but it's definitely achievable.
yes, check out here
http://weblogs.asp.net/scottgu/archive/2005/12/10/432851.aspx
Related
I have three asp.net applications. Only one of them has a forms authentication login. I redirect anonymous users to that one login page for all three applications to login. Once they log in, they automatically redirected back to the application and page they were attempting to access.
I enabled this functionality by setting the same MachineKey in all three applications.
Is there a way to do this for ADFS 3.0 WIF authentication as well? It doesn't seem to work the same in my testing. When I log into the application that is wired up to ADFS, I still can't access the other two.
WIF and ADFS don't work the same way as traditional forms authentication. These technologies rely on issuing access tokens, and require that dependent applications (also known as Relying Parties, or RPs) configure a trust relationship with the token provider (AKA Identity Provider, or IP). You can't share the cookie with MachineKey between apps that have not directly authenticated with an IP, and to be quite honest you don't want to.
The typical web scenario (also known as Passive Federation) is to have a separate application that functions as a Security Token Service (STS). This application houses the Login.aspx page and is protected with Forms or Windows Authentication like you would find in a classic ASP.NET scenario. When you attempt to access a web application that requires authentication, it needs to be set up to redirect you to the STS website, rather than handling it by itself. Once you log into the central STS, it will issue you a token that you then provide to applications to gain access. If you use WIF properly, this is all handled behind the scenes and is just a matter of configuration.
Each of your three web applications should be configured with a trust relationship to your IP. You said that you have a web application wired up to ADFS already, if that's via the proper trust relationship, then you should simply have to replicate that set up to your other 2 applications.
I have an ASP.NET web application that is entirely protected by Forms Authentication.
Is there a configuration under which web requests coming from another application on the same machine, either web or console, can bypass the form authentication and access the page as if it were authenticated?
#merlin2011,you have two chose.
1.use cookie with same machineKey in the different application.(simplest)
the Forms Authentication in ASP.NET use cookie to Encryption and decryption your identity and indicates whether you are logged.the application use different key to encrypt you identity in the different application by default.
see more:
Forms Authentication Across Applications
notes:this solution only for the between application in the same web domain.
(for example,www.example.com,a.example.com,if the www.example1.com will not work)
2.the application in the different web domain(Complex)
in this situation,you need the Single Sign-on solution .this will required you need to write code to authenticate a user whether is logged.
this article will can help you Cross Site Authentication and Data Transfer
good luckly!
HI have the following scenario:
1) i'm authenticated against some aSP.NET web site and my session time out expires in 24 hours.
2) after several time I would like to run query against asp.net Web Service located on the site using existing authentication.
What should I add to cookie Container? I how do sent existing cookie to Web service?
Thank you in Advance.
Danny.
A web service call is just an http call so it will come under the existing authentication.
I am assuming here that you are issuing this from the browser?
If not - e.g. if you are doing it from a console application, then you will have to interact with the site as if you were a user. Some more details are her http://www.ksingla.net/2006/08/sample_forms_authentication_test_in_csharp/
Basically you need to issue a post to login to the login page - track all of the cookies etc - and then start issuing your WS calls with those cookies.
Another option is here http://en.gli.sh/Blog/post/NET-Interoperability-Between-Smart-Client-and-Internet-Explorer-Using-Cookie-based-Authentication.aspx which is reading the correct cookie info from the windows machine you are on - relies on you being logged into the website and also trusted to be able to get to that file.
Alternatively you can look into implementing WSE or WCF solution.
I'm looking for a way to pass some sort of credentials or Authorization token from a VB.Net Client to an ASP.Net web application that allows the Client to auto-login to our Forms-Authenticated website. If a user is logged into a local application, I want them to be able to view some web pages without having to login to the website as well. The credentials are not the same between the apps, but I would just like to pass some sort of encrypted token or key to the web page so I know they are coming from the desktop application. Is this possible without requiring a username and password login?
I also need to make sure this URL that is used cannot be simply copied and used from another location, so I'll need to include some sort of information in the encrypted value to know where it's coming from.
I know how to login the user with Forms Authentication and all that, just need to figure out the best way to secure this. Thanks!
OAuth is commonly used to allow desktop applications to access a user's private data on a web site. Since you're using .NET, I suggest you check out DotNetOpenAuth which includes sample OAuth web sites and client applications. It allows for this secure token to be passed that can tell your web site that the desktop app is the one making the requests and (usually) whose data is being accessed.
The best part about the OAuth solution is your desktop app never has to ask for the user's credentials. No credentials are in the URL. And if the desktop application is ever compromised (perhaps by the computer being stolen), the web site can kill the secure token the desktop app was using to cut off access without requiring the user to change their password.
You might want to look into issuing client-side certificates for these applications. Basically, you generate a certificate that you install with the client application and then on the server side, you check the ClientCertificate property of the HttpRequest instance exposed by the Request property on the current context.
Note that what you are doing is really a very bad idea, in that applications should never be assigned identity, only users. To that end, you should be authenticating each and every user that is using your app, not considering the application to be the identity. It's commonly considered a bad practice to do such a thing.
You can share credentials between the applications using ASP.NET Client Application Services.
Here are some resources:
Client Application Services
Client Application Services with Visual Studio 2008
Is your desktop app running on machines that are in the same domain as your web server (i.e. all in the same company)? If so, Integrated Windows Authentication is your easiest solution.
I think its best idea to use a web browser control inside the desktop application .
Then use the WebBrowser1.Document most probably
WebBrowser1.Document.Cookie
get if the user is singed in.
I also need to make sure this URL that
is used cannot be simply copied and
used from another location, so I'll
need to include some sort of
information in the encrypted value to
know where it's coming from.
If you store the encrypted value in a cookie or as a field in a form (POST request), then the credential is no longer in the URL and so it can't be easily copied (note that I said "easily").
I have a website with a large user base configured with asp.net 2.0 forms authentication. Before the user logs in via forms authentication is it possible to retrieve the windows login name/user account name on the machine they are using?
Many thanks
It certainly is possible--by adding another web application to your system. Here's roughly how I have done it:
Your primary web app uses Forms authentication. On the forms login page, any user that is determined to be on the local LAN (check IP address), redirect them to another app that uses Windows authentication. In this second app, you can determine the user (assuming the browser is configured to send credentials automatically to the zone in which your app resides), then set a cookie which your first app can read, and redirect the user back to the original app.
This does work.
This would only be possible if you were using Windows Authentication in your web application and then only if the user had logged in.
The kind of information you are after is not sent as part of the web request (quite rightly) and is therefore unknown to the web server.
Unfortunately no - if the user has not logged on, they are browsing anonymously, and are therefore unknown to the server. There is no way to identify them.
Once they're logged on, if you're using impersonation use WindowsIdentity.GetCurrent().Name. However, for forms authentication there's no direct way to ask the browser for their Windows credentials as they may not even be running Windows!
Not BEFORE no (not from the server).
Depending on the type of Auth you use, though, and the way the site is configured, you CAN get them to log in with their windows details.
See Mixing Forms and Windows Security in ASP.NET on Microsoft's MSDN.
The main difference with #TheObjectGuy answer is that instead of using 2 websites, this does all in a single website by configuring IIS to use the Integrated Windows authentication just in a "single" page (WinLogin.aspx).