I have a WinForms application that uses custom authentication (username/password).
In addition to this, I would like to associate Windows/AD users to app users so that if a Windows/AD user is logged in, my app does not request login credentials.
In app user management I could associate the Windows/AD user SID with the app user and then check it later: when the app is launched, if an app user associated with the currently logged-in user's SID is found, then this user is authenticated in the app without being asked for a password.
I wonder if there may be security issues with this approach.
Related
I have a Windows service, written in C#, which is deployed using services.msc.
I want to access the current logged-in user's Downloads folder,
e.g. if the current logged-in username is admin, then I want to access
C:\Users\admin\Downloads
and if the current logged-in username is tomas, then I want to access
C:\Users\tomas\Downloads.
You can use SHGetKnownFolderPath(FOLDERID_Downloads), passing in a token for the desired user account. The trick will be in knowing which user you want. There may be more than one user logged in at the same time. There may be no users logged in at all. If your service is running under the SYSTEM account, it can enumerate active user sessions via WTSEnumerateSessions() and get their user token via WTSQueryUserToken().
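The sequence the answer describes, written out as an added example (not code from the original answer): a service running as LocalSystem enumerates interactive sessions with WTSEnumerateSessions(), obtains each active user's token with WTSQueryUserToken(), and resolves that user's Downloads folder with SHGetKnownFolderPath(FOLDERID_Downloads) against that token. The P/Invoke declarations follow the documented Win32 signatures; the FOLDERID_Downloads GUID is the published one.

```csharp
// Added example, not part of the original answer: resolve the Downloads folder
// of every active interactive user from a service running as LocalSystem.
using System;
using System.Collections.Generic;
using System.ComponentModel;
using System.Runtime.InteropServices;

static class UserDownloads
{
    const int WTSActive = 0;   // WTS_CONNECTSTATE_CLASS.WTSActive

    // Layout of WTS_SESSION_INFO; the station-name pointer is left unmarshalled.
    [StructLayout(LayoutKind.Sequential)]
    struct WTS_SESSION_INFO
    {
        public int SessionId;
        public IntPtr pWinStationName;
        public int State;
    }

    static readonly Guid FOLDERID_Downloads = new Guid("374DE290-123F-4565-9164-39C4925E467B");

    [DllImport("wtsapi32.dll", SetLastError = true)]
    static extern bool WTSEnumerateSessions(IntPtr hServer, int reserved, int version,
                                            out IntPtr ppSessionInfo, out int pCount);
    [DllImport("wtsapi32.dll")]
    static extern void WTSFreeMemory(IntPtr pMemory);
    [DllImport("wtsapi32.dll", SetLastError = true)]
    static extern bool WTSQueryUserToken(int sessionId, out IntPtr phToken);
    [DllImport("shell32.dll")]
    static extern int SHGetKnownFolderPath(ref Guid rfid, uint dwFlags, IntPtr hToken, out IntPtr ppszPath);
    [DllImport("ole32.dll")]
    static extern void CoTaskMemFree(IntPtr pv);
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr hObject);

    // One (sessionId, downloadsPath) pair per active session whose user token could
    // be obtained. Disconnected, listener and service sessions are skipped.
    public static List<(int SessionId, string Path)> ResolveActiveUsers()
    {
        var result = new List<(int, string)>();
        // IntPtr.Zero is WTS_CURRENT_SERVER_HANDLE; version must be 1.
        if (!WTSEnumerateSessions(IntPtr.Zero, 0, 1, out IntPtr pSessions, out int count))
            throw new Win32Exception();
        try
        {
            int size = Marshal.SizeOf<WTS_SESSION_INFO>();
            for (int i = 0; i < count; i++)
            {
                var s = Marshal.PtrToStructure<WTS_SESSION_INFO>(pSessions + i * size);
                if (s.State != WTSActive) continue;

                // Requires SE_TCB_NAME: LocalSystem has it, ordinary service accounts do not,
                // in which case this call fails with access denied and the session is skipped.
                if (!WTSQueryUserToken(s.SessionId, out IntPtr token)) continue;
                try
                {
                    // Look the folder up in the context of *that* user's token, so a
                    // redirected or relocated Downloads folder resolves correctly.
                    Guid id = FOLDERID_Downloads;
                    int hr = SHGetKnownFolderPath(ref id, 0 /* KF_FLAG_DEFAULT */, token, out IntPtr pPath);
                    if (hr != 0) continue;
                    try { result.Add((s.SessionId, Marshal.PtrToStringUni(pPath))); }
                    finally { CoTaskMemFree(pPath); }
                }
                finally { CloseHandle(token); }
            }
        }
        finally { WTSFreeMemory(pSessions); }
        return result;
    }

    static void Main()
    {
        foreach (var (session, path) in ResolveActiveUsers())
            Console.WriteLine($"session {session}: {path}");
    }
}
```

Run from an ordinary user account the enumeration succeeds but every WTSQueryUserToken() call fails, so the list comes back empty; the code is only useful inside the service. Resolving the path is the safe half of the job: if the service then reads or writes inside that folder, do it while impersonating the same token (for example with WindowsIdentity.RunImpersonated) rather than as SYSTEM, since a user-writable directory acted on by a SYSTEM process is a classic privilege-escalation surface.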
A C# Windows application gives privileges to users with a specific profile in its database. The application does not handle a username and password but gets the username of the authenticated user in the Windows session.
They asked me to authenticate the user with an IAM service such as Microsoft IAM. But I'm a bit confused. Does it mean that I have to ask the user for a username and password and verify them with IAM? I don't want to store passwords in my DB.
I cannot figure out how to use an external IAM.
No, you will not need to deal with passwords.
In short, your application will need to display a mini browser window (WebControl, WebView, etc.) where the IAM provider's login screen is displayed. Users provide their credentials directly to that login screen. Your application never touches those credentials and only receives the valid tokens afterwards from which it can get information like unique user ID, email address, etc.
Check out this WPF tutorial from one of the best IAM providers, auth0 (disclaimer: I'm not affiliated with auth0 in any way).
https://auth0.com/docs/quickstart/native/wpf-winforms/01-login
You can sign up for a free trial account to quickly try it out.
Side note: This method is not entirely safe from abuse as your malicious application could intercept key strokes as users type in their credentials into the IAM login page (since it is hosted within your application's process).
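The side note above is exactly why native-app guidance (RFC 8252) prefers the system browser with a loopback redirect over an embedded WebView: the credential page is then never hosted inside the application's process. The following added example (not auth0's quickstart code and not from the answer) shows that variant of the same authorization-code login: PKCE plus a `state` value, a one-shot HttpListener on 127.0.0.1, and the code exchange. The authority URL, client_id, endpoint paths and port are placeholders that must match what is registered with the IdP.

```csharp
// Added example: system-browser + loopback-redirect OIDC login with PKCE.
// Endpoint paths, client_id and port are placeholders, not real values.
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.Net;
using System.Net.Http;
using System.Security.Cryptography;
using System.Text;
using System.Threading.Tasks;

static class LoopbackLogin
{
    const string Authority = "https://YOUR-TENANT.example.com";  // placeholder IdP base URL
    const string ClientId  = "YOUR-CLIENT-ID";                    // placeholder
    const int    Port      = 48123;  // must match the registered loopback redirect URI

    // base64url without padding, as RFC 7636 requires for the challenge
    static string B64Url(byte[] b) =>
        Convert.ToBase64String(b).TrimEnd('=').Replace('+', '-').Replace('/', '_');

    static string RandomToken(int bytes)
    {
        var buf = new byte[bytes];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(buf);
        return B64Url(buf);
    }

    // Returns the raw JSON token response from the token endpoint.
    public static async Task<string> AcquireTokensAsync()
    {
        string redirect = $"http://127.0.0.1:{Port}/callback/";
        string verifier = RandomToken(32);                      // 43-char code_verifier
        string challenge;
        using (var sha = SHA256.Create())
            challenge = B64Url(sha.ComputeHash(Encoding.ASCII.GetBytes(verifier)));
        string state = RandomToken(16);                         // binds the callback to this attempt

        // Start listening before the browser opens so the redirect cannot be missed.
        using (var listener = new HttpListener())
        {
            listener.Prefixes.Add(redirect);
            listener.Start();

            string authUrl = $"{Authority}/authorize?response_type=code&client_id={ClientId}" +
                $"&redirect_uri={Uri.EscapeDataString(redirect)}&scope=openid%20profile" +
                $"&state={state}&code_challenge={challenge}&code_challenge_method=S256";
            // The user's default browser shows the IdP login page; this process never sees the password.
            Process.Start(new ProcessStartInfo(authUrl) { UseShellExecute = true });

            HttpListenerContext ctx = await listener.GetContextAsync();
            var q = ctx.Request.QueryString;
            byte[] body = Encoding.UTF8.GetBytes("<html><body>Login complete. You may close this window.</body></html>");
            ctx.Response.ContentType = "text/html";
            await ctx.Response.OutputStream.WriteAsync(body, 0, body.Length);
            ctx.Response.Close();

            // Anything that reaches the loopback port without our state is rejected,
            // so a stray request cannot complete the login.
            if (q["state"] != state || string.IsNullOrEmpty(q["code"]))
                throw new InvalidOperationException("callback rejected: bad state or missing code");

            // Redeem the code; the verifier proves this client started the flow.
            using (var http = new HttpClient())
            {
                var form = new FormUrlEncodedContent(new Dictionary<string, string>
                {
                    ["grant_type"]    = "authorization_code",
                    ["client_id"]     = ClientId,
                    ["code"]          = q["code"],
                    ["redirect_uri"]  = redirect,
                    ["code_verifier"] = verifier,
                });
                HttpResponseMessage resp = await http.PostAsync($"{Authority}/oauth/token", form);
                resp.EnsureSuccessStatusCode();
                return await resp.Content.ReadAsStringAsync();   // contains id_token / access_token
            }
        }
    }
}
```

The returned id_token still has to be validated (signature against the IdP's published keys, issuer, audience, expiry) before its claims are used to identify the user; a JWT library does that, and the same library can also add a `nonce` to the request and check it in the token.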
I'm building a Windows service using C# that syncs AD users with a table in a DB.
Usually, to access AD we need to use a username and password, and to avoid saving this sensitive data, is there a way that I can validate the user and password once and then the service will be granted access to AD permanently, so it does its job with no need to re-enter the username and password again?
I have a windows forms project that uses PrincipalContext.ValidateCredentials Method
Everything works fine, but...
First, a user logs in to the Windows environment using his/her Windows username and password. Then, this user logs in to my app using his/her Windows username and password. This is duplicate work, isn't it?
My goal is to create something like SSMS's windows authentication (if you connect to DB selecting windows authentication it doesn't ask for your windows password because you are already logged in). So I want to get currently logged-in user's username and something like (Hash, GUID, SID etc.) and use that info to authenticate user.
Is there any way to achieve this?
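The SSMS-style check asked for here, and the SID-to-app-user mapping proposed in the first question on this page, as an added example (not the askers' code): the SID of the interactive user is read from the process token with WindowsIdentity.GetCurrent(), matched against the application's own user table (a constructed in-memory dictionary here), and then re-checked against the domain so that a disabled or deleted AD account is refused even though its logon session still exists. The domain bind uses a credential-less PrincipalContext, which authenticates as the running process; that is also the usual way for the AD-sync service asked about above to avoid storing a username and password. The table and the `requireDomainCheck` switch are assumptions of the example.

```csharp
// Added example: Windows SSO by SID lookup plus a live account check against AD.
using System;
using System.Collections.Generic;
using System.DirectoryServices.AccountManagement;
using System.Security.Principal;

public sealed class AppUser
{
    public string Sid;    // SDDL form, e.g. S-1-5-21-...-1001
    public string Role;
}

public static class WindowsSso
{
    // Constructed sample table keyed by SID rather than username: usernames can be
    // renamed, a SID stays stable for the life of the account.
    static readonly Dictionary<string, AppUser> Users = new Dictionary<string, AppUser>();

    public static void Enroll(SecurityIdentifier sid, string role) =>
        Users[sid.Value] = new AppUser { Sid = sid.Value, Role = role };

    // Returns the matched app user, or null when the app must fall back to a password prompt.
    public static AppUser TryWindowsLogin(bool requireDomainCheck = true)
    {
        using (WindowsIdentity id = WindowsIdentity.GetCurrent())
        {
            // SSO only rides on a real interactive logon of the process owner:
            // refuse anonymous, guest and SYSTEM identities outright.
            if (!id.IsAuthenticated || id.IsAnonymous || id.IsGuest || id.IsSystem || id.User == null)
                return null;

            if (!Users.TryGetValue(id.User.Value, out AppUser user)) return null;

            // A mapped SID by itself does not prove the account is still valid: a logon
            // session keeps its token after the account is disabled in AD. Ask the domain,
            // binding as the current process (no stored credentials), and deny if the
            // account is missing or disabled. Skip on non-domain machines.
            if (requireDomainCheck && id.User.IsAccountSid())
            {
                using (var ctx = new PrincipalContext(ContextType.Domain))
                using (UserPrincipal up = UserPrincipal.FindByIdentity(ctx, IdentityType.Sid, id.User.Value))
                {
                    if (up == null || up.Enabled == false) return null;
                }
            }
            return user;
        }
    }

    static void Main()
    {
        // Demo: enrol the current user, then take the SSO path.
        using (var me = WindowsIdentity.GetCurrent()) Enroll(me.User, "admin");
        AppUser u = TryWindowsLogin(requireDomainCheck: false);   // true on a domain-joined machine
        Console.WriteLine(u == null ? "fall back to password login" : $"SSO as {u.Sid} ({u.Role})");
    }
}
```

What this proves is only that the process is running under a Windows logon whose SID the app recognises; it inherits whatever trust the workstation's logon already established, so the app's own user table should be writable only by administrators, and the enrolment step (Enroll) belongs behind the existing password login or an admin screen.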
How is the process of authentication different from authorization? In my WinForms application with C# and MySQL I have a login page for validating a user; it then shows the admin page if the user is an admin and the user home if he is not an admin. Actually, what are we doing through the process of login? Is it authorizing or authenticating a user?
Authentication: The process of a user authenticating (logging in) themselves to a system to use the features provided.
Authorization: Being authorized to, for instance, see a specific page of your application.
Quick example: If a user logs in to your system and they are authenticated as a user with user permissions, you will not allow them to see your admin pages, since the user does not have the same authorization as an Admin in your application.
In your scenario, when the user logs in, it is the process of authentication.
In short:
When you try to log in, that is Authentication (verifying the user by their identity, e.g. login credentials).
After a successful login the user has some authority (e.g. an admin can change everything, while a user can only view, or add or edit some things depending on their access); this is called Authorization.
The first process, validating a user, is called authentication: we check whether a user with the given user ID and password exists in our database.
The second process, in which, based on the type of user or the user's level in the hierarchy, we disable or enable some pages and/or redirect to the admin home or user home, is called authorization.
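The two steps the three answers describe, kept apart in code, as an added example (not from any of the answers): Authenticate() establishes who the caller is by checking the password against a stored PBKDF2 hash (never a plaintext password, which is the one thing the asker's MySQL-backed login page must get right), and Authorize() decides what that identity may open. The in-memory user store stands in for the database table and is constructed for the example.

```csharp
// Added example: authentication (who are you) and authorization (what may you do)
// as two separate functions over a constructed in-memory user store.
using System;
using System.Collections.Generic;
using System.Security.Cryptography;

public sealed class Account
{
    public string Username;
    public byte[] Salt;
    public byte[] Hash;      // PBKDF2-HMAC-SHA256, 32 bytes
    public string Role;      // "admin" or "user"
}

public sealed class Session
{
    public string Username;
    public string Role;
}

public static class LoginDemo
{
    const int Iterations = 100_000;
    static readonly Dictionary<string, Account> Store = new Dictionary<string, Account>();

    static byte[] Derive(string password, byte[] salt)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations, HashAlgorithmName.SHA256))
            return kdf.GetBytes(32);
    }

    // Compare every byte regardless of where the first mismatch is, so the
    // response time does not leak how much of the hash matched.
    static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    public static void Register(string user, string password, string role)
    {
        var salt = new byte[16];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(salt);
        Store[user] = new Account { Username = user, Salt = salt, Hash = Derive(password, salt), Role = role };
    }

    // Authentication: establishes identity. Returns null on failure without
    // revealing whether the username or the password was wrong.
    public static Session Authenticate(string user, string password)
    {
        if (!Store.TryGetValue(user, out Account acct)) return null;
        byte[] candidate = Derive(password, acct.Salt);
        if (!FixedTimeEquals(candidate, acct.Hash)) return null;
        return new Session { Username = acct.Username, Role = acct.Role };
    }

    // Authorization: a decision about an already-authenticated session, driven by
    // a page-to-roles table rather than by scattered if/else checks on the role name.
    static readonly Dictionary<string, string[]> PageRoles = new Dictionary<string, string[]>
    {
        ["AdminPage"] = new[] { "admin" },
        ["UserHome"]  = new[] { "admin", "user" },
    };

    public static bool Authorize(Session s, string page) =>
        s != null && PageRoles.TryGetValue(page, out var roles) && Array.IndexOf(roles, s.Role) >= 0;

    static void Main()
    {
        Register("alice", "correct horse battery staple", "admin");
        Register("bob", "hunter2", "user");

        Session bob = Authenticate("bob", "hunter2");            // authenticated as a plain user
        Console.WriteLine("bob -> AdminPage: " + Authorize(bob, "AdminPage"));  // authenticated, not authorized
        Console.WriteLine("bob -> UserHome:  " + Authorize(bob, "UserHome"));
        Console.WriteLine("wrong password:   " + (Authenticate("bob", "wrong") == null)); // authentication fails
    }
}
```

In the asker's WinForms app the login form would call Authenticate() and keep the returned Session; each form or menu item then calls Authorize() before showing itself, so adding a new page is a one-line change to PageRoles rather than a new branch in the login code.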