Google RPC authentication with trusted credentials - c#

There is an example in gRPC:
Channel channel = new Channel("127.0.0.1:30051", ChannelCredentials.Insecure);
It works. Now I would like to authenticate the user on the server, either using a login / password pair or using Windows trusted authentication.
The authentication documentation https://grpc.io/docs/guides/auth/ shows some examples:
either with some PEM certificate that has nothing to do with a Windows account,
or with a "trusted" authentication, but not in the sense that one Windows computer trusts the other Windows computer. The meaning is that the credentials are trusted by Google.
Is it possible to do Windows-trusted authentication between two Windows PCs using gRPC?

I believe client-side SSL is what you are looking for: https://grpc.io/docs/guides/auth/#using-client-side-ssltls
You want to authenticate both ends of the connection. This won't be a simple task, since you have to manage and update certificates in clusters.
If what you are looking for is Windows account specific integration, I don't think gRPC is providing one today. You may post a feature request to https://github.com/grpc/grpc/issues.
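Mutual TLS with the Grpc.Core C# API the question uses, as an added example that is not from the original post or the gRPC project: the server requires a client certificate issued by a private CA, and an interceptor authorizes the verified peer identity. The directory layout and file names (ca.pem, client.pem, client.key, server.pem, server.key) are assumptions.

```csharp
using System.IO;
using System.Linq;
using System.Threading.Tasks;
using Grpc.Core;
using Grpc.Core.Interceptors;

public static class MutualTls
{
    // File names below are assumptions for this example.
    static string Pem(string dir, string name) => File.ReadAllText(Path.Combine(dir, name));

    // Client side: trust only our private CA (ca.pem) and present client.pem/client.key.
    // Use it in place of ChannelCredentials.Insecure: new Channel("host:port", ClientCreds(dir)).
    public static ChannelCredentials ClientCreds(string dir) =>
        new SslCredentials(Pem(dir, "ca.pem"),
            new KeyCertificatePair(Pem(dir, "client.pem"), Pem(dir, "client.key")));

    // Server side: present server.pem/server.key and REQUIRE a client certificate that
    // chains to ca.pem. Unauthenticated peers are refused during the TLS handshake,
    // before any RPC handler runs. Pass to new ServerPort(host, port, ServerCreds(dir)).
    public static ServerCredentials ServerCreds(string dir) =>
        new SslServerCredentials(
            new[] { new KeyCertificatePair(Pem(dir, "server.pem"), Pem(dir, "server.key")) },
            Pem(dir, "ca.pem"),
            SslClientCertificateRequestType.RequestAndRequireAndVerify);
}

// Authorization on top of the TLS authentication: map the verified peer identity
// (subject CN / SAN of the client certificate) to an allow-list. Register with
// serviceDefinition.Intercept(new PeerAllowList("client-a", "client-b")).
public class PeerAllowList : Interceptor
{
    readonly string[] allowed;
    public PeerAllowList(params string[] allowedIdentities) => allowed = allowedIdentities;

    public override Task<TResponse> UnaryServerHandler<TRequest, TResponse>(
        TRequest request, ServerCallContext context,
        UnaryServerMethod<TRequest, TResponse> continuation)
    {
        var auth = context.AuthContext;
        var identity = auth.IsPeerAuthenticated
            ? auth.PeerIdentity.Select(p => p.Value).FirstOrDefault() : null;
        if (identity == null || !allowed.Contains(identity))
            throw new RpcException(new Status(StatusCode.PermissionDenied,
                "client certificate identity not on the allow-list"));
        return continuation(request, context);
    }
}
```

This does not give Windows-account integration; the identity being authorized is whatever the private CA put in the client certificate, which is why certificate issuance and rotation become the operational cost the answer mentions.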

Related

Azure functions Authentication - possible without AD?

I'm working on securing some Azure Functions endpoints. I tried with Certificate, but I hit a few walls
In the FunctionsStartup (from which my startup derives) I could not find a way to connect my AddAuth and Auth methods/classes. (I tried to search and read more on this topic, but all the answers were either for Web API or for other types of authentication.)
I tried to at least check for the existence of a certificate, but that didn't work either. I tried to get the certificate from request-context-connection-ClientCertificate or to read it from the headers. It didn't work locally or on the deployed version. The certificates are always null.
I saw that there are some options to secure it with AD (also with Facebook, Google and so on), but first I'm curious whether someone has successfully implemented another auth method, more like in a classic Web API approach (JWT tokens, certificates, other similar stuff).
Access restrictions enable you to define a priority ordered allow/deny list that controls network access to your app. The list can include IP addresses or Azure Virtual Network subnets. When there are one or more entries, there is then an implicit "deny all" that exists at the end of the list.
Also you can request a client certificate when the client request is over TLS/SSL and validate the certificate. This mechanism is called TLS mutual authentication or client certificate authentication.
First, your App Service plan must be in the Basic, Standard, Premium, or Isolated tier.
Secondly, enable client certificates:
az webapp update --set clientCertEnabled=true --name <app_name> --resource-group <group_name>
Finally, access the client certificate. App Service injects an X-ARR-ClientCert request header containing the client certificate. Your app code is responsible for validating the client certificate.
For more details about how to configure TLS mutual authentication for Azure App Service, please refer to this article.
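Validating the X-ARR-ClientCert header inside an HTTP-triggered function, as an added example that is not from the original answer or Microsoft's documentation. It assumes an ASP.NET Core HttpRequest (the Functions v2+ HTTP trigger) and uses a constructed placeholder thumbprint list.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography.X509Certificates;
using Microsoft.AspNetCore.Http;

public static class ClientCertCheck
{
    // Thumbprints of client certificates we enrolled (constructed placeholder value).
    static readonly string[] AllowedThumbprints = { "PLACEHOLDER_THUMBPRINT_HEX" };

    // Returns the validated certificate, or null when the request must be rejected (401/403).
    // Only trust this header when the function is reached through App Service with
    // clientCertEnabled=true (the az webapp update step above); that is what populates it.
    public static X509Certificate2 FromRequest(HttpRequest req)
    {
        if (!req.Headers.TryGetValue("X-ARR-ClientCert", out var values))
            return null;
        return Validate(values.FirstOrDefault());
    }

    public static X509Certificate2 Validate(string base64)
    {
        if (string.IsNullOrWhiteSpace(base64)) return null;
        X509Certificate2 cert;
        try { cert = new X509Certificate2(Convert.FromBase64String(base64)); }
        catch (Exception) { return null; }  // malformed header: reject, do not throw 500

        // 1. Validity period (compare in UTC; NotBefore/NotAfter are local time).
        var now = DateTime.UtcNow;
        if (now < cert.NotBefore.ToUniversalTime() || now > cert.NotAfter.ToUniversalTime())
            return null;

        // 2. Chain to a trusted root with online revocation checking. For a private
        //    CA, add it to ChainPolicy.ExtraStore / CustomTrustStore instead of relying
        //    on the machine store of the Functions host.
        using (var chain = new X509Chain())
        {
            chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
            chain.ChainPolicy.RevocationFlag = X509RevocationFlag.ExcludeRoot;
            chain.ChainPolicy.VerificationFlags = X509VerificationFlags.NoFlag;
            if (!chain.Build(cert)) return null;
        }

        // 3. Identity: a valid chain alone is not authorization; only certificates
        //    we explicitly enrolled are accepted.
        return AllowedThumbprints.Contains(cert.Thumbprint, StringComparer.OrdinalIgnoreCase)
            ? cert : null;
    }
}
```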

Managing Active Directory securely from another computer

I have created an ASP.NET website that has to access Active Directory on another server and change users passwords. The problem is that I need to authenticate with existing AD account and I cannot send AD user's password in plaintext when communicating with the Active Directory server. How do I communicate with AD server from ASP.NET website, so that connection is secure? My AD server supports LDAP protocol, but I do not know how to enforce communication with LDAP via a secure channel.
ASP.NET Website --------------LDAP/another protocol (secure)------------> AD Server
Fairly simple, you need to do two things:
Configure your Active Directory instance to accept connections over LDAPS, or port 636. You'll need a certificate (it can be self-signed) to set that up.
Update your LDAP authorization code to use the new connection. This shouldn't be anything more than changing the server to "ldaps://{{IP OR DNS}}" and ensuring you're setting SessionOptions.SecureSocketLayer = true;
If you want to verify that it's working properly, Wireshark the traffic leaving your ASP.Net site that's going over port 636, and you should notice it's now heavily encrypted, and impossible to discern anything meaningful from.
I've done a ton of this stuff over the years, so I've had a few other questions surrounding this that should also help you out:
Set callback for System.DirectoryServices.DirectoryEntry to handle self-signed SSL certificate?
(This contains a full implementation of LDAPS)
Custom Multi-factor Active Directory Authentication
(This is a much more simple example, but would work perfectly fine for your purposes)
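The LDAPS connection the answer describes, as an added example with System.DirectoryServices.Protocols that is not from the original answer or the linked questions: the self-signed server certificate is pinned by thumbprint in the verification callback, and the bind and password reset travel inside the TLS tunnel. The server name, thumbprint, account names and DN are assumptions the caller supplies.

```csharp
using System;
using System.DirectoryServices.Protocols;
using System.Net;
using System.Security.Cryptography.X509Certificates;
using System.Text;

public static class SecureLdap
{
    // Opens an LDAPS (port 636) connection that accepts only the expected server
    // certificate. serviceUser/servicePassword are the AD account the website binds
    // with; with SecureSocketLayer the simple bind is encrypted, never sent in clear.
    public static LdapConnection Connect(string server, string expectedThumbprint,
                                         string serviceUser, string servicePassword)
    {
        var id = new LdapDirectoryIdentifier(server, 636,
            fullyQualifiedDnsHostName: true, connectionless: false);
        var conn = new LdapConnection(id)
        {
            AuthType = AuthType.Basic,
            Credential = new NetworkCredential(serviceUser, servicePassword)
        };
        conn.SessionOptions.ProtocolVersion = 3;
        conn.SessionOptions.SecureSocketLayer = true;
        // Self-signed or private-CA certificate: pin its thumbprint. Returning true
        // unconditionally here would accept any certificate, including an interposer's.
        conn.SessionOptions.VerifyServerCertificate = (c, cert) =>
            string.Equals(new X509Certificate2(cert).Thumbprint, expectedThumbprint,
                          StringComparison.OrdinalIgnoreCase);
        conn.Bind(); // throws LdapException if TLS or the bind fails
        return conn;
    }

    // Administrative reset: a single Replace of unicodePwd, which AD only accepts
    // over an encrypted connection. The value is the quoted password in UTF-16LE.
    public static void ResetPassword(LdapConnection conn, string userDn, string newPassword)
    {
        var encoded = Encoding.Unicode.GetBytes("\"" + newPassword + "\"");
        var mod = new DirectoryAttributeModification
        {
            Name = "unicodePwd",
            Operation = DirectoryAttributeOperation.Replace
        };
        mod.Add(encoded);
        conn.SendRequest(new ModifyRequest(userDn, mod)); // DirectoryOperationException on failure
    }
}
```

The service account only needs the "Reset password" permission on the target OU, so it does not have to be a Domain Admin for this to work.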

Windows WebHDFS Client to Cloudera Hadoop

We have a Windows application which is communicating fine via the WebHDFS Client (in the incubator phase) http://hadoopsdk.codeplex.com/wikipage?title=WebHDFS%20Client&referringTitle=Home
to a Cloudera Hadoop installation. The next phase is to establish Kerberos authentication via HTTP. I am having difficulty finding much on this topic between a Windows client and a Linux/Apache server.
Most of the examples I've seen are using cURL --negotiate as the mechanism:
http://hadoop.apache.org/docs/r1.0.4/webhdfs.html#Delegation+Token+Operations
Everything else I've found for .Net has been really low level
http://msdn.microsoft.com/en-us/library/ms995331.aspx
Is there anything out there that I can use or am I going to have to write custom code?
I found the solution to my problem: I misunderstood how Kerberos SPNEGO was implemented.
For those of you in the same predicament, I hope this helps. The authentication is done between the client (Windows machine) and the KDC (Linux) at the time of the user's logon to the client (for one configuration). After the ticket has been issued, WebHDFS communication can be established in a more secure manner. This quote is from the Cloudera team (who were extremely helpful, BTW).
"If the Cloudera cluster is kerberized then WebHDFS on the server side will accept SPNEGO Kerberos authentication. If the cluster is kerberized directly in the AD realm and if the end user has logged into the same AD domain, that should be enough if the Microsoft client supports it. Otherwise they either have to authenticate to the same Kerberos realm with a MIT Kerberos client and kinit, or a one-way trust should be set up between the cluster Kerberos realm and the AD realm where the end users are authenticating."

ADFS - Windows integrated OR Forms authentication

I'm configuring an ADFS server and am trying to achieve user-friendly sign-on for our relying party applications.
Currently there are two relevant options as far as I know:
Windows authentication: this works great as a single-sign-on provider, but provides a user-unfriendly pop-up if the user is not currently in the correct windows domain.
Forms Authentication: this will always ask for a login method regardless of where the user is coming from.
My question here is, is it possible to satisfy these requirements:
If the user is logged in with the windows account, provide SSO
Otherwise, display the forms login page and let the user enter his windows credentials.
Generically speaking, there is no programmatic way of detecting from a website whether the user is on the domain or not, because the moment your site is configured with Windows Auth (and Anonymous disabled), an NTLM challenge is sent to the browser and the credentials prompt pops up if you are not in the domain.
https://serverfault.com/questions/380302/can-i-detect-authenticated-domain-users-in-iis-asp-net-without-prompting-every
The way you achieve that is with DNS and that's what ADFS recommends by introducing the proxy role. You will have the internal DNS resolving login.yourcompany.com to the internal ADFS which has windows auth enabled and the external DNS resolving login.yourcompany.com to the proxy ADFS role which has forms auth enabled. So you need another server hosted on the DMZ so users outside the network/domain can reach it.
There is no way to do this with a single ADFS server unless you do some hack (i.e. not supported) having an artificial website on the same ADFS server bound to the external IP and that website has a redirect to "/adfs/ls/forms"
More info about the proxy and its setup:
http://blogs.technet.com/b/askds/archive/2012/01/05/understanding-the-ad-fs-2-0-proxy.aspx
Matias
You may find it interesting, directing to form authentication or integrated authentication based on the user-agent string informed by the browser: https://blogs.ncl.ac.uk/isg/?p=296

C#/C++ X509Certificate2.Verify fails OCSP when IE uses authenticating proxy

I am attempting to validate a certificate using X509Certificate2.Verify() (and/or its C++/CAPI equivalent).
The issue is that when Internet Explorer's connection settings specify a proxy which requires authentication, the OCSP check will always fail (the OS can't check that the certificate hasn't been revoked, since it doesn't have credentials to pass through the proxy.)
Microsoft has a KB similar to this, but doesn't really offer any sort of a fix.
http://support.microsoft.com/kb/915787
Even if I have the credentials (username and password), I am unable to pass them to the cryptography API (in either .NET or native).
Is there a solution which allows certificates to be validated even when there is a system default proxy which enforces authentication?
Thanks!
Edit:
Some indications from Microsoft that this is simply impossible:
"CryptoAPI also may not be able to authenticate to a proxy or to caching servers that require basic authentication to reach the HTTP URL that refers to the CRL distribution point."
http://technet.microsoft.com/en-us/library/bb457027.aspx#EFAA
"Authentication to proxy servers that do not use Windows Integrated Authentication in certain programs may be unsuccessful. This issue occurs because the Winhttp.dll process is designed for use by non-interactive services and does not prompt the user for network credentials."
http://support.microsoft.com/kb/887196
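What the application can still do on its side, as an added example that is not from the original question or the Microsoft articles: X509Certificate2.Verify() collapses everything into one bool, whereas X509Chain exposes the status flags, so an unreachable OCSP/CRL endpoint (the proxy case above) can be told apart from a genuinely revoked or untrusted certificate and handled by explicit policy.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography.X509Certificates;

public static class RevocationAwareVerify
{
    public enum Outcome { Valid, Revoked, RevocationUnavailable, OtherFailure }

    // Builds the chain with online revocation checking and classifies the result.
    // 'detail' carries the raw ChainStatus text for logging.
    public static Outcome Classify(X509Certificate2 cert, out string detail)
    {
        using (var chain = new X509Chain())
        {
            chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
            chain.ChainPolicy.RevocationFlag = X509RevocationFlag.ExcludeRoot;
            chain.ChainPolicy.UrlRetrievalTimeout = TimeSpan.FromSeconds(10);
            bool ok = chain.Build(cert);
            detail = string.Join("; ",
                chain.ChainStatus.Select(s => $"{s.Status}: {s.StatusInformation.Trim()}"));
            if (ok) return Outcome.Valid;

            var flags = chain.ChainStatus.Aggregate(X509ChainStatusFlags.NoError,
                                                    (acc, s) => acc | s.Status);
            // A positive revocation answer is a hard failure regardless of policy.
            if ((flags & X509ChainStatusFlags.Revoked) != 0)
                return Outcome.Revoked;

            // When the CRL/OCSP fetch fails (no proxy credentials), CryptoAPI reports
            // RevocationStatusUnknown together with OfflineRevocation and nothing else:
            // the chain itself is trusted, only freshness could not be confirmed.
            var other = flags & ~(X509ChainStatusFlags.RevocationStatusUnknown |
                                  X509ChainStatusFlags.OfflineRevocation);
            return other == X509ChainStatusFlags.NoError
                ? Outcome.RevocationUnavailable
                : Outcome.OtherFailure;
        }
    }

    // Policy hook: fail closed by default; a caller that has decided to tolerate an
    // unreachable revocation endpoint can pass allowUnavailable = true and log 'detail'.
    public static bool Accept(X509Certificate2 cert, bool allowUnavailable, out string detail)
    {
        var outcome = Classify(cert, out detail);
        return outcome == Outcome.Valid ||
               (allowUnavailable && outcome == Outcome.RevocationUnavailable);
    }
}
```

This does not make the OCSP request succeed through the proxy; it only lets the application see that revocation could not be checked and apply a deliberate fail-open or fail-closed decision instead of a silent false.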
