I've been tasked with setting up default admin credentials for a .NET desktop application. As of right now, the application uses Windows admin credentials to access the manager page and I would like to add a local default admin account.
I imagine the user will go through the following process:
(1) Clean install of application
(2) User launches application
(3) App is in "logged out" state
(4) User logs in as manager with the provided default credentials (provided in user guide)
(5) Once logged in for the first time, prompt user to update local default credentials to a more secure password
After doing some research on Google and Stack Overflow, I read that I definitely should not hard-code the user credentials in the source code. I'm thinking of storing the default username/password in the app.config file. Then, in the manager page, the user can update the current username/password to something more secure. There will only be ONE local admin account, so the username/password from the app.config file will need to be updated?
In other words, the default user credentials will be stored in app.config, then modified whenever the user updates the local credentials. Does this approach work for the situation I described above? If not, I would appreciate any ideas. I've looked into DPAPI as well but would prefer a simpler approach.
If you don't want to use Active Directory, AzMan or other popular solutions, you can store credentials in multiple ways:
In a binary file with your own encoding scheme.
In an embedded database such as SQLite.
In the Windows registry.
Storing sensitive data in app.config is a bad way to do it.
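The flow the question lays out (seed a documented default on a clean install, log in, force a change on first login) does not need the password to be stored anywhere, which sidesteps the app.config problem the answer points at. The following is an added example, not code from the question or the answer: a single local manager account kept as a salted PBKDF2 hash in a small text file, with a flag that drives the first-login change prompt. File name, default credential and iteration count are placeholders; the HashAlgorithmName overload of Rfc2898DeriveBytes needs .NET Framework 4.7.2+ or .NET Core.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;

// Example added for the question above; not the asker's or answerer's code.
public sealed class LocalAdmin
{
    public string Username;
    public byte[] Salt;
    public byte[] Hash;
    public int Iterations;
    public bool MustChange;   // true until the default password has been replaced
}

public static class LocalAdminStore
{
    const int SaltBytes = 16, HashBytes = 32, DefaultIterations = 100000;

    static byte[] Derive(string password, byte[] salt, int iterations)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, iterations, HashAlgorithmName.SHA256))
            return kdf.GetBytes(HashBytes);
    }

    static LocalAdmin Create(string username, string password, bool mustChange)
    {
        var salt = new byte[SaltBytes];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(salt);
        return new LocalAdmin
        {
            Username = username, Salt = salt, Iterations = DefaultIterations,
            Hash = Derive(password, salt, DefaultIterations), MustChange = mustChange
        };
    }

    // Steps (1)-(3): on a clean install no record exists, so seed the default from the
    // user guide with MustChange = true; on later starts, load whatever is on disk.
    public static LocalAdmin LoadOrSeed(string path, string defaultUser, string defaultPassword)
    {
        if (!File.Exists(path))
        {
            var seeded = Create(defaultUser, defaultPassword, mustChange: true);
            Save(path, seeded);
            return seeded;
        }
        string[] f = File.ReadAllLines(path);
        return new LocalAdmin
        {
            Username = f[0], Salt = Convert.FromBase64String(f[1]),
            Hash = Convert.FromBase64String(f[2]), Iterations = int.Parse(f[3]),
            MustChange = bool.Parse(f[4])
        };
    }

    public static void Save(string path, LocalAdmin a)
    {
        File.WriteAllLines(path, new[]
        {
            a.Username, Convert.ToBase64String(a.Salt), Convert.ToBase64String(a.Hash),
            a.Iterations.ToString(), a.MustChange.ToString()
        });
    }

    // Step (4): verify a login. Constant-time comparison, so a wrong guess does not
    // reveal how many bytes of the hash matched.
    public static bool Verify(LocalAdmin a, string username, string password)
    {
        if (!string.Equals(a.Username, username, StringComparison.Ordinal)) return false;
        byte[] candidate = Derive(password, a.Salt, a.Iterations);
        int diff = candidate.Length ^ a.Hash.Length;
        for (int i = 0; i < candidate.Length && i < a.Hash.Length; i++) diff |= candidate[i] ^ a.Hash[i];
        return diff == 0;
    }

    // Step (5): called by the manager page after the first login and on any later
    // change; a fresh salt is generated each time.
    public static LocalAdmin ChangePassword(string path, LocalAdmin a, string newPassword)
    {
        var updated = Create(a.Username, newPassword, mustChange: false);
        Save(path, updated);
        return updated;
    }
}

public static class LoginDemo
{
    public static void Main()
    {
        const string path = "manager.cred";   // restrict this file's ACL to the app's account
        var admin = LocalAdminStore.LoadOrSeed(path, "manager", "ChangeMe-On-First-Login");

        Console.Write("Username: "); string u = Console.ReadLine();
        Console.Write("Password: "); string p = Console.ReadLine();   // echoes; fine for a demo
        if (!LocalAdminStore.Verify(admin, u, p)) { Console.WriteLine("Login failed."); return; }

        if (admin.MustChange)
        {
            Console.Write("Default credentials in use; enter a new password: ");
            admin = LocalAdminStore.ChangePassword(path, admin, Console.ReadLine());
        }
        Console.WriteLine("Manager page unlocked for " + admin.Username);
    }
}
```

The default password still appears in the user guide, so treat it as public: the only thing that makes the account safe is that the first login cannot proceed to the manager page without replacing it. The file holds a hash, so reading it does not yield the password, but an attacker who can write it can reset the account; keep the file's ACL limited to the account the application runs under.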
Related
We have a machine that basically runs as a local system in kiosk mode by auto-logging in as a local machine user.
The user needs to launch a program that runs in a domain account. What we've done in the past is to encrypt the domain, user and password details in a file. Then decrypt them to launch the program (C# Process.Start). This program needs a domain account to use Windows authentication for accessing a SQLServer database.
However, this is a security hole: the decryption password is inside the launcher program, so someone could inspect the code and get access to a domain account.
Also, we cannot require the users to type in the account details, the users don't know these details, it's a one user for all type of account.
One thought is maybe there's a way to store an access token that I could use to launch the domain program. At least in that scenario the access token wouldn't have the clear text of the password. I looked at Windows Credential Manager but that seems mainly to be used for web sites and wants to store details as text.
Another option I'm investigating is a Windows service. The service would run in a third account and would hold the "secrets". However, I'm not sure how I would launch a process for the kiosk user and have it work properly with the user desktop / UI.
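For reference, this is what the "encrypt the details in a file, decrypt, then Process.Start" approach from the question looks like when the embedded decryption password is replaced by DPAPI in machine scope; it is an added example, not the poster's code. Paths, the entropy string and the domain program are placeholders. ProtectedData lives in System.Security.dll on .NET Framework and in the System.Security.Cryptography.ProtectedData package on .NET Core, and is Windows-only.

```csharp
using System;
using System.Diagnostics;
using System.IO;
using System.Security;
using System.Security.Cryptography;
using System.Text;

// Added example for the kiosk launcher scenario above; not the original poster's code.
public static class KioskLauncher
{
    // Optional entropy is mixed into the DPAPI key. It is still inside the binary, so
    // it only stops a caller who has not read the code; it is not a second secret.
    static readonly byte[] Entropy = Encoding.UTF8.GetBytes("kiosk-launcher-v1");

    // One-time setup, run by an administrator on the kiosk machine.
    public static void StoreCredential(string path, string domain, string user, string password)
    {
        byte[] plain = Encoding.UTF8.GetBytes(domain + "\n" + user + "\n" + password);
        byte[] blob = ProtectedData.Protect(plain, Entropy, DataProtectionScope.LocalMachine);
        Array.Clear(plain, 0, plain.Length);
        File.WriteAllBytes(path, blob);
    }

    // Run by the auto-logged-in kiosk user: decrypt and start the domain program.
    public static Process Launch(string path, string exePath)
    {
        byte[] plain = ProtectedData.Unprotect(File.ReadAllBytes(path), Entropy, DataProtectionScope.LocalMachine);
        string[] parts = Encoding.UTF8.GetString(plain).Split('\n');
        Array.Clear(plain, 0, plain.Length);
        if (parts.Length != 3) throw new InvalidDataException("credential file is malformed");

        // ProcessStartInfo only accepts the password as a SecureString; the decoded
        // string in parts[2] is still a managed string until it is collected.
        var secure = new SecureString();
        foreach (char c in parts[2]) secure.AppendChar(c);
        secure.MakeReadOnly();

        var psi = new ProcessStartInfo(exePath)
        {
            UseShellExecute = false,   // required when UserName/Password are set
            Domain = parts[0],
            UserName = parts[1],
            Password = secure,
            LoadUserProfile = true     // so the domain account's profile and HKCU exist
        };
        return Process.Start(psi);     // CreateProcessWithLogonW under the hood
    }
}
```

The caveat is the one the question already worries about, moved one step: with LocalMachine scope there is no key to find in the binary, but any process running on that kiosk under any account can call Unprotect on the blob, so the NTFS ACL on the credential file (kiosk account and administrators only) is the real access control. CurrentUser scope would tie the blob to the auto-logon account instead, which is tighter if only that account ever needs to launch the program.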
I am working in C# on a web application that requires a login username and password. This application is made to be compatible with Windows and is being written in VS 2013. In this company's network, all computers require user credentials, and in all cases the user's credentials for the app will be the same as their Windows logon credentials. Therefore we are trying to implement a system where, instead of signing onto Windows and then entering the same credentials again in the app, the app can access the Windows credentials that were given by the current user and attempt to sign in automatically with those. I know there is a way to do this using active directory with Azure, but for the time being we are trying to avoid using Azure. I have tried using WindowsIdentity.GetCurrent() and Environment.UserName so far, but both of those only supply the username, not the password, and we need the full credentials. It wouldn't shock me if this cannot be done in this way for security purposes, but if there is a way it would be incredibly helpful. Does anyone know of a way to access the current user's credentials? Thanks
You don't need Azure to accomplish this. Your application pool simply needs to have Windows Authentication enabled. You will not have access to the password, however.
After that, you will most likely need to write an HttpHandler which gets the HttpContext.Current.User.Identity value and checks it against a database or collection of authorized users. You don't need to "re-authenticate".
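An added example of the handler the answer describes (not the answerer's code): IIS, with Windows Authentication enabled and Anonymous Authentication disabled on the application, has already validated the caller, so the handler only decides whether that identity is allowed in. The user names and the group name are placeholders for the "database or collection of authorized users".

```csharp
using System;
using System.Collections.Generic;
using System.Security.Principal;
using System.Web;

// Added example for the answer above; not the answerer's code.
public class ManagerHandler : IHttpHandler
{
    // Stand-ins for the authorized-user store. Names arrive as DOMAIN\user.
    static readonly HashSet<string> AllowedUsers =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { @"CORP\alice", @"CORP\bob" };
    const string AllowedGroup = @"CORP\AppManagers";   // hypothetical AD group

    // HTTP status to send: 401 if IIS somehow let an anonymous request through
    // (fail closed), 403 if authenticated but not on the list, 200 otherwise.
    public static int Decide(IPrincipal user)
    {
        if (user == null || user.Identity == null || !user.Identity.IsAuthenticated) return 401;
        if (AllowedUsers.Contains(user.Identity.Name) || user.IsInRole(AllowedGroup)) return 200;
        return 403;
    }

    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        int status = Decide(context.User);
        context.Response.StatusCode = status;
        if (status != 200) return;

        context.Response.ContentType = "text/plain";
        // The identity is the one IIS negotiated; the password never reaches the app.
        context.Response.Write("Signed in as " + context.User.Identity.Name);
    }
}
```

Register it under system.webServer/handlers in web.config (for example path="manager.ashx", verb="*", type="ManagerHandler") and set authentication mode="Windows" in system.web. IsInRole on a WindowsPrincipal checks group membership in the caller's token, so group-based access needs no database at all.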
What is my purpose?
I would like to save user credentials at the first start of my application.
What is the starting situation?
At the first start I have a configuration dialog, which allows the support employee of my company to configure the application for the first time. In this dialog he can also set various credentials. I need these credentials for every user who starts the app (it is a network-based application).
Possible solutions?
I know there are 'user settings' in WPF. But these are not persistent. That means I lose the credentials if the application is closed and another user starts the app. But I need these credentials to be persistent, and for every user.
Of course, there are also 'application settings'. But I can't set these settings dynamically at the first start of my app. So I would need to set the credentials for every customer at development time and compile one executable per customer.
Furthermore, I could also save these credentials in a special database. But creating a database only for this purpose seems a little too heavy to me.
Would be really nice, if somebody could help me. :-)
You could store it in a local SQLite database. It takes just a few lines of code and one table, but either store hashes or make sure the credentials are encrypted.
Also, user settings are persisted, and as long as the other user is using his or her own Windows logon, their user settings will not overwrite the user settings of other users. However, these are stored in a plain-text config file, so if you are storing credentials you should at least encrypt the values...
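Here is what "one table, encrypted values" can look like, as an added example rather than the answerer's code. The password column is protected with DPAPI before it is written, and the scope is stored alongside it because it is the decision that matters for this question: CurrentUser ties the row to the Windows account that wrote it, LocalMachine lets every account on the machine read it (what "for every user" needs), at which point the database file's ACL becomes the real access control. It assumes the Microsoft.Data.Sqlite NuGet package and Windows (ProtectedData is Windows-only; on .NET Core it comes from the System.Security.Cryptography.ProtectedData package).

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
using Microsoft.Data.Sqlite;

// Added example for the SQLite answer above; not the answerer's code.
public static class CredentialStore
{
    public static void Save(string dbPath, string name, string username, string password,
                            DataProtectionScope scope)
    {
        byte[] secret = ProtectedData.Protect(Encoding.UTF8.GetBytes(password), null, scope);
        using (var conn = Open(dbPath))
        using (var cmd = conn.CreateCommand())
        {
            cmd.CommandText = "INSERT OR REPLACE INTO credentials (name, username, secret, scope) " +
                              "VALUES (@n, @u, @s, @sc)";
            cmd.Parameters.AddWithValue("@n", name);
            cmd.Parameters.AddWithValue("@u", username);
            cmd.Parameters.AddWithValue("@s", secret);
            cmd.Parameters.AddWithValue("@sc", (int)scope);
            cmd.ExecuteNonQuery();
        }
    }

    public static bool TryLoad(string dbPath, string name, out string username, out string password)
    {
        username = password = null;
        using (var conn = Open(dbPath))
        using (var cmd = conn.CreateCommand())
        {
            cmd.CommandText = "SELECT username, secret, scope FROM credentials WHERE name = @n";
            cmd.Parameters.AddWithValue("@n", name);
            using (var r = cmd.ExecuteReader())
            {
                if (!r.Read()) return false;
                username = r.GetString(0);
                byte[] secret = (byte[])r[1];
                var scope = (DataProtectionScope)r.GetInt32(2);
                try
                {
                    byte[] plain = ProtectedData.Unprotect(secret, null, scope);
                    password = Encoding.UTF8.GetString(plain);
                    Array.Clear(plain, 0, plain.Length);
                    return true;
                }
                catch (CryptographicException)
                {
                    // A CurrentUser row written by a different Windows account, or a
                    // blob that was tampered with: report "not available", not a crash.
                    return false;
                }
            }
        }
    }

    // Opens the database and creates the single table on first use.
    static SqliteConnection Open(string dbPath)
    {
        var conn = new SqliteConnection("Data Source=" + dbPath);
        conn.Open();
        using (var cmd = conn.CreateCommand())
        {
            cmd.CommandText = "CREATE TABLE IF NOT EXISTS credentials (" +
                              "name TEXT PRIMARY KEY, username TEXT NOT NULL, " +
                              "secret BLOB NOT NULL, scope INTEGER NOT NULL)";
            cmd.ExecuteNonQuery();
        }
        return conn;
    }
}
```

For the first-start dialog in the question, the support employee's process would call Save(..., DataProtectionScope.LocalMachine) once; every later user's process calls TryLoad. The CryptographicException branch is what a user hits if someone saved with CurrentUser scope by mistake, which is worth surfacing as a configuration error rather than a generic failure.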
Now my team is working on a project involving a Windows application (C#).
The application has an option for saving the username and password on the client machine for the currently logged-in user. The user can then start the application without entering a username and password. Please check the snapshot of my requirement.
Please suggest a good example or reference.
Screenshot: http://www.freeimagehosting.net/uploads/0ff58473e0.jpg
To persist user credentials easily and in a secure way you can write them to the application configuration file using the ConfigurationManager class, secure the password using the SecureString class and then encrypt it using tools in the Cryptography namespace.
Edit: This might help: Encrypting Passwords in a .NET app.config File
Here's a class you can download and possibly use. It uses the windows Credential API and provides a dialog, much like the credential dialog in windows, that allows you to save credentials.
It was a proof of concept I did, but it was never needed in a production application. So use at your own risk :)
If you're looking for a simple solution, saving the user name and password in user settings would work. However, this approach is not very secure at all because any other user with sufficient privileges on this machine could simply read the saved settings and steal your login details.
For an ASP.NET application, how can I prompt the user for their username / password when Integrated Windows Authentication is used? I would like to use C# in the code behind of the pages to do this.
I want some pages (e.g. http://intranet/admin/) to prompt for a password, while others automatically go through (via IWA/NTLM). I would then like it to remember that the user has logged in as they visit other pages in the folder / site and offer a logout link for when they are finished.
Edit:
What I want to do is send a 401 status and WWW-Authentication headers to the user, so they then log in using their Windows Credentials.
Basically, how Firefox / IE do it if the site isn't trusted.
Edit 2:
SharePoint does this kind of thing, where you automatically log in, but can log out and log in as someone else without needing to log out of Windows.
Edit 3:
An example (other than SharePoint): You are logged in as a standard (limited access) Windows / Active Directory user to a trusted site, which passes on your credentials. You then want to log into an admin part of the site with different credentials (but still Windows, not WebForms). The only other way of doing it is if you log off Windows, then log in again. Not practical if you have files open (that you may wish to access) or the administrator can't log in locally (Interactive Login Privilege disabled). Impersonation may be set, as the page allows access to applications the regular user account doesn't (e.g. databases, files, Active Directory admin).
Basically making a page within the site behave as though it is not part of the Trusted Sites zone.
Sounds like you need to use Impersonation. This allows you to "run as" another Windows user. See here: ASP.NET Impersonation
Here are a couple CodeProject examples:
Windows Impersonation using C#
User Impersonation in .NET
No separate code is needed for this.
When the user/client opens a particular page, e.g. http://intranet/admin/index.aspx, and you have configured that folder with Windows authentication, the browser will automatically ask for the username and password of the user/client.
So this is the configuration you have to do in IIS for the particular folder to which you would like to apply Integrated Windows Authentication.