I want to implement a .NET web site with AD authentication. If the site is accessed internally, it should automatically log in with the current user.
But if the site is accessed from outside the organization, it should redirect the user to a custom login form where the user can enter AD login details.
Can anyone guide me on how we can achieve this functionality and what configuration is required?
ASP.NET
IIS Configuration
Firewall (if required)
Any other configuration required.
Thanks in Advance
I believe you can do that by enabling Windows Authentication and dealing with 401 Not Authorized results by checking whether the user is authenticated (meaning he is a Windows user but is not authorized to access the resource) or not authenticated (meaning he is not a Windows user), in which case you can redirect him to the login page.
You have to take care of restrictions on Windows users and the things around that, but I believe it is possible to do, even though I am not a big fan of such an authentication solution.
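A constructed web.config (not from any of the posts here) for the mixed setup the question asks about, laid out as two paths instead of intercepting the 401 directly, because turning the first 401 into a redirect would cut off the browser's Negotiate/NTLM handshake for internal users. It assumes IIS 7+ in integrated mode, a Forms login controller at /Account/Login that validates external users against AD, and a handler at /WinLogin/ that internal users reach via a link on the login page or an address-range check in the login controller.

```xml
<?xml version="1.0"?>
<!-- Constructed example (not from the original posts). The two
     system.webServer/security/authentication sections are locked in
     applicationHost.config by default; unlock them with
     "appcmd unlock config" or set them per folder in IIS Manager. -->
<configuration>
  <system.web>
    <!-- Whole site: Forms authentication. External users get the custom
         login form, which the application validates against AD itself. -->
    <authentication mode="Forms">
      <forms loginUrl="~/Account/Login" timeout="30" requireSSL="true" />
    </authentication>
    <authorization>
      <!-- "?" is the anonymous user: no forms cookie -> sent to loginUrl. -->
      <deny users="?" />
    </authorization>
    <!-- Run as the application pool identity, not as the visiting user. -->
    <identity impersonate="false" />
  </system.web>

  <system.webServer>
    <security>
      <authentication>
        <!-- Root: anonymous on, so external browsers are never challenged
             for Windows credentials and see only the forms login page. -->
        <anonymousAuthentication enabled="true" />
        <windowsAuthentication enabled="false" />
      </authentication>
    </security>
  </system.webServer>

  <!-- /WinLogin/ is the only path that challenges for Windows credentials.
       Browsers in the Intranet zone answer silently with Kerberos/NTLM.
       The (assumed) handler there reads Request.LogonUserIdentity.Name,
       calls FormsAuthentication.SetAuthCookie(name, false) and redirects
       back to the page the user originally asked for. -->
  <location path="WinLogin">
    <system.web>
      <authorization>
        <!-- Override the root deny: no forms cookie exists yet here. -->
        <allow users="*" />
      </authorization>
    </system.web>
    <system.webServer>
      <security>
        <authentication>
          <anonymousAuthentication enabled="false" />
          <windowsAuthentication enabled="true" />
        </authentication>
      </security>
    </system.webServer>
  </location>
</configuration>
```

External clients hitting /WinLogin/ get a credential prompt they cannot satisfy unless they hold domain credentials, so the firewall-side question reduces to whether that path should be reachable from outside at all.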
Related
We have an ASP.NET/MVC website that's using FormsAuthentication. As is usual, when the user tries to access a page, and doesn't have a valid FormsAuthentication cookie, IIS redirects him to the login view. When the user does a HttpPost to the login controller, our controller action makes a call to our WebApi webservice, which validates username, password, and customerid against a Sql Server database. If the authentication passes, the controller action sets a FormsAuthentication cookie, and redirects to the page the user had asked for.
Now sales is making noises about "Single Sign-On", though I'm not clear exactly what they mean by that. From what I've read, in the Microsoft World this usually means accessing MS's Active Directory Federation Services.
At this point I have almost no idea how this would work, but before I dig into this too deeply, would it be possible to put the authentication code within the WebApi webservice, where we could choose to validate against the Sql Server database, or against whichever ADFS server was appropriate for the specified customer?
Our problem is that we have I don't know how many thousands of users, working for some hundreds of customers. Many customers will not have ADFS running, and those who do will each have their own ADFS server.
Most of what I see with respect to Single Sign-On seems to involve doing browser redirection to the ADFS server, then redirection back, and looks to be avoiding login at all, if you're already logged in. I don't think we can do that, in our case. We can't know which ADFS server to redirect to, until we hit the database.
So, the question - is it possible to do ADFS authentication entirely from C# code in our WebAPI web service?
(One possible complication - the website itself has zero access to any database. The sole configuration setting in its web.config is the base URL of the webservice. Whatever authentication happens has to happen in the webservice, not in the website.)
First of all, "Single Sign-On" (SSO) is not limited to ADFS. It simply means that you type your credentials only once, and then all systems you access automatically "recognize" you; all subsequent authorization requests are transparent. For instance, if you have several web sites using Windows Authentication in your company Intranet (same AD domain), you have SSO: you authenticate once when you log in to your computer, and then your web browser authenticates automatically to these web sites using NTLM or Kerberos. No ADFS in this case.
What ADFS (and "Federation" more generally) allows is SSO across security boundaries. In the Windows world, a security zone is typically created by an Active Directory forest; everything within this forest is accessible using SSO provided by Windows authentication. But as soon as you leave this zone (SaaS application, web site in another company's network), you need another authentication protocol to perform SSO, and these protocols are implemented in ADFS.
Then about your particular problem:
What you could do is, instead of using FormsAuth, use AdfsAuth. When an unknown user accesses a page, he would be redirected to ADFS for authentication (using browser redirects, as you correctly mention). To know which ADFS server should authenticate your user, you indeed need a way to differentiate them: a list of IP ranges per customer? A different URL per customer? If you don't have something like this, then the only way is to show them a list of choices such as: "I work for CompanyA", "I work for CompanyB", "I work for CompanyC", "I don't work for any of these companies and want to authenticate using FormsAuth."
In this case, what your WebApi web service has to do is: if I know which ADFS server to use, redirect the user there. Otherwise authenticate the user as usual using the database.
When you use AdfsAuth for a customer, your database is useless. You can delete all credentials related to this customer.
do ADFS authentication entirely from C# code in our WebAPI
Well, it's possible to "re-implement" ADFS in your service, but you won't get SSO if you do that. When you use federation, you redirect the user to the ADFS server of his company. This ADFS server is in the same domain as his computer, so the user gets SSO there. Once again, your users can't get SSO if you authenticate them yourself, because your users are not in the same security zone as your site.
When authenticating to multiple identity providers, it is typical to redirect to your own STS. So, in this case, you would have www.yourapp.com redirecting to sts.yourapp.com, which redirects to sts.somecustomer.com.
The specific tools to enable such a dataflow are the home realm parameter (whr) and the AD FS PowerShell API (to allow IDP maintenance).
Your RP-STS acts as the trust-point for the app, and manages selection of the appropriate IDP. One RP-STS, many IP-STS's. Each of your Customer's IP-STS gets set up as a Claims Provider Trust in AD FS.
As always, Vittorio has already covered the subject better than I could.
I'm developing an MVC application that will require a user to be authenticated against an AD. How do I create a login page in MVC for an Intranet Application that automatically authenticates a user against an AD?
Why don't you use the Intranet Template provided by Microsoft Visual Studio, which does exactly what you want out of the box?
Your requirement is a paradox. Why do you want a login page that logs a user in automatically? Being logged in automatically by visiting the (main) site does not require the visitor to do anything at all, because he is already authenticated by having entered his credentials at the Windows logon.
More information: http://msdn.microsoft.com/en-us/library/gg703322(v=vs.98).aspx
You can use the built-in Windows authentication feature. The example is here.
If you need mixed authentication, for example if you want users to be able to access the site from outside using their AD credentials, it will involve either two applications or two different pages for the authentication types. Find the example here.
I'm not entirely sure if you actually want a login page that automatically authenticates a user that visits the main site. Maybe your wording is a bit confusing there.
I'll assume you want your Web-App to be able to authenticate users against AD after having to log in with intranet credentials. If that's the case, you might want to have a look at this article detailing how to set that up using IIS and an ASP.NET app.
If not, please disregard this answer.
I have a deployed application that is using the Active Directory Membership Provider in order to authenticate users to our domain on an extranet. The application is using the .NET 3.5 framework. If you run the application locally it goes straight to the login page. But if you run the application from its deployed location on the server it first prompts with a Windows Security login prompt and after logging in, you are taken to the login page where you must login again. Why is this?
Your web application seems to be configured to use Active Directory Authentication (and doesn't allow anonymous access). Your users internally are already logged on to the domain and so IIS simply lets them past.
Your login.aspx page is protected by IIS so that you must be a member of the domain in order to even see the login.aspx page. This is a configuration issue in IIS and has very little to do with asp.net or C#.
If you are using forms authentication, you should be able to allow anonymous authentication in IIS and handle authentication using Forms only. However, this entirely depends on the web app and enabling anonymous access may inadvertently expose information you didn't intend to be publicly accessible.
Without knowing more about your application it's difficult to offer any more advice. Good luck.
I'm trying to achieve the simplest functionality related to windows authentication in DotNetNuke. What I need is just the user to be authenticated using windows authentication when accessing DNN site (no need for user to be logged in within DNN) and read his username (HttpContext.User.Identity.Name).
How can I achieve this as simple as possible?
Is it possible without using any 3rd party authentication providers e.g. DNN Auth: Active Directory?
If you need the user to be in the domain to get to the site, but don't want them in the actual DNN site as a user, simply deny "anonymous" access to the website and require windows authentication. IIS will handle this for you.
This is all configured in IIS under the Authorization option.
I bet I know what your problem is...
Try this: create a new user in DNN whose username is: DOMAIN\username
Where DOMAIN\username matches that of a Windows User on that machine. As Mitchel pointed out, deny Anonymous and enable Windows auth for the DNN site in question in IIS.
For fun, do cmd iisreset, restart your browser and hit your DNN site.
When prompted, use DOMAIN\username and the Windows user's password, NOT the password you assigned that user in DNN.
We are building an intranet for a client, the client doesn't want the users to log on, as they have already logged onto the domain (Active Directory)
But they do want to know the AD username of each user so that if they post on the blog, their identity can be recorded.
Our thinking so far has been, that our web.config file should say:
<identity impersonate="false" />
so that each user browses the intranet site as themselves and not the App Pool user configured in IIS.
Would this be the right way to go about it?
If so, what IIS authentication should we be using? NOTE: we are not authenticating the user, so we don't want the logon prompt, all users will already have logged onto the domain, we just want to see their username.
Is this even possible? And are we on the right track?
In C#, we can retrieve the username like this:
System.Web.HttpContext.Current.Request.LogonUserIdentity.Name.ToString()
but we just can't find an IIS authentication setting that will not prompt a domain/network login.
You need to turn on Windows authentication. After you have done that, the identity token will be passed to the server, as I remember, and you can manage the authentication with that.
Also note that only Chrome and IE support this fully; Firefox will at least ask you to press an OK button before authenticating the user.
Another thing to note is to set the trust levels correctly in the browser, or it won't do the automatic authentication.
You already know how to get the LogonUserIdentity and set up IIS correctly. What is lacking is to get the browser to automatically authenticate with the AD account of the user. To enable that you have to configure the browser to do so, which I think only is enabled for Intranet zone sites by default.