I have a very strange requirement and I want to know how
feasible its.
A customer wants a web application, but in it, they want the administrator to be able of:
Create users in Active Directory
2. Be able to change users password or generate random ones and then it must be changed on AD
3. Be able to change minimum login length and maximum login length for new users in AD.
4. Be able to change password complexity in case users change their password, then the web app should show an error message.
Update 1. More questions About Nr 3. Users want to be able to define if login length is between 5 and 10 characters from the web application, is there an API for this on AD?, I am not an AD expert so I dont even know if AD has the option to configure the username length.
More questions
5. Can I with AD API, view and audit log?, when were users authenticated, was login succesfull or failed?
6. Configure the number of attempts before the account is locked? and alert and administrator when an account is locked due to # of failed attempts.
7. This one is like a stupid question, can I make a functionality for users to recover their passwords via email? (literally they asked me that), but if the account is locked they wont be able to access their email either, lol
8. Configure via API when the user must change password or when it expirtes
9.
Completely feasible
Completely feasible
Not sure what this is - can you provide an example? Still don't understand.
You can enforce complexity on password change programmatically. If you want to dynamically change the password policy, this is also possible.
You would need to consume the event log on each domain controller. You could look at something like Windows Event Forwarding to aggregate the data in one place.
Configure, yes you can do this programmatically. Alert, you'd need to build a trigger on the appropriate event ID.
Passwords are stored in an irreversible (and inaccessible) manner in AD.
Yes you can configure when they need to change it, but, you can't alter the expiration date.
Related
I've read some related questions, but they are not 100% related, as the requirements vary a bit.
I have a .NET5 web application, some kind of custom CRM for the company I work in.
We have multiple users (employees, my colleagues), which can create quotations, etc.
Also, they can send these quotations to customers. Every user has its email account name attached to it.
The current way this application works is that I've created and enabled Gmail API for each email account, and authorized it, by myself, manually.
The problem is that every time we need to add a new user (new employee for instance) - I need to enable Gmail API of his email account (company's one, but it doesn't matter), add the credential file and token manually to the server, authenticate it, and only then - the application can use the email.
I know that there are many sites (like Monday, etc) - that have automations and integrations with Gmail, and any time I want some integration - I get notified with the OAuth screen, and approve it. I want the same thing in my application.
I understand that I have to create some kind on "Gmail global credential", which will be "added" with account tokens or something like that (every app user will oauth and allow access)?
Just can't find the correct documentation for it.
My backend is written in Blazor Server, .NET5.
I would appreciate if one could explain the main stages of this procedure.
Thanks!
I have a web app and I can login as admin or customer in it. Admin has access to all pages, customer has access to certain pages only.
When customer logs in, the required pages, say 3 pages are shown, after he logs out and the admin loges in, still only those 3 pages are shown. Although, After manual refresh, I'm able to see all the required admin pages.
How do I refresh automatically when user logs out? I'm using Angular 10 framework.
Since you're question is pretty generic, it is hard to get into specifics.
You must have some login code, so presumably you are loading a users permissions from some system and storing those permissions as part of the app--presumably as a cookie?
You can protect routes using auth guards. We primarily use canActivate guards.
You can hide elements on a page--such as screen navigation links--with an *ngIf. We created our own structural directive to accept in a list of allowed user permissions, and the current user's permissions and use that to determine if certain dom elements should be created or not.
I'm not sure about C#, but in Java we created a Spring Annotation to validate user permissions when a user tries to access a REST Endpoint. I suspect something similar must exist in the .NET world.
Conceptually it is not much different than our Angular custom structural directive; comparing allowed permissions to perform the action with user permissions, and then either allowing or denying the action.
It sounds like your users are getting elevated permissions by reloading the app; so I suspect there are some underlying security issues with your full implementation, but without a code review cannot begin to speculate what that is.
I have an app where users are not self-registered, i.e. another user adds them to the system, and they are emailed with their login details. What's the best way to handle this in terms of creating the user and handling the password?
It's the sort of thing where a user is invited in to the system by someone else, answers a questionnaire, then doesn't need to log in again until some point in the future where they might be invited again by someone different, so ideally they will need to be reminded of their login details in the email rather than having to reset their password every time. Obviously in an ideal world people would just remember their passwords but the situation it's used in and the infrequency of access means that people simply don't remember, and the process needs to be as hassle-free as possible to ensure user participation.
The old version of the site used Webforms and ASP.Net Membership with encrypted passwords, which could be retrieved and sent to the user each time they are invited. What is the best practise for Identity, where the user does not supply their own password? Are there other options for logging in users such as:
A unique-link provided in the email which authenticates the user?
A separately encrypted 'passcode' field stored in the AspNetUsers
table which can be decrypted and sent each email?
It's worth pointing out that users with admin-level access to the site would still have the usual secure Identity user/pass setup, my problem is just with the lower level users.
I would forget completely about passwords in this case. ASP.NET Identity provides you with one-time codes that you can use for this.
This tutorial shows you in the section "Set up email confirmation" how to send one-time codes through mail (these are generated by ASP.NET Identity itself):
string html = "Please confirm your account by clicking this link: link<br/>";
You can easily modify that as well as the behavior when the user clicks that link to match what you want to do here.
I need an advise. I'm building a Web API for my app and I need to auth users who use it. The user will have access to his data, but may have access to others users data as well. In my database I manage the users and what other users they have access to (you might think of it like in Facebook where a user has access to his profile and his friends profiles, but not to other people profiles).
In my app, the user enters a username and password, and those are saved encrypted on the devise. They are later sent (via SSL) to the API on each call - what I've done is implement a Basic Authentication. If there is a better "best practice" to work please feel free to suggest - I'm new to this.
So far it works - but the problem is that working like this
the user once authenticated also has access to other profiles - what I would like to do is have him only get the profile (http://myaddress.com/Users/{id}) that belongs to him and the items that he owns (http://myaddress.com/Users/{id}/items) - and not for profiles and items by other users.
If the user is trying to access a profile or items of another user that he is connected to - allow that access.
What I thought about is passing the requested URI to my login method, and then check what user / resource the user is trying to access and than check the database - but that seems like a lot of work and a lot of IF statements.
So before I start writing, I thought I'd ask to see if there's a better way to do this. I have the HttpActionContext, I just don't know how to use it to my advantage.
Hope I was clear about my question. If not, feel free to ask for clarifications.
So you identify the user from his/her credentials that are sent on every API request. Could be switched some token based flow, that user authenticates just once and gets token(acts like user credentials) which is then sent to back-end API on every resource request. Then you can control the token, revoke access etc. What you could is make some kind of permission service, that all resources/objects have permissions attached to it and then just assign needed persmission to users read/write to this object maybe. Might be a massive task to implement. My opinions.
I've got an ASP.NET site. I want to forbid user to log in with the same login from two computers. If someone is logged in and somebody else wants to log in with the same login it should show him a message that this user is already logged in. I don't have any Forms Authentication or something like that. On button "LOG IN" I just connect to the database and check if user and password are valid.
I thought that when user is logged in, I would update his status in database and when somebody else will try to log in, I will check in database if this user is already logged, but it isn't good idea, because when user doesn't click button "LOG OUT", it will not update his status in database that he's inactive.
Is there any other way to do this without Forms Authentication and something like that?
There is no perfect solution
You can't reliably solve this problem, but you can come close. There will be edge cases where a legitimate user will be frustrated by this restriction.
What you can do
The ASP.Net membership provider keeps track of the last time that a given user was seen, meaning the last time they were logged in and accessed a page. You can follow a similar strategy, also noting the IP address of the user and perhaps the user agent of the browser.
If you see two different IP addresses and/or user agents for the same login credentials within a short window (say, 20 minutes) you can assume they are most likely from different devices.
Be aware
As I said, there are edge cases where you will be wrong. For example, someone on a mobile device will frequently get a new IP address.
Honestly, it would be easier to let Microsoft take care of the details with the forms authentication but here is how I would do it if I was "challenged" to not use forms authentication. (There are other ways, this is just one that I like).
On log in I would create session cookie for the user (say 10 mins), this cookie would contain an id to a table where I would store their userid, the login time, and the ip they referenced from. I would include this information in the cookie too (with a simple encryption), on every page load I would update the cookie to last an additional 10 mins and check the credentials against the database. This means the session would time out if the user did not access the web site every ten mins. This would also allow you to know when the user was logging in from another location.
Side note: Almost all of the above is taken care of for you if you use a custom authentication for windows forms. Using the windows forms authentication means you don't have to worry about the time out and cookie management.
You could have the user last_activity_time file in your database which is updated whenever a logged in user access any of your page. You can now have a window e.g. 30 mins (a period of time when it is valid that the user is logged) comparing the last_activity_time with the current time, if the time difference if greater than the required window (30 mins), you consider the user is inactive