I have a web application which is largely a content system - that is, it displays help for another system. It doesn't matter who views it. However, there is a list of users I would like to display, and also provide a way to edit the list. On that one page I want to detect the user's Active Directory information, and if the user is in the list of users authorized to change the data, then display an edit icon button to provide a means of editing some element. I do not need nor want Windows Authentication determining whether the user can get to the page, only to discover the user's logon creds.
In short, I want this:
// Get the user's creds
// Is user a page editor?
if (IsPageEditor(UserCreds))
{
// put icon buttons for editing
}
else
{
// don't put icon button there
}
First of course is, getting the user credentials. I should add that this will all be on a private company intranet, and every user will be signed into the network.
I do not need nor want Windows Authentication determining whether the user can get to the page, only to discover the user's logon creds.
Why not? Windows Authentication is the obvious, secure way to discover the Windows identity of the connected user.
Any other mechanism is insecure, i.e. a user who is not authorized to edit could spoof an authorized user's identity. Using Windows Authentication doesn't preclude you from allowing any user to access the application.
My understanding of setting Windows Authentication ON is that it will challenge the user to give a user name and password before allowing them to view the page.
No, this isn't correct. If the server is in the same domain as the client, and the server is configured to allow all domain users to connect, there doesn't need to be a prompt to the end user.
Our trouble ticket system "knows" who we are when we access the page -- it must be getting this information from Active Directory, from the current logged in user.
Probably it is using Windows authentication. Try examining the HTTP flow between the browser and your trouble ticket system with a tool such as Fiddler: you'll probably see an authentication challenge/response.
To get the current logged in user you need to call WindowsIdentity.GetCurrent();
From there you can do a lot of things depending on your requirement: get the user's groups, get OU information, etc. For a full AD wrapper, I have a full article here:
http://macaalay.com/2010/06/28/active-directory-c/
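Putting the two answers above together, here is an added example (not code from either answer or from the linked article) of the check the question asked for. It assumes an ASP.NET Web Forms page hosted in IIS with both Anonymous and Windows Authentication enabled (and `<authentication mode="Windows" />` in web.config), an `ImageButton` with ID `EditButton` declared in the .aspx markup, and an AD group `CONTOSO\HelpSiteEditors`; the group name and control ID are placeholders.

```csharp
// Added example, not from the original posts. Assumes an ASP.NET Web Forms
// page under IIS with Anonymous + Windows Authentication both enabled, an
// ImageButton named EditButton in the markup, and a placeholder AD group.
using System;
using System.Security.Principal;
using System.Web;
using System.Web.UI;

public partial class HelpPage : Page
{
    // Placeholder group name; substitute the real AD group of authorized editors.
    private const string EditorGroup = @"CONTOSO\HelpSiteEditors";

    protected void Page_Load(object sender, EventArgs e)
    {
        // Windows Authentication (Negotiate/NTLM) fills HttpContext.User with the
        // browser user. Inside an ASP.NET request, WindowsIdentity.GetCurrent()
        // returns the worker-process identity unless impersonation is enabled,
        // so read the request principal rather than the thread identity.
        var principal = Context.User as WindowsPrincipal;
        EditButton.Visible = IsPageEditor(principal);
    }

    public static bool IsPageEditor(WindowsPrincipal principal)
    {
        // Anonymous visitors (no negotiated identity) never see the button.
        if (principal == null || !principal.Identity.IsAuthenticated)
            return false;

        // IsInRole on a WindowsPrincipal consults the group SIDs in the logon
        // token, so nothing the client sends in a header can fake membership.
        return principal.IsInRole(EditorGroup);
    }

    protected void EditButton_Click(object sender, EventArgs e)
    {
        // Hiding the button only shapes the UI; re-check on every write so a
        // crafted postback from an anonymous user is refused server-side.
        if (!IsPageEditor(Context.User as WindowsPrincipal))
            throw new HttpException(403, "Not an editor");

        // ... perform the edit ...
    }
}
```

Because IIS still allows anonymous access, a browser that does not negotiate (or a user outside the domain) simply arrives as anonymous and gets the read-only view; no password prompt appears for domain-joined clients whose browser is allowed to send integrated credentials to the intranet zone.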
Related
I have a web app and I can login as admin or customer in it. Admin has access to all pages, customer has access to certain pages only.
When a customer logs in, the required pages, say 3 pages, are shown; after he logs out and the admin logs in, still only those 3 pages are shown, although after a manual refresh I'm able to see all the required admin pages.
How do I refresh automatically when user logs out? I'm using Angular 10 framework.
Since your question is pretty generic, it is hard to get into specifics.
You must have some login code, so presumably you are loading a user's permissions from some system and storing those permissions as part of the app--presumably as a cookie?
You can protect routes using auth guards. We primarily use canActivate guards.
You can hide elements on a page--such as screen navigation links--with an *ngIf. We created our own structural directive to accept a list of allowed user permissions and the current user's permissions, and use that to determine whether certain DOM elements should be created or not.
I'm not sure about C#, but in Java we created a Spring Annotation to validate user permissions when a user tries to access a REST Endpoint. I suspect something similar must exist in the .NET world.
Conceptually it is not much different than our Angular custom structural directive; comparing allowed permissions to perform the action with user permissions, and then either allowing or denying the action.
It sounds like your users are getting elevated permissions by reloading the app; so I suspect there are some underlying security issues with your full implementation, but without a code review cannot begin to speculate what that is.
I am using Office 365 credentials to log in to a Windows 10 machine. I have written a desktop WinForms application in C# where I just want to get the email address and AD groups assigned to that logged-in user.
I don't want to relaunch login from the desktop app. I just want to use the existing user info to get the email address and user groups. I am only able to get local groups assigned to that user but require AD groups too.
You must throw a login challenge from your desktop app at least once to get the auth token to be able to query the Graph API (details in the next para) and keep the token cache so that it does not prompt the user again next time onwards. There is no other way I am aware of. You need to create a native client app in AD (or if you want to reuse some existing one, that will do too) and grant the Graph API User.Read permission to it. Here is an end-to-end guide for that: https://learn.microsoft.com/en-us/azure/active-directory/develop/tutorial-v2-windows-desktop (well, the example is for WPF, but WinForms would be very similar except the XAML part). If you follow this example, the login screen which will show for the first time will automatically have the O365 Windows logged-in user populated (because of the .WithPrompt(Prompt.SelectAccount) part in the bootstrapping), if that gives a bit of relief to your app users.
Once you get the access token, you need to query Graph API for that. Here is the programmatic way (C# based on your tag in the question) to get the user details for a logged in user (me) and to get the user groups for the user (me).
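The silent-then-interactive flow and the two Graph calls described above, as an added example that is not the answer's own code or the linked tutorial's. It assumes the Microsoft.Identity.Client (MSAL) NuGet package, an app registration whose client ID replaces the placeholder, and that the registration has delegated User.Read granted (reading /me/memberOf additionally needs a group-read permission such as GroupMember.Read.All consented by an admin).

```csharp
// Added example, not from the original answer. Assumes Microsoft.Identity.Client
// (MSAL) is referenced, a placeholder client ID, and that User.Read is granted.
using System;
using System.Linq;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

public static class GraphUserInfo
{
    // Placeholder; replace with the client ID of your own app registration.
    private const string ClientId = "00000000-0000-0000-0000-000000000000";
    private static readonly string[] Scopes = { "User.Read" };

    private static readonly IPublicClientApplication App =
        PublicClientApplicationBuilder.Create(ClientId)
            .WithAuthority(AzureCloudInstance.AzurePublic, "organizations")
            .WithRedirectUri("http://localhost")
            .Build();

    // Try the token cache first; only show the account picker when MSAL says
    // user interaction is required (empty cache, revoked refresh token, new
    // consent needed). MSAL's default cache is in-memory, so to avoid one prompt
    // per process start, register App.UserTokenCache.SetBeforeAccess/SetAfterAccess
    // callbacks that persist the cache in a protected file (e.g. DPAPI-encrypted).
    public static async Task<string> GetAccessTokenAsync()
    {
        var accounts = await App.GetAccountsAsync();
        try
        {
            var silent = await App.AcquireTokenSilent(Scopes, accounts.FirstOrDefault())
                                  .ExecuteAsync();
            return silent.AccessToken;
        }
        catch (MsalUiRequiredException)
        {
            var interactive = await App.AcquireTokenInteractive(Scopes)
                                       .WithPrompt(Prompt.SelectAccount)
                                       .ExecuteAsync();
            return interactive.AccessToken;
        }
    }

    // Calls Graph with the bearer token and returns the raw JSON for the signed-in
    // user and for the groups (and directory roles) they are a member of.
    public static async Task<(string Me, string Groups)> GetMeAndGroupsAsync()
    {
        var token = await GetAccessTokenAsync();
        using (var http = new HttpClient())
        {
            http.DefaultRequestHeaders.Authorization =
                new AuthenticationHeaderValue("Bearer", token);

            var me = await http.GetStringAsync(
                "https://graph.microsoft.com/v1.0/me?$select=displayName,mail,userPrincipalName");
            var groups = await http.GetStringAsync(
                "https://graph.microsoft.com/v1.0/me/memberOf?$select=id,displayName");
            return (me, groups);
        }
    }
}
```

The access token is a bearer credential: keep it in memory, never log it, and let MSAL's cache (not your own settings file) be the only place it is stored on disk.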
I am developing a project for Google Apps for Education.
It is using domain wide delegation, to access user account's data across a domain.
This is done with the Google Service Accounts (https://developers.google.com/identity/protocols/OAuth2ServiceAccount)
But in order to log the user in and get his email, I use a normal OAuth login procedure. (https://developers.google.com/identity/protocols/OAuth2WebServer)
This does however result in a consent screen for the user, asking for his email and "Know who you are on Google".
Is there a way to log in the user and get an object from Google containing email etc., without showing this consent screen?
Thanks in advance
You should pass the domain in hd= parameter. Soon we are changing the "approval page" to a simple account selection page when only email scope is requested. So this experience will become what you would ideally want, just that user would need to confirm the account with one click (not an approval).
I have an MVC ASP .NET application that needs to verify whether the user that is logged in is currently an active user or not. The issue is that I don't have this info on my machine.
In order to check for the active/inactive bit, it seems that I have to go to an XML view, somewhere on the web, which also requires a login (from me).
Is it feasible to do the following in C#:
For each user logging in to my application:
Go to a specific URL
Login
Search the XML view to see if user is active
Return to my application with the result
Whitelisting the IP to skip Login wasn't an option according to IT.
I have a few websites which allow both anonymous and Windows auth users at the same time. Basically, if you hit the site with IE or WebKit-based browsers on a Windows system, the server instantly recognizes your Active Directory user and group.
In the past I've provided a link to a windows auth only page which allows the current user to login, or bounce back to where they started.
I find the management of this kind of frustrating as I need to make certain that IIS has the correct security settings for that single page after every deployment.
Is there a better way for me to allow a user to elevate from anon to authenticated?
There is no other way to do that elevation automatically. The server can't know that the current user is a Windows user and elevate them, or automatically redirect them to the Windows auth only page. On the other hand, if every user has to go through the Windows auth only page, all of those who are not inside the domain will see the challenge/response dialog box (user + password).
As for the management part of making sure that this special page has the correct security settings, you can (and should) automate the check somehow. For example, by querying the IIS metabase for that setting when the application starts (in Global.asax) and if the setting is not there, log it as an email message or so.
Personally I prefer a different attitude - a special "integration/deployment" page which contains a series of tests against my application so I can make sure everything's set up correctly on the server, i.e. NTFS write permissions to certain folders, availability of the SMTP server set in web.config to send emails through, etc.
Note: You're using Windows authentication along with anonymous access. Just keep in mind that if you consider implementing Forms Authentication in the future, a misarchitecture (I don't know if by design or due to a flaw) of IIS 7 does not allow you to set the app to be Forms Authentication and set one specific page to be Windows Authentication. The override just doesn't work and it's very frustrating.
Good luck!
OK, I figured out a fairly nice way to do this...however it's not as elegant as I had hoped since it doesn't work across applications.
Basically, if you create a single page within your Anon + Integrated Auth IIS6 website or virtual directory, let's call it auth.aspx, then you can use this page to prompt authentication.
Go into IIS settings and specify that auth.aspx is Integrated Auth ONLY (no anon). Then create a hidden iframe somewhere on your page. I then created a simple JavaScript action to update the src attribute of the iframe to the auth.aspx page. This forces the browser to try and authenticate using NTLM. Once you enter valid credentials, you've successfully elevated your current user beyond the generic anonymous user.
One final touch was to then include a Response.Redirect into the auth.aspx which reloads the current page. Assuming your ASP.net session tokens are set correctly, the page will reload and the user will be authenticated.
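A code-behind for the auth.aspx page described in this answer, as an added example (not the answerer's code). It assumes IIS is configured so that this single page is Integrated Auth only while the rest of the site also allows anonymous access, and that the page is loaded with a `returnUrl` query parameter naming the page to come back to; that parameter name is an assumption.

```csharp
// Added example, not from the original answers. Assumes auth.aspx is configured
// in IIS as Windows Authentication only and receives a "returnUrl" query
// parameter (an assumed name) pointing at the page that triggered the login.
using System;
using System.Web;
using System.Web.UI;

public partial class AuthPage : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // If an anonymous request reaches this page, the per-page IIS setting has
        // been lost (for example by a deployment). Fail closed instead of quietly
        // "elevating" nobody; the 401 also makes the misconfiguration visible in logs.
        if (User == null || !User.Identity.IsAuthenticated)
            throw new HttpException(401, "auth.aspx must require Windows Authentication");

        // Bounce back only to a path on this site. Accepting an absolute URL or a
        // protocol-relative "//host" would turn this page into an open redirect.
        var returnUrl = Request.QueryString["returnUrl"];
        var target = IsLocalUrl(returnUrl) ? returnUrl : "~/";

        // Redirect without ending the response (avoids the ThreadAbortException
        // that Response.Redirect(url) throws) and then complete the request.
        Response.Redirect(target, false);
        Context.ApplicationInstance.CompleteRequest();
    }

    // True only for site-local targets: "/path" (but not "//" or "/\") or "~/path".
    public static bool IsLocalUrl(string url)
    {
        if (string.IsNullOrWhiteSpace(url) || url.Length < 2)
            return false;

        if (url[0] == '/')
            return url[1] != '/' && url[1] != '\\';

        return url[0] == '~' && url[1] == '/';
    }
}
```

The hidden iframe only needs its `src` set to something like `/auth.aspx?returnUrl=` followed by the URL-encoded current path; once the NTLM exchange succeeds and the redirect lands, the outer page can reload and will carry the authenticated session. Because the elevation lives in the session/ticket, make sure the session cookie is marked HttpOnly and, on HTTPS sites, Secure.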