I am programming a web application for a company, they require that the user should not enter any username and password, the user should be allowed to login to the system by their windows identity.
i have tried WindowsIdenity.GetCurrent() , its working on if the application is on the client.
How do i get the WindowsIdenitiy of the Client User to be sent to the server.
Internet Explorer has a mechanism for transferring the client's windows credentials to the server. You'll need to make your clients use IE, and of course make sure they are on the same domain forest as the server.
You can read here a little about using integrated windows authentication with ASP.NET .
Related
We have an MVC application that validates windows users by instantiating a principalcontext, locally and for domain users. However, this immediately fails when a connection to the domain cannot be made. Is there a way to leverage the capability of windows to still validate domain credentials when disconnected from the domain?
We see that in SSMS you can also use windows authentication after the server has lost access to the domain.
To be clear, the machine is joined to the domain but does not have access to the domain controller, i.e. a corporate laptop that is taken home.
Thanks for the help in advance.
The answer is in how Kerberos (and I believe NTLM is similar) works in that they use session tickets. So once authentication is successful against a domain controller, you have a "ticket" that proves you authenticated. When you authenticate to anything else that requires Windows authentication, the ticket is sent.
To take advantage of this, you must use the built-in Windows authentication. You cannot take a username and password and try to authenticate them that way.
If everyone who uses your website can use Windows authentication - then you can enable it for your whole site.
If you have a mixed audience - some who have a domain account and some that don't - it's a little trickier, but still doable. I've done it. You can look at the OWIN-MixedAuth project. I haven't used that specifically.
That project seems to use a separate button for the Windows authentication. When I did it, I made it seamless (it tries Windows auth and fails back to a login page). I did that by doing an AJAX request in the background to a page that requires Windows authentication, and if it succeeds, just forward on. If it fails, show the login fields.
All that said, I don't know it will work if the server cannot reach the domain. It will probably work for users who have already authenticated to the site before it lost connection to the domain, or if the site is hosted on the same computer that it is being accessed from. But it might not work if a user it has never seen before tries to login while there is no access to the domain. You will have to test.
But the benefit of using Windows authentication anyway is that you can make the login seamless. As long as the site is in your Trusted Sites (in the Windows Internet Options) then IE and Chrome will automatically send the user's credentials.
We have developed a product which is a web application. While configuring it in IIS, we disable all the authentication modes except Windows authentication (app works on Windows authentication only).
We create a service account and provide admin access to that account on all the servers, and on database servers.
We configure the connection string in web.config with username and password of that service account. Everything was working fine till now.
We received a new requirement which says, no service account will be created and individual users will be granted database access. We have to configure our application in such a way that Windows credentials are used to access the app gets passed to SQL Server. Reason for this change: we can log the user accessing the database.
I set Integrated Security=SSPI in the connection string and tried with different App Pool Identity but to no avail.
We are even ready to change the code if same is required to achieve the functionality.
Can someone please help me what am I missing, or how it can be achieved? Please let me know if more information is required and I will be happy to provide the same.
App server and database server are on the same domain and network but different machines. Users accessing the application will be on the same domain and network. This is a intranet based application.
You need to enable and configure constrained delegation. Follow this document: How to Implement Kerberos Constrained Delegation with SQL Server. Your app pool need to be configured to impersonate, see Using IIS Authentication with ASP.NET Impersonation.
Also this will be a hop scenario so you will have to enable delegation for the IIS server and if you intend to pass user credentials then you need to enable delegation for the user accounts too. You can use the tool delegconfig to troubleshoot this.
I have made a webform that inserts work items to a tfs 2010server. On the tfs server I need to be able to see which user created the work item. If I run the webform code locally on my machine this works, because my machine is logged in to my user on the tfs server. But after deploying the code on a server I get a (401) unauthorized error message if I don't hardcode in my credentials like this
TfsConfigurationServer configurationServer = new TfsConfigurationServer(configurationServerUri, new NetworkCredential(user, pwd, domain));
(Locally the code below works)
TfsConfigurationServer configurationServer = new TfsConfigurationServer(configurationServerUri);
Is it possible to tell the webserver which user is logged into the machine accessing the webform, or is it any way I can prompt the user for username/password when he/she submits the webform?
thx for any help!
There are several things you need to do and approach this issue
First most likely you have anonymous authentication allowed for your website. Meaning users can access your site without any restrictions and wont need to provide any information. Webserver doesn't know who they are. This will need to be disabled as by your question you need their info. You web app will try to connect to tfs under the webservers identity - either the dedicated account running the application pool or computer account.
http://technet.microsoft.com/en-us/library/cc770966(v=ws.10).aspx
The most simplest method is to enable basic authentication for your website, this will request users to provide username and password, downside is this method transmits data in base64 plain text, as such you channel must be secure
http://technet.microsoft.com/en-us/library/cc772009(v=ws.10).aspx
Forms authentication will allow you to use custom form to collect login info from users, and validate it yourself but works much like basic authentication
http://technet.microsoft.com/en-us/library/cc753252(v=ws.10).aspx
If clients are users in your domain and application is used in intranet the best option is to use Windows authentication, it will try to automatically get users identity from domain, and will issue popup if that fails. Depending how your servers are setup getting this to work may be as easy as enabling it (tfs and your app on the same server) or require configuring your domain controllers for kerberous.
http://technet.microsoft.com/en-us/library/cc754628(v=ws.10).aspx
Once users are in have been authenticated you must make the webserver impersonate them when your code calls tfs. Complexity again depends on your setup.
http://technet.microsoft.com/en-us/library/cc730708(v=ws.10).aspx
Alternativly you can use tfs impersonation to get similar result, this can be also used if for example you dont have users in tfs for each user connecting but instead want to impersonate and ClientCompany, Project or Team account
http://blogs.msdn.com/b/paulking/archive/2010/11/04/using-the-new-tfs-2010-impersonation-apis.aspx
Ok, I have looked around and could not find a solution to this problem. I have an ASP.NET web application that is using Windows Authentication.
I have a public web services that I use for an iPad App I have developed. For security reasons all of my Web Services requires a header with login information.
Right now, I have a separate database that I authenticate users from. Its a built in authentication for when my application is installed using Forms Authentication.
What I would like to do is when the user on the iPad logs into the system, it passes the Login and Password to the Web Service in the hearder... which it does now.
But, how can I Authenticate that User and Password against the Active Directory to make sure the user has access?
Thannks,
Cory
But, how can I Authenticate that User and Password against the Active
Directory to make sure the user has access?
That's straightforward in c#: Validate a username and password against Active Directory?
More AD tasks in c# (including authentication)
Right now, I have a separate database that I authenticate users from.
Its a built in authentication for when my application is installed
using Forms Authentication.
Based on this statement, it sounds like you have a database of credentials which duplicates credentials in AD? If that's the case, not sure that's a good idea.
And/or it also sounds like credentials which match those in AD are being passed around (possibly in plain text?) This might be a business requirement, but I would recommend that all communication is done over SSL and that the AD accounts belong to a domain setup specifically for this purpose that is not trusted (or only partially trusted) by the rest of the network.
I'm trying to implement SSO on a windows domain. I already have a service that allows a user to log in via username and password, and this works great. What I'm looking for is a when a user logs into their machine via a domain (controller), what do I need to send the other server to allow it to verify that the user is authenticated against the domain. So what I'm asking is, is there a way to get an authentication hash/key from the user, that can be sent to another server, and that server use it as credentials against the domain?