I'm trying to achieve the simplest functionality related to Windows authentication in DotNetNuke. What I need is just for the user to be authenticated using Windows authentication when accessing the DNN site (no need for the user to be logged in within DNN) and to read his username (HttpContext.User.Identity.Name).
How can I achieve this as simply as possible?
Is it possible without using any 3rd party authentication providers e.g. DNN Auth: Active Directory?
If you need the user to be in the domain to get to the site, but don't want them in the actual DNN site as a user, simply deny "anonymous" access to the website and require windows authentication. IIS will handle this for you.
This is all configured in IIS under the Authorization option.
I bet I know what your problem is...
Try this: create a new user in DNN whose username is: DOMAIN\username
Where DOMAIN\username matches that of a Windows User on that machine. As Mitchel pointed out, deny Anonymous and enable Windows auth for the DNN site in question in IIS.
For fun, do cmd iisreset, restart your browser and hit your DNN site.
When prompted, use DOMAIN\username and the Windows user's password, NOT the password you assigned that user in DNN.
I want to implement a .NET web site with AD authentication. If the site is accessed internally, then it should automatically log in with the current user.
BUT if the site is accessed from outside the organization, then it should redirect the user to a custom login form where the user can enter AD login details.
Can anyone guide us on how we can achieve this functionality and what configuration is required?
ASP.NET
IIS Configuration
Firewall (if required)
Any other configuration required.
Thanks in Advance
I believe you can do that by enabling Windows Authentication and dealing with 401 Not Authorized results by checking whether the user is authenticated (which means he is a Windows user, but is not authorized to access the resource) or not authenticated, which means he is not a Windows user and you can redirect him to the login page.
You have to take care of restrictions on Windows users and stuff around that, but I believe it is possible to do that, even though I am not a big fan of such an authentication solution.
I have a deployed application that is using the Active Directory Membership Provider in order to authenticate users to our domain on an extranet. The application is using the .NET 3.5 framework. If you run the application locally it goes straight to the login page. But if you run the application from its deployed location on the server it first prompts with a Windows Security login prompt and after logging in, you are taken to the login page where you must login again. Why is this?
Your web application seems to be configured to use Active Directory Authentication (and doesn't allow anonymous access). Your users internally are already logged on to the domain and so IIS simply lets them past.
Your login.aspx page is protected by IIS so that you must be a member of the domain in order to even see the login.aspx page. This is a configuration issue in IIS and has very little to do with asp.net or C#.
If you are using forms authentication, you should be able to allow anonymous authentication in IIS and handle authentication using Forms only. However, this entirely depends on the web app and enabling anonymous access may inadvertently expose information you didn't intend to be publicly accessible.
Without knowing more about your application it's difficult to offer any more advice. Good luck.
Ok, I have looked around and could not find a solution to this problem. I have an ASP.NET web application that is using Windows Authentication.
I have a public web services that I use for an iPad App I have developed. For security reasons all of my Web Services requires a header with login information.
Right now, I have a separate database that I authenticate users from. It's a built-in authentication for when my application is installed using Forms Authentication.
What I would like to do is when the user on the iPad logs into the system, it passes the Login and Password to the Web Service in the header... which it does now.
But, how can I Authenticate that User and Password against the Active Directory to make sure the user has access?
Thanks,
Cory
But, how can I Authenticate that User and Password against the Active
Directory to make sure the user has access?
That's straightforward in C#: Validate a username and password against Active Directory?
More AD tasks in C# (including authentication)
Right now, I have a separate database that I authenticate users from.
It's a built-in authentication for when my application is installed
using Forms Authentication.
Based on this statement, it sounds like you have a database of credentials which duplicates credentials in AD? If that's the case, not sure that's a good idea.
And/or it also sounds like credentials which match those in AD are being passed around (possibly in plain text?). This might be a business requirement, but I would recommend that all communication is done over SSL and that the AD accounts belong to a domain set up specifically for this purpose that is not trusted (or only partially trusted) by the rest of the network.
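One way to do the Active Directory check asked about above, as an added example (not code from either poster). The domain name and the group that grants access are placeholder assumptions; the calls are from System.DirectoryServices.AccountManagement.

```csharp
using System;
using System.DirectoryServices.AccountManagement;

public static class AdCredentialCheck
{
    // Assumed placeholders: replace with the real domain and the group that grants access.
    private const string Domain = "corp.example.com";
    private const string RequiredGroup = "iPadAppUsers";

    // Returns true only if the password is valid in AD, the account is
    // enabled, and the account is a member of RequiredGroup.
    public static bool IsAuthorized(string userName, string password)
    {
        // An LDAP simple bind with an empty password is treated as an
        // unauthenticated bind, so never pass one to the directory.
        if (string.IsNullOrWhiteSpace(userName) || string.IsNullOrEmpty(password))
            return false;

        try
        {
            using (var ctx = new PrincipalContext(ContextType.Domain, Domain))
            {
                // Negotiate (Kerberos/NTLM) instead of a clear-text simple bind.
                if (!ctx.ValidateCredentials(userName, password, ContextOptions.Negotiate))
                    return false;

                using (var user = UserPrincipal.FindByIdentity(
                           ctx, IdentityType.SamAccountName, userName))
                using (var group = GroupPrincipal.FindByIdentity(
                           ctx, IdentityType.SamAccountName, RequiredGroup))
                {
                    if (user == null || group == null) return false;
                    if (user.Enabled != true) return false;   // disabled or unknown state
                    return user.IsMemberOf(group);
                }
            }
        }
        catch (PrincipalException)
        {
            // Directory unreachable or lookup failed: fail closed.
            return false;
        }
    }
}
```

The web service would call `IsAuthorized` with the values taken from the request header, over TLS only, and should rate-limit failures so the endpoint cannot be used to lock out or guess AD accounts.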
We are building an intranet for a client, the client doesn't want the users to log on, as they have already logged onto the domain (Active Directory)
But they do want to know the AD username of each user so that if they post on the blog, their identity can be recorded.
Our thinking so far has been, that our web.config file should say:
<identity impersonate="false" />
so that each user browses the intranet site as themselves and not the App Pool user configured in IIS.
Would this be the right way to go about it?
If so, what IIS authentication should we be using? NOTE: we are not authenticating the user, so we don't want the logon prompt, all users will already have logged onto the domain, we just want to see their username.
Is this even possible? And are we on the right track?
In C#, we can retrieve the username like this:
System.Web.HttpContext.Current.Request.LogonUserIdentity.Name.ToString()
but we just can't find an IIS authentication setting that will not prompt a domain/network login.
You need to turn on Windows authentication. After you have done that, the identity token will be passed to the server as I remember, and you can manage the authentication with that.
Also note that only Chrome and IE support this fully; Firefox will ask at least for pressing an OK button before authenticating the user.
Another thing to note is to set the trust levels correctly in the browser, or it won't do the automatic authentication.
You already know how to get the LogonUserIdentity and set up IIS correctly. What is lacking is to get the browser to automatically authenticate with the AD account of the user. To enable that you have to configure the browser to do so, which I think only is enabled for Intranet zone sites by default.
Is it possible to mix all these access controls in one site?
I have a requirement saying
a) Users from the AD must be allowed access, using integrated security
b) Users from some other AD must be allowed access; potentially by logging in
c) Users not in the AD's should be able to create a new account on the site.
Now, of course, I would like the site not to care about where a user was authenticated; just that he was.
What is the best way to achieve this?
I did something like this on a project a while ago, and it worked like this:
I set the application to use Forms Authentication, with anonymous access enabled in IIS.
I created a standard Forms Authentication login page that accepted a user ID and password to do non-integrated logins.
I also made a special .aspx page for integrated security login and set ONLY that one page to use integrated security (and not anonymous access) in IIS. This page manually created a Forms Authentication ticket based on the credentials from IIS.
In the main Forms Authentication login page, I looked at the incoming address on the request to see if it was from the LAN, and if so, redirected to the integrated security login page (so the user did not get prompted for user ID and password, it just logged them in with integrated security).
I also made the Forms Authentication login page smart enough to determine, based on your user ID, if you were an AD user, and do an LDAP lookup against the AD if so to check your password. This enabled users who had AD accounts to log in using their AD credentials even when not on the LAN (and thus not using integrated security). For non-AD users, verification was done against a separate list of user IDs and password hashes maintained by the application.
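The integrated-security login page described in this answer, as an added example (not the answerer's code). The class name and the `IsLocalPath` helper are assumptions; it presumes IIS has anonymous access disabled and Windows authentication enabled for this one page only, with Forms Authentication configured for the rest of the site.

```csharp
using System;
using System.Web;
using System.Web.Security;
using System.Web.UI;

// Code-behind for the single page that IIS protects with Windows authentication.
public class WindowsLogin : Page
{
    protected override void OnLoad(EventArgs e)
    {
        base.OnLoad(e);

        // LOGON_USER is empty when IIS let the request in anonymously, which
        // means this page was left open by mistake. Never issue a ticket then.
        string logonUser = Request.ServerVariables["LOGON_USER"];
        if (string.IsNullOrEmpty(logonUser))
        {
            // 403 rather than 401, so the Forms module does not bounce the
            // browser back to the login page in a loop.
            Response.StatusCode = 403;
            Context.ApplicationInstance.CompleteRequest();
            return;
        }

        // Issue the same Forms ticket the ordinary login page would,
        // keyed on the DOMAIN\username that IIS authenticated.
        FormsAuthentication.SetAuthCookie(logonUser, false);

        // Only follow ReturnUrl when it stays on this site.
        string target = Request.QueryString["ReturnUrl"];
        Response.Redirect(IsLocalPath(target) ? target : FormsAuthentication.DefaultUrl, false);
    }

    // Accepts "/path" but rejects absolute URLs, "//host" and "/\host".
    private static bool IsLocalPath(string url)
    {
        return !string.IsNullOrEmpty(url)
            && url[0] == '/'
            && (url.Length == 1 || (url[1] != '/' && url[1] != '\\'));
    }
}
```

The LAN check on the main login page only decides where to redirect; the trust decision is made here, from the identity IIS actually authenticated, so a spoofed source address gains nothing.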
I think that there is an answer from the man himself. Basically you should use the usual ASP.NET membership provider model, but create your own custom provider that wraps the Active Directory and the SQL provider. Maybe two different Active Directory providers.