I'm trying to implement SSO on a Windows domain. I already have a service that allows a user to log in via username and password, and this works great. What I'm looking for is this: when a user logs into their machine via a domain (controller), what do I need to send to the other server to allow it to verify that the user is authenticated against the domain? So what I'm asking is, is there a way to get an authentication hash/key from the user that can be sent to another server, which that server can then use as credentials against the domain?
I have made a webform that inserts work items into a TFS 2010 server. On the TFS server I need to be able to see which user created the work item. If I run the webform code locally on my machine this works, because my machine is logged in to my user on the TFS server. But after deploying the code on a server I get a (401) unauthorized error message if I don't hardcode my credentials like this:
TfsConfigurationServer configurationServer = new TfsConfigurationServer(configurationServerUri, new NetworkCredential(user, pwd, domain));
(Locally the code below works)
TfsConfigurationServer configurationServer = new TfsConfigurationServer(configurationServerUri);
Is it possible to tell the webserver which user is logged into the machine accessing the webform, or is there any way I can prompt the user for username/password when he/she submits the webform?
Thanks for any help!
There are several things you need to do to approach this issue.
First, most likely you have anonymous authentication allowed for your website, meaning users can access your site without any restrictions and won't need to provide any information; the webserver doesn't know who they are. This will need to be disabled, as by your question you need their info. Your web app will try to connect to TFS under the webserver's identity, either the dedicated account running the application pool or the computer account.
http://technet.microsoft.com/en-us/library/cc770966(v=ws.10).aspx
The simplest method is to enable basic authentication for your website; this will request users to provide a username and password. The downside is that this method transmits data in base64 plain text, so your channel must be secure.
http://technet.microsoft.com/en-us/library/cc772009(v=ws.10).aspx
Forms authentication will allow you to use a custom form to collect login info from users and validate it yourself, but it works much like basic authentication.
http://technet.microsoft.com/en-us/library/cc753252(v=ws.10).aspx
If clients are users in your domain and the application is used on the intranet, the best option is to use Windows authentication; it will try to automatically get the user's identity from the domain, and will issue a popup if that fails. Depending on how your servers are set up, getting this to work may be as easy as enabling it (TFS and your app on the same server) or may require configuring your domain controllers for Kerberos.
http://technet.microsoft.com/en-us/library/cc754628(v=ws.10).aspx
Once users have been authenticated you must make the webserver impersonate them when your code calls TFS. Complexity again depends on your setup.
http://technet.microsoft.com/en-us/library/cc730708(v=ws.10).aspx
Alternatively you can use TFS impersonation to get a similar result; this can also be used if, for example, you don't have users in TFS for each user connecting but instead want to impersonate a ClientCompany, Project or Team account.
http://blogs.msdn.com/b/paulking/archive/2010/11/04/using-the-new-tfs-2010-impersonation-apis.aspx
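As an added example (not code from the answer above or from the TFS team), here is the "Windows authentication plus impersonation" route in an ASP.NET handler built against the TFS 2010 client API. It assumes IIS has anonymous access disabled and Windows authentication enabled for the site, that web.config has `<authentication mode="Windows" />`, and that the collection URL and project name are placeholders. Work items live in a team project collection, so it uses TfsTeamProjectCollection rather than the TfsConfigurationServer shown in the question; both constructors use the current Windows token when no NetworkCredential is passed.

```csharp
// Added example: reject anonymous callers, then run the TFS call as the Windows-authenticated
// user instead of the application pool account.
using System;
using System.Security.Principal;
using System.Web;
using Microsoft.TeamFoundation.Client;
using Microsoft.TeamFoundation.WorkItemTracking.Client;

public class CreateWorkItemHandler : IHttpHandler
{
    // Hypothetical collection URL and project name; replace with your own.
    private static readonly Uri CollectionUri = new Uri("http://tfs.example.local:8080/tfs/DefaultCollection");
    private const string ProjectName = "ExampleProject";

    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        // With Windows authentication enabled, ASP.NET populates User.Identity with a
        // WindowsIdentity that carries the caller's logon token.
        WindowsIdentity caller = context.User == null ? null : context.User.Identity as WindowsIdentity;
        if (caller == null || !caller.IsAuthenticated || caller.IsAnonymous)
        {
            // Anonymous access must be off in IIS; this check makes the requirement explicit.
            context.Response.StatusCode = 401;
            return;
        }

        string title = context.Request.Form["title"];
        if (string.IsNullOrWhiteSpace(title))
        {
            context.Response.StatusCode = 400;
            return;
        }

        int id = CreateWorkItemAs(caller, title);
        context.Response.ContentType = "text/plain";
        context.Response.Write("Created work item " + id + " as " + caller.Name);
    }

    // Runs the TFS calls under the caller's token. Whether TFS accepts that token depends on
    // the hop: TFS on the same server works with NTLM, a separate TFS server needs Kerberos
    // delegation configured, as the answer above describes.
    private static int CreateWorkItemAs(WindowsIdentity caller, string title)
    {
        using (WindowsImpersonationContext impersonation = caller.Impersonate())
        {
            // No explicit NetworkCredential: the impersonated token supplies the identity,
            // so TFS records the real user as the creator of the work item.
            var collection = new TfsTeamProjectCollection(CollectionUri);
            collection.EnsureAuthenticated();

            var store = collection.GetService<WorkItemStore>();
            Project project = store.Projects[ProjectName];
            WorkItem item = new WorkItem(project.WorkItemTypes["Task"]) { Title = title };
            item.Save();
            return item.Id;
            // Leaving the using block calls Dispose, which reverts to the process identity.
        }
    }
}
```

The impersonation is scoped to the TFS call only, so the rest of the request keeps running as the application pool identity; that is the least-privilege shape the answer's "impersonate them when your code calls TFS" implies.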
I am programming a web application for a company. They require that the user should not enter any username and password; the user should be allowed to log in to the system with their Windows identity.
I have tried WindowsIdentity.GetCurrent(); it works only if the application is on the client.
How do I get the WindowsIdentity of the client user to be sent to the server?
Internet Explorer has a mechanism for transferring the client's Windows credentials to the server. You'll need to make your clients use IE, and of course make sure they are in the same domain forest as the server.
You can read here a little about using integrated Windows authentication with ASP.NET.
Basically, if you use WindowsAuthentication to grab the username, store in a variable and then pass that to any services you use, what's to stop someone from hacking your code and passing in another username?
On the client end you can check the IsAuthenticated, but then after that it only lets you grab the Windows Username, not the Windows password.
Is there some way to just pass that authentication object itself without letting it be hacked? Otherwise, I might have to switch back to not using Windows Authentication as my Authentication and custom rolling a user/pass with a db table.
You can't pass the user's credentials outside of your server due to the "NTLM one hop" behavior. You may be able to configure Kerberos authentication to handle cases where you need the user's credentials to flow between front-end and back-end servers.
The other option is to establish trust between servers (i.e. HTTPS with a client certificate) so the back-end server is able to trust the user name coming from your server (as it would be the only one with the correct client certificate). You will not be able to impersonate the user on the back-end server, as you will only have a name.
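The second option in the answer above, as an added example that is not part of the original answer: an ASP.NET module on the back-end that honours a forwarded user name only when the request arrived over HTTPS with the front-end's pinned client certificate. The header name, the thumbprint and the authentication-type string are assumptions made here; nothing in it impersonates the user, the back-end only learns a name, exactly as the answer says.

```csharp
// Added example: back-end accepts "X-Forwarded-User" only from the pinned front-end certificate.
using System;
using System.Security.Cryptography.X509Certificates;
using System.Security.Principal;
using System.Web;

public class ForwardedUserModule : IHttpModule
{
    // Placeholder: the SHA-1 thumbprint of the front-end server's client certificate.
    private const string FrontEndThumbprint = "0000000000000000000000000000000000000000";
    // Header name chosen for this example; the front-end sets it after authenticating the user.
    private const string ForwardedUserHeader = "X-Forwarded-User";

    public void Init(HttpApplication app)
    {
        app.AuthenticateRequest += OnAuthenticateRequest;
    }

    public void Dispose() { }

    private static void OnAuthenticateRequest(object sender, EventArgs e)
    {
        HttpContext context = ((HttpApplication)sender).Context;
        string forwardedUser = context.Request.Headers[ForwardedUserHeader];
        if (string.IsNullOrEmpty(forwardedUser))
        {
            return; // not a front-end call; whatever other authentication is configured applies
        }

        if (!IsTrustedFrontEnd(context.Request))
        {
            // A forwarded name without the pinned certificate is precisely the spoof the
            // question worries about: refuse it rather than trusting the header.
            context.Response.StatusCode = 403;
            context.ApplicationInstance.CompleteRequest();
            return;
        }

        // Name-only identity: IsAuthenticated is true, but there is no Windows token behind it,
        // so this principal cannot be used to impersonate the user further downstream.
        context.User = new GenericPrincipal(
            new GenericIdentity(forwardedUser, "ForwardedByFrontEnd"), new string[0]);
    }

    private static bool IsTrustedFrontEnd(HttpRequest request)
    {
        if (!request.IsSecureConnection)
        {
            return false; // the header is only meaningful over TLS
        }
        HttpClientCertificate cert = request.ClientCertificate;
        if (!cert.IsPresent || !cert.IsValid)
        {
            return false; // IIS has already run chain validation when IsValid is set
        }
        var x509 = new X509Certificate2(cert.Certificate);
        // Pin to one specific certificate; the thumbprint is public, so a plain comparison suffices.
        return string.Equals(x509.Thumbprint, FrontEndThumbprint, StringComparison.OrdinalIgnoreCase);
    }
}
```

On the IIS side the back-end site should require SSL and require (not merely accept) client certificates, so connections without a certificate never reach the module; the front-end attaches its certificate with `HttpWebRequest.ClientCertificates.Add(...)` before setting the header.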
We have the following setup for authenticating users. A wcf authentication service that is hosted as a windows service on a server machine. The client is a C# CAB based application that communicates with the authentication service and other services (auditing,..) as needed.
We want to give an option of using Active Directory to log on to the application.
The steps that were proposed are as shown below.
1. Authentication service running on server.
2. User opens application on client machine and chooses login by AD.
3. Application uses the userName and password to authenticate user against AD.
4. Application sends some token from the authenticated user to the authentication service, to get back information about SQL Server and SQL DB name.
5. Authentication service uses token against Active Directory and verifies that user is logged on and authenticated, and returns back the required SQL information.
Are steps 4 & 5 possible without the client app needing to send the username and password to the server for authenticating against AD? I want to avoid as much as possible sending passwords on the network.
You can't do that with AD and a client only, you need to involve a service in the authentication mechanism. If I were you, I'd send the username and password to the authentication service, the client shouldn't talk to the AD directly at all. And if you need some SSO, you can create a token in the authentication service. AD doesn't issue tokens, only you can, or another, more sophisticated service, like ADFS.
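The design the answer above recommends, as an added example that is not part of the original answer: the authentication service alone validates the user name and password against AD (step 3 moved server-side), then issues its own signed, expiring token that the client presents to other services, which verify the signature instead of asking AD. The domain name, the HMAC key and the token format are assumptions of this example; the key is shared only among your own services.

```csharp
// Added example: AD validation plus a service-issued HMAC token, so only one hop ever sees a password.
using System;
using System.DirectoryServices.AccountManagement;
using System.Security.Cryptography;
using System.Text;

public class AuthenticationService
{
    private readonly byte[] tokenKey;    // placeholder: a random 32-byte key shared by your services
    private readonly string domainName;  // placeholder, e.g. "corp.example.local"
    private readonly TimeSpan lifetime = TimeSpan.FromHours(8);

    public AuthenticationService(byte[] tokenKey, string domainName)
    {
        this.tokenKey = tokenKey;
        this.domainName = domainName;
    }

    // Step 3, done by the service: returns a token on success, null on failure.
    public string Login(string userName, string password)
    {
        // '|' is the token separator, so a name containing it cannot be encoded safely.
        if (string.IsNullOrEmpty(userName) || userName.Contains("|")) return null;

        using (var ctx = new PrincipalContext(ContextType.Domain, domainName))
        {
            if (!ctx.ValidateCredentials(userName, password)) return null;
        }
        return IssueToken(userName, DateTime.UtcNow.Add(lifetime));
    }

    // Step 5 becomes "verify our own signature and expiry"; no AD round trip is needed.
    public bool TryValidateToken(string token, out string userName)
    {
        userName = null;
        if (string.IsNullOrEmpty(token)) return false;
        string[] parts = token.Split('|');
        if (parts.Length != 3) return false;

        long expiresTicks;
        if (!long.TryParse(parts[1], out expiresTicks)) return false;
        if (new DateTime(expiresTicks, DateTimeKind.Utc) < DateTime.UtcNow) return false;

        byte[] actual;
        try { actual = Convert.FromBase64String(parts[2]); }
        catch (FormatException) { return false; }

        byte[] expected = Sign(parts[0] + "|" + parts[1]);
        if (!FixedTimeEquals(expected, actual)) return false;

        userName = parts[0];
        return true;
    }

    // Token layout: user|expiryTicksUtc|base64(HMAC-SHA256(user|expiryTicksUtc)).
    private string IssueToken(string userName, DateTime expiresUtc)
    {
        string payload = userName + "|" + expiresUtc.Ticks;
        return payload + "|" + Convert.ToBase64String(Sign(payload));
    }

    private byte[] Sign(string payload)
    {
        using (var hmac = new HMACSHA256(tokenKey))
        {
            return hmac.ComputeHash(Encoding.UTF8.GetBytes(payload));
        }
    }

    // Constant-time comparison so a wrong MAC does not fail faster at the first differing byte.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

The Login call is the only place a password travels, so the WCF binding carrying it must provide transport security; every later request (the SQL connection details in step 4, the auditing service, and so on) carries only the token, which any service holding the shared key can check with TryValidateToken.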
I am writing a ClickOnce WPF app that will sometimes be used over VPN. The app uses resources available only to domain authenticated users. Some of the things include accessing SSRS Reports, accessing LDAP to lookup user information, hitting web services, etc.
When a user logs in from a machine that is not authenticated on the domain, I need to somehow get his credentials, authenticate him on the domain, and store his credentials.
1. What is the recommended approach for authenticating domain users over VPN?
2. How can I securely store the credentials?
I've found several articles, but not much posted recently, and a lot of the solutions seem kind of hacky or aren't very secure (i.e. storing strings in clear text in memory).
It would be cool if I could use the ActiveDirectoryMembershipProvider, but that seems to be geared for use in web apps.
EDIT:
The above is kind of a workaround. The user must enter their domain credentials to authenticate on the VPN. It would be ideal to access the credentials the user has already entered to login to the VPN instead of the WindowsIdentity.GetCurrent() (which returns the user logged into the computer). Any ideas on how that could work? We use Juniper Networks to connect to the VPN.
Answer
I ended up doing basically what was suggested in the link below. When the app starts, I'll detect whether the user is on the domain. If so, I'll use those credentials when calling services. If the user is on the VPN (but not on a domain authenticated machine), I prompt for the user's credentials and authenticate via System.DirectoryServices. If the user gives valid credentials I'll store the domain, user and password in a SecureString. The app then uses that information to create credentials to pass to various services.
Thanks!
This answer to the question might help.
--EDIT--
If the client is logging in under their AD credentials then WindowsIdentity.GetCurrent() would return a valid WindowsIdentity.
If the client is not logged onto the domain then you can provide a pop-up that asks for AD credentials.
Well, just thinking...
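The flow the poster settled on in their "Answer" above (detect a domain-joined machine, otherwise prompt once, validate with System.DirectoryServices, keep the password only as a SecureString), as an added example written for this page rather than code from the poster: a console-style credential helper whose domain name is a placeholder. It shows the one caveat the SecureString approach carries: DirectoryEntry needs a plain string for the bind, so a managed copy exists briefly during validation; the unmanaged copy is zeroed explicitly, and NetworkCredential itself accepts the SecureString.

```csharp
// Added example: acquire domain credentials either from the logged-on token or from a prompt.
using System;
using System.DirectoryServices;
using System.DirectoryServices.ActiveDirectory;
using System.Net;
using System.Runtime.InteropServices;
using System.Security;

public static class DomainCredentials
{
    private const string DomainDns = "corp.example.local"; // placeholder domain name

    // Returns credentials suitable for SSRS, web services or LDAP lookups.
    public static NetworkCredential Acquire()
    {
        if (IsDomainJoined())
        {
            // Domain-authenticated machine: reuse the logged-on user's token, no prompt.
            return CredentialCache.DefaultNetworkCredentials;
        }

        // VPN from a non-domain machine: prompt once, validate, then keep only a SecureString.
        Console.Write("Domain user name: ");
        string user = Console.ReadLine();
        Console.Write("Password: ");
        SecureString password = ReadPassword();

        if (!Validate(user, password))
        {
            throw new UnauthorizedAccessException("The domain rejected the credentials.");
        }
        return new NetworkCredential(user, password, DomainDns);
    }

    private static bool IsDomainJoined()
    {
        try
        {
            Domain.GetComputerDomain();
            return true;
        }
        catch (ActiveDirectoryObjectNotFoundException)
        {
            return false;
        }
    }

    // Binds to the directory with the typed credentials; a wrong password fails the bind.
    private static bool Validate(string user, SecureString password)
    {
        IntPtr unmanaged = IntPtr.Zero;
        try
        {
            unmanaged = Marshal.SecureStringToGlobalAllocUnicode(password);
            // PtrToStringUni makes the short-lived managed copy DirectoryEntry requires.
            string plain = Marshal.PtrToStringUni(unmanaged);
            using (var entry = new DirectoryEntry("LDAP://" + DomainDns, user, plain, AuthenticationTypes.Secure))
            {
                object bound = entry.NativeObject; // forces the bind to happen now
                return bound != null;
            }
        }
        catch (DirectoryServicesCOMException)
        {
            return false;
        }
        finally
        {
            if (unmanaged != IntPtr.Zero) Marshal.ZeroFreeGlobalAllocUnicode(unmanaged);
        }
    }

    // Reads a password without echo straight into a SecureString, one character at a time.
    private static SecureString ReadPassword()
    {
        var secure = new SecureString();
        ConsoleKeyInfo key;
        while ((key = Console.ReadKey(true)).Key != ConsoleKey.Enter)
        {
            if (key.Key == ConsoleKey.Backspace)
            {
                if (secure.Length > 0) secure.RemoveAt(secure.Length - 1);
            }
            else if (!char.IsControl(key.KeyChar))
            {
                secure.AppendChar(key.KeyChar);
            }
        }
        Console.WriteLine();
        secure.MakeReadOnly();
        return secure;
    }
}
```

In a WPF app the prompt would be a dialog with a PasswordBox, whose SecurePassword property yields the SecureString directly; the Validate and Acquire logic stays the same.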