I am writing a ClickOnce WPF app that will sometimes be used over VPN. The app uses resources available only to domain authenticated users. Some of the things include accessing SSRS Reports, accessing LDAP to lookup user information, hitting web services, etc.
When a user logs in from a machine that is not authenticated on the domain, I need to somehow get his credentials, authenticate him on the domain, and store his credentials.
What is the recommended approach for
authenticating domain users over
VPN?
How can I securely store the credentials?
I've found several articles but, not much posted recently and a lot of the solutions seem kinda hacky, or aren't very secure (ie - storing strings clear text in memory).
It would be cool if I could use the ActiveDicrtoryMembershipProvider, but that seems to be geared for use in web apps.
EDIT:
The above is kind of a workaround. The user must enter their domain credentials to authenticate on the VPN. It would be ideal to access the credentials the user has already entered to login to the VPN instead of the WindowsIdentity.GetCurrent() (which returns the user logged into the computer). Any ideas on how that could work? We use Juniper Networks to connect to the VPN.
Answer
I ended up doing basically what was suggested in the link below. When the app starts, I'll detect whether the user is on the domain. If so, I'll use those credentials when calling services. If the user is on the VPN (but not on a domain authenticated machine), I prompt for the user's credentials and authenticate via System.DirectoryServices. If the user gives valid credentials I'll store the domain, user and password in a SecureString. The app then uses that information to create credentials to pass to various services.
Thanks!
This answer to the question might help.
--EDIT--
If the client is logging under their AD credentials then WindowsIdentity.GetCurrent() would return a valid WindowsIdentity.
If client is not logged onto the domain then you can provide a pop up that would ask for AD credentials.
Well, just thinking...
Related
We have an MVC application that validates windows users by instantiating a principalcontext, locally and for domain users. However, this immediately fails when a connection to the domain cannot be made. Is there a way to leverage the capability of windows to still validate domain credentials when disconnected from the domain?
We see that in SSMS you can also use windows authentication after the server has lost access to the domain.
To be clear, the machine is joined to the domain but does not have access to the domain controller, i.e. a corporate laptop that is taken home.
Thanks for the help in advance.
The answer is in how Kerberos (and I believe NTLM is similar) works in that they use session tickets. So once authentication is successful against a domain controller, you have a "ticket" that proves you authenticated. When you authenticate to anything else that requires Windows authentication, the ticket is sent.
To take advantage of this, you must use the built-in Windows authentication. You cannot take a username and password and try to authenticate them that way.
If everyone who uses your website can use Windows authentication - then you can enable it for your whole site.
If you have a mixed audience - some who have a domain account and some that don't - it's a little trickier, but still doable. I've done it. You can look at the OWIN-MixedAuth project. I haven't used that specifically.
That project seems to use a separate button for the Windows authentication. When I did it, I made it seamless (it tries Windows auth and fails back to a login page). I did that by doing an AJAX request in the background to a page that requires Windows authentication, and if it succeeds, just forward on. If it fails, show the login fields.
All that said, I don't know it will work if the server cannot reach the domain. It will probably work for users who have already authenticated to the site before it lost connection to the domain, or if the site is hosted on the same computer that it is being accessed from. But it might not work if a user it has never seen before tries to login while there is no access to the domain. You will have to test.
But the benefit of using Windows authentication anyway is that you can make the login seamless. As long as the site is in your Trusted Sites (in the Windows Internet Options) then IE and Chrome will automatically send the user's credentials.
I am working in C# on a web application that requires a login username and password. This application is made to be compatible with Windows and is being written in VS 2013. In this company's network, all computers require user credentials, and in all cases the user's credentials for the app will be the same as their Windows logon credentials. Therefore we are trying to implement a system where, instead of signing onto Windows and then entering the same credentials again in the app, the app can access the Windows credentials that were given by the current user and attempt to sign in automatically with those. I know there is a way to do this using active directory with Azure, but for the time being we are trying to avoid using Azure. I have tried using WindowsIdentity.GetCurrent() and Environment.UserName so far, but both of those only supply the username, not the password, and we need the full credentials. It wouldn't shock me if this cannot be done in this way for security purposes, but if there is a way it would be incredibly helpful. Does anyone know of a way to access the current user's credentials? Thanks
You don't need Azure to accomplish this. Your application pool simply needs to have Windows Authentication enabled. You will not have access to the password, however.
After that, you will need to most likely write a HttpHandler which will get the HttpContext.Current.User.Identity value and check it against a database or collection of authorized users. You don't need to "re-authenticate".
I am a little new to IIS and am not 100% sure that this is possible. I am writing a C# application that needs to get the users network credentials and then connect to TFS using those credentials. I am able to do one or the other, but never both at the same time.
To obtain the users credentials that is accessing the site I have to use NetworkService as the AppPool's Identity with a call to credentials = System.Web.HttpContext.Current.User.Identity.Name. The reason i need to get the users username is to find out which items they have permission to access in TFS later using item.VersionControlServer.GetEffectivePermissions(credentials, item.ServerItem).
To connect to TFS I have to put the users credentials as the AppPool's Identity or give NetworkService access to TFS (not something that is going to happen) with a call to RegisteredTfsConnections.GetConfigurationServer("server");
I either need a way to use the credentials obtained by the application to access TFS, or I need a way to create a new user that has "Network Service like" abilities to get the user's credentials and then give this user access to TFS.
You are essentially hitting something called 'double hop authentication' and you will not be able to proceed without making sure that you have a Kerberos token.
Its quite complicated to configure Kerberos but once you have it up and running your code will just start working. The only other way to achieve this is to actually have the users username and password.
What I didn't know and recently found out is that if you set IIS to run as a user, you can enable Windows Authentication in the IIS > (Select Site) > Authentication settings and use HttpContext.Current.User.Identity.Name to obtain the current logged in user.
There is a requirement to implement Single Sign On (SSO) in our website so that users accessing it from the intranet won't have to type in their credentials.
The problem here is that the website is going to be hosted on the internet, on a remote server.
Is there some way this can be done?
--EDIT--
I looked at following link:
http://en.wikipedia.org/wiki/Active_Directory_Federation_Services
And the example scenario that is mentioned in there is exactly what we require.
Here is the detailed explanation on the situation:
There is an Active Directory Domain Controller that is used to authenticate users in the intranet.
Once the user logs into the machine, and opens up the remote website, the website should somehow verify that the user is already logged into the intranet using AD credentials and automatically allow access to the website.
Also, the website is supposed to be getting a Security Token that can be used to authenticate the user.
Of course, for example, Microsoft's way of doing that for connecting Office365 to your Intranet is called Active Directory Federation Services.
It is (as most single sign on solutions) not entirely straight forward, and it assumes a domain on your intranet, but since Office365 uses it, it is and will most likely continue to be well supported in the future.
It's just a matter of integrating your web app with the authentication provider that you are using for SSO. The details are going to vary dramatically if your using OAuth vs. Shibboleth vs. ADFS vs. etc, so there really isn't enough information in your question to give a helpful answer.
Ok, I have looked around and could not find a solution to this problem. I have an ASP.NET web application that is using Windows Authentication.
I have a public web services that I use for an iPad App I have developed. For security reasons all of my Web Services requires a header with login information.
Right now, I have a separate database that I authenticate users from. Its a built in authentication for when my application is installed using Forms Authentication.
What I would like to do is when the user on the iPad logs into the system, it passes the Login and Password to the Web Service in the hearder... which it does now.
But, how can I Authenticate that User and Password against the Active Directory to make sure the user has access?
Thannks,
Cory
But, how can I Authenticate that User and Password against the Active
Directory to make sure the user has access?
That's straightforward in c#: Validate a username and password against Active Directory?
More AD tasks in c# (including authentication)
Right now, I have a separate database that I authenticate users from.
Its a built in authentication for when my application is installed
using Forms Authentication.
Based on this statement, it sounds like you have a database of credentials which duplicates credentials in AD? If that's the case, not sure that's a good idea.
And/or it also sounds like credentials which match those in AD are being passed around (possibly in plain text?) This might be a business requirement, but I would recommend that all communication is done over SSL and that the AD accounts belong to a domain setup specifically for this purpose that is not trusted (or only partially trusted) by the rest of the network.