I have a parent web application which uses identity server to authenticate users across a suite of other web applications which act as children of that parent app.
We utilize a profile service within the parent application to set user claims which can be used with the child application. This profile service is registered with Identity Server on startup by using IdentityServerBuilderExtensionsAdditional.AddProfileService.
Within the user claims we store some user preferences for easy access within our child applications. Recently we added functionality within the parent application to allow users to directly update these preferences.
Unfortunately these updates do not seem to apply until the user's token is refreshed. This can be up to 5 minutes. There doesn’t seem to be any way for me to broadcast to the child applications that something has changed within the parent.
How can I, within the parent application, force the child applications to refresh their claims by making them call that user profile service?
I have tried logging the user out then back in e.g.
await SignOut();
await SignIn(user, rememberMe);
Interestingly this actually seems to work locally on my development machine, but once deployed to production environments this does not work. But I have not been able to determine any difference between my configuration and the production configuration. So, I am looking for a more robust way to force child apps to call this user profile service early.
Related
I have a single sign-off requirement from our customers as part of our next release. The existing flow is as follows:
User logs into their organization system (ad user) or main portal system using their email ID or user name as provided by the organization.
User clicks the link to my web (i.e. angular + web api)
User is automatically taken as a logged in user and he can access protected pages. If the user wants to log in from outside the organization he must use the login form on our site.
I have completed the login form web application using the email/password that we have stored in our local system, but I am still struggling to implement with window credential's.
My project is based on web api 2.0 with an angular fronted. It's hosted on IIS. I don't want to use any 3rd party DLLs to manage everything, so are there any appropriate solutions available in the .NET environment which would achieve my requirements in a simple way?
If your website needs to seamlessly authenticate user credentials in an AD domain, one way to achieve this is by creating a small IIS server with NTLM authentication inside the domain and forward some type of authorization/credential key to your outside website.
I'm currently developing a WFC RIA based Silverlight Business Application (intranet use only) for my company. I ran into a couple of problems when trying to authorize users. Here is the situation:
The app is running in our Windows domain and is therefore using Windows Authentication, which already works well. Access to certain domain service operations shall be restricted to members of a certain group (let's say "Admins"). This group is available locally on the server where the app is hosted and is already used to restrict access to the SQL Server instance. It will not be possible to add this group to the domain and make it available globally.
I know that I can restrict access to domain service methods via the RequiresRole[] attribute. The problem is, however, that the local group memberships of a user are not loaded into the user object that is available via WebContext.Current.User and therefore the authorization fails.
Is there any workaround or better way to do this?
Thanks in advance!
Have you tried setting the "PrincipalPermission" attribute on the service method you want to restrict?
[PrincipalPermission(SecurityAction.Demand, Role = "Admin")]
public string GetResult()
{
return "result";
}
Best regards,
Arjen
I solved my issue.
What I did was to copy the AspnetDb database to the SQL Server instance on my server machine. This database is holding all the information about users, roles, etc and is used by the ASP.NET role manager for authorization purposes. This database is usually located in the project folder of your Web project (inside the App_Data directory). To make the new configuration work, you have to change the connection string inside your Web.config
(for more details: http://weblogs.asp.net/scottgu/archive/2005/08/25/423703.aspx).
I manually added new users to the database. The user name you enter there must match the Windows user name (eg. DOMAIN\USER_NAME). Then you can add new roles to the database and give all your users their specific roles.
The ASP.NET role manager automatically loads the roles/users on application startup and you can restrict access to your domain service methods via the RequiresRole[] attribute.
In addition, there is also a way to dynamically show/hide/enable/disable user controls based on role membership, see here: http://blogs.msdn.com/b/kylemc/archive/2010/05/04/authorization-sample-201.aspx
... I want to grant a user temporary administrator privileges via a c# tool. Therefore i add the user to the administrator user group (a background service running under a priviledged service account does this job). However the changes take effect only in new sessions (after Logout/Re-Login) which is inconvenient. Is there a way to refresh the current user profile?
I tried several ways:
via .net Process.Start with the LoadUserProfile property set to true.
The next try was via the LoadUserProfile Win32 Api function.
Another way was to impersonate the user with .net Impersonation
All these tries did not recognize the privilege changes. It seems to me that there is a cached user profile which contains the old privileges and is reloaded anytime.
The only way where a new profile was loaded is the runas command, however we do not want the user to play around with the command line, it should be possible to do this from .net
Would be great if there is another option? Maybe there is a tool which can do this?
Ok, I relog-in the user and then I use the new Token in combination with e.g. CreateProcessAsUser to run a new process using the new token. Is there a way to assign the current windows environment the new token and therefore all actions the user performs in windows use this new token? Otherwise I could use some other tools like lsrunas to open a process in a new context and avoid the winapi calls.
From our perspective we trust the user (it is his private notebook), he can install the software he wants (for a temporary time), but we document each installation with our tool. We are running a service with local admin account in background which manages the group assignment and system documentation.
When logging on to Windows a security token is created, where all group memberships (including nested memberships) are resolved. The token contains a list of SIDs (Security Identifiers) that the user belongs to. The first SID is the user's own ID and then any groups and roles (such as interactive log on, everyone etc) are included. This means that group membership doesn not have to be looked up against the user DB - possibly an Active Directory Server - each time an access control is done. Instead the ACL (Access Control List) of the object (e.g. a file) is checked against the token.
To refresh the group membership you need to have a new token created. Either you can log out and then log in again as you describe it, or you have to do another login with LogonUser for the same user. That function is not accessible for normal user however.
I think that it all boils down to finding another design. Adding and removing a user from the admin group dynamically looks strange from a security perspective. Is there any other way you can give the user access to the resources needed? Can you do the actual work from within a Windows Service that runs under the LocalSystem account?
okay I have a web application that manages the logins for different client web applications, stored inside the root folder. Each client web application has its own login controlled by C# Roles class, where by they are routed to their site.
http://msdn.microsoft.com/en-us/library/system.web.security.roles.aspx
Now while logging in and using the site works perfectly, the problem is if a user enters the url for one of the other client sites, it allows them access to it.
Is it possible to restrict this access?
Your roles should be attached to a specific application. This can either be done with separate databases for each application, by adding and filtering based on the associated application within your role manager, or using application specific roles for each application (I'd avoid this, but it should work). If you have the role "user" that is used by multiple applications without any filtering, then the individual application won't know whether it's a user for their app or not, and thus by default allow any "user" to access any application that allows users.
We're currently migrating a portion of intranet apps to MojoPortal(an open source cms app). MP uses FormsAuth by default and we've set it to authenticate against our current Active Directory store.
All that being said, we are looking to automatically log in users from the current system to the new system to create a seamless experience. New system(mojo) residing on a different server than the current system. Both live under the same "company.com" domain, with different subdomains.
Mojo, checks authentication via a FormsAuthentication cookie that is created when a user logs in through the mojo interface. We're looking to recreate this functionality remotely. I realize FormsAuth is based on MachineKey and lives inside a single IIS Web Instance, but am curious for any ideas the community may have.
The current "best" guesses we've come up with here are:
Create a WCF web service that lives in a virtual directory under the mojo site, accepts a username/password and creates the cookie. This is untested as we are unsure if this will actually affect the client.
Redirect the user to an intermediate page under mojo which accepts a username/password and creates the cookie, after which redirects the user again to the desired mojo page.
This does use MojoPortal as a provider, but the real issue is how to create a FormsAuthentication cookie remotely.
Additional background info:
Current system already authenticates against the same AD store, so there is no concern over creating cookies for users that are non-existent. Both servers lie in the same AD domain(they're physically next to each other). The current system's source code is available to us and able to be modified as well.
If I understand correctly you are trying to have a single sign-on between your legacy system and mojo? I've done something similar in the past. Our legacy system creates an authentication token and passes it to the second system. A web service call is then made back to the legacy system to validate the token (you'll want to add some rules around what makes a token authentic. For example: one time use, time outs, etc..). If the legacy system validates the token then the cookie is set.
FormsAuthentication.SetAuthCookie(, true)
from there redirect back to your mojo main page.