I'm using the Novell.Directory.Ldap library to get communication between my intranet application and an Active Directory server.
However I need to implement an authentication where I verify if the user is authenticated in my local network and is part of a certain group.
All the user verification logic with the AD and if it is part of this particular group is already ready using the library mentioned above. However, I need this to work alongside ASP.NET authentication.
Has anyone implemented anything like this and can you help me with this?
Related
I am working on creating a website for my web systems class in which I will be implementing a login platform. The website after becoming authenticated the user will be able to send messages to other users, I will be implementing SignalR to perform the real-time messaging.
I want to create a system that within AngularJS I can call a C# backend provide a username and password and authenticate. I would also at the same time like to use SignalR's role based authentication to ensure my methods are secure.
Example:
[Authorize(Roles = "Admin")]
public class AdminAuthHub : Hub
{
}
Currently I've written my own code to accept a username and password and hash it and store the hash value. However, I don't want to reinvent the wheel here. I want to use a Microsoft based authentication system because I am working within a C# backend and SignalR technology.
I am currently hosting using Microsoft Azure and that works and all but I am eventually going to be switching to a locally hosted Windows Server I maintain. I have heard about using Active Directory but have never worked with it and would have to do extensive setup to get a fresh server ready for that.
My overall question is what path do I go? Also if I go the strictly Microsoft everything way, is setting up active directory simple on Windows Server 2016? During my research I found that there is a ASP.NET method of authenticating a user against a SQL Server database. Would this method be preferable because the system can be used outside of ASP.NET and the data is in a form that I've worked with before?
Do I write my own custom authenticate logic, accepting username and password and hashing and using my own tables and databases. Then within the SignalR side of things find a way of setting the user variable and setting their role from my database. Then simply performing a check at the beginning of each method call.
There is a lot of information on the internet about how to potentially approach some of those questions.
A quick google for "Angualr / Asp.net identity / signalr" returns a few resources that you may suite your needs, maybe not solely, but you should be able to combine some of the approaches.
Here a few links for you :
SignalR Authorization using Web API Token
https://logcorner.com/angular-js-token-based-authentication-using-asp-net-identity-and-asp-net-web-api/
https://www.codeproject.com/Articles/884647/Web-app-using-Web-API-SignalR-and-AngularJS
I cant seem to find the relevant resource for learning this. I am trying to achieve a simple login for my C# application where users will be required to authenticate to use the application, and such the users account level would determine what can be accessed inside the app.
Lets say i have a forum and i want my users to authenticate via the application using the forum credentials, is this possible? what should i know about Security and how is this accomplished?
My thoughts would be i should be able to authenticate using some kind of SQL library? though i am new to C# so i might not be on the right track here.
Thanks for your suggestions.
To authenticate with a web site (forum) you need something like OAuth, see this guide for example. The website needs to provide OAuth.
Authenticating with a web site that was not explicitly designed to support an app client is not really possible, at least not correctly.
I'm currently working on a project which has an authentication requirement which is causing me some problems and I'd like some guidance on the best way to achieve it.
I have an internet C# MVC 5 project which currently has OWIN cookie authentication in place for external users. We now need to allow internal users to be able to access the application through Active Directory. Basically, an internal user would log in to their Windows computer, navigate to the website and they'll be signed in.
I don't have any experience of doing AD authentication, so it's a bit of a black hole at the moment.
I'm assuming, using OWIN, I need to create a new authentication middleware that can run before my cookie authentication.
However, I'm not sure where to start with setting this AD middleware up, or whether there is an existing one I can use.
I've tried searching around but can't seem to find much information on doing AD authentication through OWIN, there's just a lot about Azure AD.
I did come across this one https://github.com/MohammadYounes/OWIN-MixedAuth, but running locally, it's using Windows basic authentication, perhaps this can be adjusted for my purposes?
Could someone offer some advice on how to achieve this?
Thank you!
I was facing the same problem not-so-long ago, and went the route to use NTLM authentication (which boils down to what you want, intranet users will be "signed-in" automatically) while keeping full application accounts (ASP:NET Identity 2.0), you may want to check my OWIN NTML authentication middleware:
https://github.com/pysco68/Pysco68.Owin.Authentication.Ntlm
You will need to add a route to you "accounts controller" to handle the sign-in with NTLM and the creation of a local application account (if required). As a comfort-feature you could add an automatic redirect to that sign-in route for users from your intranet.
I hope this helps.
The link you came across is using Integrated Windows authentication NOT basic authentication.
I think your situation is similar to this one. The same can be achieved using OWIN-MixedAuth as per this comment.
We have several Intranet websites that use MVC + .NET windows authentication. And then we have some Java based apps developed by 3rd party - which can be configured to use LDAP authentication. Both sets of apps use the same company URL, for instance, dotnet-app.company.org and java-app.company.org, and both sets use the same username.
Once a user has been authenticated against a .NET app, is there any way I can "post" that user information to Tomcat which can then generate a cookie for the user so they don't have to authenticate twice?
I have authorization to modify code on the .NET app only not on the Java app.
You are probably looking for a one sign-in option like on gmail and other google services. And yes, cookies are what you must be looking at.
I don't know how java authentication works(I assume it is Session based), and there is where you must read in user cookie information to get authentication details. On .NET, you will have to write custom logic in FormsAuthentication_OnAuthenticate in Global.asax file.
We provide a hosted web application for multiple companies. Now we see the need to provide the ability for uses to 'auto login' if the are already logged into/identified by their individual local domains. What would be the best solutions for this? Would it be to have a certificate associated to their local AD account that our web application knows and therefore can identify and logon the user?
Any thoughts how to go about this?
This need to be implemented on a ASP .NET MVC application. Any examples greatly appreciated :-)
Cheers,
Tommy
What you've described is really a textbook example for using the new "Geneva" claims-based identity framework. The idea is that your server establishes a trust relationship with each of your users' companies. Each company would set up Active Directory Federation Services, which would issue a claim to your application when the user attempts to access it. Your application, using the Windows Identity Framework would check the claim comes from a trusted party, then extract the user's identity from it. It is all explained in AD FS 2 Federation with a Windows Identity Foundation (WIF) Application Step-By-Step Guide.
This approach will have much less of a maintenance overhead than using certificates.