Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 5 years ago.
Improve this question
I'm developing a ASP.NET MVC application that runs on one server. The server has user accounts.
The user accounts are not allowed to RDP to the server, but I want to give them a way to change their password through my website.
The website has a home page that anonymous users can see, also an account page that users have to use their windows credentials to log in and see, and there is a Forget Password button. If the users forget the password, I can reset for them.
The users go to my website through Internet.
Is Windows authentication able to allow anonymous access to some page? Is Form authentication able to read Windows account credential? Which way is easier in implementing my requirements?
In general, there is extensive information on ASP.NET MVC authentication types available.
The Problem with Windows Authentication is, that it's quite limited. You can't really have a "Forgotten Password" function with Windows Authentication, it's basically read-only access, but on the other hand, the easiest/fastest solution for Windows Intranet Sites. That's by design, users should change their password through Domain functions. Anonymous access is easy, for example, simply decorate a single method ("Action") or a whole Controller with the [AllowAnonymous] attribute.
Your most flexible choice probably is to use ADFS. It's best of both worlds. You can have a combination of Windows authenticated internal users, Forms authenticated external users (with Username/Password incl. "Forgot Password" function etc.) and anonymous access, as described here. But it's not the easiest way obviously.
Related
Closed. This question is opinion-based. It is not currently accepting answers.
Want to improve this question? Update the question so it can be answered with facts and citations by editing this post.
Closed 5 days ago.
Improve this question
I've written .NET WPF desktop app for Windows OS and now I'd like to restrict access to it only for signed in users. Additionally, some features of the application should be available only for users with certain type of priviledges (admin/regular user). The application will be installed on numerous machines so some kind of remote database should be used to store and manage users credentials (login, password and username) so that they could sign in to the application from anywhere.
What is the best approach to achieve that? I've read about Azure AD and it seems to be the most popular solution for authentication and accounts management, but are there any other (maybe better) ways?
If I use Azure AD, I also have to use MSSQl or is it possible to use other type of db?
And do I even need to create a database as I want only create/manage accounts and perform authentication operations?
I've read about Azure Active Directory and relational databases. For now I struggle with sorting all those concepts out. As far as I understand, Azure AD is used only for authentication and once the authentication is successful, user gets access to db with certain priviledges. What I need is to know if my reasoning is ok and I'd be grateful if more experienced people advise me what are the best practices to achieve my goal
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 1 year ago.
Improve this question
I am really new to Azure and honestly not so familiar with Active Directory since majority of my works were relying on different users and their logins completely saved in DB.
But I have got a new requirement for a little big application and its going to work in Azure.
Its an ecommerce application, but other than being a common ecom application, its little different. Each sellers can sell their goods from their own shop page. Customers never get a feeling they are buying from a common store like Amazon.
My concern is how to handle the users and their logins and transaction. I have got confused about Azure AD because many pages says Azure AD can be use for handling the users and roles.
So does it means I dont need to store user ID and roles separately in my table and Azure AD can handle those part??
Expecting kind help because I am a beginner..
What you are looking for is Azure AD B2C.
It's service to support user credentials and authentication flows. Users can use the authentication flows to sign up, sign in, and reset their password. Azure AD B2C stores a user's sensitive authentication information, such as the user name and password. The user record is unique to each B2C tenant, and it uses either user name (email address) credentials or social identity provider credentials
you can follow this on how to setup
Closed. This question needs details or clarity. It is not currently accepting answers.
Want to improve this question? Add details and clarify the problem by editing this post.
Closed 1 year ago.
Improve this question
I'm facing a problem developing the app for the client that uses a SQL Server with Windows authentication only, so the situation is that there is a number of Windows accounts in Active Directory that can access the database and some application are using those accounts.
My problem is I have to develop a C# application that has to get any modification in specific table with a SqlTableDependency the only way to access the database is by using an administrator account; is there a way to define any of the defined accounts to connect using Windows authentication for users to execute the app developed?
And many thanks.
You make this assertion about SqlTableDependency:
The only way to access the database is by using Administrator account
But that is not correct. ANY account can do this, no matter what kind of authentication it uses, if the required security permissions are granted. You will need to find out the exact permissions this item uses and communicate with your client about granting those permissions to their users.
At this point there's a good chance your client will get uncomfortable... they may not have realized what they were asking for! But that's okay. Now you can have a real conversation about what their needs are. Perhaps they need a special (sql-auth-based) service account for this. Or perhaps they want to change the architecture so this runs as a background task on the server. It doesn't matter: the important part is you and the client are now making better-informed decisions about the application.
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 6 years ago.
Improve this question
I have created an asp.net MVC web API application which uses JWT token to authorise the users after normal login.
I am able to implement it correctly but I have following concerns regarding security:
If someone copies the token of valid user and tries to access the api
(my current implementation not able to identify it).
How to detect if someone logins from two different machines?
What are the other things needed to be included in JWT token generation? (I have now used userid in my current implementation)
I need some guidance.
Thanks In advance!!
Copying the token is not easy as you will store it in local storage of browser. It will be more secure than stealing cookie.
You can add one more claim : Mac Address. Then on each request compare the Mac Address of Request with Mac of Claim.
Use a long random string, it should be enough. I would recommend 25 characters as standard. Don't store the key in web.config. Your token is as secure as the secrecy of your key.
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 9 years ago.
Improve this question
I am creating a MVVM application and the basic system allows a user to register, login, and add data to a database.
There are multiple users, so I want the system to be able to maintain the user's credentials/state after they login and have the application open.
So far I haven't been able to find any good tutorials online to advise me about this, so if anyone knows any or knows of a way to do this I would really appreciate some help.
Thanks.
You can use application settings as a store for user state and credentials. To store settings in user's profile, you should set corresponding scope for each setting you'll define.
Consider settings as a part of application model (Model in MVVM).
Build model when starting application, using application settings, and save it on application shutdown.
Also, do not store passwords in clear text. Use ProtectedData to encrypt and decrypt passwords.
Use cookies or local storage are 2 things that jump out to me.
Simply, after receiving the username and password of the user, if the credentials are correct generate a guid and save it to db for that user and add this guid in cookies also. And on every request search the guid value in db and authorize the user if the guid is existing.