How to prompt a user for credentials and obtain its WindowsIdentity? - c#

How can I prompt a user for credentials and obtain its WindowsIdentity (or something like it)?
I assume I need to use CredUIPromptForWindowsCredentials from Credui.dll, but I found this wrapper in C#: CredentialUI, which only uses username and password, while I need to support any method available (username/password, smart card, biometric, etc.).
I'm pretty sure that it can be done, because of the following:
The CredUIPromptForWindowsCredentials function creates and displays a configurable dialog box that allows users to supply credential information by using any credential provider installed on the local computer.
From CredUIPromptForWindowsCredentials.
So should I use CredUIPromptForWindowsCredentials or not? If not, then what else? If I should, how?
EDIT:
This is not a duplicate of Impersonate with username and password?, because my question regards any method of authentication, especially not username/password-based authentication, whereas the other question explicitly refers to username/password authentication only.

Related

How to trigger Windows for user credentials prompt?

I'm looking for an idea/solution that works on both Windows 8.1 and Windows 10.
For critical actions in my WPF application I want the user to explicitly authenticate again against the operating system. On the web there exist many custom solutions, like NuGet packages, that look like a Windows prompt asking the user for the password, like the one that shows up if you try to access network shares you are not authenticated for.
I do not want to use those custom solutions, I want to use those provided by operating system, if any.
In detail, I'm looking for something like this:
WindowsIdentity identity = WindowsIdentity.GetCurrent();
bool authenticated = [WindowsAPI].Authenticate(identity);
if(authenticated)
{
//do critical action
}
Does such a WindowsAPI exist?
EDIT: The WindowsAPI should have its own UI and, in the best case, validate the credentials and not store any.
bool authenticated = [WindowsAPI].Authenticate(identity);
Should it ask the user to enter the login and password one more time?
You can try to use the Windows API LogonUser. However, it does not supply a UI to collect the user name and password. You can try to create a dialog form with two textboxes on your own.
There is IPublicClientApplication and AcquireToken* methods. Please check the AcquireTokenByIntegratedWindowsAuth.
However, it works with AzureAD to get the token, so I'm not sure whether it fits your requirements.
The overall answer is: No, there does not exist a Windows API that includes its own UI and additionally validates the entered credentials.
In short, I used CredUIPromptForWindowsCredentials, which pops up a configurable operating system dialog to enter credentials, CredUnPackAuthenticationBuffer to unpack the credentials and LogonUser to verify the unpacked credentials. At the end, clear the memory allocated by CredUIPromptForWindowsCredentials using CoTaskMemFree.
MS Docs:
CredUIPromptForWindowsCredentials
CredUnPackAuthenticationBuffer
LogonUser
CoTaskMemFree
P/Invoke Docs:
CredUIPromptForWindowsCredentials
CredUnPackAuthenticationBuffer
LogonUser
CoTaskMemFree
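An added C# sketch of the four-call sequence the answer describes (this is not the answerer's own code): the OS dialog collects the credential through whichever credential provider the user picks, the buffer is unpacked, LogonUser verifies it, and the buffer is wiped and released. It assumes a caller that supplies the owner window handle, caption and message, and a desktop Windows host; the class name OsReauth is made up for the example.

```csharp
using System;
using System.Runtime.InteropServices;
using System.Security.Principal;
using System.Text;

static class OsReauth
{
    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    struct CREDUI_INFO { public int cbSize; public IntPtr hwndParent; public string pszMessageText; public string pszCaptionText; public IntPtr hbmBanner; }
    [DllImport("credui.dll", CharSet = CharSet.Unicode)]
    static extern uint CredUIPromptForWindowsCredentials(ref CREDUI_INFO uiInfo, uint authError, ref uint authPackage,
        IntPtr inBuf, uint inBufSize, out IntPtr outBuf, out uint outBufSize, ref bool save, uint flags);
    [DllImport("credui.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    static extern bool CredUnPackAuthenticationBuffer(uint flags, IntPtr buf, uint bufSize, StringBuilder user, ref uint userLen,
        StringBuilder domain, ref uint domainLen, StringBuilder password, ref uint passwordLen);
    [DllImport("advapi32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    static extern bool LogonUser(string user, string domain, string password, int logonType, int provider, out IntPtr token);
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr handle);
    const uint CREDUIWIN_ENUMERATE_CURRENT_USER = 0x200, CRED_PACK_PROTECTED_CREDENTIALS = 0x1;
    const int LOGON32_LOGON_INTERACTIVE = 2, LOGON32_PROVIDER_DEFAULT = 0;

    // Returns the verified identity, or null if the user cancelled or the credentials were rejected.
    public static WindowsIdentity PromptAndVerify(IntPtr ownerHwnd, string caption, string message)
    {
        var ui = new CREDUI_INFO { cbSize = Marshal.SizeOf(typeof(CREDUI_INFO)), hwndParent = ownerHwnd,
                                   pszCaptionText = caption, pszMessageText = message };
        uint authPackage = 0; bool save = false;
        uint rc = CredUIPromptForWindowsCredentials(ref ui, 0, ref authPackage, IntPtr.Zero, 0,
            out IntPtr outBuf, out uint outSize, ref save, CREDUIWIN_ENUMERATE_CURRENT_USER);  // pre-selects the logged-on user
        if (rc != 0) return null;                                   // 1223 = ERROR_CANCELLED
        try
        {
            var user = new StringBuilder(513); var domain = new StringBuilder(337); var pwd = new StringBuilder(256);
            uint ul = 513, dl = 337, pl = 256;
            if (!CredUnPackAuthenticationBuffer(CRED_PACK_PROTECTED_CREDENTIALS, outBuf, outSize,
                    user, ref ul, domain, ref dl, pwd, ref pl)) return null;
            // Smart-card providers return a marshaled certificate as the user name and the PIN as the password; LogonUser accepts that.
            if (!LogonUser(user.ToString(), domain.Length == 0 ? null : domain.ToString(), pwd.ToString(),
                    LOGON32_LOGON_INTERACTIVE, LOGON32_PROVIDER_DEFAULT, out IntPtr token)) return null;
            try { return new WindowsIdentity(token); }              // WindowsIdentity duplicates the token
            finally { CloseHandle(token); }
        }
        finally
        {
            for (int i = 0; i < outSize; i++) Marshal.WriteByte(outBuf, i, 0);  // wipe the cleartext secret first
            Marshal.FreeCoTaskMem(outBuf);                                   // managed wrapper for CoTaskMemFree
        }
    }
}
```

A null result should be treated as "not re-authenticated" and the critical action refused; the returned WindowsIdentity can be compared against WindowsIdentity.GetCurrent().User to make sure the person who authenticated is the logged-on user and not some other account.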

Generate a token based on the windows user who makes the request

I have searched all over for an answer to this, and not found anything that seems to answer my question. Which feels like it should be an easy one (but clearly isn't).
I have an API which authenticates using a token. This token I generate from my application - more specifically, I have a new Token Generation web call that will return a token. Currently, I pass in a cookie with the user and password information, and it uses this to identify who I am and what I should be allowed to do. This is all working absolutely fine and hunky-dory.
I am achieving this process by making the Token Generation use OWIN Cookie Authentication, which means that the cookie is read and the Identity is set. I am then able to use this identity to confirm whether the user is allowed to access the system.
What I now want to do is replace this Cookie Authentication process by authenticating against a Windows User (everything is windows based, and this will be an option so non-windows users can still use the cookie authentication route). But I cannot discover how to straightforwardly do this.
Note that I don't actually need to validate that the user is genuine or refer back to the AD at all. If you provide a windows user that matches a user in the system, you can log in.
So how can I - easily - get the requesting user into the Identity Name? Or is this not possible?
If you are looking for information on the current user accessing your program, assuming the program is running on the user's machine and is windows based, you can simply query windows for the user's username or any other publicly available information about the user.
Refer to https://learn.microsoft.com/en-us/dotnet/api/system.environment?view=netframework-4.8 for information on the Environment class and what its features are.
If you could provide some code or further clarity I could help you further.

How to compare a value to windows account password in asp.net core using windows authentication?

There is an ASP.NET Core web app on a local server that uses Windows authentication; users can connect to it and perform actions.
Now I want to prompt the user for a password as a confirmation for a specific action. At this point the user is already authenticated; I just want an additional confirmation. Is there a way to compare the prompted value to the password that they use to sign in to their Windows account?
Note: What would I have to consider and perhaps is there a better way to handle something like this?
No, you can't get access to the raw password for comparison. Windows auth is not a great fit for dynamic prompts, most flows that do this are based on cookies. Windows auth provides credentials on every request, so it's up to the client/browser to prompt only when required. The average client is never prompted, it uses the current user's credentials.

How to authenticate users in Active Directory using AuthType.Kerberos?

Could anyone please share any thoughts on authenticating Active Directory users using the AuthType.Kerberos method?
Ideally, I would like to pass the Username and Password to validate the user credentials using the AuthType.Kerberos method
This type of validation uses LDAP connection (LdapConnection)
Any comments or feedback will be very appreciated.
Cheers! :)
Kerberos doesn't use a username and password in the sense you are talking about here; it uses a ticket-based auth system with a central server. Kerberos is quite complicated to implement and is normally only used in cases where you want to do double-hop authentication with the logged-in user. This means the application wants to use the credentials of the user who has logged in to access a secondary system. For example, if you have a SharePoint site which pulls data from an Exchange server, you may want to pass the currently logged-in user's details from SharePoint to Exchange. This is normally done with Kerberos and Constrained Delegation.
In reality, what you probably want for your application is Windows authentication (NTLM), which allows the application to authenticate domain users (however, again, in the common case this doesn't use a username and password at your application level either).
===EDIT===
To implement Kerberos with a .Net webapp you will need to do the following:
Enable Constrained Delegation for the app pool http://blogs.msdn.com/b/dotnetremoting/archive/2006/07/06/662599.aspx
Set up SPNs for your site http://support.microsoft.com/kb/929650
Set up your code to use Kerberos when you call the remote service; this is basically just setting the protocol. You don't need to actually send the username or password.
This article has some good advice around how to troubleshoot problems with the system
http://blogs.technet.com/b/askds/archive/2008/05/29/kerberos-authentication-problems-service-principal-name-spn-issues-part-1.aspx
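An added C# example (not from the answer) of the third step above: the protocol on an LdapConnection is set to AuthType.Kerberos and the bind runs with the caller's existing ticket, so no password passes through the application. The second method shows the explicit-credential bind the question asked for, included for contrast. It assumes a domain-joined Windows host and a domain controller host name supplied by the caller; the class and method names are made up for the example.

```csharp
using System;
using System.DirectoryServices.Protocols;
using System.Net;

static class KerberosBind
{
    // Binds with the process's existing logon session: the Kerberos ticket is obtained
    // by the OS, and the application never sees a password.
    public static bool BindAsCurrentUser(string domainController)
    {
        return TryBind(domainController, null);
    }

    // Binds with explicit credentials: the KDC runs the AS exchange for this user, so a
    // wrong password fails the bind. The application now handles a cleartext secret,
    // which is exactly what the answer steers away from; prefer BindAsCurrentUser.
    public static bool BindWithCredentials(string domainController, string user, string password, string domain)
    {
        return TryBind(domainController, new NetworkCredential(user, password, domain));
    }

    static bool TryBind(string domainController, NetworkCredential cred)
    {
        var id = new LdapDirectoryIdentifier(domainController, 389);
        using (var conn = new LdapConnection(id))
        {
            conn.AuthType = AuthType.Kerberos;           // Kerberos only, no silent fallback to NTLM
            conn.SessionOptions.Signing = true;          // integrity protection on the LDAP session
            conn.SessionOptions.Sealing = true;          // and confidentiality
            try
            {
                if (cred == null) conn.Bind(); else conn.Bind(cred);
                return true;
            }
            catch (LdapException)                        // rejected credentials or unreachable KDC
            {
                return false;
            }
        }
    }
}
```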

Login to Windows xp programmatically

Has anyone heard that it's possible to log in to Windows XP programmatically?
I want to modify the way the Domain Controller authenticates the user, and if the user is authenticated in my special way, it returns the user name and password to a service running on the client machine, so it can log in the user with the credentials passed from the DC without waiting for the user to enter his original credentials.
Have a look at this: Gina.dll MSDN
Gina is the system that fingerprint readers etc. use to customise the login screen. You may be able to use this to achieve your purpose?
To future proof your app (Vista and Windows 7) you may wish to look into these: MSDN Mag Vista Credential Providers