I've just built my 1st asp.net mvc application and deployed it in remote IIS.I don't want to have any login option for the application but would like to authorise users based on their user-ids(eg:domainname\username) without any login.I tried using authorize attribute but it is working only when windows authentication type is enabled and is asking for windows login(windows login popsup) whenever the application is opened and doesnot work even after giving the login credentials.
Can someone please assist me on how to implement it without any authentication?
Please let me know if you would like me to add any other details.
Related
If I have an Asp.NET Core 2.1 Website set up using Windows Authentication how do I sign a user out who has signed in using Windows Authentication?
I saw this post but it was asked in 2009. Just wondering if signing out a windows user is now possible.
Short Answer: No.
You would need to use Forms Authentication. The Windows Authetication flow has not changed since that question was posted.
If you do not want to move to Form Authentication you could create your own form of "Logging Out" by mananging a logged on bool in the database for that user and then returning 401 Unauthorized. I strongly advise not doing that and you should implement Forms Authentication.
This still stands true:
No server-side logout button will work when using "Windows"
authentication. You must use "Forms" authentication if you want a
logout button, or close the user's browser.
Thus you would need to use a different form of authentication if you want to be able to logout the user
I'm using Visual Studio 2015 with MVC 5 and need to enable both Windows and Forms Authentication for the same app. I read that one approach is to have two apps: one has Windows Auth enabled; the other has Forms Auth (main app that contains all the pages).
If the user is authenticated via the Windows Auth site, their credentials are passed to the Forms Auth site; otherwise, they'll have to enter their credentials.
I've been searching for a way to do this. Would the Windows Auth app somehow send the person's username only to the Forms Auth app, which would then assume if a name is provided the user is authenticated?
How would you do this? Thanks.
The solution I found, which is quite effective, is to use the OWIN Mixed-Auth library by Mohammad Younes. This will allow your users to log on via either Windows or Forms auth. In addition, for Windows, you can customize it so it passes through seamlessly -- the users don't have to provide their credentials; the app fetches that from their system.
I suggest you download a sample from the link above and get it working; then apply the changes to your app.
I am using C# asp.net to get windows login account (domain\username) for login my web automatically. I can get the account correctly when run the statement "System.Security.Principal.WindowsIdentity.GetCurrent().Name.ToString()" locally on visual studio. However, after deploying the web page to deploy server, it returns "NT AUTHORITY\IUSR".
Most of the solution I found on internet is to use Windows Authentication instead of Anonymous Authentication. I have tried this solution and a user login window is prompted when run the web. It needs to enter the username and password for the deployed server. However, my windows user login account cannot login to the deploy server. Therefore I cannot run the web on my computer.
I would like to know is it possible to get the window user login account if my window account cannot login to the deploy server?
Please try to enable two Authentication methods. First you have to enable Windows Authentication like you already mentioned to pass your credentails automatically to the server (of course only in Intranet).
Additionally you have to activate ASP.NET Impersonation to allow the server to use the passed credentials.
The Help tells you why:
Use ASP.NET Impersonation authentication when you want to run your
ASP.NET application under a security context different from the
default.
In your web.config you have to add the following nodes to your system.web node to tell your application to pass your credentials to the server:
<identity impersonate="true"/>
<authentication mode="Windows" />
Okay so what I'm trying to do is create a desktop application in Visual C# that allows the user to log in using the same credentials as the ones with which they used to sign up to my MVC website. ASP.Net MVC creates an account controller which handles all the security and password hashing, and I basically want to be able to have the application check the password they enter in the desktop app against the one they created online.
The problem is there is no SimpleMembership for windows desktop apps so I have no idea how to handle the login and password encryption/decryption from the desktop app.
Once again, user creates username and password online, they must then be able to sign in with those credentials in a desktop app, checked against the same database.
Can anyone show me a way of doing this?
You can use Client Application Services to utilize existing ASP.NET membership provider as long as it implements Forms Authentication. For the detailed walkthrough please see this article. You can also read through this article.
I am currently working on a project that has a requirement that is causing me some issues and I want to know the best way of handling it.
Essentially we would like internal users to be able to access the MVC application and be authenticated through AD, this we want to be pretty much like SSO, they sign on to their computer navigate to the site and they are in.
The second type of users are outside partners that do not exist in our AD and we want to manage through our SQL Server. For these users we want to display a login page and do forms authentication.
My thoughts at first were simple, let IIS try and authenticate with windows authentication and if it fails (401) redirect to a login page. I don't currently have an environment to test this in but from my understanding in IIS7 it is not that simple and requires a little bit of a "hack" to accomplish. I need to avoid anything like that I need a solution that works as the system was designed to work and not by tricking it.
I have looked into ADFS and WIF but ADFS only supports AD not SQL and from what I've seen there is no STS that supports SQL Server. I have contemplated hosting both an internal application that used windows authentication and external application that used forms authentication but I want to avoid this if possible.
Ideally the flow that we want is user navigates to the MVC application IIS tries to do windows authentication, if it fails (401) redirect them to the login page. From there the login page will authenticate the user credentials against the SQL Database. What is the best way of accomplishing this all within 1 MVC application?
Thank you!
I would just implement my own authentication on top of FormsAuthentication or OWIN if you are using ASP.NET MVC 5. It is really simple and you will have full control over where you go to authenticate users. Trust me it isn't as scary as it sounds. I've written a few posts about it that you might find interesting.
MVC 5
http://www.khalidabuhakmeh.com/asp-net-mvc-5-authentication-breakdown-part-deux
MVC 4
http://tech.pro/tutorial/1216/implementing-custom-authentication-for-aspnet
I currently use the MVC 4 method to authenticate against an Active Directory domain with great success. The only thing I would recommend is you Cache your calls to Active Directory as it can be unreliable at times.
There is the STS that supports sql server, it is the IdentityServer.
https://github.com/thinktecture/Thinktecture.IdentityServer.v2
It even supports custom membership providers which give you quite a lot of different possibilities. I am not sure however if it supports automatic fallback to forms when integrated authentication fails. If not, there are two options: a custom sts or two explicit stses and an explicit choice for users. We have implemented the latter scenario once with ADFS - there were two adfses, one with Forms, the other one with integrated auth, first one federated with the other. This gives an explicit choice on the home realm discovery page - ".would you like to log in with username/password or try the integrated authentication"
You could create a project that uses "On-Premises Authentication" which uses ADFS to authenticate users. The on-premises authority URI will be:
https://yourADFSservername/federationmetadata/2007-06/federationmetadata.xml
After your project is loaded, you can to goto your ADFS settings and create a new "Relying Party Trust" and pass on HTTPS URL that your MVC app will be using. Setup to used LDAP attributes as claims and that will sort out AD authentication easily as it will navigate users to organisational sign-in page just like Office 365. Then if authentication fails for certain users, take the user to send the user to normal sign-in/signup page that exists independently of AD and connected to SQL server. You could skip windows authentication altogether by using on-premises authentication.