I have scoured the web looking for bits and pieces of a more comprehensive solution. I have been unsuccessful in my efforts, so I send up a call for help.
The problem:
I have a .Net/C# WebApp that uses windows integrated authentication. The application is a custom form application that allows users to submit requests. These requests are then routed to supervisors and other parties that will review and approve the requests.
For audit purposes, I must have each supervisor "Sign" the form. The easy solution - use the active browser session information. A user clicks the "approve" button and that information is logged into the database (ID and date/time). But the auditors don't like this solution. They view it as insecure. They want a separate challenge for credentials where users are forced to enter an ID and password (and very soon present a token/PIN combo in lieu of ID/password).
To satisfy this in an infopath version of this form, I used CredUIPromptForCredentials. That code (although written in C#) does not directly port to the new custom WebApplication. I did some digging and uncovered a number of resources on the newer CredUIPromptForWindowsCredentials:
How to show Windows Login Dialog?
Show Authentication dialog in C# for windows Vista/7
How to show authentication dialog in C# .Net 3.5 SP1
Windows Security Custom login validation
This is really in the spirit of what I'm trying to accomplish. With very few modifications to the code in the articles above (and borrowing from some code in my old InfoPath form), I was able to get a working system of prompting and testing.
I would be happy to share the existing code if anyone is interested, but it is VERY similar (nearly verbatim) to the existing code referenced above. The only difference is a separate isAuthenticated method that actually tests the credentials by instantiating a DirectoryEntry object and passing that object to a DirectorySearcher object to test if the credentials worked.
But no so fast. This code, as I said, works, but ONLY when I run in debug mode in Visual Studios 2012. If I visit the site by entering the address and click the button to "sign" the form, the site spins and never shows the security dialog. It's almost as if (and this is just my guess) the IIS settings that allow windows authentication are preventing the applications request to prompt for credentials. This is not the case when I run the site through the debugger.
Once I get past that barrier, I have to actually do some further testing to see if this code will support authentication with a PKI card. I am guessing it will since CredUI passes the prompting to windows to handle.
So here are the questions:
1) What could possibly be preventing the windows security window from popping up when the method is called through the IIS server VS running in Debug (localhost)?
2) Does anyone have any experience with implementing CredUIPromptForWindowsCredentials to work with PKI?
2a) If so, does CredUIPromptForWindowsCredentials actually support PKI without any additional code (assuming that the windows workstations are configured with all of the hardware, drivers, and middleware)?
Thanks in advance for any insight you can lend.
Phil S.
Looking your problem and as an old Auditor, may I recommend an detour to satisfy your auditing team? PKI is not the most safe thing around...
1) Provide a normal LOGIN/PASSWORD form, without any special instruction or Credentials (that could be frauded or stolen "on the fly"). Preferable, utilize HTTPS in this page.
2) Once the guy inform the data, pass a 2-Factor Authentication using SMS (INstant Message). The cost is really irrelevant (see Twilio to get some idea). Obviously, each guy, beyond his login/password, must have his phone within database.
3) This way you can ensure that the Supervisor is really the guy who had approved/sign the page.
It´s the safer mode and, because of it, Facebook, Google Mail and others are utilizing this method.
Sorry, I know I not answered you as you need, but it´s safer than your proposal.
Good luck!
Related
We have 3-4 ASP.Net MVC 5 applications for which we want to implement the solution of single sign on.
Our requirements are
Any user trying to access anyone of the application (any page)
and if he has not signed in into the same or another application in
the same browser should be re-directed to the login page.
If the login is successful till that application is running, the user
should not be asked the login credentials again.
If the user logs out from one application, he should log out from all other
applications
Things which may be useful while suggesting a solution.
Currently 2 applications are hosted on different domains. Other 2 applications are on subdomains
Though they are on the same server, one application can have access to database of other application but we would like to have a solution where in this direct access of db should not be required.
We would like to have a 5th application which will do the account management and also login and logout will be handled by this application
We are not just looking at a solution where authentication will be done by the identity server but we are also looking at the authorization wherein the identity server will authorize the level of access of requesting application.
Going ahead if this solution can help us take care of mobile devices as well as webservice based client access, it would be an added bonus.
We are using forms authentication in our application right now.
We have seen some examples on internet which but we seem to be lost on some or the other feature. Either we are going wrong somewhere or we are not looking in the right direction.
Hence we are looking for an answer. Appreciate your time to read this big question.
Thanks
Hi I am working on a project and need to get the type of logon for each user on the domain. By type I mean if the user connected to our domain via their phone to check e-mail, or if they are on a laptop and connected through a VPN, or just the plain desktop authentication.
I need this because we have a policy here that a person who has not logged on in over 10 days must be disabled. I am not seeing anything obvious on the MSDN site, nor anything relevant in any posts.
any help would be greatly appreciated. I am looking to do this in C#, as I already have a few other class libraries in C# doing some other AD functions and want to just add this into that solution.
thanks.
I have found this CodeProject article that describes almost everything you can do with windows user, including getting domain information.
Howto: (Almost) Everything In Active Directory via C#
Assuming you've already got the logon, browser could give you device information.
I would think that a browser check might be the way to go. Any interaction on the part of your users could then be used to directly confirm which machine they are using, be it iPhone, Android, WindowPhone, or standard computer. You'd have to code that with a little JS but it would allow you to very simply add that to any logs.
Simple way can be found here http://www.w3schools.com/js/js_window_navigator.asp but a perhaps better way would be with object detection, which would find browser by directly testing for certain features.
I'm currently writing an application in C# (Windows 8 Windows Store App, .Net 4.5), what would highly rely on one thing I never worked before: user management.
The application to be done has to access a Windows-based server, and parse the login information with that server, then display functions, profile information, etc., based on that user data. Right now I'm stuck at the really beginning, I have no clue how to solve a global user for the whole application (pretty much like the XBox application, it would be nice to have a small user representation on the top right corner in every screen).
About the platform: we use Windows solution for user management in the whole network (there's a Microsoft ActiveDirectory server running), supplying the information for the Exchange and SharePoint servers. What I want to do is to authenticate the user with the AD server, pull the information (full name, role, access, other user data), then using these information, first display the user profile on the top right corner (the XBox Win8 app style), and load the accessible functions (this will be based on role and other domains of the user, e.g. groups).
If anyone knew a tutorial or solution what can get me closer solving this very part of the problem, it would be great!
There are specific libraries included in the .NET Framework for handling active directory requests. Take a look here:
Generic Authentication Call to Active Directory in C#
http://support.microsoft.com/kb/316748
I'm trying to write a central reporting tool that will allow time tracking based on Windows users logging into a domain. Initially I was going to create a small executable that would run on 'all users' start-up on each computer, track the logged in username and update a central database.
The main problems with this would be having to manage the versions on a machine by machine basis and deal with rare but possible instances of the tool failing on specific machines and not being immediately obvious.
Instead I would prefer to create a centralised version but I'm finding the MSDN and Windows SBS 2003 docs very hard to dig through for the answer.
Basically I would like to hook into the 'login' and 'logout' functions on the server and track all information from there. Are there natural extension points here?
Obviously an alternative may be to parse the event logs for the information (but to this point I can't find any windows logs that say 'who' is logging in or out).
Any guidance on the direction or documentation to look at would be really appreciated.
Are there natural extension points here?
No. Or rather, you don't plug into login/logout unless you want to replace the login module (e.g. for a different authentication mechanism): not something trivial to do—too easy to open up security holes (and I expect not a good idea, if not impossible, in .NET).
But as Windows (all NT derived versions) includes the ability to log all logins and logouts, the information you need can be recorded in the Security event log. There are then a number of options for getting at the information.
First: enable audit of login/logout.
This is best done with group policy. For the local machine enable the options in SecPol.msc (local security policy MMC snapin): Local Policies | Audit Policy
Second: read the event log
In the Security Event Log look for logon events (id 4624), there is some documentation of these events here.
Automation of this (e.g. via a scheduled read of the event log) or forwarding events should be easy enough.
Not all logins will go to the dc. For example a laptop may use cached credentials to allow access when not on the domain.
You may also see multiple logins for the same user if they are accessing network resources. I think the most reliable approach would be to have the code running on each machine getting called from one of the login hooks.
You should look into the namespace called Microsoft.Win32.SystemEvents. There are many handlers there, but i believe what you want is the SessionSwitch event, which will tell you if the current user is logging on/off of the box or locks the screen. This is possible because windows switches to a different desktop when the screen is locked/unlocked, so you will be able to catch these.
Then, to get the user information, you could use the UserPrincipal from System.DirectoryServices.AccountManagement namespace using the machine's principal context.
I’ve been asked to integrate a windows form application with SagePay to take payments directly from the application. The SagePay documentation talks about ASP.NET so I’m not sure whether this is possible. Has anyone integrated a WinForm application with SagePay before? Is it possible?
I know some payment processors have a connection option where the payment part is hosted on a form on their server. You could try embedding a web browser control into your app to display the payment page.
Usually there is another type of connection option where you can send your information via HttpWebRequest, but I'm not sure that this would work as it requires SSL. Since you are running your app as a desktop client, I'm not sure what you would have available.
I am not sure this is possible given that sagepay needs to redirect users to Mastercard securecode or Verified by Visa, I think they would need to redirect to the bank which then redirects back to a supplied URL. I would think this needs to be within a browser environment.
You can post to urls and get back a response via .net objects and parse the results to display on a form.
You can also ask SagePay to create a Vendor account with 3d secure switched off. This allows you to take payments in house in your winforms app without the customers password however most card vendors if you bypass 3d secure will not protect you if someone calls and uses a card fraudulently.
However it can definitely be done.
You can normally post to secure servers from non secure pages so again this isn't usually an issue.