I'm currently working on a project which has an authentication requirement which is causing me some problems and I'd like some guidance on the best way to achieve it.
I have an internet C# MVC 5 project which currently has OWIN cookie authentication in place for external users. We now need to allow internal users to be able to access the application through Active Directory. Basically, an internal user would log in to their Windows computer, navigate to the website and they'll be signed in.
I don't have any experience of doing AD authentication, so it's a bit of a black hole at the moment.
I'm assuming, using OWIN, I need to create a new authentication middleware that can run before my cookie authentication.
However, I'm not sure where to start with setting this AD middleware up, or whether there is an existing one I can use.
I've tried searching around but can't seem to find much information on doing AD authentication through OWIN, there's just a lot about Azure AD.
I did come across this one https://github.com/MohammadYounes/OWIN-MixedAuth, but running locally, it's using Windows basic authentication, perhaps this can be adjusted for my purposes?
Could someone offer some advice on how to achieve this?
Thank you!
I was facing the same problem not-so-long ago, and went the route to use NTLM authentication (which boils down to what you want, intranet users will be "signed-in" automatically) while keeping full application accounts (ASP:NET Identity 2.0), you may want to check my OWIN NTML authentication middleware:
https://github.com/pysco68/Pysco68.Owin.Authentication.Ntlm
You will need to add a route to you "accounts controller" to handle the sign-in with NTLM and the creation of a local application account (if required). As a comfort-feature you could add an automatic redirect to that sign-in route for users from your intranet.
I hope this helps.
The link you came across is using Integrated Windows authentication NOT basic authentication.
I think your situation is similar to this one. The same can be achieved using OWIN-MixedAuth as per this comment.
Related
Does anyone have experience setting up Azure AD on an ASP.NET 4.X website? I've registered my app in Azure and have been trying to follow the instructions here:
https://learn.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app
However, the following docs regarding SSO, etc. are written for ASP.NET MVC/Core applications.
I've tried using OWIN, and it kinda looks like it's working. I get a login prompt, enter my credentials, and pass through, but I had configured IIS 7 to use Windows Auth, so it might be picking up on that. (I've read that Azure authentication is done at the application level, not IIS, so my previous IIS settings might not be affecting anything.)
Does anyone have advice? I don't have experience adding authentication to a website and appreciate any help. Ideally, I was told I'd hit my organizations 365 login page, authenticate through it, and pass on to my website, but this isn't happening. I just get a standard popup login box. (It works, but I don't know if I'm authenticating through Azure.)
You can use Visual Studio 2019 Create a new ASP.NET (not Core) Web Application wizard. Choose any option that supports Authentication and set it to Cloud - Single or Multiple Organizations:
I've been tasked with enabling authentication and authorization for our project's api. The main goal is to protect the methods from misuse, however we also need to enable a developer from another company to call the methods in their code.
Being new to authentication and authorization I'm overwhelmed with the many different options available for .NET etc. Some techniques look promising until you read that they pass credentials in plain text (basic auth?) or have other issues etc... I'm just looking for a reliable and safe approach.
I'm using IIS to host the web api, and I have seen that one such option is to authenticate at the 'host level'. My supervisor has mentioned this is the preferred approach.
I have looked at many threads and videos regarding authenticating in IIS. From what I can work out, such a solution alerts the user that a certain action requires authentication and to enter their credentials.
My issues are as follows:
Given the other developer is not a member of our domain, how can they authenticate using their (windows?) credentials. Is there an alternative to windows authentication?
How will requiring authorization on certain api actions impact the function of the site normally? I.e. will I have to pass valid credentials to the api in my code, for each request?
Overall I'm just a bit uncertain on how this all works and I appreciate any advice given.
I'm using the Novell.Directory.Ldap library to get communication between my intranet application and an Active Directory server.
However I need to implement an authentication where I verify if the user is authenticated in my local network and is part of a certain group.
All the user verification logic with the AD and if it is part of this particular group is already ready using the library mentioned above. However, I need this to work alongside ASP.NET authentication.
Has anyone implemented anything like this and can you help me with this?
Here's a bit of a back story, feel free to skip to the problem below.
We have a handful of web applications exposed to the outside world (as opposed to ONLY on our internal business network) and these applications are using HTML5 for the offline capabilities. We also had IIS configured for Windows Authentication ONLY (no outside parties use our applications), thus we were issuing the challenge directly against our AD. With a recent update to Chrome for iOS, it broke the NTLM authentication (instead of prompting for use credentials, it just displayed a 401 unauthorized exception page) so we started looking at alternative solutions.
We figured we could leverage our current external ADFS/O365 access thus the user experience would be the same across all external facing applications (not just web apps).
We ended up adding OWIN to our WebForms app to use ADFS authentication and it works from a perspective of you can see the redirect to our external login page and then back to the web app. However, there is an additional problem. To get this to work, we had to DISABLE Windows Authentication in IIS and ENABLE Anonymous Authentication. Also, in the Web.Config in <system.web> we added <authorization><deny users="?" /></authorization>
PROBLEM
Since our applications are using HTML5 and are available offline, we are also using Web API to handle the push of data from the client device to the central system. When we moved to our "SSO type" solution, the POST methods in Web API started crashing. Turns out the line HttpContext.Current.User.Identity.Name stopped working.
How can I get the current authenticated [signed in] user when the user returns to the network and sync's their data? I'm not even sure what the best approach is here, I've tried a few different suggestions from SO and Google, but none seem to work. How does one get the current user in Web API with Owin using Federated Services?
I have spent quite some time now looking at the Windows Identity Foundation. I even read a few chapters of a book on it on MSDN.
But I'm still confused about one thing. Is WIF appropriate for a public facing web site authentication or is this mainly targeted towards intranets/sharepoint sites, something that deals with internal domain where users are identified by integrated windows auth/active directory or something like that. Currently, we have many web sites for our company where people log in and are authenticated against a data store using forms authentication/custom asp.net membership provider. Is it possible to replace this mechanism with WIF? if so, does anyone have a link to such a tutorial.
I have tried looking for any information along these lines but it has been hard to find.
In principle, there's nothing about Windows Identity Foundation that makes it inappropriate for use on a "public-facing" website and WIF isn't in-itself tied to a particular authentication mechanism either. However, if you were considering using Active Directory Federated Services as your Identity Provider the problem would be that authenticating users against AD would be your only option since that's all it supports (although you can plug in a custom attribute store that retrieves claim values from some other datastore). Your WIF relying-party (i.e. your website) doesn't necessarily care how the user was authenticated, though, only that they were authenticated by an IDP that it trusts.
So your problem might not be that of "WIF-enabling" the websites as such, it may be more a question of finding a compatible IDP that supports authenticating against something other than Active Directory so that you can use the data store you currently use to authenticate users. It is possible to use ADFS as a "bridge" (a Relying-Party Security Token Server) between your WIF relying party and a SAML2 IDP like Shibboleth which can use a database to authenticate users, but configuring such a system is a significant challenge so you'd have to weigh up the benefits that your users might gain from single sign-on to your applications against the considerable effort it would take to set up and maintain such a system.
Yes - WIF appropriate for public facing web site authentication. ADFS v2.0 only authenticates against AD. However, you can write a custom STS that authenticates against anything you like. In your case, with a data store, have a look at Identity Server which authenticates against a SQL DB.
Have a look at:
http://claimsid.codeplex.com/
Identity Training Kit
How to: Build an ASP.NET STS