I am working on one project where we have to deploy two different application on server, one is Cognos website and other is .NET website.
Now, when request come to web server (IIS) it should asked for Client Certificate Selection, once you choose the client certificate it should go back and check where it is attached with any Active Directory Users or not.
basically i wanted to implement authentication using Active Directory and Client certificate using .NET.
Appreciate for any suggestion/direction.
This should work out of the box with no code.
First, turn off anonymous access and basic authentication for the website and turn on integrated windows authentication and certificate integration.
Then, in your asp.net application, set the auth mode to windows.
Then, turn on SSL for the website and check the option "require client certificate".
http://technet.microsoft.com/pl-pl/library/cc753983%28v=ws.10%29.aspx
From now on, when the browser supports certificate integrated authentication and the client machine has the certificate either in the user store (IE) or in the browser store (other browsers), the browser will automatically ask the user to pick up the certificate.
My advice is to start with integrated windows authentication over SSL but without certificates (do not check "Require client certificates"). Test with IE and configure the IIS until your users are automatically authenticated without any prompt for credentials.
This is the most troublesome part. If you have it working, you just turn on the requirement of client certificates.
Related
I am building a Blazor Server app using .NET 6.0.11 and deploying using Http.Sys . The server and clients are all on the same Windows domain. I'd like to authorize users based on their domain login, instead of building a username/password database and infrastructure specific to this app.
The code in Program.cs to enable Windows Authentication, based on code from the official documentation:
if (RuntimeInformation.IsOSPlatform(OSPlatform.Windows))
{
builder.Services.AddAuthentication(HttpSysDefaults.AuthenticationScheme);
builder.WebHost.UseHttpSys(options =>
{
options.Authentication.Schemes =
AuthenticationSchemes.NTLM | AuthenticationSchemes.Negotiate;
options.Authentication.AllowAnonymous = false;
});
}
// ...
app.UseAuthentication();
app.UseAuthorization();
I view the authentication state using the first code sample from ASP.NET Core Blazor authentication and authorization.
If I launch the application on http://localhost:55555 then the page loads instantly and it shows my domain and username successfully.
However, if I launch the application as http://mycomputername.our.domain:55555, and access it via Chrome or Edge on the same machine, then a popup appears asking for username and password:
Note: I had to run a netsh http add urlacl url=.... one time only; the command was suggested by an exception message generated on first run after changing the launch URL.
Entering my domain login username and password is accepted, and the previous code sample does show my username successfully. I also noticed the following behaviour:
setting AllowAnonymous = true; means it will not prompt at all for the username/password; the page just proceeds with the user not authenticated.
If the username/password is not entered correctly (for a user on the domain) then HTTP error 401 is generated instantly, it never tries to execute the Blazor default error page for example.
I hope the authentication is being done between the client and the domain controller, not sending the user's password over the HTTP connection!
I am presuming the above behaviour will be the same for other domain uses on different machines accessing this server, although have not tested that yet.
My questions:
is it possible to skip the username/password popup , and just get the domain user that is already logged in on the client machine and doing the access?
(If not) would deploying to IIS instead of Http.Sys change anything?
There seem to be Blazor-based solutions discussed on this SO thread , but I can't see how to use them because the popup always appears as soon as any page is attempted , before any page is rendered; and if login fails, HTTP 401 error is generated with none of the Blazor pages being executed.
Footnote: I was using HTTP.sys instead of Kestrel due to documentation indicating that Kestrel did not support Windows Authentication; however it is working using Kestrel for me now, along with the information from the Accepted answer -- not sure what the story is there.
This is a client-side issue.
If I launch the application on http://localhost:55555 then the page loads instantly and it shows my domain and username successfully.
However, if I launch the application as http://mycomputername.our.domain:55555, and access it via Chrome or Edge on the same machine, then a popup appears asking for username and password:
That's because the browser recognizes localhost as a (somewhat trustworthy) server within your intranet, but considers mycomputername.our.domain to be a (potentially hostile) Internet service. For security reasons, Chrome and Edge only use your Windows credentials with servers within your own intranet by default.
To determine which group an URL belongs to, Chrome, Internet Explorer and Edge use Windows's own "Intranet zone" settings. To add your URL,
search for "Internet options" in the Windows Start Menu, then
navigate to Security/Local intranet/Sites/Advanced.
If you want to test with a non-Chromium based browser, here's how to configure Firefox. Firefox manages its own list of URLs where Windows authentication is allowed:
How to configure Firefox for NTLM SSO (Single-Sign-On)?
I hope the authentication is being done between the client and the domain controller, not sending the user's password over the HTTP connection!
If the client and the server agree to use Kerberos, sure: The client communicates with the domain controller to authenticate and to get a service ticket and then uses that ticket to access your service.
If they don't agree, they will use NTLM. In this case, authentication happens between the client and your server. However, NTLM won't send your password in plain text either, but rather uses it as part of a challenge-response mechanism.
is it possible to skip the username/password popup , and just get the
domain user that is already logged in on the client machine and doing
the access?
IMHO, this is not possible with "windows authentication", because the popup dialog that you see is a special browser feature to enable the windows authentication.This one created in order to support internal application with domain authentication. I don't know of any way to access that browser behavior.
(If not) would deploying to IIS instead of Http.Sys change anything?
Haven't done a deployment with Http.Sys, but according to the documentation it says that Http.Sys supports windows authentication. The deployment would be different since for Http.Sys you need to write the configuration in code, unlike the IIS.
I am working in an Asp.net application with forms authentication. On my web.config I had set the requiressl property=true.
I have been working on development without any problem but when I deploy it on my test environment I got the next error:
The application is configured to issue secure cookies. These cookies require the browser to issue the request over SSL (https protocol). However, the current request is not over SSL."
The error is raised on
at System.Web.Security.FormsAuthentication.SetAuthCookie(String userName, Boolean createPersistentCookie, String strCookiePath)
at System.Web.Security.FormsAuthentication.RedirectFromLoginPage
So my questions are why is FormsAuthentication.SetAuthCookie setting the cookie over http? and how can I set it to be over https??
I think you should configure your IIS in order to accept SSL connections for your site.
https://learn.microsoft.com/en-us/iis/manage/configuring-security/how-to-set-up-ssl-on-iis
You should pay attention if you activate SSL for your site and if you don't have a Valid SSL Certificate, users will see a warning when they open your site: Continue with this website (Not recommended). And most of the time people don't choose this option.
And it can be more complicated. For me, you should buy an SSL certificate from a provider. You should install it on your server. In order to ensure that your clients will browse your site under https://, you should redirect any connection to your site to https://.
Here is a link which is very useful :
https://www.namecheap.com/support/knowledgebase/article.aspx/9953/38/iis-redirect-http-to-https
I have a client that wants to implement CAC with our website. Usually the user already has access based on the certificates assigned to them.
They want to be validated by entering their CAC pin code when they click a button to log in.
I'm using ActivClient to manage the CAC but I don't know how to have the website communicate with the card reader to have the user input the pin code and validate it.
Is this done through IIS settings or do I have to update my code to somehow communicate with the middleware?
Thanks in advance
The solution we used involved a few configuration changes to IIS as well as some code changes to use the information provided by the CAC.
In IIS (8.0), we just set the Authentication to Anonymous Authentication. In SSL Settings, we checked Require SSL and under Client Certificates, select the Require option.
After you've authenticated, depending on what information you need access to from the certificate, you can access it using this method:
X509Certificate2 certificate = new X509Certificate2(Request.ClientCertificate.Certificate);
This will give you the certificate object that contains the information that the CAC carries. You can access some of these properties by using
certificate.GetNameInfo(X509NameType.SimpleName); //X509NameType.EmailName, etc
I recently dealt with this with the DoD. There is no code involved, all you have to do is set the the IIS site to use Integrated Security (or possibly certificate authentication based on your AD configuration) and turn off the other authentication mechanisms. The browser will then prompt the user for credentials using the method configured in Active Directory, which should show the CAC certificate selection and PIN window if they are using AD correctly. Note that you must also be using HTTPS or the browser will not pass the CAC credentials to the server for security reasons.
Our client requested from us to make our web application accessible from Intranet and Internet.
When user tried to access the website from Intranet, The user should be logged in immediately (Windows Auth) ... The user should have public access also (e.g. Home, Coffee shop), But in this case he should use his credentials and the server will check if its valid.
Any advises?
This is the standard way Integrated Windows Authentication works. If you're inside the intranet (logged onto the domain), IE will automatically send your credentials when the website returns 401.2 (no auth method specified). When you're not inside the domain, the credentials will have to be prompted for, since the domain server cannot be contacted from the client machine.
This is not the same as the "tricky" solution you referred to. That solution is tricky because it also uses forms authentication, which you don't need here (AFAIK).
We decided not to use Windows Auth at all.
The customer want to stay logged in if he is in the Intranet.
so we did the following (and the customer is ok with that)
Forms Auth + 'Keeps me logged in' checkbox
Validate Credentials with AD.
Check if User in trusted IP Addresses Range (Something like allowed IP addresses in SQL Azure)
If trusted IP Range, user becomes authenticated.
If its not, Two factor auth by sending SMS.
One more reason for not using Windows Auth.
The user want to log-out at anytime to use different credentials to do some special tasks.
Usually customers do not know what exactly they want, so we will start dreaming and make things complicated. 'Simply keeps me logged in' for trusted IP addresses and he will stay logged in for N days.
We have an intranet site on our network which uses NTLM to perform single sign on that works without issues. I wrote a C# application which spawn's an IE window with the site URL. Because the application also installs other applications from a protected folder and the users on the domain have restricted rights it is ran with a local administrative account.
I have tried:
System.Diagnostics.Process.Start("IExplore.exe", "http://MyIntranetSite/");
// and
System.Diagnostics.Process.Start("http://MyIntranetSite/");
This works without any sort of issue on Windows 7, however on Windows XP it is prompting for user credentials for NTLM authentication.
Could someone point me in the right direction of how to get around this issue?
The most likely reason would be IE settings. NTLM SSO only works, on the client side, when IE chooses to use SSPI and handshakes with the server. IE parses the URL and uses its security settings to decide whether to do SSO or prompt for creds. http://support.microsoft.com/kb/258063