I use windows authentication with IIS and C#. In my global.asax i get the user name to define rights (profile and rights are in a mysql Database). It s working well but i need now to use it fron wan. We use a Firewall Netasq wich provide a VPN SSL whith LDAP authentication. Behind the firewal call an url whith in parameter the name of the authentified user (something like SSO).
What's the best way to authorize wan user to access site : custom authentication provider, using role.
thank by advance.
At this point the solution i have found is :
Allow access to unauthenticated user in my web.config,
Use tow domain name with same directory : 1 that work with windows authentication, 1 with anonymous access,
My netasq call the unauthenticated site with in the url an HTTP_NETASQ_USER witch is the login.
In my global.asax (session start) i use this url param to identify user if the request came from the Netasq IP. Otherwise i use the windows login.
I think there is better ways but it work.
Related
I have viewed and tried dozens of "answers" on StackOverflow, but none work.
I have a pretty simple aspx page with C# code behind.
The web site is on a Windows 2008R2 server.
The web site looks like (actual names changed):
MyServer - set for Anonymous Authentication
Application Pools
ASP.NET v4.0 Classic - .Net 4.0, Classic pipeline, App Pool Identity
MySiteAppPool - .Net 2.0, Integrated, runs under a Domain-wide Service identity (call it "mycompany\domservice")
Sites
MyMainSite - Windows Authentication, uses "MySiteAppPool"
"AutoPrint" - my web app, Windows Authentication, uses "ASP.Net v4.0 Classic" app pool, ASP.NET Impersonation enabled
My "AutoPrint" web app has a start page "AutoPrint.aspx" and code behind ("AutoPrint.aspx.cs", plus several classes).
The server and main site are not alterable, as there are several other applications under this site.
The user currently invokes this app with :
http://MyServer/AutoPrint
Everything I have tried is returning the "mycompany\domservice" result:
Request.LogonUserIdentity.Name.ToString() - returns "mycompany\domservice"
System.Environment.UserName.ToString() - returns "domservice"
System.Security.Principal.WindowsIdentity.GetCurrent().Name.ToString() - returns "mycompany\domservice"
What am I missing here? Why is this so hard?
Further clarifications:
"mycompany\domservice" - the "domservice" account is just an ActiveDirectory account in the "mycompany" domain that has permissions to read/write directories needed by the site and other applications. When installing the Site and additional web apps, we use that account as the "connect as" user.
What I am trying to do is to get the ActiveDirectory name of the Windows user account of the person who opened their browser and accessed this app. If user "JJONES" logs into Windows and launches the app with "http://myserver/autoprint", I want to get either "JJONES" or "mycompany\JJONES" as the user name.
If you use anonymous authentication, then the browser does not send any credentials (user id/password) to the server. Therefore if you want the client user id on the server, you have to use non-anonymous authentication, e.g,. Windows or Forms. You can use non-anonymous authentication and then allow or deny access to your web site to specific users or groups of users, or all users.
Thank you for all the helpful comments/suggestions.
The problem turned out to be a combination of factors. The App Pool I was using was using App Pool Identity (which has limited rights), so I had to use a specific account (the domain service account) in the "Connect as..." for the physical path credentials in order to access certain files.
Changing to use an App Pool that used an account with sufficient privileges (the domain service account) allowed me to leave the "Connect as..." using Pass-through authentication when converting to application.
Voila - I now get the user credentials using pretty much any of the proposed methods. After way too many hours of beating my head against the keyboard...
Have you looked at using HttpContext.User property ? This will give the current logged on user. After which point you may need to perform some nifty LDAP queries to get the username from AD.
See https://msdn.microsoft.com/en-us/library/system.web.httpcontext.user(v=vs.110).aspx
You may want to see the below link on how to search AD on the link "How can I search Active Directory by username using C#?"
Hope this helps you.
Our client requested from us to make our web application accessible from Intranet and Internet.
When user tried to access the website from Intranet, The user should be logged in immediately (Windows Auth) ... The user should have public access also (e.g. Home, Coffee shop), But in this case he should use his credentials and the server will check if its valid.
Any advises?
This is the standard way Integrated Windows Authentication works. If you're inside the intranet (logged onto the domain), IE will automatically send your credentials when the website returns 401.2 (no auth method specified). When you're not inside the domain, the credentials will have to be prompted for, since the domain server cannot be contacted from the client machine.
This is not the same as the "tricky" solution you referred to. That solution is tricky because it also uses forms authentication, which you don't need here (AFAIK).
We decided not to use Windows Auth at all.
The customer want to stay logged in if he is in the Intranet.
so we did the following (and the customer is ok with that)
Forms Auth + 'Keeps me logged in' checkbox
Validate Credentials with AD.
Check if User in trusted IP Addresses Range (Something like allowed IP addresses in SQL Azure)
If trusted IP Range, user becomes authenticated.
If its not, Two factor auth by sending SMS.
One more reason for not using Windows Auth.
The user want to log-out at anytime to use different credentials to do some special tasks.
Usually customers do not know what exactly they want, so we will start dreaming and make things complicated. 'Simply keeps me logged in' for trusted IP addresses and he will stay logged in for N days.
I have an application that authenticates user using a remote system. Users in remote system don't have any role because its multiporpuse nature. I want to assign some roles to each user that authenticated and is valid. Can I use custom membership and rolemanagement? Can I use a dynamic access level to inject authorization to pages?
Yes, you can. I am doing something similar in some apps. Just use the remote system to authenticate, but if authenticated create (or reuse on multiple visits) a local user using membership. Then you can assign roles to that "local user".
So the remote system is only used to authenticate/validate a users credentials, but anything else is managed localy using memberhip and its role management built into ASP.NET MVC.
Is it possible to grab a users windows credentials (i.e. username) without having windows authentication enabled in IIS? With windows auth disabled the code below returns either NT AUTHORITY or IIS APPPOOL\ASP.NET v4.0 depending on if impersonation and anonymous authentication are enabled or not.
System.Security.Principal.WindowsIdentity.GetCurrent().Name.ToString();
I am converting an asp.net web application that is using forms authentication to custom authentication. Basically if a user is connecting from outside the network I force a credential check whereas if they are connecting from within the network I would like to be able to just grab their windows username. The internal portion works when I turn on windows authentication but I get the popup login box when testing outside of the network. I either need to disable windows authentication for non local connections or figure out how to get the windows username with windows authentication disabled. Any suggestions? (The other alternative i thought of was splitting the application in two and having separate authentication modes for each but I'd like to avoid this).
-I have also tried:
System.Web.HttpContext.Current.User.Identity.ToString();
System.Threading.Thread.CurrentPrincipal.ToString();
something like this is actually (kind of) possible using Active Directory Federated Services. In the event of a windows user from inside the network they can be configured to use their account details. For external users, they can be redirected to a page that will require them to log in.
However. This is very heavy-duty and an extreme pain in the..neck to implement and is really only applicable to enterprise solutions that have the resourses to use this kind of solution. Otherwise, I'd say go with the 2 site approach.
Simple answer is no.
Best solution is to create 2 sites. One for internal users that user windows authentication, one for external user that user forms authentication but authenticate against AD. You can make users always go to external site by default and then redirect based on their IP. That is redirect intranet users to internal user.
I am using VSTS 2008 + C# + .Net 3.5 + IIS 7.0 + ASP.Net. I have two IIS web site, site A and site B. When user request url http://sitea/abc.aspx, my ASP.Net code handler will authenticate user (using Forms authentication), and if authenticaiton passed, I will redirect user to http://siteb/bcd.aspx.
My current issue is, some users will access http://siteb/bcd.aspx directly to skip the authentication process of sitea. This is not what I want since I want to ensure all users who access http://siteb/bcd.aspx authenticated.
My question is, what is the easy solution to solve the issue when user will access siteb directly to skip authentication?
My thoughts on this...
Disallow anonymous access to both the site
Since you are using forms authentication set the loginurl appropriately.
If a user access http://sitseb/bcd.aspx directly, since anonymous access is disallowed it will be redirected to the respective login URL.
Do let me know if you need any further clarification.
A similar solution is presented here..
Multiple site authentication with asp.net
NOTE: IF need be, the forms authentication cookie domain should be set to "*.yourdomain.com" so that the same cookie can be used for both the site.
On siteb you can restrict access to the ip address of sitea.
In IIS Manager
Click the Directory Security or File Security tab, and then do one of the following:
in the IP address and domain name restrictions section, click Edit.
Click Granted access or Denied access. When you select Denied access, you deny access to all computers and domains, except to those that you specifically grant access. When you select Granted access, you grant access to all computers and domains, except to those that you specifically deny access.
Click Add, and then click Single computer.
Click DNS Lookup to search for computers or domains by name, rather than by IP address.
Type the DNS name for the computer. IIS searches on the current domain for the computer, and if found, enters its IP address in the IP address box.