I have two questions concerning authentication of an intranet website and how to go about doing it.
I want the first page the user comes to to be the login page. I could have sworn there was a tag, something like [Authorize], that you put in your C# code that did this for you, but I can't find it anymore. Right now the first page is my default.aspx. I turned on Windows authentication in the web.config file and it automatically logged me in. So that is working, but I want the user to have to log in as stated above. What do I have to do?
I only want to allow people that are in a certain group to have access. How do I add this additional check?
In your web.config file you need to add the following
<authentication mode="Forms">
<forms loginUrl="YOUR LOGIN PAGE!!" timeout="2880" />
</authentication>
in the <system.web /> tag.
That will force the user to authenticate for that site.
The [Authorize] attribute is used to require a user be authenticated (like you had put in your question), BUT!! only for MVC applications http://msdn.microsoft.com/en-us/library/system.web.mvc.authorizeattribute.aspx
With MVC you can also do the [RequiresAuthentication(Roles = "admin")] attribute, which will give you control over which roles have access to which endpoints.
I would seriously consider MVC.
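Written out in full, as an added example rather than code from the answer above, here is a web.config that does both things the question asks for with forms authentication: every unauthenticated request is sent to the login page, and only members of one role get past it. The page name Login.aspx, the role name IntranetUsers and the 30-minute timeout are placeholders.

```xml
<configuration>
  <system.web>
    <!-- Forms authentication: requests without a valid ticket cookie are redirected
         to Login.aspx. requireSSL keeps the ticket cookie off plain HTTP; drop it
         only on an HTTP-only development box. -->
    <authentication mode="Forms">
      <forms loginUrl="~/Login.aspx" defaultUrl="~/Default.aspx" timeout="30"
             slidingExpiration="true" requireSSL="true" />
    </authentication>

    <!-- Rules are evaluated top-down, so the allow must come before the deny.
         "*" is every user (anonymous or not); anything not matched by the
         IntranetUsers role is refused. -->
    <authorization>
      <allow roles="IntranetUsers" />
      <deny users="*" />
    </authorization>

    <!-- Needed so that roles="..." and User.IsInRole() work for forms users.
         Without a provider element this falls back to the SQL role provider;
         point it at your own provider if roles come from somewhere else. -->
    <roleManager enabled="true" />
  </system.web>

  <!-- The login page itself must stay reachable anonymously, otherwise the
       redirect to it is itself denied and the browser loops. -->
  <location path="Login.aspx">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

An authenticated user who is not in the role gets a 401 from the authorization module, which forms authentication turns into another redirect to Login.aspx with a ReturnUrl; if you would rather show an error, have Login.aspx check User.Identity.IsAuthenticated and User.IsInRole and render the message instead of the form. For the Windows-authentication variant the asker ended up with (auto-login if in the right group, error otherwise), keep the same authorization block, set mode="Windows", and name the group as a role in DOMAIN\Group form, e.g. roles="CORP\IntranetUsers"; IIS then does the login and the 401 is the error the user sees.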
Use forms authentication instead of Windows authentication. Have a look at these links; they provide walkthroughs for using forms authentication:
http://www.asp.net/web-forms/tutorials/security/introduction/an-overview-of-forms-authentication-vb
http://www.dotnetfunda.com/articles/article141.aspx
For using active directory go through these links :
http://msdn.microsoft.com/en-us/library/ms180890(v=vs.80).aspx
http://msdn.microsoft.com/en-us/library/ff650308.aspx
Here's a guide to setting up Forms Authentication on your site: https://web.archive.org/web/20211020150650/http://www.4guysfromrolla.com/webtech/110701-1.shtml
Part 2 has the meat of the stuff.
Thanks for all the great input. They got me going in the right direction, and then the customer decided to change direction. They want it to auto-login if the user is in the right group, and otherwise display an error message. Forms authentication would have worked as described.
I have an inherited application (let's call it app.mydomain.com) for which I'm trying to update the domain in the cookie that gets set via the web.config. Currently, it's something like this:
<authentication mode="Forms">
<forms loginUrl="~/" timeout="2880" cookieless="UseCookies" domain=".mydomain.com"/>
</authentication>
There is a separate application at app2.mydomain.com also using forms authentication, and the cookie from app.mydomain.com conflicts with it. The app2.mydomain.com correctly references the full domain in its forms authentication block, so it works fine as long as the app.mydomain.com cookie isn't around. My plan was to simply change the .mydomain.com reference in the web.config to app.mydomain.com to resolve this conflict.
My question is how does that existing cookie on app.mydomain.com behave once that web.config is updated in production? Does it overwrite the existing cookie as it sees this update? Does the existing cookie stick around and have to be flushed out before the new one will take effect? Thanks in advance.
So I ended up approaching this a bit differently. It hadn't occurred to me, but it was set up this way to accommodate the app and API being on different subdomains. By setting it to .mydomain, both could access the authentication cookie. When I removed the domain attribute, I was able to log in, but it threw me back to login right away. So I ended up keeping this application using this format (.mydomain), then changed the second application to use it as well. This allows one login to set credentials that are accessible to both applications. I was just trying to resolve the cookie conflict, but this is even better.
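The setup the asker settled on, written out as an added example (not code from the original question): both app.mydomain.com and app2.mydomain.com issue the ticket cookie for .mydomain.com, so one login covers both. A cookie the browser sends to the second site is only useful if that site can validate and decrypt it, so the forms name, path, domain and protection and the machineKey have to be identical on both sites; a mismatch looks exactly like the "logged in, then bounced straight back to login" symptom described above. The cookie name, login URL and the key strings are placeholders, and the keys must be generated per deployment, never copied from a sample. Bear in mind the trade-off: a cookie scoped to .mydomain.com is sent to every host under mydomain.com, so any subdomain that is compromised or untrusted can replay the ticket.

```xml
<!-- Identical in app.mydomain.com\web.config and app2.mydomain.com\web.config -->
<system.web>
  <authentication mode="Forms">
    <!-- domain=".mydomain.com" makes the browser send the ticket to every
         *.mydomain.com host. name, path, domain and protection must match
         on both sites, or each site keeps issuing its own ticket and
         rejecting the other's. -->
    <forms name=".MYDOMAINAUTH" loginUrl="~/Account/LogOn" timeout="2880"
           cookieless="UseCookies" domain=".mydomain.com" path="/"
           protection="All" requireSSL="true" slidingExpiration="true" />
  </authentication>

  <!-- Both sites must sign and encrypt the ticket with the same keys;
       without this the second site cannot validate the first site's cookie.
       Generate real values (IIS Manager > Machine Key > Generate Keys);
       the strings below are placeholders, not usable keys. -->
  <machineKey validationKey="REPLACE_WITH_128_HEX_CHARS_GENERATED_PER_DEPLOYMENT"
              decryptionKey="REPLACE_WITH_64_HEX_CHARS_GENERATED_PER_DEPLOYMENT"
              validation="HMACSHA256" decryption="AES" />
</system.web>
```

On the original "does the old cookie get overwritten" question: browsers identify a cookie by name, domain and path together, so a host-only cookie for app.mydomain.com and a domain cookie for .mydomain.com with the same name are two different cookies and coexist; the old one stays until it expires or is cleared. The expired cookie that FormsAuthentication.SignOut() sends carries whatever domain is currently configured, so it does not remove a ticket that was scoped differently.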
I have started looking into Forms Authentication with Windows Authentication (I believe it's called Mixed Forms Authentication, but I could be, and probably am, wrong).
So far I have discovered in my web.config file I need to add the following lines:
<authentication mode="Forms">
<forms loginUrl="~/Login"></forms>
</authentication>
<authorization>
<deny users="?" />
</authorization>
which I have done. But the next part confuses me. I have been reading about WinLog and WebLog pages and one has to be Windows Authentication and the other a forms Authentication.
I am under the impression this is how the flow should go
Add the lines above to your web.config
Brings user to login page
User gets redirected from another project that has Windows Authentication with the creds they filled in, and the other project sends a response saying yes or no.
The part after the web.config is super confusing, can someone tell me if I am on the right track or far from it?
What I am trying to do is not have an ugly dialog box, but instead have a custom login page.
If someone can point me in the right direction, that would be great.
ASP.NET has 3 different ways of authentication:
- Windows
- Forms
- Passport
Mixed mode authentication has been known as a somewhat problematic way of authenticating users. In order to achieve it, you'll need one application to authenticate the users from a form, and another one to authenticate the users from IIS.
You will find some more info here:
ASP.NET MVC and mixed mode authentication
http://aspalliance.com/553_Mixed_Mode_Authentication.all
https://msdn.microsoft.com/en-us/library/aa291347(v=vs.71).aspx
I am working on ASP.Net MVC-4 application. I have to implement windows authentication.
I have set authentication mode as 'Windows' in web.config file as shown below.
<system.web>
<authentication mode="Windows" />
</system.web>
In controller I try to get username as below.
string userName = User.Identity.Name;
but every time I am getting an empty value.
Please let me know for any suggestions.
Thanks in advance.
Windows authentication is performed by IIS to establish our managed code User.Identity. Therefore, you need to enable Windows Authentication in your IIS, and in order to force the user to authenticate before being able to access our application, you need to disable Anonymous Authentication.
With the given information, it looks like you've configured your project correctly but haven't actually authenticated the user yet.
First some background. There is a simplified tutorial on asp.net where, in between the lines, the following statement is mentioned:
By default, the ASP.NET Development Web Server executes all pages in the context of the current Windows account (whatever account you used to log into Windows).
This means that when you run your project with F5, it executes everything under your currently logged in user account. However, it isn't yet authenticated for the application and therefore your User.Identity.* is not set yet.
In order to verify if this is the case, you should add the [Authorize] attribute on the first controller (or action) that is called in your ASP.NET MVC project. Most likely you'll be confronted with a "HTTP Error 401.0 - Unauthorized" exception. In this case, you should enable your web server to authenticate first. The above mentioned tutorial will help you with this.
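The two switches both answers above point at, as an added example and not code from either answer: mode="Windows" in system.web decides how ASP.NET interprets the identity, but the identity itself only exists if IIS challenged the client, which means Windows Authentication on and Anonymous Authentication off for the site. The system.webServer part is what that looks like in web.config for IIS 7 and later in integrated mode.

```xml
<configuration>
  <system.web>
    <authentication mode="Windows" />
    <!-- "?" is the anonymous user. Denying it makes an unauthenticated request
         fail with 401 (which IIS turns into a Negotiate/NTLM challenge) instead
         of being served with an empty User.Identity.Name. -->
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>

  <!-- Server-side authentication modules that actually establish the identity.
       IIS locks these sections at server level by default; a web.config override
       only takes effect after unlocking them once, e.g.
         %windir%\system32\inetsrv\appcmd unlock config /section:system.webServer/security/authentication/windowsAuthentication
         %windir%\system32\inetsrv\appcmd unlock config /section:system.webServer/security/authentication/anonymousAuthentication
       or by setting the same two switches in IIS Manager. -->
  <system.webServer>
    <security>
      <authentication>
        <anonymousAuthentication enabled="false" />
        <windowsAuthentication enabled="true" />
      </authentication>
    </security>
  </system.webServer>
</configuration>
```

When debugging under IIS Express the same two switches live in its own applicationhost.config and are exposed in the Visual Studio project properties window (Windows Authentication / Anonymous Authentication); the Visual Studio Development Server the tutorial mentions cannot challenge at all, which is why User.Identity.Name stays empty there.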
I have created two web applications in Visual Studio 2013 using C#.
I have registered two new users, one in each of the applications.
Now if I run both applications in Google Chrome, I am getting the following:
1) If I log in to one website and refresh the other website's page, it is also logged in.
How can I make them separate, so that both can have their own users?
Has it something to do with Context.User.Identity? Are both sites using the same cookies?
Please help me in understanding it.
Thanks
Assuming you haven't explicitly changed the authentication configuration in the web.config across both websites, then the behaviour you are seeing is by design.
To configure forms authentication across applications, you set attributes of the forms and machineKey sections of the Web.config file to the same values for all applications that are participating in shared forms authentication.
...Unless otherwise noted, the name, protection, path, validationKey, validation, decryptionKey, and decryption attributes must be identical across all applications.
So, if you want an independent ticket for each site, the easiest solution would be to give each site its own distinct ticket name:
<forms name=".ASPXFORMSAUTH_SITEA" ... />
<forms name=".ASPXFORMSAUTH_SITEB" ... />
For security purposes, you might also want to consider using different encryption/decryption keys as well.
You can make the logins separate by doing the following (my guess is that you want the sessions separate as well), which Microsoft advises doing if running multiple websites from a web server, most likely to avoid this cross-cookie issue.
In your web.config give the session and the authentication cookies unique names, e.g.
<sessionState cookieName="UNIQUESESSION1" timeout="20"/>
and
<forms timeout="2880" name="UNIQUEAUTH1" />
Imagine when you create a new MVC4 Project and you start registering an account using SimpleMembership and you logged using Remember Me checkbox.
Now, when you create another MVC 4 project, the application tries to log in using the previous account, although it throws an error because it does not exist. I mean, if I log in on one web page, the other one uses the same account.
How can I avoid this? I guess it has to do with ForgeryTokens or something like that.
Customize the name of the cookie so that it's unique per application.
<authentication mode="Forms">
<!-- **Defaults** timeout="30" slidingExpiration="true" -->
<forms name=".MyApplication" defaultUrl="~/" loginUrl="~/LogIn" />
</authentication>
If you are using a single sign-on mechanism then it is an exceptionable scenario, but if you do not wish to allow the same authentication with the same account on another website, then make sure the web.config files for both projects have different machine keys.
Also, this happened because cookies on your machine are set to true, to create cookie files and allow access to other projects using these cookie details.
< Authentication />
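The three answers above (unique forms name, unique session cookie name, distinct machine keys) put together for two sites on the same host, as an added example rather than code from any of them. Names, login URLs and the key strings are placeholders; the keys must be generated separately for each site. Distinct cookie names stop the browser from presenting site A's ticket to site B; distinct machine keys mean that even a ticket copied or renamed by hand fails validation on the other site, which is the part that actually enforces the separation.

```xml
<!-- Site A: web.config -->
<system.web>
  <authentication mode="Forms">
    <!-- Unique name: the browser keys cookies by name+domain+path, and on
         localhost both sites share the domain. path limits the default scope
         but is not a security boundary, so do not rely on it alone. -->
    <forms name=".SITEA_AUTH" loginUrl="~/Account/Login" timeout="30"
           path="/" requireSSL="true" slidingExpiration="true" />
  </authentication>
  <!-- Session cookie also renamed, so A's session id is never sent as B's. -->
  <sessionState cookieName="SITEA_SESSION" timeout="20" />
  <!-- Keys unique to site A; a ticket issued by B cannot pass validation here. -->
  <machineKey validationKey="REPLACE_WITH_SITE_A_VALIDATION_KEY"
              decryptionKey="REPLACE_WITH_SITE_A_DECRYPTION_KEY"
              validation="HMACSHA256" decryption="AES" />
</system.web>

<!-- Site B: web.config (same shape, every value different) -->
<system.web>
  <authentication mode="Forms">
    <forms name=".SITEB_AUTH" loginUrl="~/Account/Login" timeout="30"
           path="/" requireSSL="true" slidingExpiration="true" />
  </authentication>
  <sessionState cookieName="SITEB_SESSION" timeout="20" />
  <machineKey validationKey="REPLACE_WITH_SITE_B_VALIDATION_KEY"
              decryptionKey="REPLACE_WITH_SITE_B_DECRYPTION_KEY"
              validation="HMACSHA256" decryption="AES" />
</system.web>
```

The two blocks belong in two separate web.config files, one per site; they are shown together here only for comparison. Without an explicit machineKey, sites on the same server can end up sharing the auto-generated keys, which is why a renamed cookie alone is not enough when the sites must really be isolated from each other.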
It happens because when the web page is served the browser sees localhost as the domain name. It saves the cookie for localhost.
When you host another website on the same server with localhost, then the browser sends the same cookie again.
If you are using the same cookie name in both the applications, then the system will try to think that the user is already authenticated and you will get the error.
You can change the cookie name in web.config file.
Read this:
Can I change the FormsAuthentication cookie name?