I have the following scenario where I’m planning in using windows authentication.
1.1) I have a web server which will run within a domain.
1.2) The web site will run under the credentials of a domain user with a set of configured permissions (One which will be allowed access to the file system, SQL server database etc).
1.3) Users visiting the web site will belong to the same domain, so I’m planning in using windows authentication.
So at this point, an authenticated user, would access the site, but I guess that from code, “CurrentUser” would be the one under which the site is running.
I’d like the following.
2.1) To authenticate the user accessing the site with windows authentication. (Domain controller would be responsible for this).
2.2) For the site to run under the configured user from step 1.2. So it would have all of its permissions.
2.3) But I’d like to know the initial user used to authenticate from (step 2.1).
This way I could do the following:
3.1) User “A” decides to access the site, as he belongs to the same domain as the web server, he authenticates successfully.
3.2) From code I detect that “A” authenticated, so I’ll go and fetch his roles. “Role1, Role2, Role3”.
3.3) I then want the code to run under the user configured in step 1.2, but I’ll assign the Principal all of the roles retrieved from 3.2.
I’ve thought that maybe I could use Impersonation for this.
4.1) So user “A” decides to access the site and authenticates.
4.2) The site would initially run with “A” credentials, so the “CurrentUser” would be “A”.
4.3) Switch the user (somehow) back to the one from 1.2
4.4) I could retrieve all of 4.1 configured Roles.
4.5) Assign the Current Principal the roles retrieved from 4.4.
So in the end the web site will use Windows Authentication with Impersonation, but from code I’d switch back to user 1.2.
If you’ve reached this point thanks for reading! I’d like to know if this is possible and if it seems achievable or if I’m overcomplicating things.
Also suggestions in how can I plug into and where to do all the role retrieving and user switching.
Many thanks!
UPDATE 1
# Code Jammr , you're right, no need to do any crazy stuff. But I think I still need to look into HttpModules,..
After doing a few tests, searching etc...
I've started to understand the difference between these IIdentity objects:
HttpContext.Current.User.Identity
Thread.CurrentPrincipal.Identity
WindowsIdentity i2 = WindowsIdentity.GetCurrent();
I posted another question to help me understand them:
Help understanding impersonation
I think this answers my question.
There are several code samples out there for doing Impersonation. Most involve dealing with tokens and Win API calls. But if you really must do it this way, I say this not knowing what your webserver type is. IIS 6 or IIS7, then there are many code samples out there to guide you along.
Here is one link for ya that pretty much gives you a starting point.
http://msdn.microsoft.com/en-us/library/aa331755(v=vs.71).aspx
Here is a link on AD authentication and you may not have to do anything crazy.
http://support.microsoft.com/kb/326340
You may want to look into asp.net impersonation, app pool settings, etc... to see if there is a better way.
Related
I have viewed and tried dozens of "answers" on StackOverflow, but none work.
I have a pretty simple aspx page with C# code behind.
The web site is on a Windows 2008R2 server.
The web site looks like (actual names changed):
MyServer - set for Anonymous Authentication
Application Pools
ASP.NET v4.0 Classic - .Net 4.0, Classic pipeline, App Pool Identity
MySiteAppPool - .Net 2.0, Integrated, runs under a Domain-wide Service identity (call it "mycompany\domservice")
Sites
MyMainSite - Windows Authentication, uses "MySiteAppPool"
"AutoPrint" - my web app, Windows Authentication, uses "ASP.Net v4.0 Classic" app pool, ASP.NET Impersonation enabled
My "AutoPrint" web app has a start page "AutoPrint.aspx" and code behind ("AutoPrint.aspx.cs", plus several classes).
The server and main site are not alterable, as there are several other applications under this site.
The user currently invokes this app with :
http://MyServer/AutoPrint
Everything I have tried is returning the "mycompany\domservice" result:
Request.LogonUserIdentity.Name.ToString() - returns "mycompany\domservice"
System.Environment.UserName.ToString() - returns "domservice"
System.Security.Principal.WindowsIdentity.GetCurrent().Name.ToString() - returns "mycompany\domservice"
What am I missing here? Why is this so hard?
Further clarifications:
"mycompany\domservice" - the "domservice" account is just an ActiveDirectory account in the "mycompany" domain that has permissions to read/write directories needed by the site and other applications. When installing the Site and additional web apps, we use that account as the "connect as" user.
What I am trying to do is to get the ActiveDirectory name of the Windows user account of the person who opened their browser and accessed this app. If user "JJONES" logs into Windows and launches the app with "http://myserver/autoprint", I want to get either "JJONES" or "mycompany\JJONES" as the user name.
If you use anonymous authentication, then the browser does not send any credentials (user id/password) to the server. Therefore if you want the client user id on the server, you have to use non-anonymous authentication, e.g,. Windows or Forms. You can use non-anonymous authentication and then allow or deny access to your web site to specific users or groups of users, or all users.
Thank you for all the helpful comments/suggestions.
The problem turned out to be a combination of factors. The App Pool I was using was using App Pool Identity (which has limited rights), so I had to use a specific account (the domain service account) in the "Connect as..." for the physical path credentials in order to access certain files.
Changing to use an App Pool that used an account with sufficient privileges (the domain service account) allowed me to leave the "Connect as..." using Pass-through authentication when converting to application.
Voila - I now get the user credentials using pretty much any of the proposed methods. After way too many hours of beating my head against the keyboard...
Have you looked at using HttpContext.User property ? This will give the current logged on user. After which point you may need to perform some nifty LDAP queries to get the username from AD.
See https://msdn.microsoft.com/en-us/library/system.web.httpcontext.user(v=vs.110).aspx
You may want to see the below link on how to search AD on the link "How can I search Active Directory by username using C#?"
Hope this helps you.
We have 3-4 ASP.Net MVC 5 applications for which we want to implement the solution of single sign on.
Our requirements are
Any user trying to access anyone of the application (any page)
and if he has not signed in into the same or another application in
the same browser should be re-directed to the login page.
If the login is successful till that application is running, the user
should not be asked the login credentials again.
If the user logs out from one application, he should log out from all other
applications
Things which may be useful while suggesting a solution.
Currently 2 applications are hosted on different domains. Other 2 applications are on subdomains
Though they are on the same server, one application can have access to database of other application but we would like to have a solution where in this direct access of db should not be required.
We would like to have a 5th application which will do the account management and also login and logout will be handled by this application
We are not just looking at a solution where authentication will be done by the identity server but we are also looking at the authorization wherein the identity server will authorize the level of access of requesting application.
Going ahead if this solution can help us take care of mobile devices as well as webservice based client access, it would be an added bonus.
We are using forms authentication in our application right now.
We have seen some examples on internet which but we seem to be lost on some or the other feature. Either we are going wrong somewhere or we are not looking in the right direction.
Hence we are looking for an answer. Appreciate your time to read this big question.
Thanks
I am working for the DOD. The application they have requested is web based, and will be on their internal network. The request is for CAC authentication, which is easy enough... The remaining problem is authenticating a user. The CAC authentication is happening at the IIS level, so by the time the user gets to the application, all I am doing (or had planned on doing) is checking the ID on the CAC, and comparing it to a user table in the database. If the user exists (and has been approved), then they are off and running in the system. If they do not exist, then they are pushed to the registration screen.
Given my lack of experience with web development, I am unsure if I need to actually authenticate the user in some way beyond the CAC authentication, or if I can just manually assign roles to the user and let the roles dictate what can or cannot be done in the application. Windows authentication is not an option; while this application is internal for the military, it is accessible from different mil networks.
If I do indeed need to authenticate a user... this is where I run into trouble. I have not found anything that says there is a way to manually authenticate a user. I could use the standard ASP tables in the database, but it seems... messy... to include things that won't be used (meaning the password field would always be an empty string - why include it in the db if it isn't being used?).
Thanks in advance for any help... If there's links to where I can read more about the authentication process, those would be very much appreciated as will.
I'm working on several DOE projects that use the same idea. What we normally do for web applications is to enable Windows authentication on the app. This will allow pass-through of user credentials and keep out anyone without credentials.
I also like to add role based authorization into the mix and then use AD groups to allow/deny users on specific apps.
I have four systems running on the same server. I want to let the users to log in once for all the systems. I made one user-management system to create users and edit them.
I tried to save in the session but it didn't help.
Any suggestions? I am working on asp.net.
There are two approaches.
Most resolve around the login happening at a central site, which then returns with an identity information field (login token) that the target site uses to retreive the user.
When you go to another site, the site redirects you shortly to the central site and if you are logged in (persistent cookie) you get back the identity of you.
Alternatively you can do a lot with referrers and playing around.
YOu want to do some research on the internet - what you loo kfo is "Single Sign On".
http://www.codeproject.com/Articles/27576/Single-Sign-on-in-ASP-NET-and-Other-Platforms
has some technical discussions.
Across complete separate websites (domains) you can read up on
http://aspalliance.com/1513_Cross_Site_Authentication_and_Data_Transfer
howw to do it - obviously shared cookies will not work there.
The best way to do this is with Federated Security. If you were using Windows Authentication then you could use Active Directory Federation Services (ADFS). In this model, users reference a Web application and the principal on the current thread is checked. If the value is null then information stored in the web.config will redirect the request to a login page automatically. This is assuming there is no a Windows security context, otherwise the user can be automatically logged in.
After the user is successfully logged into the environment, the principal on the thread is populated and a set of claims are issued that are specific for that user. Since the claims are associated with the principal and not with a specific application, they can be used across the board by any claims aware application.
If you aren't using Windows Authentication, you can still accomplish the same thing, the only problem is that you cannot use ADFS. Instead, you'll have to implement your own Identity Provider to replace ADFS. The .NET Framework does provide base classes and interfaces to help you accomplish that.
I would suggest looking into ActiveDirectory or any LDAP server for single signon to access all applications. If you cannot (or do not wish to) use LDAP, you could implement similar functionality (but with more development work/time spent) with any memory/disk store. If this is not possible, please share why as it might be useful to others.
Hope this helps.
My company develops an asp.net 4.0 website as part of our product. It is meant to be run within an organization (intranet).
I've been given some requirements, but I'm new to this stuff and am not exactly sure what I should be looking into. In general this is what I need to do (assuming the website is running within a Windows domain network)
Allow automatic login to our application for any user currently logged into a domain computer. (Don't show a login screen).
Somehow map our predefined ASP.NET Roles to user groups defined in the domain (I guess manually mapping this in some sort of XML file is fine).
Get the authenticated user's groups so I can figure out the proper role from the above mapping
Get the authenticated user's contact information if available in active directory
I've done some hunting on google, and so far I've seen info on using forms authentication with active directory, windows authentication, something called AD authentication, impersonation, etc.
I'm not really looking for info on how to do this (although any help would be appreciated) I'm more looking for someone to point me in the right direction based on these requirements.
Thanks.
To skip a login, you'll have to use integrated authentication. (Turn off annonymous access in IIS, and enable Windows authentication in your application: http://msdn.microsoft.com/en-us/library/532aee0e.aspx) Of course, this will only work in Internet Explorer, and there are security concerns even if you keep it all inside your intranet.
You can probably use an Active Directory membership provider to get the username into Page.User.Identity.
And you can use the System.DirectoryServices namespace to query AD. This is a good way to get the groups out and into a form you can use for a Role Provider, as well as your route to look up their information.