I am using VSTS 2008 + C# + .Net 3.5 + IIS 7.0 + ASP.Net. I have two IIS web site, site A and site B. When user request url http://sitea/abc.aspx, my ASP.Net code handler will authenticate user (using Forms authentication), and if authenticaiton passed, I will redirect user to http://siteb/bcd.aspx.
My current issue is, some users will access http://siteb/bcd.aspx directly to skip the authentication process of sitea. This is not what I want since I want to ensure all users who access http://siteb/bcd.aspx authenticated.
My question is, what is the easy solution to solve the issue when user will access siteb directly to skip authentication?
My thoughts on this...
Disallow anonymous access to both the site
Since you are using forms authentication set the loginurl appropriately.
If a user access http://sitseb/bcd.aspx directly, since anonymous access is disallowed it will be redirected to the respective login URL.
Do let me know if you need any further clarification.
A similar solution is presented here..
Multiple site authentication with asp.net
NOTE: IF need be, the forms authentication cookie domain should be set to "*.yourdomain.com" so that the same cookie can be used for both the site.
On siteb you can restrict access to the ip address of sitea.
In IIS Manager
Click the Directory Security or File Security tab, and then do one of the following:
in the IP address and domain name restrictions section, click Edit.
Click Granted access or Denied access. When you select Denied access, you deny access to all computers and domains, except to those that you specifically grant access. When you select Granted access, you grant access to all computers and domains, except to those that you specifically deny access.
Click Add, and then click Single computer.
Click DNS Lookup to search for computers or domains by name, rather than by IP address.
Type the DNS name for the computer. IIS searches on the current domain for the computer, and if found, enters its IP address in the IP address box.
Related
Our client requested from us to make our web application accessible from Intranet and Internet.
When user tried to access the website from Intranet, The user should be logged in immediately (Windows Auth) ... The user should have public access also (e.g. Home, Coffee shop), But in this case he should use his credentials and the server will check if its valid.
Any advises?
This is the standard way Integrated Windows Authentication works. If you're inside the intranet (logged onto the domain), IE will automatically send your credentials when the website returns 401.2 (no auth method specified). When you're not inside the domain, the credentials will have to be prompted for, since the domain server cannot be contacted from the client machine.
This is not the same as the "tricky" solution you referred to. That solution is tricky because it also uses forms authentication, which you don't need here (AFAIK).
We decided not to use Windows Auth at all.
The customer want to stay logged in if he is in the Intranet.
so we did the following (and the customer is ok with that)
Forms Auth + 'Keeps me logged in' checkbox
Validate Credentials with AD.
Check if User in trusted IP Addresses Range (Something like allowed IP addresses in SQL Azure)
If trusted IP Range, user becomes authenticated.
If its not, Two factor auth by sending SMS.
One more reason for not using Windows Auth.
The user want to log-out at anytime to use different credentials to do some special tasks.
Usually customers do not know what exactly they want, so we will start dreaming and make things complicated. 'Simply keeps me logged in' for trusted IP addresses and he will stay logged in for N days.
I have a C#.NET 4.0 application running under IIS 7 on Windows Server 2008 with IIS7 server. The application will run in the company intranet that automatically grabs the logged-in Windows username of the person viewing the page without being prompted to enter credentials when the page loads. Now i'm facing 2 problems:
1) Currently, the apps returns the production server name (eg: XYZ\sam) that the application located at. I want to get the current logged on username (eg: ABC\sam). It works fine at localhost but not at production server.
I've enabled <authentication mode="Windows" /> at web.config , enabled windows authentication and disabled anonymous authentication at IIS.
I've tried Page.User.Identity.Name, System.Web.HttpContext.Current.User.Identity.Name, System.Security.Principal.WindowsIdentity.GetCurrent().Name, and others but still failed to get the right name. How to get the current windows logged on user?
2) When I want to access the application, it keeps prompting out a windows for username and password. If I ignore it, it will prompt out
401 - Unauthorized: Access is denied due to invalid credentials. You
do not have permission to view this directory or page using the
credentials that you supplied.
How i gona fix it?
For question 1, it cannot retrieve the logged in username because the server is domain server. It works after transfer from workgroup to domain.
For question 2, it works fine(no pop out credential) if I access with the server name (eg:servername/appsname). But it will ask for credential if I use ip (eg:xxx.xx.xx.x/appsname) and didn't setup the tools internet options. Factor still not known.
For your 2 problem, to log automatically, you have to set it on the browser, for my experience, i have done this in IE: https://superuser.com/questions/537416/how-to-make-internet-explorer-automatically-login-in-a-certain-domain
Is it possible to grab a users windows credentials (i.e. username) without having windows authentication enabled in IIS? With windows auth disabled the code below returns either NT AUTHORITY or IIS APPPOOL\ASP.NET v4.0 depending on if impersonation and anonymous authentication are enabled or not.
System.Security.Principal.WindowsIdentity.GetCurrent().Name.ToString();
I am converting an asp.net web application that is using forms authentication to custom authentication. Basically if a user is connecting from outside the network I force a credential check whereas if they are connecting from within the network I would like to be able to just grab their windows username. The internal portion works when I turn on windows authentication but I get the popup login box when testing outside of the network. I either need to disable windows authentication for non local connections or figure out how to get the windows username with windows authentication disabled. Any suggestions? (The other alternative i thought of was splitting the application in two and having separate authentication modes for each but I'd like to avoid this).
-I have also tried:
System.Web.HttpContext.Current.User.Identity.ToString();
System.Threading.Thread.CurrentPrincipal.ToString();
something like this is actually (kind of) possible using Active Directory Federated Services. In the event of a windows user from inside the network they can be configured to use their account details. For external users, they can be redirected to a page that will require them to log in.
However. This is very heavy-duty and an extreme pain in the..neck to implement and is really only applicable to enterprise solutions that have the resourses to use this kind of solution. Otherwise, I'd say go with the 2 site approach.
Simple answer is no.
Best solution is to create 2 sites. One for internal users that user windows authentication, one for external user that user forms authentication but authenticate against AD. You can make users always go to external site by default and then redirect based on their IP. That is redirect intranet users to internal user.
I use windows authentication with IIS and C#. In my global.asax i get the user name to define rights (profile and rights are in a mysql Database). It s working well but i need now to use it fron wan. We use a Firewall Netasq wich provide a VPN SSL whith LDAP authentication. Behind the firewal call an url whith in parameter the name of the authentified user (something like SSO).
What's the best way to authorize wan user to access site : custom authentication provider, using role.
thank by advance.
At this point the solution i have found is :
Allow access to unauthenticated user in my web.config,
Use tow domain name with same directory : 1 that work with windows authentication, 1 with anonymous access,
My netasq call the unauthenticated site with in the url an HTTP_NETASQ_USER witch is the login.
In my global.asax (session start) i use this url param to identify user if the request came from the Netasq IP. Otherwise i use the windows login.
I think there is better ways but it work.
I'm trying to develop an intranet app/website that uses Windows authentication.
I'd like to test it with multiple users, for roles etc.
At the moment I'm only using my own domain account. Is there a way I could simulate different users for the site?
As a picture is worth a thousand words here it goes how to do it in IE based on 2GDev's comment copied here for clarity:
Go to Internet Options => Security => Local Intranet => Custom Level
and change the User Authentication to "Prompt for username and
password"
Click OK then Apply. Close the browser. Reopen it and point it to the website's URL you want to debug. You should happily see the login prompt where you can login with a different User account to simulate concurrency for example (this is what I'm doing right now here):
When you use Windows Authentication you can change your identity by running the browser as another user.
In windows, go to the browser exe (or a shortcut), right-click on the icon and select "Run as.." from the menu. This will prompt you to specify the username and password to run the account under.
Provided the identity you specify has access to the machine you are running on, the browser will then be running "as" identity specified. If you browse to a site using Windows Authentication, it will authenticate using the identity specified, instead of your own.
Use Impersonation...
From MSDN
Impersonation
An ASP.NET application can use impersonation to perform operations and
access resources with the security context of the authenticated client
or of a specific Windows account.
And in your web.config
<identity impersonate="true" username="TestUser" password="P#ssw0rd" />
How about to install and run the Virtual PC with some ready for download installed systems from MS ?
By running a virtual pc on your computer you can emulate connections to your pc and at the same time, its looks like a diferent computer, with diferent Ip.
In my case, there are db tables with users and their properties. In users table got login field (Domain/UserName). Also got custom Identity and Principal, which using this table to authenticate user in global.asax autherticate_request method.
To simulate different users in debug mode, there is special control rendered in master page (or layout page for mvc). It contain select box with all users, and apply button.
On server side after apply button click in session pushed emulated user login and sending refresh to response.
So in next authenticate event occured checking for emulated user login in session and if it exists then authenticate continues based on emulateded login.
Bad side: need sync service to always have actual user table based on current AD.