Security :: Require Https To Safeguard Windows Authentication Credentials?

Nov 9, 2010

I have a zealous network administrator who insists that we must use https on an intranet web application in order to safeguard users' credentials. The app is an asp.net web app that uses Windows Authentication to automatically identify users and log them in. There is no login dialog and users never enter their login or password. The application does not process any confidential data, and the only rationale for requiring https is to "safeguard" users' credentials. Additionally he stated that NTLM can be easily hacked. I responded with some information from an MS white paper on Windows Authentication that said it was the recommended way of authenticating users, and that users' credentials were safe because their passwords are not transmitted across the network when the application authenticates them since it sends a hash of the password.

View 1 Replies


Similar Messages:

Security :: Windows Authentication And Still Asking For Login Credentials?

Jul 20, 2010

I have an intranet web application, where I have windows authentication = true in web.config. I hear from end users that the website is asking for their login credentials and they don't like it. By the way, I am getting the username from HttpContext.Current.User.Identity.Name and Domain Name from Mid(UserNameID, 1, InStr(UserNameID, "\") - 1). In IIS, anonymous access is unchecked and Integrated Windows authentication is selected.

View 9 Replies

Security :: A Mvc2-website With Windows Authentication Keeps Asking For Credentials?

May 25, 2010

I have a mvc2-website with windows authentication.

<authentication mode="Windows" />
<authorization>
<allow users="*"/>
</authorization>

In IE the website keeps asking several times for my credentials per webpage. In Firefox it works correctly.

View 4 Replies

Security :: Force Https Before Windows Authentication?

May 10, 2010

Okay, so I have a site which I'd like to use my SSL certificate for always. So I want all users to be forced to the https version of any url they are directed to. I used this code in my global.asax file:

[Code]....

I've also tried it in the 'Application_BeginRequest' function also. Basically, I have two directories that are secured via Windows Authentication against my domain. If you browsed to the directory (ex. http://www.domain.com/secure) it tries first to authenticate then redirect to https://www.domain.com/secure. In this case it will ask for credentials twice, one right after the other. Is there a way I can have the user redirected before Windows Authentication kicks in?

View 5 Replies

Security :: How To Provide On Credentials Page A User Name And Password If Use Windows Authentication

Dec 20, 2010

[Code]....

View 4 Replies

Security :: Windows Authentication Bypassing NT Challenge Login; Pass Credentials Manually?

Mar 17, 2011

Is it possible to bypass the NT challenge login, and just have a standard webform login, then authenticating programmatically as that user and passing those credentials manually to my connection string so that the database sees me as that user?

View 1 Replies

Getting User Credentials Windows Authentication?

Mar 22, 2010

If a user has signed into their computer and is connected to an intranet, is there a way to grab the user's credentials and authenticate them in asp.net? What specific code would do this?

View 2 Replies

WCF / ASMX :: Windows Basic Authentication-Credentials Retained For Further Calls?

Aug 25, 2010

I have an XML web service where the authentication used is BASIC WINDOWS. Following is my client code to connect to the service.

[Code]....

Now, the issue is that the client is really authenticated only in the first attempt (the first time I execute the code in VS). Further attempts succeed even if the code to assign credentials is commented out or even after providing a wrong user id/password. I ensured that the server is hit each time (just to make it clear that it is not just because of client-side caching). Is this the behavior of Basic authentication/credential cache? I would prefer the client be authenticated each time he hits the server.

View 2 Replies

Security :: Use Https On Authentication Time?

Jul 17, 2010

First I want to know: most e-mail services like Gmail, Yahoo, Hotmail, etc. all use https when we come to the login area. Why are they using https only at that time? I also need to implement the same in my web application.

View 4 Replies

Security :: Using Different Windows Login Credentials Within A Webpage?

Jan 22, 2010

Is the above possible? Basically I need it as I am creating a site where users can upload files to a shared network drive which is secure and has a system account.

When a user clicks on upload file, if possible I would like the page to automatically kind of log in with the system account, copy the files and then log off. I know I could achieve something similar by mapping a drive but would prefer not to do that for these reasons:

- Security risk if the mapped drive for some reason isn't removed by the code

- User may not have the drive letter free.

View 1 Replies

Security :: Web App Is Running NT Authority\Network Service Credentials And Not The Windows One?

Feb 16, 2010

I have a web form and code snippet for it is below:

<body>
<form id="form1" runat="server">
<div>
<h5>Welcome <%= System.Security.Principal.WindowsIdentity.GetCurrent().Name %>.........

But when I run my web application, I am getting the message "Welcome NT AUTHORITY\NETWORK SERVICE" and not the current windows user name.

View 1 Replies

Security :: How To Restrict Windows Credentials Prompt Window For The Application

Oct 24, 2010

We have created an Intranet Web Application with Windows Authentication.

It prompts for a Username and Password each time we access the application.

How can we restrict that prompt other than IE --> Security --> Custom Level --> User Authentication.

(Because, with this option we need to set these settings in each and every user's system)

View 3 Replies

Web Forms :: Passing Credentials To IIS "Integrated Windows Authentication" Protected Directory

Sep 8, 2010

I have set up a directory on my IIS web server that is protected by "Integrated Windows authentication". I want visitors to be required to enter a name and password to view files in the protected directory except if they are following a link to files in the protected directory from a certain page on my website.

I am doing this to try to get better protection from search engine spidering than is provided by using a robots.txt file.

I am using ASP.NET 3.5 with VB. I am wondering if there is a way to pass the log on credentials to the IIS server via a link, or if there is a way to fill in the name and password for the login screen automatically, or something else that would work. It is OK if the login name and password are visible to the visitors.

View 3 Replies

Security :: Authentication Login That Access MySql To Validate The Credentials Entered?

Mar 29, 2011

I have a form-based authentication login that accesses MySQL to validate the credentials entered. I was wondering how you would encrypt the password?

View 3 Replies

Security :: Keep Authentication Cookie Between Http And Https On Two Different Domain?

Dec 6, 2010

Is it possible to preserve authentication for the ASP.NET Forms authentication cookie between Http and Https (different domains) and back? I mean having single sign-on for two domains, say http://www.mydomain.com and https://members.mydomain.com. I've seen on quite a few asp.net sites that have a 'MyAccount' section that they transfer the site to https and then, when you have logged into your account successfully and gone back to the majority of the site, you move back to http whilst still being logged in.

View 1 Replies

MVC :: How To Redirect Actions, That Require Https To A Certain Subdomain

Mar 16, 2011

I am new to asp.net and mvc 3. Currently I am experimenting with https. I use mvc 3, iis 7 and visual studio 2010 under windows 7.

The problem that I want to solve is the following.

The SignUp action should only be accessible via https.

My SSL certificate is issued only for a certain subdomain: secure.mydomain.com

The goal is that all requests to SignUp are redirected to secure.mydomain.com/SignUp such that the certificate fits to the domain.

Requests not using https simply should use mydomain.com.

I successfully installed the certificate to my local iis 7, and when I use the [RequireHttps] attribute, the connection is protected with this certificate.

My questions are:

How can I do the redirects right?

Is there a possibility to test this on my local machine where all requests go to localhost?

View 6 Replies

Security :: What's The Difference Between Basic Authentication And Integrated Windows Authentication In IIS

Jan 4, 2011

What's the difference between Basic Authentication and Integrated Windows Authentication in IIS?

View 3 Replies

Security :: Enable Windows Authentication And Disable The Anonymous Authentication In IIS?

Mar 10, 2010

I set authentication mode to Windows in the web.config and I enable Windows Authentication and disable the Anonymous Authentication in IIS 7 on Win 7, but HttpContext.Current.User is always null. It works fine when I host the web app in IIS 6.0.

View 1 Replies

Security :: Avoid Windows Login Userid And Password Window When Use Windows Authentication Mode For Website

Dec 30, 2010

I have been trying to avoid the windows login userid and password window when I use the Windows Authentication mode for a web site. I need to capture the windows logon user name without prompting for the user id and password and display that on the web site. I had tried almost everything... changed authentication, security setups on IE and IIS etc... still not being able to avoid the window...

View 1 Replies

Security :: Changing From Forms Authentication To Windows Authentication?

Sep 3, 2010

What do I need to do in order to change an application from Forms Authentication to windows authentication?

View 2 Replies

Security :: Setting Up Windows Authentication In Windows 2008 RC2?

Sep 8, 2010

We have a working version of an application (Intranet) which uses Windows Authentication, deployed on Windows 2003. The application uses HttpContext.Current.User.Identity.Name to get the logged-in user. Here impersonate is turned off. Right now, we are moving to Windows 2008 RC2, where this Windows Authentication problem arose. I have Digest Authentication and Windows Authentication enabled. I have also enabled Anonymous Authentication to avoid the Login dialog of IIS in the end-user IE. Now I am getting HttpContext.Current.User.Identity.Name as Empty. When I impersonate using username and password, I am used to login using that user but all the users use the same user to login. Does anyone have a solution for this?

Deployment Server - Windows 2008 RC2 (IIS 7.5)
Development - Windows 7 (IIS 7.5)

I am new to IIS 7.5. Please give me a solution.

View 3 Replies

Security :: Getting Windows Username Using Windows Authentication?

Sep 3, 2010

I am developing an intranet website. Being an intranet application, one of the requirements is to have a single sign-on feature.

It means that the windows PC username (i.e. the "ctrl + alt + delete" username) is going to be the username for the system.

How do I fetch that username?

I tried the following two ways, which are working in debug mode but not on the live site.

System.Security.Principal.IPrincipal user = System.Web.HttpContext.Current.User;
Response.Write(user.Identity.Name);
&
Response.Write(Request.ServerVariables["AUTH_USER"].ToString());

Both of the above methods work when I run the page from Visual Studio.

However, when I run the page from IIS or any other server, it gives me a blank value.

View 12 Replies

Security :: Webservice Security And Windows Authentication - Invoke SSIS Packages From Web Service

Dec 15, 2010

I have to invoke SSIS packages from a web service in the most secure way. I think that windows authentication will be secure but I am not sure. I do not have much knowledge about how to achieve this and the information on the internet is very distributed.

View 1 Replies

Security :: Windows Authentication - Get Role Security In Web Config File To Coincide With Controls

Apr 6, 2010

We use Sharepoint to control our websites. We build the sites, then load them into the sharepoint server. My question is, if I use windows authentication, how can I get my role security in my web config file to coincide with the asp.net controls that use the Forms authentication? Is there a difference? Our security uses a session variable for security but there is nowhere to set up their permissions except in active directory. I hope this makes sense because I would like to implement the LoginView with Role groups, but how can I give them the role="administrator"? Do I have to go into active directory and give them these permissions (would take a while due to the size of the company)? Or do I have to set up privileges in the web.config file for each user (difficult, I think)?

View 5 Replies

Security :: 4 Security Via Windows Authentication - Restrict Access To Safe / UCantSeeMe.aspx

Aug 18, 2010

I'm writing a simple Intranet application using windows authentication. I want to restrict access to Safe/UCantSeeMe.aspx. I am aware of the AuthorizeAttribute, but this only works on methods. I also found a good post on doing this with the MVC pattern, but I'm not using MVC. This can be done with roles in forms-based security. I read on MSDN that using windows-based security means roles are based on groups, but it doesn't go into any detail. How can I restrict access to Safe/UCantSeeMe.aspx?

View 1 Replies






