Security :: Two Applications Using Same Domain / Common Authentication Possible
Feb 19, 2010
I have a case where i have two asp.net applications, one is hosted on example.com/App1 and the other on /App2.
both applications are password protected using Windows authentication.
App1/default.aspx has a <img src="/App2/somefile.aspx">
Now what happens when i open App1 is that i get the credentials prompt, but because App2 is also protected, the HTTP GET for the img requires me to authenticate, in other words i get two prompts.
Is it possible to do something so that the authentication is for example.com so that both App1 and App2 consider the user authenticated?
I have a bunch of applications that currently share the authentication cookie in v3.5.
We're in the process of upgrading to 4.0 and also upgrading the applications as a whole. I have 1 done, and would love to deploy it. However, as soon as I do, I lose my sharing of authentication cookie in that application.
In each web.config, my machine key is declared. I removed the actual keys to protect the innocent. :)
<machineKey validationKey="..." decryptionKey="..." validation="SHA1"/> <authentication mode="Forms"> <!-- DEV Server --> <forms enableCrossAppRedirects="true" loginUrl="Logon.aspx" name=".COOKIENAMEHERE" protection="All" path="/" slidingExpiration="true" timeout="1440"/> </authentication>
,Second and Third applications are accessed throught the first,So Authentication (form authentication) is happening from the first application only , all are deployed on same IIS with seperate virtual directory
Like
1.Localhost/EmpMananger
1. Localhost/Hr
2.Localhost/Payroll
, I used the same Entires in both <machineKey> and <forms> Elements in webconfig file of all applications,
Applications are working fine and Page.User.Identity are available in all applications but once loginUrl and defaultUrl entry is changed to actual name other than localhost
Eg: localhost/EmpManager/default.aspx To myserver/EmpManger/default.aspx
the authentication ticket is not available in second and third applicaiton
I have a .net 1.1 ASP application (domain.com) which has a .net 2 virtual directory (domain.com/v2) beneath it, both applications run within their own app pool on the same Windows Server 2003 machine running IIS 6. The web.config files for both apps are setup for Forms Authentication as described here - [URL]
Users would be directed to the domain.com/v2/login.aspx page which would authenticate for both applications, this configuration has been working fine for the last few years until installing one of the recent Windows 2003 security updates today. Now after authenticating under /v2 users keep getting redirected back to domain.com/v2/Login.aspx as domain.com doesnt see them as authenticated anymore.
which security update would have caused this and if its possible to fix or rollback?
We are upgrading the asp.net 2.0 web application to asp.net 4.0.
The application contain three main modules (sub application) like End User, Franchise and Admin with separate web.config, asp.net form Authentication, login page and running with single domain.
In asp.net 2.0, working fine with 3 sub applications with separate form authentication under a single domain name and also we can working with all threes in same time.
After the up gradation process (ASP.NET 2.0 to 4.0),
We didn't run all three applications in same times and also form authentication crossed.
I have two different web sites in Intranet zone. They are placed in one domain (like http://site1 and http://site2.site1). They use Windows Authentication for common domain (like mycorpUser1, mycorpUser2, mycorpUser3).First web site(http://site1) have iframe element with hyperlink to second web site(http://site2.site1). When user loads first web site he needs write login and password twice. How to make that http://site1 and http://site2.site1 ask authentication only once?
I have an asp.net c# site that I have setup in IIS 7 and am loading into a sharepoint frame. Sharepoint doesn't prompt for domain credentials but my site does?In IIS I have enabled basic and windows authentication so I can get the domain users username, so if there is a way to get this without prompting that'd be a perfect solution for me.I am using the follwing statement to get username:
is it possible to preserve authentication for ASP.NET Forms authentication cookie,btween Http and Https (different domains) and back?I mean haveing single signon for two domains say http://www.mydomain.com and https://members.mydomain.comI've seen on quite asp.net sites that have a 'MyAccount' section they transfer the site to https and then when you have logged into your account successfully and gone back to the majority of the site you move back to http whilst still being logged in.
We are upgrading the asp.net 2.0 web application to asp.net 4.0. The application contain three main modules (sub application) like End User, Franchise and Admin with separate web.config, asp.net form Authentication, login page and running with single domain. the URL like,mydomain.com/login.aspxmydomain.com/franchise/login.aspxmydomain.com/admin/login.aspx In asp.net 2.0, working fine with 3 sub applications with separate form authentication under a single domain name and also we can working with all threes in same time. After the up gradation process (ASP.NET 2.0 to 4.0),We didn't run all three applications in same times and also form authentication crossed.
I'm bangin' my head against the wall here. I'm not even sure what I want to do is possible. I have developed an ASP.NET app that will only be run on my local network (which incorporates a Windows Domain). It's running on IIS 7.5.I want to do this:
[Code]....
My problem is this: If I don't turn off Anonymous Authentication and ASP.NET Impersonation, I don't get the results I'm looking for. (if Anonymous is allowed, I get an empty string returned for username, and if ASP.NET impersonation is allowed, then "username" is always whatever account is associated with impersonation, like "Network Service"). If I turn those off and then turn Windows Authentication on, it works, but only after a dialog box presents itself asking for the Windows Credentials.
What I'm trying to do is NOT require the users to log in. Since they've already logged into the domain when they signed on their computer, I'd like to just allow them access to the ASP.NET application I've written, and identify who they are (based on their previous Windows login) using the line of code above. I don't need them to re-authenticate, because they're already authenticated from their domain login.I can't figure out what I'm doing wrong, or how to accomplish this. It seems the closest I've gotten to what I want so far, is to turn off all authentication EXCEPT for Windows Authentication. It works then, but only if the user first types in his/her username and password again in a dialog box. Is there any way to avoid having them type in their username and password again, but still be able to identify their domain username?
I have an interweb web application that uses Active Directory to authenticate the user. Im now getting some complaints that users on other domains are unable to access the application.
How can i make it work so that their domain name is also accepted by the application?
We have two applications. One application in .asp and second application in java.we want to build interface for universal authentication, so that one can access the other application once signed into one application.Both applications are using SQL database, but one is written in .ASP hosted on Windows server while the other is in JAVA hosted on a Linux server. The applications are currently resided on two different servers.
requirements:
1)The end user are most likely to access the applications through .ASP first, then reach the 2nd application more like "back office" management system.
2)he JAVA application currently works well with IE web browser, but not very smooth with other browsers such as Firefox. Would like to make the application to be more compatible with other browsers.
My feeling says it's not posible but anyway I am curious if there is at least a workaround for accomplish this.Basically I am working at my client site and my machine is not connected to the domain.What I want to do is running a web application locally under a domain account, and using the webdev server.The webapp uses the default authentication, windows authentication that is.I tried using impersonation with domainuser & password but I got the following error Could not create Windows user token from the credentials specified in the config file. Error from the operating system 'Logon failure: unknown user name or bad password.I have to mention that the username and the password are correct.
We are having a project which is for various online application systems for an educational institute. (Asp.Net 2.0 Web Site)
initially we developed all applications in single project with proper folder structure. but now we want to make each application as separate product.
all applications share single authentication(Obviusly this is single project) want to keep that way only.
I want to split project in smaller projects but want to keep shared authentication so how should i orgnise this project in IDE.
Also i need guidence on hosting such project
i should make small projects within single solution file. and at the time of publish amke single virtual directory to host the root project(login.aspx etc) and in subdirectories i should host other projects. so this way SSO(single sign on) across applications is possible ..
I have 2 applications App1 and App2 on same domain, both with Forms authentication, each using a different database instance for authentication.
First, I open a browser with application www.mydomain.com/App1 and log on.
After that, when I open another instance of the same browser with application www.mydomain.com/App2 and log on, first browser loses session and goes back to login page.
I need each application on same domain to have its own session so that both can stay logged on.
My feeling says it's not posible but anyway I am curious if there is at least a workaround for accomplish this.Basically I am working at my client site and my machine is not connected to the domain.What I want to do is running a web application locally under a domain account, and using the webdev server.The webapp uses the default authentication, windows authentication that is.I tried using impersonation with domainuser & password but I got the following error Could not create Windows user token from the credentials specified in the config file. Error from the operating system 'Logon failure: unknown user name or bad password.I have to mention that the username and the password are correct.
I was wondering what the following error means: Login Failed. The Login Is From An Untrusted Domain And Cannot Be Used With Windows Authentication. Initially, when my application was much simpler, I had no permissions and roles and my authentication mode was set to "windows". Afterwards, however, I added authorization, changed the authentication mode to "Forms" and ever since, when I try to login, I get the error above.
I have a domain: http://www.mydomain.com. This domain is redirected to http://mydomain.anotherDomain.com.
I user forms authorization, so when the user navigates to Default.aspx he is redirected to Login.aspx. Pretty standard stuff.
On FireFox the user can log in on both on http://www.mydomain.com and http://mydomain.anotherDomain.com.
But with Explorer http://www.mydomain.com doesn't work. I only get the Login.aspx page.
Can it have anything to do with that on http://www.mydomain.com I can't see the filename ('Default.aspx', 'Login.aspx')? How can I enable so the filename is included in the redirected domain?
I have an intranet web application. There are 2 user groups, group A belongs to the domain and group B does not. If I set the IIS to enable anonymous access, Request.ServerVariables("LOGON_USER") always return nothing. If I disable anonymous access and set Integrated Windows authenication, a Windows login prompt will come up if group B's users want to access the website.
How can I setup IIS so that when domain user access the website, it will direct to the main page with Session("user_name") = Request.ServerVariables("LOGON_USER"). If a user is not a domain user, the website will direct him/her to a login.aspx instead of having the Windows authenication prompt, then set Session("user_name") = txtUserName.Text, and finally redirect to the website main page ?
We have a website for our company on one domain and we have a login form to a webmail solution on another domain.Now i would like to build a form on our website the transfers the request to the login form on the webmail domain and automatically validate the user if user and pass are correct.Need help to find the correct way of doing this. The domains is hosted by our company, the website and webmail is on different servers. I don't want to use the querystring,
I'm using a common <machineKey> to allow two ASP.Net applications to share a single forms authentication ticket (ie. only need to login to one application to access both). My problem is that I only want users in a particular role to have access to the second application. What's the best way to implement this?
I've tried checking the role in Application_AuthenticateRequest() and doing FormsAuthentication.SignOut() if the role doesn't match, but that doesn't get picked up until the second request to the application. I can't redirect from Application_AuthenticateRequest() because that would just create a redirect loop.
I have 2 almost identical asp.net (vb) applications. 1 Development and 1 Production.
They use forms authentication that is configured to run in SQL server. Both apps use the same aspnetdb database but have different application names.
The problem I have is:I have an Identical login for each app (same username, same password), but If I change profile information for that user in the development app, the changes are reflected in production app. This isn't what I want.
Is it possible to share the claims based authentication of a logged in Sharepoint 2010 user with a separate Asp.net application?
The following article describes how it was done using Sharepoint 2007 and forms authentication through forms auth and sharing machine keys etc however I cannot find any information regarding the external application consuming the claims authentication that is now used in Sharepoint 2010?
we have 3 different domains and their active directory.i have to made a web serivce that when user gets logged in any of the domain and call that web service it takes the user credential.and then process the task and logged in the current user and domain of user. my iis configuration is 1) anonymous user disabled2)integrated authentication is enabled.and sending the user credentials as and then process the task and logged in the current user and domain of user.my iis configuration is1) anonymous user disabled 2)integrated authentication is enabled.
System.Net.CredentialCache.DefaultCredentials from calling application
our different servers are configured for any one of the 3 domains .when i use to call the web service (deployed on a server)from the same domain it
