Authenticate And Authorize Internal And External Users To Log And Then Re-route To Web Applications For The Organization
Mar 26, 2010
Need to develop a Web application that will be used to authenticate and authorize internal and external users to log and then re-route to web applications for the organization. The login application should be able to provider smooth integration with any future applications that needs a secured authentication. Should I be using WIF - Claims based Identity/ADFS or asp.net Role membership provider to develop this app.?
How can I authorize and authenticate users by roles? I have roles table and user's table, role Id is the primary key in the roles table and foreign key in the user's table.
I'm trying to add a directory for anon access in IIS 7.5. It works under Web Dev but not IIS 7.5
I'm currently using this web.config in the directory. This is a directory with style sheets:
<?xml version="1.0"?>
Note: As an alternative to hand editing this file you can use theweb admin tool to configure settings for your application. Use the Website->Asp.Net Configuration option in Visual Studio. A full list of settings and comments can be found in machine.config.comments usually located in WindowsMicrosoft.NetFrameworkv2.xConfig
I've went to the folder and under Authentication, I've changed anonymous authentication from IIS_USR to pool. This seems to have correct it.
I will reward anyone who provides a very good explanation and resources for understanding this setting. Also, how to apply it globally would be good to know -- for all folders.
So I can get the user logon to some recording data or some thing else.
I was thinking if that was possible to put some value in web config that gets the user logon and if that logon is authorizated for that page it let him open else it close the page...
I have a WCF service that runs in my web application that provides data to a Silverlight application and is defined as follows (with an appropriate .svc file)....
[ServiceContract(Namespace = "")] [AspNetCompatibilityRequirements(RequirementsMode = AspNetCompatibilityRequirementsMode.Allowed)] public class DispatchService [code]...
The idea is that the user logs into the website and is then authorised for all services. I do not want to have a login aspect to my Silverlight application to authenticate users.Therefore I dont want anyone to be able to call my service who is not authenticated.
Could I...Somehow determine this for each Operation Contract. I had a look inside the OperationContext object but couldnt find anthing that stood out as a way to determine who the user was.Somehow attribute the ServiceContract so that the method can only be used by authorised users?Put something in my web.config to stop unathorised users from being able to access the folder containing the services?
How to Protect Web services from Un authenticated users.. right now Im Using Protected Access specifiers.. Is it Correct method To Protect Web services?
I currently have a website up and running and working correctly with godaddy.com using the out-of-the box authentication with an aspnetdb sqlserver database. I have users on this site and am very hesitant to change anything with this database or the web.config file from the working site for fear of wrecking it
So, my challenge is that I need to authenticate a separate application using the same aspnetdb.mdf file without any crossover to my 1st application. I've noticed that the ApplicationName that is currently in my aspnetdb database for the working application is just "/". I know that I'll need to have 2 separate entries in the aspnet_Applications table to define these two applications and then somehow register those names within their respective web.config files - but wanted to have step by step instructions on how to this so as to not "break" the 1st working application that is already live.
Can anyone point me to a document on what changes I will need to make?
Also, with the default create user wizards I'm using, how will it know to create the new user information with the correct application ID so that the user information from one application is not visible to managers of the second application and vice/versa?
i have to show organization chart for an organization. i have no idea how to do that,,how can i use system.graphics name space to show this chart can anybody help me with this..??data is basically coming from data base, the whole hierarchy is there in the database i have to show it graphically on organisation.aspx page.
I'm NTLM (authenication="windows" in the web.config) with an asp.net mvc 2.0 site. Right now once a user logs in it keeps them logged in for weeks at a time. The use of the application is being opened up to users who share computers that use logged in service accounts. I need the site to reprompt each user for their AD credentials each time in order to handle these users. (Activity on the site must be linked to a uniquely identified user.)
My company has several web applications written in ASP.NET. We need to make these applications available to Intranet users as well as authenticated external users. Most of the features are the same for the two groups, though there are some extra features available to the Internal users. The two different sets of users would use a slightly different security setup... our internal people will be authenticated using LDAP against Exchange, whereas the external users will have accounts in SQL Server.
What is the best approach for deploying our web apps? Should we deploy 2 copies to different servers, one configured for an Intranet and one for outside users? Or is there a better way to share the code between the 2 servers, yet have the flexibility to use different web.config settings for security??
I have the IIS webserver on Domain A. I have many users on Domain B, C, D, E.
I've set the NTFS security permission for each user and his/her domain to the webserver's security ntfs permission folder. But it is still not authenticating. So what do I need to do to enable this feature? I am using windows 2003 webserver.
I'm new to asp.net and SQL Server and I'm trying to research and implement a good way to authenticate a user using those technologies. Would you have any advice as to best approach this? I've read some of hashing but I couldn't find a good tutorial or website describing the best way to approach that
I have an extranet site (asp.net), we want that if an employee click on the link, it will automatically get them in. But if an external user does it, they will be redirected to a login page.
is it possible? how to know if a request come from internal user (employee) or external user (vendor).
I am working on an app where users are only allowed access if they click through from certain URLs. I.e. I need to authenticate by using the referral url and I am using Request.UrlReferrer to achieve this.
I am guessing that the Request.UrlReferrer can be tampered with by malicious users to gain access...
I have a asp.net (3.5) web-app that will be used in an intranet. I need to enforce that users type in their network credentials (windows credentials) before they can log into this application. I intentionally need to disallow Integrated Windows Authentication. I need to authenticate these users against my company's Active Directory, that is obviously on the same network as my .net web app.
I have been reading a bit about Forms Authentication using ActiveDirectoryMembershipProvider - [URL]. I also stumbled upon this - [URL]. Based on what I can tell, both seem to do what I need to get done. Could somebody tell me what are the major differences, pros/cons and when you would use which method? Or are these exactly identical, and both achieve the exact same results?
From the security perspective...what do I need to watch for? I am assuming if I use SSL that will cover me for when I pass the username/pwd to AD for verification?
I have been asked to use the login control to authenticate users to use the website. I have a master page which has header pictures and a menu down the left. I have created a login form and configured my web.config file to use form authentication but when I run it, it does not show my master page just the content page. Should my login page not be a content page?
The behaviour I would like is for a user to be able to visit a custom built website and if they are already authenticated against sharepoint for the custom website to know who they are and give them various rights. If they are not recognised by sharepoint then I would like them to login to sharepoint and be directed back to the custom website. Sharepoint picks its users and groups up from Active Directory. I don't know much about the internals of the server, but the custom one will be in a separate domain (I think) though I have full control over the custom and moderate control over the SP infrastructure.
I'm looking at starting a new web app which needs to be secure (if for no other reason than that we'll need PCI (Payment Card Industry) accreditation at some point). From previous experience working with PCI (on a domain), the preferred method is to use integrated windows authentication which is then passed all the way through the app to the database using kerberos (so the NT user has permissions in the DB). This allows for better auditing as well as object-level permissions (ie an end user can't read the credit card table). There are advantages in that even if someone compromises the webserver, they won't be able to glean any/much additional information from the database. Also, the webserver isn't storing any database credentials (beyond perhaps a simple anonymous user with very few permissions for simple website config)
So, now I'm looking at the new web app which will be on the public internet. One suggestion is to have a Active Directory server and create windows accounts on the AD for each user of the site. These users will then be placed into the appropriate NT groups to decide which DB permissions they should have (and which pages they can access). ASP.Net already provides the AD membership provider and role provider so this should be fairly simple to implement. There are a number of questions around this - Scalability, reliability, etc... and I was wondering if there is anyone out there with experience of this approach or, even better, some good reasons why to do it / not to do it.
I need to authenticate users based on three parameters such as username, password and officename instead of just username and password. User name is unique only across the single office and not across the application.
Can I achieve this using Membership class and if yes do I need to write any custom code for that?
I am trying to integrate authentication for a cloud-based application with an Active Directory forest behind my cilent's firewall.
I am a Python developer from the open-source world... needless to say, .NET is not my forte and I'm not familiar with authentication technologies provided by IIS/WIF/etc.
I have installed DotNetOpenAuth and gotten the sample MVC OpenID provider working with the included ReadOnlyXmlMembershipProvider.
I have scoured Google for a sample config/implementation or any documentation at all that describes the appropriate membership provider to use. The only thing I have found are hints - "It's included out of the box," or "create a .NET app that authenticates off of AD and expose OpenID."
How can I query off my client's AD? Is there a provider included with DNoA?
I'd like to use the ASP.NET membership provider in the following (low-security) scenario...
My company will create and administer user accounts on behalf of our clients. These accounts will likely be shared amongst several people in the client company (is that a problem?).
There will be 2 types of users (2 roles): client and administrator. Administrators are the people within my company that will have special privileges to create client user accounts, etc.
Clients will not be able to self-register. They also won't get to choose their own password, and they should not be able to change their password either, since that will just create confusion where several people are sharing the same account.
My internal users (admins) will set the password for each client. Here's the bit I'm struggling with: if a client phones up and asks to be reminded of their password, how can my admin users find out what the password is? Can I configure the provider to store the password in clear text (or other recoverable form), and if so can I get at the password through the .NET API?
As I said at the outset, this is a low-security application, and so I plan simply to show the password in the (internal) web page where I have a list of all users.
I found a great answer on SO describing how to set up custom user roles, and I've done the same in my project. So in my Login service I have:
public ActionResult Login() { // password authentication stuff omitted here var roles = GetRoles(user.Type); // returns a string e.g. "admin,user" var authTicket = new FormsAuthenticationTicket( 1, userName, DateTime.Now, DateTime.Now.AddMinutes(20), // expiry false, roles, "/"); var cookie = new HttpCookie(FormsAuthentication.FormsCookieName, FormsAuthentication.Encrypt(authTicket)); Response.Cookies.Add(cookie); return new XmlResult(xmlDoc); // don't worry so much about this - returns XML as ActionResult } And in Global.asax.cs, I have (copied verbatim from the other answer): protected void Application_AuthenticateRequest(Object sender, EventArgs e) { var authCookie = Context.Request.Cookies[FormsAuthentication.FormsCookieName]; if (authCookie != null) { var authTicket = FormsAuthentication.Decrypt(authCookie.Value); var roles = authTicket.UserData.Split(new Char[] { ',' }); var userPrincipal = new GenericPrincipal(new GenericIdentity(authTicket.Name), roles); Context.User = userPrincipal; } } Then, in my ServicesController class, I have: [Authorize(Roles = "admin")] //[Authorize] public ActionResult DoAdminStuff() { ... }
I login as a user with the "admin" role, and that works. Then I call /services/doadminstuff - and I get access denied, even though when I put a breakpoint in Global.asax.cs, I can see that my roles do include "admin". If I comment out the first Authorize attribute (with roles) and just use a plain vanilla Authorize, then I can access the service.
we have a web site (Web Site 1) which is presently working and authenticates the users using ASP.Net login control.
We have a new site (Web Site 2) which will have a web page with user name and password fields and these values will be posted to Web Site 1. I am trying to authenticate those user credentials on Web Site1 using
Membership.ValidateUser(UserName, Password); method. but i am keep getting "User AuthenticatedObject reference not set to an instance of an object. " exception.