Security :: Use Membership Store For User Settings With Windows Authentication
Sep 1, 2010
I am evaluating ASP.NET Membership for an intranet Silverlight app. I want users to be automatically authenticated for my application with their windows logon. Thus I configured Windows Authentication. I would like to store user settings like email-address in using the SqlMembershipProvider and not AD. It seems that storing user settings using the SqlMembershipProvider is not supported with Windows Authentication. Is this really so (using .NET 4)?
If so: What is the rationale behind this? IMHO authentication, user settings and authorization are distinct aspects. User settings could easily be stored (identified by user name) using the SqlMembershipProvider with authentication and password management being supplied by Windows. What is the recommended solution for my scenario?
I have a custom membership user class and custom MembershipProvider working against database. Due to security reasons the user passwords are stored in the database as hashed values. So my procedure
public override bool ValidateUser(string username, string password) is { //select hashed password from db return (EncodePassword(password) == dbpassword) } [code]....
We have an ASP.NET Web App, where we want to provide a link 'Sign in as a different user' on a page. Authentication mode is Windows. Went through a couple of articles (like setting the statuscode =401). We want to authenticate the user, and then redirect him to a specific page (say 'ReviewTask.aspx');
Just got a new dev machine and am having trouble with this piece of code in our project. I have set folder permissions to give Network Service read/write accessFor dev, this is being ran locally on IIS 7.5. IIS Authentication settings are Forms Authentication and Windows Authentication enabled.I am getting a permssions error when the xml is written to the local hard drive.
I am having an issue, with the membership and form authentication. I am having a problem where when an logged in user types a url they can see the content of pages they're not suppose to. When the user tries to click on the screen or any ajax fires they are redirected to the main page. What is going on? I have all the items setup in the webconfig properly just wondering what is happening. Also I don't want to use a redirect solution for each page since that is what I thought webconfig was setup for.
I have an Intranet web site that uses Windows Authentication and when a users password expires the do not get a prompt letting them reset it. We also have OWA and if they go there to check mail, it sends them to a page which allows them to reset it there. How can I trap for expired passwords and allow them to change it like they can with OWA?
i have a problem with the users authentication on my site. I made <authentication mode="Windows"> in my web.config. The LoginView shows "mycomputermyusername" if i request the page. So far as well. Now i want to login with a different username. Users are stored in an Active Directory. My questions: wich setting i have to do, that user's account and password checked by Active Directory? how can i force the system to make a new login? Logout doesn't work, i always see my on account.
I set authentication mode to Windows in the web.config and I enable Windows Authentication and disable the Anonymous Authentication in IIS 7 on win 7, but HttpContext.Current.User is always null.It works fine when I host the web app in IIS 6.0.
I have been trying to avoid the windows login userid and password window when I use the Windows Authentication mode for a web site. I need to capture the the windows logon user name without prompting for the user id and password and display that on the web site. I had tried almost everything... changed authentication,security setups on IE and IIS etc... still not being able to avoid the window...
I've been asked to upgrade a few applications and I'm planning on merging all of them into one asp.net application. I'm fine with this decision and have spoken with fellow workers and they also think it's the best option to go with.
The application will be accessed from a small group of users which belong to a larger domain. I'm currently planning on using Windows authentication and only allow this small set of users to access the asp.net application. Also there must be some role management, so that only certain users can view certain functionality.
I really don't want to have many different windows groups; so I want to avoid having to assign different windows groups to different folders and control permissions in the web.config.
What I'd like to do is:
- Assign one windows group to the small group of users who will access the page.
- Create a custom membership provider and control the user who accesses the application. Depending on the user I will then assign his current set of roles.
- Add an application setting to the web.config, with the name of the current administrator, so if he logs in, he will be assigned all roles, and will be able to create and assign roles to other users.
We have a working version of application (Intranet) with uses Windows Authentication deployed in Windows 2003. The application uses HttpContext.Current.User.Identity.Name to get the logged-in user. Here impersonate is turned off.Right now, we are move to Windows 2008 RC2 where this Windows Authentication problem arised. I have Digest Authentication and Windows Authentication enabled. And also I have enabled Anonymous Authentication enabled to avoid the Login dialog of IIS in the end-user IE. Now I am getting HttpContext.Current.User.Identity.Name as Empty. When I impersonate using username and password, I am used to login using that user but all the users uses the same user to login.Does any has solution for this?Deployment Server - Windows 2008 RC2 (IIS 7.5)Development - Windows 7 (IIS 7.5)I am new to IIS 7.5. Please give me a solution
I have been diligently learning all about the asp.net membership framework and have a test site running it all. However, during my testing, it became apparent that deleting users would be useful. I can delete users from the "aspnet_users" & "aspnet_Membership" tables simply by right-clicking on the table in server explorer, selecting "show table data", highlight the rows and press delete!!
However, this is a pain and I would much rather do this properly from code behind.
I have found out that the membership schema supplies a large number of "stored procedures" including "Delete_Users" however, when I execute this one manually, I have no idea what the last two parameters are (number of tables and something else from memory - the first two "application name" and "username" are easy to copy in to the dialog.
show me a sample set of VB code that I can use behind a "Delete User" button on my webform including how I supply the parameters. I have set up a drop down list box from teh "aspnet_users" table which displays the "UserName" and has as the SelectedValue "UserId".
we use forms authentication for a community website with about 200k users with a simple login like this:
Private Sub btnLogIn_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles btnLogIn.Click If CheckPassword(txtEmail.Text, txtPassword.Text) FormsAuthentication.RedirectFromLoginPage(txtEmail.Text, chkRememberMe.Checked) End If End Sub
which checkPassword reads from a MS SQL users table. it has worked without major problems for 3 years but we need to store the login date of users in a table, both when they login explicitly and when they had selected "remember me" and come back (we store login once per session)
since we have a complicated profile system and database it will be practically impossible to switch to membership API. last time I was told we could user an auditing system to do that but I have no idea how to do that.
I'm using the ASP.NET SQL Membership Provider. So, there's an aspnet_Users table that has details of each of my users. (Actually, the aspnet_Membership table seems to contain most of the actual data). I now want to store some per-user information in my database, so I thought I'd just create a new table with a UserId (GUID) column and an FK relationship to aspnet_Users. However, I then discovered that I can't easily get access to the UserId since it's not exposed via the membership API. (I know I can access it via the ProviderUserKey, but it seems like the API is abstracting away the internal UserID in favor of the UserName, and I don't want to go too far against the grain).
So, I thought I should instead put a LoweredUserName column in my table, and create an FK relationship to aspnet_Users using that. Bzzzt. Wrong again, because while there is a unique index in aspnet_Users that includes the LoweredUserName, it also includes the ApplicationId - so in order to create my FK relationship, I'd need to have an ApplicationId column in my table too. At first I thought: fine, I'm only dealing with a single application, so I'll just add such a column and give it a default value. Then I realised that the ApplicationId is a GUID, so it'd be a pain to do this. Not hard exactly, but until I roll out my DB I can't predict what the GUID is going to be. I feel like I'm missing something, or going about things the wrong way. What am I supposed to do?
while creating users/groups using web site administration tool, is there a way to configure it to store to a specific database rather than store to a Microsoft SQL 2005 Server Express Edition by default in the App_Data folder?
I have to invoke SSIS packages from web service in the most secure way. I think that windows authentication will be secure but i am not sure. I do not have much knowledge about how to achieve this and the information on the internet is very distributed.
We use Sharepoint to control our websites. We build the sites, then load them into the sharepoint server. My question is if I use windows authentication, how can I get my role security in my web config file to coencide with the asp.net controls that use the Forms authentication. Is there a differenence? Our security uses a session variable for security but there is no where to set up their permissions except in active directory. I hope this makes sense because I would like to implement the LoginView with Role groups but how can I give them the role="administrator"? Do I have to go into active directory and give them these permissions(would take awhile due to the size of the company)? Or do I have to set up priveladges in the web.config file for each user(difficult I think)?
I'm writing a simple Intranet application using windows authentication. I want to restrict access to Safe/UCantSeeMe.aspx. I am aware of the AuthorizeAttribute, but this only works on methods. I also found a good post on doing this with the MVC pattern, but I'm not using MVC. This can be done with roles in forms based security. I read on MSDN that using windows based security means roles are based on groups, but it doesn't go into any detail. how can I restrict access to Safe/UCantSeeMe.aspx?
I have a web application that uses a SQL database which contains all the standard asp membership tables.Within my Web application I use the standard asp.net membersip logic for adding new users, roles, etc...The point here is I dont use any custom providers for anything.Now on that same machine that is hosting my web application I am writing a Windows service in c# .net.As part of one of the method calls to the windows service application I was curious if I would be able to use any type of membership classes that would connect to my existing database and perform the same functionality as does the ASP.NET membership classes.
I need to convert a web site using traditional ASP.Net login,membership/role with SQL to a custom system. I need to use a third party (CAS) authentication system while still using membership and roles to control access to content and User.Identity functions.What would be the best way to accomplish this? I use the <deny> and <allow> user throughout the site to control page access.
