I am building a web application for a client, where I will have to set it up on their Windows Server via IIS. I will have to integrate their base of users into my application via Active Directory (not Azure Active Directory). I have already included Windows authentication into my application and it seems to work on my local computer.
What I want to know is:
How to change the login prompt into my custom login page?
How to change the username of the authenticated user (right now when I sign in, I have to write down the name of the device and the name of the user. for example: _device/_user). What I want is for the user to simply be able to only write their username, not device name.
How to manage the access of the users, and how to add roles to them inside the application. Since the user is signed In. I now want to know how do I assign this user a certain role, so I can restrict access to certain pages based on that.
I have been looking through some documentation but not much is mentioned about Active Directory integration or the questions that I have listed above.
Steps;
You need to have System.DirectoryServices and System.DirectoryServices.AccountManagement references in your project, if you want to access AD.
Configure AD name and AD Organizational Units in appsettings.js ActiveDirectory": { "ActiveDirectoryDomainName": "Your Domain", "ActiveDirectoryOrganizationalUnits": "Your AD units" }
In your class method:
Fill your user object with AD values like userPrincipal.EmailAddress,userPrincipal.GivenName,userPrincipal.Guid.Value and etc.
If you want to manage users with roles, then take the GUID from AD (userPrincipal.Guid.Value) and store it another table and map that GIUD with required roles.
Note: If you can share some images and codes
Related
I have an ASP.NET Core 3.0 application that works with local Intranet Windows Authentication to identify logged in users. Using the standard Windows Authentication behaviors I'm able to capture the user's WindowsIdentity without an issue.
However, depending on how the user is logged into the browser using either automatic Intranet Browser login (ie. no password dialog) or explicitly logging in using the browser Password dialog box, I get different results for the user's groups.
The following is an API request that echos back user information including a filtered group membership list (that excludes built-in accounts). The one on the left is a manual login, the one on the right an auto-login.
For the explicit login I correctly see all the custom groups the user is part of. However, for the auto-login, those same groups do not show up:
I also took a close look at the User and Identity instances on the server, and it's referencing the exact same SIDs for the user, so it seems strange that different results are being returned for the Group Membership.
Any ideas why the group list is different when I am getting the same account returned? Note the groups are local so it shouldn't be an issue due to domain access.
Note: I'm testing locally on localhost even, and to test this I set the Windows Proxy Settings here:
With the checkboxes off I'm forced to login. With them on (in Chromium browsers anyway) I have to explicitly enter my credentials into the browser's login dialog.
Has the user logged out of their computer since being added to those groups?
The groups listed are held in the user's login token. I think what might be happening is that auto-login sends the user's existing login token (created when they logged into Windows), so it would not contain any groups that they've been added to since they last logged in.
Manually entering the username and password performs a new login, and thus gets a brand new token with all the groups at the time of the login. So new groups will show up there.
Last year I started using asp.net core MVC.
I used to make a security system using role and permissions based like:
When the application is first deployed into production, the application creates a default admin
role and admin user. This user has full application access.
This user can create a new roles and give access permission to a new role (including creating new role and user permissions) and assign it to the new user.
reference for this type of security system:
I read Microsoft documentation
And there everything is in hardcoded string .
How can I implement this in asp.net core2.x with EF Core for DB access?
(If possible provide some detail explanation links)
For an Example: Admin user Create Role 'PurchaseManager' and give access to this URL example.com/Product [Get/POST/PUT/DELETE] etc. all. after Admin user Create another Role 'StoreManager' and give access to this URL example.com/Product [Get Only]
this process will be done in production.
I want to get started with the Office365 Unified API , so I decided to register a new web app to our azure directory.
In the section: "permissions to other applications" , I select Office365 unified API(preview)
I only get set delegated permission (I don't have all admin powers in our tenant), so I choose the ones I need (user profiles, sign-in , the exact number does not matter).
When I save the configuration I get the message
Could not update the configuration for app ""
Information tells me:
Unauthorized. You do not have sufficient permissions to access this resource.
The strange is , that when I log out and return to the application in the Azure Portal, I do see those modification in the configuration ?!
Finally when I try to call the REST endpoint (with valid Accesstoken etc..) I get this message:
{"error":"invalid_grant","error_description":"AADSTS65001: No permission to access user information is configured for 'f1299649-ea20-4cf6-9cd6-afb69d9b5760' application, or it is expired or revoked.\r\nTrace ID: 69ab1a6c-eeda-4351-8e1e-2b774c19a5a0\r\nCorrelation ID: 968a962e-d851-48bb-ad6f-3f05ea7b8efe\r\nTimestamp: 2015-06-18 20:12:15Z","error_codes":[65001],"timestamp":"2015-06-18 20:12:15Z","trace_id":"69ab1a6c-eeda-4351-8e1e-2b774c19a5a0","correlation_id":"968a962e-d851-48bb-ad6f-3f05ea7b8efe","submit_url":null,"context":null}
So maybe the Azure Portal UI is right the first time and those permissions where never stored with the app ?
the application details in https://portal.office.com/myapps tell me this:
Permissions
This app works with data in your documents. It will be able to:
Read directory data
Sign you in and read your profile
Read all users'basic profiles
Access the directory as you
Read directory data
Sign-in as you and read your profile
What would be the next step to take to get this to work ?
What is your app trying to do (in terms of access to users, groups etc)?
Access the directory as you is a permission that requires admin consent. The portal unfortunately has a bug that it appears as though you have the permission, but that's not true. That's because there are 2 elements here - configuring the permissions your app needs which drives the consent experience AND the consent grant. The portal (under the covers) tries to consent the app for the permissions it requires within the developer tenant. A non-admin in this case has permissions to update the app configuration, but not to consent for those permissions in their tenant.
Hope this helps,
It is impossible to set permissions to Office 365 Unified API for your application even if you are tenant administrator due to error. I have tried it. Remember that whole Unified API is in Preview mode so there will definitely be other errors.
I need to build an app with Office 365 API and tried several examples provided here: https://msdn.microsoft.com/en-us/office/office365/howto/starter-projects-and-code-samples.
I manage to login to tha app with a user from within my own Azure Active Directory, e.g. user.name#tenant.onmicrosoft.com.
But, whenever I use another Office 365 account from another domain e.g. user#pivabo.be I get this error:
AADSTS50020: User account 'user#pivabo.be' from external identity provider 'https://sts.windows.net/908b6c6d-f582-461d-9e73-88a4e48f5d88/' is not supported for application 'df1a02fd-f096-46df-9b5a-5cf1b0f9ef6d'. The account needs to be added as an external user in the tenant. Please sign out and sign in again with an Azure Active Directory user account.
The defined application in Azure is set to Multi-tenant!!
I also tried to add the foreign users to my AAD but everytime I get the message "This Microsoft account does not exist"
EXCEPT: I also made a hotmail account which I was able to add to my AAD and with this account logging in to the app was succesfull. But, without adding it to my AAD I get the above error message.
Any help would be welcome.
Make sure you are using "https://login.microsoftonline.com/common/..." and not "https://login.microsoftonline.com/[your tenant name]" when forming authorization link.
I am late to the party, but what it fixed for me was that I had to use "common" as tenantId.
I'm developing an intranet web app and I'm learning how to hook VB into the Active Directory. We're going to be doing some location specific permissions, and my boss wants (if possible) me to hook into the Active Directory to get the users location.
I think that all I need to do is get the user name, but I'm not sure what is the best way to do that. We're a Microsoft only shop, so IE and IIS are the order of the day. To access the intranet you have to log on to the computer using our domain, so that's one level of security, but then I need to authenticate and make sure that user has permissions to make the changes. I'm thinking we'll either have a modifier (if there's not one already) in the AD info, or keep a permissions table in a database, but the former is probably preferred.
I know that IIS has a feature that allows/requires authentication but I'm not exactly sure how that's supposed to work.
So what's the best/easiest/somewhat(most?) secure way to get the users credentials? I could always do a login page but it would be much nicer if I could just get their AD credentials in the background.
Thanks!
you need to disable anonymous auth for your IIS site and enable windows-auth instead.
now go to your web.config and change the following
<authentication mode="Windows">
...
</authentication>
see http://msdn.microsoft.com/en-au/library/532aee0e(v=VS.80).aspx
&
if neccesary
<identity impersonate="true" />
see http://msdn.microsoft.com/en-us/library/aa292118(VS.71).aspx
now you should be able to get the current user with
HttpContext.Current.User.Identity.Name
to check if the user is in a specific group you can use
HttpContext.Current.User.IsInRole("YourActiveDirectoryGroup")
IIS can be configured to use Integrated Authentication which will give you access to the samaccountname (pre-Windows 2000 logon) of the user. With that you can do an LDAP query against AD and check group membership. If the user is a member of the CanModifyStuffGroup (that you have created within AD and added users to) then let them make changes, otherwise give them the read-only version - or whatever.