I'm implementing "Block user" feature on my ServiceStack 3.9 project, when a site administrator is able to block/remove registered users. But unfortunately I couldn't find a way to close opened session for a blocked (removed) user.
Updated:
I'm just a novice and I use the most common default configuration (MS SQL Server) with nothing special (e.g. Redis etc.). I had seen SocialBootstrapApi project as example.
Question:
So the question is how to logout a user by its id on the server side?
Related
I want to build a small application similar to Run As (Windows native) and DropMyRights.
A simple form with a text box which will hold the path to the program that i want to run, and a dropdown to select the account to impersonate (<system>, <interactive>, or "user NameLastname") when starting the child process.
Just in case this is not enough reason to point me to the right direction, here goes the answer to "why would you want to do that?"
I noticed that some of my applications, like Google Calendar Sync, Google Drive Sync and Chrome autoupdater (not chrome.exe), when run as <system> can't pass through the proxy (ISA/TMG).
I do not have access to the server config settings, so i have to do this client-side.
The goal is to have the child process running as <interactive>, and use the NTLM token.
How can i pass CredentialCache.DefaultCredentials or CredentialCache.DefaultNetworkCredentials to the process?
I can't pass username/password/domain because we authenticate on the domain using smartcard logon.
That means i don't even know my Active Directory password.
Answering questions:
It isn't clear what you mean by <system> and <interactive>. Please be
more specific. Do you mean you want to launch processes in your logon
session but have them run as SYSTEM? – Harry Johnston
By interactive i mean the logged on user credentials. Could be local, but in my case i need the domain credentials.
To be even more specific, i want to use the token already generated by the proxy.
I do not want to launch processes as system.
I want system processes to connect to the internet using my (already provided and approved by ISA/TMG) credentials.
More info about this here: What is Interactive Logon?
Hmmm. The Chrome updater isn't a normal application, it's a system
service. Are you trying to run system services in the logged on user's
context? – Harry Johnston
That's right. Exactly what i want to do.
But, Google Updater does not appear on the services list.
It's a scheduled task.
And changing the task to be executed with my credentials doesn't work. Still can not bypass the proxy.
I've been creating API and consumer by following Simple API Development with Laravel from Aaron Kuzemchak. I got the problem after I success to auth via API from my consumer; I do not know how to check it, if the consummer already success logged in or not at the other pages...
For example, at the first; I show the login page, click the submit button to check the credentials via API. The login attempt is working, success to logged in and redirect to dashboard. But, if I haven't logged in and accessed the dashboard from URL, i got the dashboard :O
The API server and the consumer have separated machine and the database only exists at the API server.
Am I doing this right (with the flow for the API and Consumer) ?
At the consumer, how can I get to know if the user already logged in or not (after success attempt the credential)? (somehow? someidea?)
Thank you before... :)
This question is very confusing, probably because I haven't watched that screencast yet, but shouldn't Auth::check() be what you are looking for? It will return true or false depending on if the user is logged in.
Just to make sure:
You have a back end API built from the tutorial posted here: http://kuzemchak.net/blog/entry/laracon-slides-and-video
You're using HTTP Basic authentication as described in the above tutorial
You're building a (consumer) front end web interface for users on a separate server
Your consumer interface uses forms based authentication (a login form)
The backend API uses HTTP basic authentication (and the consumer sends an API key for the user with each request). As such, the backend won't keep track of a user being logged in. That means your consumer interface will need to do this.
You could use the Laravel Auth class for this normally, but your front end would normally have access to the database and the bundled authentication drivers could just check a username/password.
I'd say your options are:
Store details of the user in a session using the Session class (feels a bit nasty but simple)
Write an authentication driver and then use the Auth class (advanced but cleaner: http://www.karlvalentin.de/1903/write-your-own-auth-driver-for-laravel-4.html)
Just talk straight to the database using the existing Auth class and Eloquent
I can auth my website with either ldap or by looking in db using different spring security authentication providers.
When i use the database auth, i use UserDetailsService, which correctly checks if my user is notActive and throws DisabledException correctly.
but using LdapAuthenticationProvider this does not occur. why?
spring security 2.0.1
Which LdapAuthenticator are you using? If you use BindAuthenticator it will bind as the given user, eventually the directory server should reject if the user account disabled/expired.
I haven't used LdapAuthenticationProvider myself, but if its not done automatically you can retrieve the userdetails, The UserDetails class has bunch of methods to check weather the account is enabled/locked/expired.
I have an asp.net web application in an internal windows domain which calls a wcf-service. In the wcf-service I use the SecurityContext.Identity.Name, so it needs impersonation.
Our task is that the web application can be accessed from anywhere.
The first step was that the administrators published the web application throught ISA server 2006. The main problem with this solutions is that the browser doesn't save the user's loginname and password in the ISA authentication form. In addition the users want to access the webapp from Nokia Mobile with Opera Mini.
What can I do in a simple way that the browser saves the loginname/password in order to the user can use the application without reentering the login data in every 30/60 minutes?????
Any best practise?
The standard is to store the username/password in a cookie and have the login page pull the login info from the cookie to auto-login. You can have this cookie expire in a month if you want to.
Here are some examples using different languages to add a "remember me" type functionality to save username and password in a cookie.
Cookies
php example
asp.net example
asp example
Response to creator's comments:
In order to modify the ISA login page, look at this article. You should be able to add the code top handle cookies by editing the login page file located in the directory C:\Program Files\Microsoft ISA Server\CookieAuthTemplates\ISA\HTML (assuming you installed ISA to that location).
I do not think there is an out of the box configuration that allows you to set this up, but I did see some configuration for setting trust level (#18 from the article) that you might want to play with.
We have our own web server hosting our website that is open to the public outside of our network.
I have a request to make our "Internal Postings" link on our Careers page to authenticate the user against our network's Active Directory list.
I currently have it setup so the link hits a page inside the directory structure of the website, and this page's folder is set to "Integrated Windows Authentication". Anonymous access is turned off for this page. If the user is authenticated (ie: logged into our network or supplies proper credentials) it passes them on to an external careers website which hosts our job postings. If they fail to authenticate, it displays a custom 401 error page.
This works fine, but there is a problem with it. Using IE, people cannot just enter their username. They (of course) are required to enter the domain name as well. Unfortunately the default 'domain' is set to the URL of our website (www.xyz.com/username). I would like it to automatically choose the name of our internal domain (aaa/username) but am unsure of how to do this.
Another option would be to use LDAP and a little ASP scripting to authenticate the user. I have this code already, but am unsure of the security consequences of doing so. Basically, the page will be setup for anonymous authentication, and if the user isn't logged into our network, they will be prompted for a username/password using standard textboxes. This is then passed to an ASP script that does an LDAP lookup against our Active Directory. Is there any security issues with this method?
Which method would you choose to do?
Thanks.
EDIT: It seems I cannot authenticate to ActiveD via LDAP using a username/password combo. So forget about that option.
My question now is, how can I change the default 'domain' that IWA uses? Is that at all possible? IE seems to default to 'www.xyz.com\username' (my website) rather than 'aaa\username' (my domain name). Of course, www.xyz.com\username fails because that is not where our ActiveD resides... Is this possible? I want to make it as simple as possible for our employees.
You cannot authenticate an user with a script that looks up the user in LDAP. You need to know that the user is who it claims it is, and the only way to do that is to let NTLM/Kerberos authenticate the user (ie. establish proof that the user knows a secret stored in the AD, the password).
The URL of the web site to the set of sites considered be in the local intranet zone for IE browsers running on the internal network. By default sites consider to local intranet will be sent the current logged on users credentials when challanged with NTLM/Kerberos. Hence your internal users shouldn't even see a network logon box.
I hate to dredge up an old thread, but the answers are a bit misleading, if I understand the question. The thread Remus refers to is about authenticating via LDAP with a username only. As he points out, that isn't possible. But it looks like what Kolten has in mind is authenticating via LDAP with a username and password both. That's a standard practice called binding.