How to validate user with SimpleMembership

I am using SimpleMembership for user login stuff in my web application. I wrote a console that actually accesses my web application classes to avoid duplicate code. However, since my console application doesn't have anything related to user sessions, the Login method doesn't work.
But is there a way to validate a user using only SimpleMembership? In case I have to do it manually, how can I do it?

Validating user in SimpleMembership
http://msdn.microsoft.com/en-us/library/webmatrix.webdata.simplemembershipprovider.validateuser(v=vs.111).aspx

Related

Login as Anonymous User in Keycloak

I am using Keycloak 11.0.0 to secure my ASP.NET Core 3.1 application.
I am looking for a way to allow users to access certain resources without needing an account of their own.
Which resources can be accessed without an account should be configured in Keycloak. Currently we are using a simple role-based system.
My idea was to add a "Login with Anonymous User" button next to the login form in Keycloak. This anonymous user is a normal Keycloak user to which I can assign roles.
How can this be done in Keycloak? I think I might need to write an extension, but I do not know which interface I need to implement for this functionality.
Or is there even a better way to accomplish my goal?

How to manage users in ASP.NET core with AD / LDAP? Do I store the users in a database?

I am writing an internal app where all the users are part of AD. I have the following steps to implement this. Is this correct?
1. Create an action filter to get all HTTP requests to the website and check if they are in the specific AD role needed (var isUserInRole = User.IsInRole("M2-ITU-PWApplicationDevelopers"))
2. If the user is not in any of the application roles, send the user to an error page
3. If the user is in an application role, then add the user to the SQL DB and link to the Role table in the DB, so now I have the user/role data ready to use in the DB along with other data
4. When the user revisits, check the database first before LDAP?
How do I set a cookie or something so that every request does not need to go through this process once authenticated?
Trying to understand the basics. Maybe I am going about this all wrong?
Use Windows Authentication. Your application needs to be behind IIS to do it in ASP.NET Core 2.2 and lower, but starting with ASP.NET Core 3.0 you can do it with Kestrel alone.
If you do that, you can skip steps 3 and 4. When a person is authenticated via Windows Authentication, the application gets a login token that contains all the security groups that the account is a member of. So User.IsInRole is pretty quick. There is no need to store that information in your own database.
You also don't need to worry about cookies.
The added benefit of Windows Authentication is that it can support seamless login: if your site is in the Trusted Sites in Internet Options, then IE and Chrome will automatically send the credentials of the user currently logged into Windows. The user doesn't have to type in their credentials.
Firefox uses its own network.negotiate-auth.delegation-uris setting for the same purpose.
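An added example (not part of the original answer) of the setup described above for ASP.NET Core 3.1 on Kestrel: Negotiate authentication plus a fallback policy that takes over the role check from the question's action filter. It assumes the Microsoft.AspNetCore.Authentication.Negotiate package; the /access-denied route and controller are hypothetical.

```csharp
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.Negotiate;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    // Group name from the question; it may need a DOMAIN\ prefix in your environment.
    private const string AppGroup = "M2-ITU-PWApplicationDevelopers";
    public void ConfigureServices(IServiceCollection services)
    {
        // Negotiate (Kerberos/NTLM) runs on Kestrel from ASP.NET Core 3.0; no IIS required.
        services.AddAuthentication(NegotiateDefaults.AuthenticationScheme).AddNegotiate();
        services.AddAuthorization(options =>
        {
            // Applies to every endpoint without its own [Authorize]/[AllowAnonymous].
            options.FallbackPolicy = new AuthorizationPolicyBuilder()
                .RequireAuthenticatedUser()
                .RequireRole(AppGroup)
                .Build();
        });
        services.AddControllers();
    }
    public void Configure(IApplicationBuilder app)
    {
        // Step 2: a 403 goes to an error page; 401 is left alone so the challenge reaches the browser.
        app.UseStatusCodePages(context =>
        {
            var response = context.HttpContext.Response;
            if (response.StatusCode == StatusCodes.Status403Forbidden)
                response.Redirect("/access-denied"); // hypothetical route
            return Task.CompletedTask;
        });
        app.UseRouting();
        app.UseAuthentication();
        app.UseAuthorization();
        app.UseEndpoints(endpoints => endpoints.MapControllers());
    }
}

[AllowAnonymous] // must be exempt from the fallback policy, or the redirect would loop
public class AccessDeniedController : ControllerBase
{
    [HttpGet("/access-denied")]
    public IActionResult Get() => Content("You are not in a group that may use this application.");
}
```

Group membership is read from the Windows token on each request, so no user/role table or custom cookie is involved.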

MVC authorize not authenticate using AD

I have scoured this and many other sites to find an answer but have come up short every single time. If this is a duplicate, I am very happy to accept direction to the original question with an answer:
I have built an MVC 4 site and I am using the Authorize tag where needed and this is working as expected.
My issue is that I require a mechanism by which to prompt the user (already logged in or some other valid user in the domain) to enter their windows credentials on one page in order to confirm/authorize that user. This is not what the authorize filter is doing. The authorize filter is actually authenticating the user. Thus changing the User.Identity information accordingly.
Is it possible to just authorize a user (not authenticate) without actually changing the User object?
Just returning the 401 response forces the windows prompt but that, in turn, does an authentication, not an authorize.
While a solution could be achieved with a custom action that accepts username/password input, my requirement specifically calls for the native browser windows prompt to be displayed.
The site is using IIS Express and is set up for windows authentication and every aspect of this does what I need. Except for the issue of "true" authorization mentioned above. The browser has to be IE9. Currently running on Windows 10.
No. You're currently using Windows Authentication, and this is how it works. There is no need to login because the user is already logged into Windows, that's the point.
To do what you want, you would need to use an individual auth library like Identity. Which will give you the login capability. However, that doesn't work with AD out of the box, but you can add that in yourself. In other words, instead of using the Identity functionality to look a user up by username and password to authenticate, you'd connect to AD over LDAP, and verify the credentials there. You'd also need to use the LDAP connection to add the user's groups in AD to their roles in Identity. Then, you can utilize the Authorize attribute as normal.
Long and short, if you want to actually allow the user to login as any AD user, then you're pretty much on your own. There's no built-in functionality for that. It's relatively straight-forward, if not entirely easy, to set something up yourself for that, but again, that's on you.
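An added example (not from the original answer) of the "verify the credentials in AD and read the groups" step, using System.DirectoryServices.AccountManagement on .NET Framework. The class, method and result type names are hypothetical, and the domain name is supplied by the caller.

```csharp
using System.DirectoryServices.AccountManagement;
using System.Linq;

public sealed class AdCheckResult
{
    public bool CredentialsValid { get; set; }
    public string[] Groups { get; set; }
}

public static class AdCredentialChecker
{
    // Checks a username/password pair against the domain and returns the account's
    // security groups. It never touches HttpContext.User or the thread principal,
    // so the identity of the already signed-in user is left unchanged.
    public static AdCheckResult Check(string domain, string userName, string password)
    {
        var rejected = new AdCheckResult { CredentialsValid = false, Groups = new string[0] };

        // Reject empty input before contacting the directory: an LDAP simple bind with an
        // empty password is an unauthenticated bind (RFC 4513) and can succeed.
        if (string.IsNullOrWhiteSpace(userName) || string.IsNullOrEmpty(password))
            return rejected;

        using (var context = new PrincipalContext(ContextType.Domain, domain))
        {
            // Binds to a domain controller with the supplied credentials.
            if (!context.ValidateCredentials(userName, password, ContextOptions.Negotiate))
                return rejected;

            // The lookup runs under the application's own identity, not the checked account.
            using (var user = UserPrincipal.FindByIdentity(
                       context, IdentityType.SamAccountName, userName))
            {
                var groups = user == null
                    ? new string[0]
                    : user.GetAuthorizationGroups()
                          .Select(g => g.SamAccountName)
                          .Where(name => !string.IsNullOrEmpty(name))
                          .ToArray();

                return new AdCheckResult { CredentialsValid = true, Groups = groups };
            }
        }
    }
}
```

The returned group names are what you would map onto Identity roles; submit the password only over HTTPS and do not log it.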

ASP.NET CORE window and form authentication together

I am working on an ASP.NET Core MVC application and I need to authenticate users with Active Directory/Windows Authentication, but also using Forms Authentication.
In Forms Authentication, I need to provide a mechanism for a Super Admin user credential which has a specific user name and password. The purpose is that the super admin account can do everything in the app but is not bound to any specific user.
How can I achieve this?

Authenticating the user

I am developing an ASP.NET application in 3.5 where authentication is done using cookies. On the default page I am authenticating the user and setting some value in a cookie.
Whenever I need to authenticate the user I just verify it from the cookie. If the user is not authorized then I redirect him to the default page for authentication.
Is this the correct way to do it?
If you want to authenticate users using Usernames & Passwords with roles and the like, I suggest using .NET's Forms Authentication: http://www.asp.net/Learn/Security/.
This is a great question on practice. I have done authentication using session variables before without any major issues. I do recommend using Forms Authentication and using the Membership class.
MSDN Forms Authentication