how to authenticate against windows local users and groups - authentication

I have a user set up in windows users and groups as username/pwd in group1. How do it validate against it? The article how to list windows users and groups tells how to list them.
How do I validate against a local user inside a group w/ password?
Thanks

I am assuming that you are not looking at using the Windows impersonation but rather a login box for your users and authenticate against both a local source and fallback to AD. If so then these answers should point you in the right direction: MVC3 authorization using AD
If you prefer VB.NET then the CodeProject appears to have a good article on AD authentication.

Related

Active Directory Authorization in ASP.Net Core without password

I want to authenticate a user via Active Directory. Right now I use Novell.Directory.Ldap.NETStandard library for that.
Scenario: The user will type in his e-mail and password. What I have to do now is to connect to AD via LDAP using some service login (username, password) so i can search in AD. I will search for the e-mail, find the user and then validate his credentials.
What I am asking for: I do not want to use a username & password to log a service user into AD. I would like to use the authorization of the user that is running the application to connect and search in AD. I am thinking of something similar to a SQL connection where I can say Integrated Security=True;.
Is there a way to do this in ASP.Net Core?
Solved it! I was using the wrong library.
I'm now using Microsoft's implementation from here: System.DirectoryServices.AccountManagement;
Works great.

How to manage users in ASP.NET core with AD / LDAP? Do I store the users in a database?

I am writing an internal app where all the users are part of AD. I have the following steps to implement this. Is this correct?
Create Action filter to get all HTTP request to website and check in they are in the specific AD role needed (var isUserInRole = User.IsInRole("M2-ITU-PWApplicationDevelopers"))
If user is not in any of the application roles send user to error page
If user is in application role then Add users to SQL DB and link to Role table in DB so now I have the user/role data ready to use in DB along with other data
When user revisits check the database first before LDAP?
How do I set a cookie or something so that every request does not need through process once authenticated ?
Trying to understand the basics.. Maybe I am going about this all wrong ?
Use Windows Authentication. Your application need to be behind IIS to do it in ASP.NET Core 2.2 and lower, but starting ASP.NET Core 3.0 you can do it with Kestrel alone.
If you do that, you can skip steps 3 and 4. When a person is authenticated via Windows Authentication, the application gets a login token that contains all the security groups that the account is a member of. So User.IsInRole is pretty quick. There is no need to store that information in your own database.
You also don't need to worry about cookies.
The added benefit of Windows Authentication is that it can support seamless login: if your site is in the Trusted Sites in Internet Options, then IE and Chrome will automatically send the credentials of the user currently logged into Windows. The user doesn't have to type in their credentials.
Firefox uses its own network.negotiate-auth.delegation-uris setting for the same purpose.

Single Sign-on with Sharepoint 2010 from 3rd party application without password

Overview
Our SharePoint 2010 application will be launched from a 3rd party application, let's call it HealthApp, via an embedded URL. Much of the time the user will be logged into HealthApp from a shared workstation. As a result, SharePoint will not sign in automatically using the Active Directory credentials.
Requirements
We need single sign-on.
We need to continue to use Active Directory as the STS for various reasons.
Authentication from a stand-alone browser on the user's workstation will need to work as it does now.
Authentication Info
HealthApp can pass a username and any other custom identifier information we want as URL parameters.
The username will match the users Active Directory username.
We will not have a password.
We need some way to authenticate the user based only on the username/identifier.
Possible Solutions
Is there any way to bypass the password check in Active Directory?
This would appear to be the simplest solution if possible.
Can we
extend the Active Directory provider to authenticate using a generic
user and then log into SharePoint with the username passed on the
URL?
Any other suggestions?
I would think there would have to be some way to do this but have not had much experience with claims based authentication with SharePoint.
Thanks for any insight.
Me also facing same issue for authenticating users over share point site that uses claims authentication.As per requirements my app needs to access share point data. So to authenticate
over share point server from an app we need to provide some authenticated claims with the request so that share point STS can issue an authorization ticket to access the share point site resources. after spending more than 2 days in googling i found some interested article that may help to authenticate users from client app against identity provider systems.
OAuth library
this resides between app and identity provider system. using this you get an authenticated claims that will further use to authorize over share point server with the help of Share point STS.

Sharepoint 2010 Authentication Change from Windows Based to Claims Based User Profile Sync

I have a Sharepoint 2010 application with mysites, therefore I use User profile sync service.
I changed the authentication method from windows to claims based ( choosing forms), and made necessary updates on web.config and run the commands on powershall, so I am using LDAP.
My application works with forms based authentication now, no issues, but I can not authanticate to mysites as my user name format has changed from domain/username to
One option is to somehow map new ldap formatted user and windows ad users (do not know how??), or I need to create a new connection on the user profile sync service to connect to ad with forms authantication and import users with new format too (failed to do so, any idea what needs to be configured on domain controllers to do that? ). Although, this will cause that users would get 2 different mysites if they login with windows or forms based auth.
Any idea is appreciated.
Thanks.
You need to use Move-SPUser command to make that work. For more info check the MSDN Documentation.

Is it possible to 'directly' connect to LDAP using a smartcard for an alternate user to that logged in?

We have a requirement to get information from specific users on an LDAP directory based on a Smartcard being presented. The application is already running under an AD user account, but using that users access to LDAP will not have sufficient access to the specific users data.
We have stumbled through a few parts of LDAP APIs and not had much luck finding info on how to make an LDAP bind call without username/password and more specifically with auth from a smartcard. Some of the MS LDAP appears to allow the option of using the current user token.
The best we have come up with is to use the SC to login then while impersonating the user create the ldap connecton using the current user token. Similar in idea to this MDSN blog .
Is there a better way?
The problem we are having with the impersonation is that the logged in user has to have certain rights for logging on other users to do the impersonation. Also while impersonating we need to limit other interactions, accessing the file system or registry as the alternate user is not desirable.