In a SharePoint application page I have to get listitems from a list on remote server in the same Active Directory domain.
I use the Client Object Model to get at the list. If I do not supply Network credentials (with userid, password and domain) I get a 401 access denied.
Is there a way to pass the credentials of the user that is logged in in Sharepoint (not in the windows client; can be different) to the ClientContext to allow it to get at the remote list?
Check if your Sharepoint2010 Web Application is configured with Claims based authentication. It needs to be configured with Classic Authentication so that you will not have to pass the username and password explicitly.
Related
I am wondering if there is anyway to check if the entered username and password is correct despite of enforcing multi factor authentication in Azure Active Directory?
I have set up an app with application permission(with admin consent) as well as delegated permission and is able to test both approach using ConfidentialClient and PublicClient using MSAL library.
I am not able to run my web form app in IIS with the PublicClient approach which is interactive and displays you a popup for the Microsoft login. So, the only approach I see here is to use app-only authentication.(https://learn.microsoft.com/en-us/exchange/client-developer/exchange-web-services/how-to-authenticate-an-ews-application-by-using-oauth )
I can use the confidential client(app only) since I have all the required admin consents granted to get the OAuth token and then impersonate the user to access to EWS managed api.
But the requirement is the user should enter their outlook password in the webform app before loading their emails(from EWS Managed API which needs OAuth token).
At this point I am not sure what to do next. Please help. Also let me know if you need more information.
For more reference why I am no able to use delegated authentication: Why app is throwing error in test environment but working fine in local machine using ASP.NET Web Forms and MSAL?
Per my understanding, you want to check the username and password by Azure AD first and using the confidential client to call APIs on behalf of the user.
This way is something hacking, but I think it works for this scenario. Just try the request below:
POST https://login.microsoftonline.com/<tenant id>/oauth2/v2.0/token
Request Body:
client_id=<confidential client app id>
&Client_secret=<confidential client app sec>
&grant_type=password
&scope=https://graph.microsoft.com/user.read
&username=<username>
&password=<password>
If the user typed the wrong user name and password, the response would be:
If username and password are all right, the response report the MFA related info:
I implemented OpenIddict with ASP.NET Identity as a separate auth server and I use the client credentials and password flows. I also have a web api project as the resource server.
The resource server is deployed in IIS and needs to authenticate domain users as well as end users. All controllers have the [Authorize] attribute and the actions have a custom authentication filter inheriting from ActionFilterAttribute with which I check for permissions against the db. The resource server has integrated windows authentication.
Currently at this stage of the development I cannot use ADFS or AAD.
Domain users access the resource server using a Winforms app in which they pass their network credentials. End users have websites and native apps and will/should use password flow to get an access token.
So, my question is:
Should I have an endpoint with [Authorize] in the auth server with which the domain users can authenticate with? In this case I would also need to use integrated windows authentication (which I'd rather like to avoid).
And once the domain user is authenticated, should I use the client credentials flow to acquire an access token? Domain users do not need to be saved in ASP.NET Identity. End users will use password flow.
Is this the correct way to handle both Windows Authenication and OpenId?
I have an ASP.NET Core 3 web app hosted on an Ubuntu server using Apache.
The app has a login, where the user provides a username and password, and we authenticate against an Identity Server.
In the login flow (in the Identity Server), we check if the user exists in Active Directory (by using the Novell.Directory.Ldap nuget package), if it does, then we retrieve the user data and create the corresponding token, otherwise, we go to our database and check if the user exists there.
This login flow works properly, but there is a new requirement that says that we need to implement a Single Sign-On. So if the user is logged with an account that is asscoiated to the Active Directory domain, then, the user is allowed to access our web app without providing username / password.
At first, I thought that maybe we could automatically retrieve the username in the client app and provide that username to the identity server without a password to finally query Active Directory to check if the user exists. The problem is that I'm not sure how am I supposed to retrieve that username....
Is there any way i can retrieve the Window's username from the client app?
Thanks
My web application uses SSO authentication through Azure AD. From within my application, the user can access a network folder by providing required credentials. I would like to use the same SSO authentication that was done at login instead of manually entering the credentials to access the network folder. Is there a way to achieve this?
You cannot use the same token because Azure AD will Authorize only for initial login.
If you want to use the SSO solution for your network folder access which is accessed inside your web application, you need to create a new instance for your network folder access.
Ultimately you need to create two instances in Azure AD for your application to get the token to access both application sign in and network folder access with single set of credential.
You can create a new application with different name.
Now you no need to enter the credential twice in your application (SSO happen).
I have:
Added the ftp-publishing service
Allowed IIS-Authentication in the management service
Created a user under IIS Manager-User
Allowed the user in IIS-Manager-Permissions
Added the user to FTP-Authentication rules for my site
Added the IISAuthentication to the FTP Authentication rules
IIS_IUSERS has full access to the directory
Yet, I get the login prompt but it won't take my login credentials.
Any ideas ?