If I was running a server that allowed certain users on my LAN to access the WAN, how could I reliably authenticate these users?
I could allow them by checking MAC/IP addresses, but those details can be spoofed, right?
Ideally, I would like the user to:
1. connect to the LAN via DHCP
2. be redirected to the server's login page when the user tries to browse
3. have to enter a username and password
4. if authenticated, be allowed to browse freely.
What you describe is a proxy server, e.g. Kerio Control:
User-specific access management: Each user in the network can be required to log in to Kerio Control before connecting to the Internet. That allows for restrictive security and access policies to be applied based on the specific user, rather than the IP address.
You could look for IEEE 802.1X authentication and RADIUS server solutions, e.g. FreeRADIUS.
(There is also a Win32 binary based on Cygwin on freeradius.net.)
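The four steps in the question, modelled as the decision logic of a small captive-portal gateway. This is an added example, not code from the answer above or from Kerio or FreeRADIUS; the portal URL, the user database, the addresses and the session lifetime are all constructed for the demonstration. A real gateway would turn the "allow"/"redirect" decisions into firewall rules for the client address.

```python
# Added example (not part of the answer above): the decision logic of a small
# captive-portal gateway, modelling the four steps in the question. The user
# database, addresses and portal URL are constructed for the demonstration.
import hashlib
import hmac
import os
import secrets
import time
from urllib.parse import quote

PORTAL_URL = "https://portal.lan/login"   # assumed address of the login page
SESSION_TTL = 8 * 3600                     # seconds a login stays valid
PBKDF2_ROUNDS = 100_000


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


# constructed user database: username -> (salt, digest)
USERS = {"alice": hash_password("correct horse battery staple")}
_DUMMY = hash_password("dummy")   # hashed against for unknown users (same cost as a real one)


class Gateway:
    """Tracks which client addresses currently belong to an authenticated user."""

    def __init__(self, clock=time.time):
        self.clock = clock          # injectable for tests
        self.sessions = {}          # client_ip -> {"user", "mac", "token", "expires"}

    def handle_request(self, client_ip, client_mac, url):
        """Steps 2 and 4: unauthenticated clients are redirected to the portal,
        authenticated ones are allowed through."""
        s = self.sessions.get(client_ip)
        if s and s["expires"] > self.clock() and s["mac"] == client_mac:
            return ("allow", s["user"])
        # Expired, or the same IP now arrives with a different MAC (lease reuse
        # after DHCP churn, or a spoofing attempt): drop the grant and re-authenticate.
        self.sessions.pop(client_ip, None)
        return ("redirect", PORTAL_URL + "?next=" + quote(url, safe=""))

    def login(self, client_ip, client_mac, username, password):
        """Step 3: verify the credentials and bind a time-limited grant to the
        client that submitted them. Returns a session token, or None on failure."""
        salt, stored = USERS.get(username, _DUMMY)
        _, candidate = hash_password(password, salt)
        if username not in USERS or not hmac.compare_digest(candidate, stored):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[client_ip] = {"user": username, "mac": client_mac,
                                    "token": token, "expires": self.clock() + SESSION_TTL}
        return token

    def logout(self, client_ip, token):
        """Only the holder of the session token can release the grant."""
        s = self.sessions.get(client_ip)
        if s and hmac.compare_digest(s["token"], token):
            del self.sessions[client_ip]
            return True
        return False
```

Binding the grant to the IP and MAC pair only protects against accidental carry-over when a DHCP lease moves to another station; as the question already suspects, both can be forged by a host on the same segment, which is exactly the gap the 802.1X/RADIUS suggestion closes by authenticating the port before the station gets an address at all.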
I have a program on a server and users access it by the IP address https://123.45.54.63
Then the server asks for credentials, and users can mark "remember my credentials" to autofill the user and password fields the next time.
But I do not know how to automate the login so the user does not have to click on login and can just use the application by accessing the server IP.
I mark, in Tools -> Internet options -> Security -> Local intranet -> Customize, the option to log in automatically for the intranet, but it still asks for the autofilled credentials.
Is it possible to make Internet Explorer 11 log in automatically?
Are the user's computer and the server in the same Intranet Zone?
If they are in the same zone, you could try to select the "Automatic logon with current user name and password" option (Internet options -> Security -> Local intranet -> Customize).
If it still does not work, you could try to add the IP address to the "Local Intranet Sites" under Security in IE.
If the user's computer and the server are not in the same zone, you should enable "Automatic logon with current user name and password" in the Internet Zone.
Edit:
Please check this article:
When using Windows Integrated authentication, Internet Explorer might automatically authenticate a user's logon and password and maintain security. You could check the conditions for Internet Explorer to automatically authenticate a user's logon and password and maintain security:
1. Windows Integrated authentication, also known as Windows NT Challenge/Response, must be enabled in the Web site properties in IIS. Anonymous authentication is attempted first, followed by Windows Integrated authentication, Digest authentication (if applicable), and finally Basic (clear text) authentication.
2. Both the client and the Web server must be either in the same Microsoft Windows NT-based or Microsoft Windows 2000-based domain or in trusted Windows NT-based or Windows 2000-based domains in which the user's account can be granted permissions to resources on the IIS-based computer.
3. The user's browser must be Internet Explorer. Internet Explorer is the only browser that supports Windows Integrated authentication (NTCR).
4. Internet Explorer must consider the requested URL to be on the intranet (local). If the computer name portion of the requested URL contains periods (such as http://www.microsoft.com and http://10.0.0.1), Internet Explorer assumes that the requested address exists on the Internet and does not pass any credentials automatically. Addresses without periods (such as http://webserver) are considered to be on the intranet (local); Internet Explorer passes credentials automatically. The only exception is addresses included in the Intranet zone in Internet Explorer. Internet Explorer's Intranet zone security setting must be set to Automatic logon only in Intranet zone. This is the default setting for Internet Explorer. For additional information about Internet Explorer security zones, click the article number below to view the article in the Microsoft Knowledge Base:
5. The user requesting the Web page must have appropriate file system (NTFS) permissions to the Web page as well as all of the objects referenced in the Web page. For example, a user may have Full Control rights to a Web page, but is prompted for a password if the Web page refers to graphics that are in a secure folder.
When using Basic (clear text) authentication or Digest authentication: Internet Explorer does not pass your user name and password automatically when you are using Basic (clear text) authentication or Digest authentication. Therefore, you are always prompted for credentials when you are using these authentication methods.
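The zone and scheme rules quoted above, written out as a small checker so you can see why https://123.45.54.63 prompts while http://webserver does not, and what adding the address to Local Intranet Sites or changing the zone's logon setting changes. This is an added example, not code from the answer or from Microsoft; it is a simplified model of the quoted rules (real Internet Explorer zone mapping also consults proxy bypass lists and Group Policy site-to-zone assignments), and the option names passed as `zone_logon` values are this example's own shorthand for the four IE "Logon" choices.

```python
# Added example (not from the thread or from Microsoft): a simplified model of the
# quoted rules for when Internet Explorer sends Windows credentials automatically.
from urllib.parse import urlparse

WINDOWS_INTEGRATED = {"negotiate", "ntlm"}   # "NTCR" in the KB text
# Per-zone "Logon" setting, defaulting to "Automatic logon only in Intranet zone"
# for both zones, which the KB text describes as the default.
DEFAULT_LOGON = {"intranet": "intranet_only", "internet": "intranet_only"}
LOGON_OPTIONS = {"anonymous", "prompt", "intranet_only", "automatic"}


def is_intranet_zone(url, intranet_sites=()):
    """Host names without periods are Local Intranet by default; dotted names and
    IP literals are Internet unless explicitly listed as Local Intranet sites."""
    host = urlparse(url).hostname
    if host is None:
        return False
    return "." not in host or host in intranet_sites


def credentials_sent_automatically(url, auth_scheme, intranet_sites=(), zone_logon=None):
    """True if IE would send the current Windows logon without prompting.
    auth_scheme is the scheme the server offered (Negotiate, NTLM, Basic, Digest)."""
    zone_logon = {**DEFAULT_LOGON, **(zone_logon or {})}
    if any(v not in LOGON_OPTIONS for v in zone_logon.values()):
        raise ValueError("unknown logon option")
    if auth_scheme.lower() not in WINDOWS_INTEGRATED:
        return False      # Basic and Digest always prompt, whatever the zone
    zone = "intranet" if is_intranet_zone(url, intranet_sites) else "internet"
    setting = zone_logon[zone]
    if setting == "automatic":
        return True       # "Automatic logon with current user name and password"
    if setting == "intranet_only":
        return zone == "intranet"
    return False          # "anonymous" or "prompt"
```

Run against the question's own address: the IP literal lands in the Internet zone, so with default settings nothing is sent; listing it under Local Intranet Sites, or switching the Internet zone to automatic logon, flips the result, and Basic authentication prompts regardless.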
I have installed Azure MFA on our network to provide two-form ID for our VPN. We are using the Azure MFA pay-as-you-go option, where users are added and charged as we add them to the server.
I have imported the users from AD. Ninety percent of the users imported work fine. I have both enabled and non-enabled users listed on the server.
When I run a test from within the MFA server, the authentication process works. The server will call the number I have listed, and when I press the # key to accept, the system returns that that user authenticated OK.
The ones I am having problems with will authenticate when I use the test button on the MFA server, but when I try to use the same user to log in to the VPN
I get this error:
Pfauth failed for user 'CN=test#xxxx.com,CN=Users,DC=xxxx,DC=com' (distinguishedName format) from xxx.xxx.xxx.xxx. Call status: SKIPPED_NO_USER - "Couldn't match supplied username to a defined user".
Other users have no problem logging in.
I have tried to re-import the user and to recreate the user manually in the MFA server; nothing changes the results.
It looks to me like the error is that the MFA server does not recognize the server. Has anyone seen this problem, or can anyone direct me to things to check?
It looks like you are either securing the VPN using LDAP, or are using RADIUS but doing the primary authentication using LDAP bind. After primary authentication is performed, the MFA Server needs to find the user in its data store to look up the phone number and auth method configured. It either uses Windows SIDs or LDAP unique identifiers to do that lookup. Take a look at Company Settings-->Username Resolution in the MFA Server. It is set to use Windows SIDs by default. Try changing that to use LDAP unique identifiers.
I've stumbled across an issue with IIS7; apparently it is not possible to limit "anonymous authentication" to a certain range of IP addresses, i.e. a subnet, at least not in the GUI for a certain folder within a website:
10.0.0.0/24: anonymous access to "/lan_ok_outside_basiconly"
Every other IP: Basic Auth to "/lan_ok_outside_basiconly"
The application within the folder does not need user credentials, it just needs to verify that the access is to be granted either by verifying that the client is in a specific internal LAN or by basic auth credentials from everyone else.
Is there any way to achieve this in IIS7.5?
Thanks.
We can provide the authentication at site level and at application context level, based on our requirement.
For example, assume a website www.example.com exists in your IIS.
You can specify the authentication by selecting this site -> Authentication tab -> Anonymous or Windows or both.
Similarly, if you have contexts (for example) like www.example.com/ex1, www.example.com/ex2, www.example.com/ex3, then you can select any context and specify the authentication as per your requirement.
For more details check the link below for reference:
http://www.iis.net/configreference/system.webserver/security/authentication
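The policy the question actually asks for (anonymous from 10.0.0.0/24, HTTP Basic from everyone else, for the one folder) can be enforced in application code when the server's own configuration cannot express it. The following is an added example, not code from the answer or from IIS; the subnet and folder name come from the question, while the user record, its password and the WSGI wrapper are constructed for the demonstration.

```python
# Added example (not part of the answer above): the policy from the question,
# enforced in application code. Clients from 10.0.0.0/24 reach the protected
# folder anonymously; everyone else must present valid HTTP Basic credentials.
import base64
import hashlib
import hmac
import ipaddress
import os

TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/24")]   # from the question
PROTECTED_PREFIX = "/lan_ok_outside_basiconly"          # from the question
REALM = "lan_ok_outside_basiconly"
PBKDF2_ROUNDS = 100_000


def _digest(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


_SALT = os.urandom(16)
USERS = {"remote": (_SALT, _digest("constructed-demo-secret", _SALT))}   # constructed record
_DUMMY = (os.urandom(16), _digest("dummy", os.urandom(16)))               # cost for unknown users


def make_basic_header(username, password):
    """The Authorization header a client would send (used by tests and clients)."""
    raw = (username + ":" + password).encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def _basic_credentials_ok(header):
    if not header or not header.lower().startswith("basic "):
        return False
    try:
        decoded = base64.b64decode(header[6:], validate=True).decode("utf-8")
    except ValueError:   # bad base64 (binascii.Error) and bad UTF-8 both subclass ValueError
        return False
    user, _, password = decoded.partition(":")
    salt, stored = USERS.get(user, _DUMMY)   # unknown user still costs one PBKDF2
    return user in USERS and hmac.compare_digest(_digest(password, salt), stored)


def _in_protected_folder(path):
    return path == PROTECTED_PREFIX or path.startswith(PROTECTED_PREFIX + "/")


def authorize(remote_addr, path, auth_header=None):
    """Return (status, detail). remote_addr must be the TCP peer address, never a
    client-supplied header such as X-Forwarded-For; path must already be normalised."""
    if not _in_protected_folder(path):
        return 200, "outside the protected folder"
    try:
        ip = ipaddress.ip_address(remote_addr)
    except ValueError:
        return 400, "unparseable client address"
    if any(ip in net for net in TRUSTED_NETS):
        return 200, "anonymous access from trusted LAN"
    if _basic_credentials_ok(auth_header):
        return 200, "basic auth ok"
    return 401, 'Basic realm="%s"' % REALM


def wsgi_app(environ, start_response):
    """Minimal WSGI wrapper so the policy can sit in front of the real application."""
    status, detail = authorize(environ.get("REMOTE_ADDR", ""),
                               environ.get("PATH_INFO", "/"),
                               environ.get("HTTP_AUTHORIZATION"))
    headers = [("Content-Type", "text/plain")]
    if status == 401:
        headers.append(("WWW-Authenticate", detail))
    reason = {200: "OK", 400: "Bad Request", 401: "Unauthorized"}[status]
    start_response("%d %s" % (status, reason), headers)
    return [detail.encode("utf-8")]
```

Two caveats carry over to any implementation of this rule: the "trusted LAN" branch is only as good as anti-spoofing at the border (a packet claiming a 10.0.0.0/24 source must not be able to arrive from the WAN side), and Basic credentials travel in the clear unless the folder is served only over TLS.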
We are developing a self registration app.
Our app allows users to register for web apps and is deployed on a WebLogic 10.3.5 app server. The WebLogic server is connected to a local LDAP system.
Once the user registers with our app we call corporate services to generate a user ID. Password activation and authentication are all handled by the corporate services, which also have a corporate LDAP that contains all users in the company.
The approach works fine for 'new users', i.e. users that are not present in the corporate LDAP or the local LDAP: users enter their details and are issued a user ID, which we then copy into the local LDAP once the user activates their account.
The use case we're grappling with at the moment is how to handle 'existing' users that wish to register. These are users that are currently in the corporate LDAP and wish to 'register' with our applications. They get rejected during the normal registration process as they already exist in the corporate LDAP.
What I'd like to do is force them to log in (simply so they don't register on behalf of someone else) and, once they're logged in, simply copy their data into the local LDAP.
The problem is that even if they are successfully authenticated by the corporate service, they don't (yet) exist as far as the WebLogic server is concerned. Is there a way to obtain the user ID that comes with the authentication token?
The authentication method is SAML 1.1
The application is a standard Java EE servlet based webapp using the struts2 framework.
Any ideas would be much appreciated.
Within WebLogic, you can define multiple authentication providers and set them up in the order you would like the system to use. Since you are copying data over, you would have to programmatically check for the existence of the account before attempting to create it on the LDAP server.
It would be a lot simpler if you use the external LDAP server directly instead of copying the data to the internal LDAP server, letting you attempt logging the user in and creating the account only while catching the appropriate exception.
I'm after some theoretical help on the best approach for allowing a SaaS product to authenticate users against a tenant's internal Active Directory (or other LDAP) server.
The application is hosted, but a requirement exists that tenants can delegate authentication to their existing user management provider such as AD or OpenLDAP etc. Tools such as Microsoft Online's hosted exchange support corporate AD sync.
Assuming the client doesn't want to forward port 389 to their domain controller, what is the best approach for this?
After doing some research and talking to a few system admins who would be managing this, we've settled on two options, which should satisfy most people. I'll describe them here for those who were also interested in the outcome.
Authentication service installed in the organisation's DMZ
If users wish to utilise authentication with an on-premises active directory server they will be required to install an agent in their DMZ and open port 443 to it. Our service will be configured to hit this service to perform authentication.
This service will sit in the DMZ and receive authentication requests from the SaaS application. The service will attempt to bind to active directory with these credentials and return a status to indicate success or failure.
In this instance the application's forms based authentication will not change, and the user will not be aware of the authentication behind the scenes.
OpenID
Similar to the first approach, a service will be installed in the client's DMZ, and port 443 will be opened. This will be an OpenID provider.
The SaaS application will be an OpenID consumer (it already is for Facebook, Twitter, Google etc. login).
When a user wishes to log in, the OpenID provider will be presented, asking them to enter their user name and password. This login screen would be served from the client's DMZ. The user would never enter their username or password into the SaaS application.
In this instance, the existing forms-based authentication is replaced with the OpenID authentication from the service in the client's DMZ.
A third option that we're investigating is Active Directory Federation Services, but this is proprietary to Active Directory. The other two solutions support any LDAP-based authentication across the internet.
Perhaps this might help…
This vendor, Stormpath, offers a service providing: user authentication, user account management, with hookups to your customers’ on-premise directories.
What about an LDAPS connection to the customer's user directory? They can firewall this off so that only your servers have access if they're concerned about it being public. Since it's SSL it's secure end to end. All you need from them is the certificate from their issuing CA (if it's not a public one). I struggled to get this working for an internal web project in the DMZ and there's a real lack of any guides online. So I wrote one up when I'd got it working:
http://pcloadletter.co.uk/2011/06/27/active-directory-authentication-using-ldaps/
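The credential check at the heart of both the "authentication service in the DMZ" option above and the LDAPS suggestion in this answer is the same thing: a simple bind against the tenant's directory, over TLS validated with the tenant's issuing CA, that returns nothing but success or failure. The following is an added example, not code from either answer, from the linked guide or from any vendor; the wire format is hand-encoded from RFC 4511 so it needs only the standard library, and the host name, bind name and CA file path are placeholders. Active Directory accepts a user principal name (`user@tenant.example`) as the bind name, which spares the agent a separate DN lookup.

```python
# Added example (not from the thread): the credential check a DMZ authentication
# agent would run, as a simple bind over LDAPS whose server certificate must chain
# to the tenant's issuing CA. BindRequest/BindResponse are encoded per RFC 4511.
import socket
import ssl

LDAP_SUCCESS = 0
LDAP_INVALID_CREDENTIALS = 49


def _ber_len(n):
    """BER length: short form below 128, long form (0x80|count, then count bytes) otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, value):
    return bytes([tag]) + _ber_len(len(value)) + value


def build_bind_request(msg_id, bind_dn, password):
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] { version 3, name, simple [0] } }"""
    if not 0 < msg_id < 0x80:
        raise ValueError("single-byte message ids only in this example")
    bind_req = (_tlv(0x02, bytes([3]))                    # version INTEGER 3
                + _tlv(0x04, bind_dn.encode("utf-8"))      # name LDAPDN
                + _tlv(0x80, password.encode("utf-8")))    # authentication: simple [0]
    return _tlv(0x30, _tlv(0x02, bytes([msg_id])) + _tlv(0x60, bind_req))


def _read_tlv(buf, pos):
    """Return (tag, value, position after the element) for the TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def parse_bind_response(msg):
    """LDAPMessage { messageID, BindResponse [APPLICATION 1] { resultCode, matchedDN, diagnosticMessage } }"""
    tag, body, _ = _read_tlv(msg, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, msg_id, pos = _read_tlv(body, 0)
    op_tag, op, _ = _read_tlv(body, pos)
    if op_tag != 0x61:
        raise ValueError("not a BindResponse")
    _, code, pos = _read_tlv(op, 0)          # resultCode ENUMERATED
    _, _matched, pos = _read_tlv(op, pos)    # matchedDN, unused here
    _, diag, _ = _read_tlv(op, pos)          # diagnosticMessage
    return {"msg_id": int.from_bytes(msg_id, "big"),
            "result_code": int.from_bytes(code, "big"),
            "diagnostic": diag.decode("utf-8", "replace")}


def _recv_exact(sock, n):
    data = b""
    while len(data) < n:
        part = sock.recv(n - len(data))
        if not part:
            raise ConnectionError("peer closed the connection mid-message")
        data += part
    return data


def _recv_message(sock):
    """Read exactly one BER-framed LDAPMessage: tag and length first, then the body."""
    head = _recv_exact(sock, 2)
    length = head[1]
    if length & 0x80:
        extra = _recv_exact(sock, length & 0x7F)
        head, length = head + extra, int.from_bytes(extra, "big")
    return head + _recv_exact(sock, length)


def ldaps_bind(host, bind_dn, password, cafile, port=636, timeout=5):
    """True only if the directory accepted the password for bind_dn. Nothing else
    (no password, no directory detail) leaves this function, so the SaaS side
    only ever learns yes or no."""
    if not password:
        # RFC 4513 s5.1.2: an empty password makes this an *anonymous* bind, which
        # a server may report as success; never treat that as proof of identity.
        return False
    ctx = ssl.create_default_context(cafile=cafile)   # trust only the tenant's issuing CA
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:   # hostname check stays on
            tls.sendall(build_bind_request(1, bind_dn, password))
            resp = parse_bind_response(_recv_message(tls))
    return resp["result_code"] == LDAP_SUCCESS


if __name__ == "__main__":
    # Would run inside the tenant's DMZ; all three values are placeholders.
    ok = ldaps_bind("dc1.tenant.example", "user@tenant.example", "secret", "/etc/agent/tenant-ca.pem")
    print("authenticated" if ok else "rejected")
```

Whichever of the two deployment options is chosen, the agent should additionally authenticate the SaaS side (mutual TLS or a per-tenant shared secret) before it will attempt a bind, and should rate-limit per username, since it is otherwise an internet-reachable password oracle for the tenant's directory.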
Your best bet is to implement SAML authentication for your SaaS application, and then sign up with identity providers like Okta or OneLogin. Once that's done, you can also connect it with ADFS to provide Single Sign-On for your web application through Active Directory.
I'm just doing this research myself and this is what I've come across; I will have more updates once implementation is done. Hope this gives you enough keywords to do another Google search.
My understanding is that there are three possible solutions:
Installing something on the domain controller to capture all user changes (additions, deletions, password changes) and send updates to the remote server. Unfortunately there's no way for the website to know the initial user passwords - only new ones once they are changed.
Provide access for the web server to connect to your domain controller via LDAP/WIF/ADFS. This would probably mean opening incoming ports in the company's firewall to allow a specific IP.
Otherwise, bypass usernames/passwords and use email-based authentication instead. Users would just have to authenticate via email once every 3-6 months for each device.
I have to begin implementing this for an upcoming project and I'm seriously leaning towards option #3 for simplicity.