I have an asp.net web application in an internal windows domain which calls a wcf-service. In the wcf-service I use the SecurityContext.Identity.Name, so it needs impersonation.
Our task is that the web application can be accessed from anywhere.
The first step was that the administrators published the web application throught ISA server 2006. The main problem with this solutions is that the browser doesn't save the user's loginname and password in the ISA authentication form. In addition the users want to access the webapp from Nokia Mobile with Opera Mini.
What can I do in a simple way that the browser saves the loginname/password in order to the user can use the application without reentering the login data in every 30/60 minutes?????
Any best practise?
The standard is to store the username/password in a cookie and have the login page pull the login info from the cookie to auto-login. You can have this cookie expire in a month if you want to.
Here are some examples using different languages to add a "remember me" type functionality to save username and password in a cookie.
Cookies
php example
asp.net example
asp example
Response to creator's comments:
In order to modify the ISA login page, look at this article. You should be able to add the code top handle cookies by editing the login page file located in the directory C:\Program Files\Microsoft ISA Server\CookieAuthTemplates\ISA\HTML (assuming you installed ISA to that location).
I do not think there is an out of the box configuration that allows you to set this up, but I did see some configuration for setting trust level (#18 from the article) that you might want to play with.
Related
I'd like to offer a WebService API to a set of intranet desktop applications.
Currently my web service configuration (launchSettings.json) is:
"windowsAuthentication": true,
"anonymousAuthentication": false
This approach needs this line of code at the Startup class:
services.AddAuthentication(IISDefaults.AuthenticationScheme);
When I test it the browser (Firefox in my case) calls the default controller. Then I get a prompt asking the user and password from the active directory user, which is already logged in. After a successful log-in I can see the user name and its status within my controller class:
var isAuthenticated = User.Identity.IsAuthenticated;
var userName = User.Identity.Name;
But as already noted: the current user it's already logged in into this Windows machine so, could I forward this information in order to avoid this log in prompt?
At test stages is not a big problem to enter this information, but I guess when other kind of clients (my custom desktop applications) try to use this WebServices they will need to also call the WebServices in such a way that the user gets authorized.
Please, consider I am getting started with the asp.net, core and webservices technologies, so if you need more information, let me know :D
Firefox doesn't support automatic login. Only Chrome and IE/Edge do.
We want to integrate "AFE (Ajax File Explorer) into our Drupal application. Our users are authenticated in Drupal and it is not possible for us to ask a second time there login/pwd while opening AFE.
We received a first answer from ITHIT:
Here is how to set login and password:
ajaxFileBrowser.GetSession().SetCredentials('User1', 'pwd');
Please note that this API sets password in XHR. Setting login and
password in XHR does not provide any feedback on weather the login was
successful. That is why in general I would suggest to rely on web
browser login dialog which is displayed automatically instead of
calling SetCredentials.
However it is not clear if it is a real and robust SSO solution. We discovered that Drupal has an webdav SSO module (https://github.com/Awnage/webdavsso), we will also investigate that part. But any comment/help welcomed.
To my understanding there is no way to totally get rid of login dialog when using Basic, Digest, NTLM or Kerberos authentication with Microsoft Office.
Microsoft Office applications always ask for the authentication when used with Basic or Digest authentication. This is a Microsoft Office and Microsoft Mini-redirector limitation and there are no workaround in case your server is using Basic or Digest.
However, if you check "Remember my password" check-box it will still display the login dialog, but the user name and password will be already filled-in, so you just click "OK".
Here are some options to consider if you need to totally suppress login dialog with Microsoft Office:
Use NTLM or Kerberos authentication. In case of NTLM or Kerberos MS
Office asks for credentials only 1 time during first document access.
Implement Office Forms Based Authentication Protocol (MS-OFBA).
Implement Url-authentiation. Your urls will look like:
http://webdavserver.com/[SessionID1234567890]/path/file.docx.
In case of Url-authentiation make sure you do not include the session ID in query string, Microsoft Office will truncate it. You will have to put session ID somewhere in the path, as in the above example, which is not very convenient, when you need to mount a WebDAV folder in you file system, but still works in most cases.
Possible duplicate here Stackoverflow
I solved that problem in the same manner.
I have IIS 7.5 site:
Authentication = Windows Aythentication enabled
Application Pool = DefaultAppPool
DefaultAppPool Identity = ApplicationPoolIdentity
Load User Profile = True
On the filesystem,
DefaultAppPool has Read and Execute privileges to the entire site.
Also added a security group with Read and Execute privileges to the entire site.
With these settings, only users in the security group are able to access the site. All others get a AD login window, which has no affect. I'm not understanding this behaviour.
From research, it looks like I don't need to add the DefaultAppPool to the filesystem, if users are only executing, but still doesn't explain why they get the login challenge.
I'm also unclear if i need to set the AuthenticatedUserOverride (in Config Editor) from UseAuthenticatedUser to UseWorkerProcessUser if i want to use the filesystem security of DefaultAppPool. When i set this, i get an access error, not even the login challenge.
Note: site is not in the Default Web Site, but on a specific port number.
I'm unclear why i seem to need users listed in an ACL rather than using the generic DefaultAppPool.
Windows authentication determines how you determine who is who. Impersonation means which user account the security context runs under. Because you are loading the user profile, the context is taking on the AD user's security. Your DefaultAppPool identity is now out of the picture which is why you need ACL's on your files / folder.
Users will continue to receive the login prompt who are not cleared at the ACL level because IIS doesn't know what to do until an account that can access the files is provided. Watch in fiddler and you'll continue to see challenge messages from the server.
I want to build a small application similar to Run As (Windows native) and DropMyRights.
A simple form with a text box which will hold the path to the program that i want to run, and a dropdown to select the account to impersonate (<system>, <interactive>, or "user NameLastname") when starting the child process.
Just in case this is not enough reason to point me to the right direction, here goes the answer to "why would you want to do that?"
I noticed that some of my applications, like Google Calendar Sync, Google Drive Sync and Chrome autoupdater (not chrome.exe), when run as <system> can't pass through the proxy (ISA/TMG).
I do not have access to the server config settings, so i have to do this client-side.
The goal is to have the child process running as <interactive>, and use the NTLM token.
How can i pass CredentialCache.DefaultCredentials or CredentialCache.DefaultNetworkCredentials to the process?
I can't pass username/password/domain because we authenticate on the domain using smartcard logon.
That means i don't even know my Active Directory password.
Answering questions:
It isn't clear what you mean by <system> and <interactive>. Please be
more specific. Do you mean you want to launch processes in your logon
session but have them run as SYSTEM? – Harry Johnston
By interactive i mean the logged on user credentials. Could be local, but in my case i need the domain credentials.
To be even more specific, i want to use the token already generated by the proxy.
I do not want to launch processes as system.
I want system processes to connect to the internet using my (already provided and approved by ISA/TMG) credentials.
More info about this here: What is Interactive Logon?
Hmmm. The Chrome updater isn't a normal application, it's a system
service. Are you trying to run system services in the logged on user's
context? – Harry Johnston
That's right. Exactly what i want to do.
But, Google Updater does not appear on the services list.
It's a scheduled task.
And changing the task to be executed with my credentials doesn't work. Still can not bypass the proxy.
We have our own web server hosting our website that is open to the public outside of our network.
I have a request to make our "Internal Postings" link on our Careers page to authenticate the user against our network's Active Directory list.
I currently have it setup so the link hits a page inside the directory structure of the website, and this page's folder is set to "Integrated Windows Authentication". Anonymous access is turned off for this page. If the user is authenticated (ie: logged into our network or supplies proper credentials) it passes them on to an external careers website which hosts our job postings. If they fail to authenticate, it displays a custom 401 error page.
This works fine, but there is a problem with it. Using IE, people cannot just enter their username. They (of course) are required to enter the domain name as well. Unfortunately the default 'domain' is set to the URL of our website (www.xyz.com/username). I would like it to automatically choose the name of our internal domain (aaa/username) but am unsure of how to do this.
Another option would be to use LDAP and a little ASP scripting to authenticate the user. I have this code already, but am unsure of the security consequences of doing so. Basically, the page will be setup for anonymous authentication, and if the user isn't logged into our network, they will be prompted for a username/password using standard textboxes. This is then passed to an ASP script that does an LDAP lookup against our Active Directory. Is there any security issues with this method?
Which method would you choose to do?
Thanks.
EDIT: It seems I cannot authenticate to ActiveD via LDAP using a username/password combo. So forget about that option.
My question now is, how can I change the default 'domain' that IWA uses? Is that at all possible? IE seems to default to 'www.xyz.com\username' (my website) rather than 'aaa\username' (my domain name). Of course, www.xyz.com\username fails because that is not where our ActiveD resides... Is this possible? I want to make it as simple as possible for our employees.
You cannot authenticate an user with a script that looks up the user in LDAP. You need to know that the user is who it claims it is, and the only way to do that is to let NTLM/Kerberos authenticate the user (ie. establish proof that the user knows a secret stored in the AD, the password).
The URL of the web site to the set of sites considered be in the local intranet zone for IE browsers running on the internal network. By default sites consider to local intranet will be sent the current logged on users credentials when challanged with NTLM/Kerberos. Hence your internal users shouldn't even see a network logon box.
I hate to dredge up an old thread, but the answers are a bit misleading, if I understand the question. The thread Remus refers to is about authenticating via LDAP with a username only. As he points out, that isn't possible. But it looks like what Kolten has in mind is authenticating via LDAP with a username and password both. That's a standard practice called binding.