Owin overrides authentication on IIS client certificate mapping rule - iis

I have configured a WebAPI web site to use HTTPS with IIS Client Certificate Mapping (ManyToOneMapping) for client certificate authentication. I disabled all authentication types on IIS. I did the many-to-one configuration on IIS.
But it is working with any other certificate that was added to the server's trusted store. I found that it is because of OWIN. I'm using OWIN (bearer authentication) to manage the token etc. But I think OWIN overrides the IIS many-to-one configuration. Do you know how to disable it? I need token-based authentication, so I cannot remove it.

Using OWIN to self-host WebAPI and hosting WebAPI in IIS are two different hosting models. This means that all of OWIN's pipeline logic is no longer valid. Unless we're using OWIN hosting in a self-hosting program, here's a simple example of using OWIN self-hosting WebAPI.
https://learn.microsoft.com/en-us/aspnet/web-api/overview/hosting-aspnet-web-api/use-owin-to-self-host-web-api
If we want to verify the client certificate by OWIN middleware (a pipe through which a request must come), we should add a custom validator of the client certificate and apply it by using the appBuilder.Use<T> method.
appBuilder.Use<ClientCertificateAuthMiddleware>(new ClientCertificateAuthenticationOptions(), clientCertificateValidator);
Here is an example of how to add client certificate validation to the OWIN self-hosted WebApi.
https://dotnetcodr.com/2016/02/08/using-client-certificates-in-net-part-9-working-with-client-certificates-in-owinkatana-iii/
Feel free to let me know if there is anything I can help with.
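As an added illustration of the appBuilder.Use<T> approach described above (example code, not from the answer or the linked article): a Katana middleware that only lets a request through when the negotiated TLS client certificate is on an explicit thumbprint allow-list, which is the check the IIS many-to-one mapping was meant to provide. It assumes a Katana host that exposes the certificate under the "ssl.ClientCertificate" OWIN key, and the options type and thumbprint value are hypothetical placeholders.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;
using Microsoft.Owin;
using Owin;

// Hypothetical options type: the client certificate thumbprints the API will accept,
// i.e. the explicit allow-list that the IIS many-to-one mapping was meant to enforce.
public class ClientCertificateAuthenticationOptions
{
    public HashSet<string> AllowedThumbprints { get; } =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase);
}
// Katana middleware: rejects any request whose TLS client certificate is missing,
// expired, or not on the allow-list, before the bearer-token middleware runs.
public class ClientCertificateAuthMiddleware : OwinMiddleware
{
    private readonly ClientCertificateAuthenticationOptions _options;
    public ClientCertificateAuthMiddleware(OwinMiddleware next,
        ClientCertificateAuthenticationOptions options) : base(next) { _options = options; }

    public override async Task Invoke(IOwinContext context)
    {
        // Katana hosts expose the negotiated client certificate under this OWIN key
        // (assumed here); it is null when the client presented no certificate.
        var cert = context.Get<X509Certificate2>("ssl.ClientCertificate");
        var now = DateTime.UtcNow;
        if (cert == null
            || now < cert.NotBefore.ToUniversalTime()
            || now > cert.NotAfter.ToUniversalTime()
            || !_options.AllowedThumbprints.Contains(cert.Thumbprint))
        {
            // Explicit 403: chaining to a trusted root alone is not enough to get in.
            context.Response.StatusCode = 403;
            await context.Response.WriteAsync("Client certificate not accepted.");
            return;
        }

        await Next.Invoke(context);
    }
}

// In Startup.Configuration, register it first so it also guards the /token endpoint:
//   var opts = new ClientCertificateAuthenticationOptions();
//   opts.AllowedThumbprints.Add("<THUMBPRINT PLACEHOLDER>");
//   app.Use<ClientCertificateAuthMiddleware>(opts);
```

Because the check runs inside the OWIN pipeline, it applies the same way whether the API is self-hosted or hosted in IIS, and a certificate that is merely present in the trusted store no longer passes.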

Related

How to secure custom parts of Identity Server

I want to extend IdentityServer 3 with an 'admin' part where users can manage things like users, clients, etc. This part should be secured by the same ID server implementation (same app in IIS). Do I have to build a separate app or can I extend the same ID server solution? How do I configure the OWIN startup then? When I have
app.Map("/Identity"....)
how do I add:
app.UseOpenIdConnectAuthentication
This results in an 'external' login provider, but that is not what I want. I also tried to add:
app.Map("/admin", config => config.UseOpenIdConnectAuthentication())
But that does not work either, so:
How can I have the ID server and a client combined in one solution?
Please help.
Have a look at IdentityManager, provided by the developers of IdentityServer. This will get you up and running very quickly.
Security Model
The security model can be configured to only allow users running on the same machine or can be configured to use any Katana based authentication middleware to authenticate users.
Hosting Options
IdentityManager is hosted as OWIN middleware. It can be configured with the UseIdentityManager extension method for Katana.
This is how you "Get started".

Difference between client certificates and certificate pinning, Do I need both?

I have a .NET Web API publicly exposed and also a Xamarin Forms app which uses the API; the app needs to be extremely secure due to the data it manages.
I will create an HTTP certificate for the Web API.
The Xamarin Forms app will have a login/password to validate against a local Active Directory via a /token endpoint, and uses an Authorize attribute on all endpoints to ensure that every HTTP call has the bearer token in it. I implemented that using this:
I based my implementation on this one:
http://bitoftech.net/2014/06/01/token-based-authentication-asp-net-web-api-2-owin-asp-net-identity/
Additionally, the customer has asked us for client certificate authentication; I don't understand how this works.
1. I need to add a certificate to the Xamarin project, right? How do I add it? How do I generate it?
2. In the Web API I need to validate that each HTTP call has the certificate attached.
I found this but not sure if it will work:
http://www.razibinrais.com/secure-web-api-with-client-certificate/
However, when investigating this, I also found something about certificate pinning, which is basically security the other way around: it means the Xamarin app will validate that the server certificate is associated with the right server (or something like that), so there is no way of a man-in-the-middle attack.
I found how to implement it here:
https://thomasbandt.com/certificate-and-public-key-pinning-with-xamarin
Question is:
1. Do I need both?
Is there something else I should research on this journey?
Certificate pinning and client certificate authentication are two very different things. Certificate pinning makes sure your app is talking to the server it expects to talk to. It also prevents eavesdropping, which is known as a 'man in the middle' attack. I just recently wrote an article about this on my blog.
Client certificate authentication works the other way around. It adds an extra layer of security so your server can be sure only clients that have the certificate can communicate successfully with it. However, since apps can be decompiled without a lot of effort, this client certificate can 'easily' be obtained by a malicious user. So this isn't a silver bullet.
From my experience, client certificate authentication is often used in enterprise apps, when there is an Enterprise Mobility Management solution in place (e.g. MobileIron, Microsoft Intune or others), where the EMM solution can push the certificates to the user's device out of band.
Should you use both? That really depends on the requirements of your customer, since they mitigate two very different problems.
The Web API link you included looks like it should do the server job properly at first sight. That article also includes how to generate a client certificate with a PowerShell command.
Generating a client side certificate:
Use the PowerShell command in the article that you referenced in your question.
Otherwise, this gist might help you on your way.
Installation:
Add the certificate file to each platform specific project as a resource. This is usually done in the form of a .p12 file.
Usage:
That all depends on which HttpClient you are using.
If you use the provided Web API solution, you should add the certificate contents as an X-ARR-ClientCert header with each request.
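To make the "app is talking to the server it expects" side concrete, here is an added example of public key pinning on the Xamarin/.NET client (example code, not from the answer or the linked pinning article). It assumes the managed HttpClientHandler, which exposes ServerCertificateCustomValidationCallback (the platform-native handlers may not); the pin strings are constructed placeholders, and the pin is a SHA-256 over the certificate's raw public key bytes rather than the full SubjectPublicKeyInfo.

```csharp
using System;
using System.Linq;
using System.Net.Http;
using System.Net.Security;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

public static class PinnedHttpClientFactory
{
    // Constructed placeholders: replace with the base64 output of ComputePin for your API
    // server's key. Keep a backup pin so a planned key rotation cannot lock the app out.
    private static readonly string[] PinnedKeyHashes =
    {
        "PLACEHOLDER_PRIMARY_PIN_BASE64=",
        "PLACEHOLDER_BACKUP_PIN_BASE64=",
    };

    // SHA-256 over the raw public key value, base64 encoded (the key bytes only, not
    // the full SubjectPublicKeyInfo wrapper).
    public static string ComputePin(X509Certificate2 cert)
    {
        using (var sha256 = SHA256.Create())
        {
            return Convert.ToBase64String(sha256.ComputeHash(cert.PublicKey.EncodedKeyValue.RawData));
        }
    }

    // Pin check that runs on top of, never instead of, the normal chain and hostname validation.
    public static bool ValidateServerCertificate(
        HttpRequestMessage request, X509Certificate2 cert, X509Chain chain, SslPolicyErrors errors)
    {
        if (errors != SslPolicyErrors.None || cert == null || chain == null)
            return false; // untrusted chain or name mismatch: reject before even looking at pins

        // Accept only if some certificate in the validated chain (leaf or CA) has a pinned key.
        return chain.ChainElements
                    .Cast<X509ChainElement>()
                    .Any(e => PinnedKeyHashes.Contains(ComputePin(e.Certificate), StringComparer.Ordinal));
    }

    public static HttpClient Create()
    {
        var handler = new HttpClientHandler
        {
            ServerCertificateCustomValidationCallback = ValidateServerCertificate,
        };
        return new HttpClient(handler);
    }
}
```

Returning false from the callback makes the request fail with an exception, so a substituted server certificate (even one chaining to a trusted root) is refused by the app rather than silently accepted.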

Azure web api authentication

I would like to secure my Azure WebApi with 3rd party providers (FB, G+... I basically just need a valid email). I was looking at Auth0 and it seems like it will do the job paired with JWT middleware in the Web API project, but I was wondering if the same can be done using Azure only.
Azure Web App authentication confused me a bit - it does not seem to give anything to my ASP.NET web app. I still have to configure all the middleware in Startup.cs and the app still works fine if I completely turn authentication off.
I could do the same thing Auth0 does - issue my own Jwt tokens based on access tokens from FB or G+ - but would like to avoid that.
Could you please point me to the right direction?
You have a couple options:
App Service Authentication
Configure the authentication via middleware
App Service Authentication
App Service Authentication does not require any code inside your application because your App Service has a gateway that inspects requests for authorization. Depending on the setting you can either secure the entire site or secure individual resources (by using the [Authorize] attribute on the endpoint in MVC/WebAPI).
With the latest release you can control authorization on a site-by-site basis, including manually triggering the sign-in by navigating the user to <yoursiteurl>/.auth/login/<provider>. By default the token store is enabled, so you can make a request to <yoursiteurl>/.auth/me and get back information from the provider.
Middleware Authentication
This is the default way authorization happens in the Single Page ASP.NET template. The middleware authentication uses OAuth/OpenID to secure the resources. This option does it at the application layer instead of at the gateway. If you are using ASP.NET Identity (from the single page project template), the email from the person's login will automatically be stored in the Users table. The tutorial in the link above gives lots of details on how to get it working.
Make sure you use the [Authorize] attribute to trigger the authorization in either case.
Hope that helps you get started in the right direction.

What is the best way to secure Apache Camel endpoints?

We have several internal web applications/services in our company which can only be accessed from the LAN. Now we have a public web portal hosted on the Internet, and this portal needs to access some internal services.
To meet this requirement, I plan to use Apache Camel in a ServiceMix to route the requests from the web portal to the local web services.
The exposed endpoints will use Jetty (HTTP) or CXF. As you can see, we must secure those endpoints, since they will also be exposed on the Internet.
I read through the Camel website; Camel supports Shiro security for authentication and authorization. However, I think Shiro is too heavy in our scenario, because we only have one web portal to be authenticated. And Shiro will not encrypt the payload, which means the username and password will be transported in plain text.
So I am considering HTTPS, but I am new to HTTPS. How does HTTPS authenticate the requesting application? Should I use 2-way HTTPS?
Please clear this up for me; an example would be very helpful. Thanks.
Read through this section; it explains how you can have a secure CXF endpoint:
https://access.redhat.com/documentation/en-US/Red_Hat_JBoss_Fuse/6.0/html/Security_Guide/files/CamelCXF.html
If you didn't manage to create your secure endpoint, let me know and I'll create an example for you.

Should I use IIS as a trusted proxy to provide ActiveDirectory SSO for a legacy app?

I'm trying to add Active Directory single-sign-on support to an existing SOAP server. Since it is written in C++ using third party transport components, adding AD SSO doesn't appear to be easy.
Therefore I am thinking of requiring IIS as a trusted reverse proxy and letting it do the Active Directory authentication for the SOAP server. That is, offload all authentication duties to IIS, and just rely on the X-Remote-User HTTP header at the SOAP server. Since the SOAP client is using the WinInet API, all of the authentication is done for us, and this gives the SOAP server single sign-on for free.
client
-> IIS (Active Directory authentication)
-> SOAP server (with X-Remote-User: USERID header)
This appears to be a fairly common problem space; however, although I have found a few IIS proxy programs, I thought this may be something built into IIS.
Is this sort of functionality built into IIS or do I need to build a proxy myself?
Is there a better option than requiring IIS?