I have build a MVC 5 application. Now is time to publish it to production.
The infrastructure consist of two servers: one that can be accessed on internet and the other that is accessed only in intranet.
Server is Windows Server 2012 R2 and uses IIS 8.5 to host the application.
The application consist of backend and frontend. Backend's functionality are accessible only with login.
The problem that I want to solve is: How can I prevent login to the application from Internet and allow it only in intranet?
I think that might be some configuration on web.config to prevent opening of login page.
I have read a lot articles, but all the results are to prevent pages of unauthorized users. In my case login controller has [AllowAnonymous] attribute and it can be accessed without authorization.
If it can be done with a simple configuration in web.config I am going to add a key in web.config to keep track where it is the server on internet or the server on intranet like:
//for server accessible on intranet
<add key="serverType" value="PUBLIC"/>
// or
//for server accessible on intranet
<add key="serverType" value="Private"/>
And in the corresponding controller for login I will check for the value and if it is ConfigurationManager.AppSettings["serverType"] == "PUBLIC" I will redirect it to site public home page.
Does this solution have any security issue?
In this case, I would change the config with transforms or Parameterization (I prefer this one) to use the appropriate authentication type. For example, Anonymous for public and Windows/Forms Auth for private. You would have a transform/parameterization for each server type.
The following posts provide more specifics around ASP.NET security.
https://msdn.microsoft.com/en-us/library/3yfs7yc7.aspx
https://msdn.microsoft.com/en-us/library/7t6b43z4.aspx
http://weblogs.asp.net/jgalloway/archive/2012/08/29/simplemembership-membership-providers-universal-providers-and-the-new-asp-net-4-5-web-forms-and-asp-net-mvc-4-templates.aspx
Related
I built out a few applications - published intranet environment - and all of them are prompting for a username and password in order to access the application (connection to this site is not private).
I am not sure if this is an IIS Setting that needs to be adjusted, I have tried adding everything on my end with the web config settings. Even explicitly turning authentication off and allowing anonymous users, does not do anything.
So my main question is could this security prompt feature be turned off through IIS since the application web.config is yielding no results?
I have the default settings that visual studio generates along with my database connection string.
There's two different things here. First, the prompt is because Anonymous Authentication is not enabled. If you don't want any sort of authentication or authorization, you can simply enable that. However, more likely, since this is an intranet, you do actually want people to be authenticated; you just don't want them to have to "login". For that, you should enable Windows Authentication.
The second piece, "Your connection to this site is not private", is either because you're running on HTTP, rather than HTTPS, or you are using HTTPS, but don't have a valid SSL cert. The latter is a very common issue in intranet scenarios, since there's usually not a public domain you can bind a cert to. In that scenario, you need to generate a self-signed cert and install it on all machines that need to access the site. Alternatively, you can set up your own internal CA, such that you can issue and validate your own internal certificates.
In either case, the message is there to let the user know that communication with this site will not be encrypted, so sensitive things, like say a username and password, will be transmitted in plain-text and can therefore be intercepted by monitoring the network traffic. That may or may not be a concern for your intranet environment, but the message is not internet/intranet-specific.
I want to extend IdentityServer 3 with a 'admin' part where users can manage things like users, clients, etc. This part should be secured by the same ID server implementation (same app in IIS). Do I have to build a separate app or can I extend the same ID server solution? How do I configure the OWIN start up then? When I have
app.Map("/Identity"....)
how do I add:
app.UseOpenIdConnectAuthentication
This results in an 'external' login provider, but that is not what I want. I also tried to add:
app.Map("/admin", config => config.UseOpenIdConnectAuthentiaction())
But that does not work as well, so:
How to have ID server and a client combined in one Solution?
Please help.
Have a look at IdentityManager provided by developers of IdentityServer. This will get you up & running very quickly.
Security Model
The security model can be configured to only allow users running on the same machine or can be configured to use any Katana based authentication middleware to authenticate users.
Hosting Options
IdentityManager is hosted as OWIN middleware. It can be configured with the UseIdentityManager extension method for Katana
This is how you "Get started"
I have a Windows 2003 web server that is serving up 3 public-facing websites via IIS6. The all run under the Default App Pool.
I have added a new, very simple, one page website to serve as a "Maintenance" website. It is setup with anonymous access enabled, and all 404 errors redirect to /index.html.
I basically stop the other 3 websites and start the Maintenance website when it is needed.
The other three websites function normally all day long.
However, the Maintenance website presents users with a login credentials dialog and/or responds with a 401.1 code. I tried adding the IIS_USR account to the directory security with Read and Read & Execute access, but I still have the same result.
I have a very similar setup on three other servers, which serve up additional public-facing websites.
What is going on and how can I fix this?
I am developing an intranet site hosting RESTful services via ASP.NET WebAPI.
I am having an issue where all browsers (Chrome, Firefox and IE) are displaying a login prompt requesting credentials. I am hosting the site in IIS 7.5 on Windows 7 Home Premium with Anonymous Access enabled.
The root URL http://localhost/RootAPI/ should be viewable to anonymous users, but the private routes, e.g. http://localhost/RootAPI/Invoice and http://localhost/RootAPI/Order should be accessed only to authenticated users via the [Authorize] attribute. I am intending to control the authentication process using WebAPI calls via AngularJS once I have fixed this issue.
My website uses the ASP.NET v4.0 app pool identity and I have assigned read permissions to the application's folder for this user.
I have also added http://localhost to the list of trusted sites in IE as well as checking the 'Allow Integrated Windows Authentication' in the Advanced options in IE. Furthermore, the 'Automatic login with current user name and password' is checked in the custom level for the Intranet sites and the issue still persists.
I have got this in my web.config file.
<authentication mode="None" />
<identity impersonate="true" />
When viewing the log files under C:\inetpub\logs\LogFiles\W3SVC1 it does not display the user name (I was expecting to see the anonymous user name) and shows HTTP status 401.
I've spend two days on this frustrating issue and I cannot stop the logon prompt from appearing. Can anyone point me in the right direction as to what I am doing wrong?
I managed to figure this out after discovering the custom authorization filter was being executed and was checking to see if the controller was decorated with [AllowAnonymousAttribute()] and it wasn't.
After adding this attribute to the root controller I no longer received login prompts.
This is what the root controller looks like after adding the attribute filter:
[AllowAnonymousAttribute()]
public class RootController : ApiController
{
...
}
The root page now displays as expected.
My employer has a local ADFS server. We are using o365/SharePoint Online with ADFS so when you attempt to access a SharePoint cloud site you are take to login page on our network.
I need to develop a simple ASP.NET C# website hosted locally on a server on a network.
At a high level what is entailed in using ADFS on asp.net/iis websites? And can it be set so that the same login page is used?
If I have a webpage on a local webserver authenticated by the same ADFS and Iframe that page inside a sharePoint web page authenticated by the same ADFS. Should the page with render without authenticating?
1) I'd recommend checking into Windows Identify Foundation (WIF). Although your app will need to run under TLS/SSL, you probably will just need to run the FedUtil.exe application to generate your application's metadata for ADFS to consume when creating an RP.
2) In theory this might work, but the Iframe'd page will still redirect to ADFS momentarily to get an authentication token. It is just that the login page won't be displayed.