This question surely have been answered before. We need to develop a SSO solution for a client and until they have installed ADFS (which will take some time)...
Our application runs on 4 different applications/ports on the same IIS. We have tried setting authentication mode="Windows" and disabled anonymous access on all applications but receive a 401 unauthorized when the front end (port X) calls one of the backend Web apis (port Y,Z..). The problem is that the authentication is only valid for the first application (front end).
Can we pass the authentication on in some way? I've read about Intranet Zones, etc. but am struggeling a bit as to how this can be done
I've run into this problem myself and found the answer the article titled Forms Authentication Across Applications on MSDN
Relevant Sections Below:
To configure forms authentication across applications, you set attributes of the forms and machineKey sections of the Web.config file
to the same values for all applications that are participating in
shared forms authentication.
Applications that run ASP.NET version 2.0 or later can share forms
authentication ticket information with earlier versions of ASP.NET if
you include decryption="3DES" in the machineKey element for each
ASP.NET version 2.0 (or later) application.
Related
I'm currently building an auth server using Identity Server 4 with a spa (react) application that authenticates against it. I would now like to also take another application that is in current existence (this is ASP.NET MVC 5, targets .NET 4.5, currently uses ASP.NET Identity 2 management classes for managing users and signout/sign in using cookie authentication) and update it so that it can log in externally with this new auth server (so a user can log in using the existing authentication, but also use this auth server now - so that a user session could be shared between this existing app and this other spa app). The problem is as I understand it, that we need to use PKCE to authenticate with the auth server, but there doesn't appear to be a way to do this with the MVC 5 app - I can install the Microsoft.Owin.Security.OpenIdConnect package, but it doesn't allow for using PKCE since this is a newer thing (apparently if you target .net 4.6.1 there is a way to make that work with that version of the OpenIdConnect package). I can't change our target, it needs to stay .NET 4.5 (to upgrade to 4.6.1 or higher would cause all kinds of problems with the build and current packages, it would be a larger undertaking than my organization is willing to take on at this time). Is there a way that anyone knows of to make this work using an ASP.NET MVC 5 app that targets .NET 4.5 and an auth server that uses Identity Server 4? Would the only way be to use a GrantType.Implcit flow instead of requiring PKCE with a GrantType.Code, and would that even be advised now?
Thanks!
In this case you are dealing with 2 clients, spa app & ASP.NET MVC app, each client can have its own flow (grant type). We can use authorization code flow with PKCE, for the spa app. And Implicit flow for the ASP.NET MVC.
PKCE is suggested for interactive applications:
a front-channel step via the browser where all “interactive” things happen, e.g. login page, consent etc. This step results in an authorization code that represents the outcome of the front-channel operation.
a back-channel step where the authorization code from step 1 gets exchanged with the requested tokens. Confidential clients need to authenticate at this point.
The MVC app you described, is just doing authentication, then no worries it's fine to use implicit.
I have a post for implementing it here
Within our organization, our applications are registered as RP’s to our organizational ADFS server, which is v2. Traditionally, apps in the org have been built as single, monolithic apps using WS-Federation (passive authentication). Web API’s, also hosted within each app, are secured simply by the fact that the same FedAuth cookie is being sent over the wire when making the ajax calls from the app’s client-side code in the browser.
We are moving towards building a set of backend Web API’s, which we want to secure so that these are callable by any client, not just a web browser and not just by the hosting application itself. As such, we want to move towards using JWT tokens for these Web API’s. We've also started using ThinkTecture's IdentityServer (v2) to help in this regard.
We have just a few questions which I'm hoping the community can help provide us with some answers/pointers:
How should we configure IdentityServer and apps so that the apps use
the existing organizational ADFS login page?
How can we configure/integrate ThinkTecture IdentityServer v2 with
the organizational ADFS so that our API's can be secured using JWT
tokens but without forcing the user to provide their credentials
again (once they have a SAML token via WS-Federation)?
Are there any features in IdentityServer v3 which are compelling
enough to upgrade from IdentityServer v2 to v3?
1 & 2 - You might want to check out how to establish Relying Parties. Here's a whole article from BrockAllen (the genius behind IdentityServer) that walks you through the ADFS/IdentityServer2 integration.
http://brockallen.com/2013/04/14/getting-json-web-tokens-jwts-from-adfs-via-thinktecture-identityservers-adfs-integration/
3 - As far as I know, IdentityServer3 (IS3) was written to support newer authorization frameworks OpenID for the modern stack better than IS2 (which doesn't support OpenID). Either is fine for use. I personally started with IS3, mainly because of the support and documentation involved. It also integrates very well with OWIN/Katana, so it can self host reasonably well with no hiccups during implementation and deployment. One advantage IS2 has over IS3 is that IS2 has an admin UI you can use configure and register sites, IS3 doesn't. More info about this along with the thought process behind IS3 can be found here:
http://leastprivilege.com/2015/01/25/identityserver3-1-0-0/
I have a basic ASP.NET MVC 3 site using Forms authentication, which will be internet-facing.
I also want to implement a Windows application, purely for intranet usage, which will allow users to maintain various aspects of the ASP.NET user database (it has additional tables and fields beyond the stock schema).
My initial thoughts are that I could do this by having various actions in my controller classes, into which I could pass a dedicated username/password and then within each action method validate those credentials using Membership.ValidateUser() .
I realise I could use mixed-mode authentication with Windows authentication for the intranet part but this seems to me like a lot of unnecessary faffing since the intranet users won't be using a browser to do this.
The Windows application will running on the corporate intranet and will be accessing those MVC 3 actions on the website via internal HTTP requests using this dedicated username/password in the query string.
Question: Is this safe enough?
Hi we have a similar situation, we chose to build the management interface into the web application and using ASP_NET Roles to give access to it.
Otherwise (not sure how it works) but in the properties of a Windows Forms project you have the option of using forms authentication, this could possibly be a better solution.
I'm developing an ASP.NET MVC site that utilizes forms authentication for part of the application. During development, I need to be able to give external parties access to a development server hosting the site. Since I don't want to expose the site to the entire internet, I need to password protect it while still allowing forms authentication to be in use.
Mixing of Windows and forms authentication doesn't work. Is there a standard way of doing this? I would have to think this is a common scenario. The article on MSDN doesn't seem to apply to my situation: http://msdn.microsoft.com/en-us/library/ms972958.aspx
Update: The first two answers suggest adding in standard IIS basic/digest authentication. As far as I know, this is not compatible with forms authentication because the user's identity will be set to the Windows account, not the identity used through forms authentication. I need the two to be completely independent. Any thoughts?
You could protect it in IIS, give those details to the external parties, and leave the forms auth as it is.
Disable anonomous access to force the users to login via a windows account before accessing the site.
I knew a guy who did this using Apache and a reverse proxy.
http://www.apachetutor.org/admin/reverseproxies
Well unfortunately what you're trying to do is not possible in IIS7 (integrated mode), but there is a workaround. I suggest you to read this article written by Mike Volodarsky a former program manager for IIS7 at Microsoft. Article addresses your problem and there is even a sample code you could use.
Besides what it comes with in 2.0 (the generated aspnetdb.mdf), is there a standard login authorization authentication system for asp.net Internet websites? One that can plug into a website.
"the generated aspnetdb.mdf" is the ASP.NET Membership model. You can use it in websites without the generated aspnetdb.mdf.
From an article in MSDN called Introduction to Membership:
ASP.NET membership gives you a
built-in way to validate and store
user credentials. ASP.NET membership
therefore helps you manage user
authentication in your Web sites. You
can use ASP.NET membership with
ASP.NET Forms authentication or with
the ASP.NET login controls to create a
complete system for authenticating
users.
See my answer and comments here, too.
You can use aspnet_regsql.exe to create the required tables/sprocs/views in any sql server db of your choosing. Once you've added the proper connection string and membershhip configuration, you can use all of the membership stuff that was added with .net 2.0
4 Guys has a pretty good tutorial on how to implement the membership system, and they cover using aspnet_regsql.exe.