We have an asp.net web application which maintains a table with user information, passwords and roles. I am trying to import this information to a Membership database and ultimately use them for Form Based Authentication in a Sharepoint 2013 web application. I also noticed that the Membership database which I created does not store passwords. At this point I am a bit confused as to how to proceed with creating a FBA for my sharepoint site using the same member credentials and roles from my existing table.
It does actually store passwords. You probably have it configured for ‘hashed’ passwords – so you can’t actually see the passwords in the table – only a 1 way hash of the passwords. If you set the passwordFormat to Clear, the passwords will be in plain text within the db.
That being said, for security I do suggest you use Hashed. Do a search on google on how to hash your existing passwords so they can be put in the db in the correct format. But if you want to get it up and running quickly, use Clear and then Hash them in the future once you’ve got everything working.
And just a note - the password field is on the aspnet_Membership table.
Related
I have a set of encrypted financial data for investors and need to store it in a database. The investors must be able to see the data when logged in to the app but the developers and everyone else mustn ot be able to see it.
Additionally the investors are not tech savvy and can not be given a key to use apart from a username and password.
What technologies/encryption approaches can I take with the app so that the financial data can be kept secret from me and other developers by the company, I'm assuming they encrypt it before uploading it for example, but allow the valid users to access it.
Is there a way to do this without putting a technical burden on the investors so that they don't have to have anything more than a username and password whilst also not storing their "keys" in the database so that a developer could technically decrypt it.
We make heavy use of dynamic datasources. We retrieve server name and database names from a table in a SQL Server database. A package loops through the server names and database names and executes once for every server, for every database.
These values are then put into the ServerName and InitalCatalog fields of the dynamic connection. User and password are pre-defined (and therefore the same for every connection). I would like to fill the user + password from a table too but then I have to store the passwords as clear text in that table.
Is there a way to store the password encrypted in that table and decrypt it when I need to use it? Any person having access to the SSIS package is allowed to know the passwords but they should not be easily read from the table containing the connection strings.
All suggestions to handle this (f.e. using different approaches) are very much appreciated !
The preferred solution is to keep using integrated security.
Normally the job will try execute the step under the account of the SQL Agent, that is not what you want.
Proxy account is a replacement for the credentials for the SQL Agent account (msdn.microsoft.com/en-us/library/ms175834.aspx), also not helpfull in this case.
I remember that on Windows 2000 we used a trick by creating same local accounts with identical username and passwords on all servers to overcome the SSO limitation, it will probably work in your situation.
Yes, you can encrypt/decrypt a column. See Microsoft's walkthrough here:
https://learn.microsoft.com/en-us/sql/relational-databases/security/encryption/encrypt-a-column-of-data?view=sql-server-2017
Best practice is to then create a view that decrypts the column and then grant user-level (i.e., SELECT, ALTER, INSERT, UPDATE, etc.) access to the view only because the view must have the symmetric key to decrypt the data. Exposing the key can be a security vulnerability, so you want that locked down as much as possible. A view with limited user access is the best place to allow a key to be exposed (if there is ever a good place to expose a key, which there is not).
But, Ako is correct. Use integrated security.
I'm new to couchDB and still reading tutorials. My question is if it is the normal way to represent every user of my application as a new database user, as it seems to be explained that way everywhere I look?
Let's say I have an online game with many different players - would I create a new "database user" for every player who registers? Or would I make my own database "players" and create a sign-in logic in the app? Not being used to document-driven DB's it seems strange to me not to distinguish between db-users and users of my application...
You could do it either way. First about couchdb users
Users in couchdb are stored in a special _users database
Database permissions are handled by a special _security document. This is specific to every database.
In security documents you add users that you have already stored in the _users database previously.
So you can certainly create a database per user. Before doing that ask yourself if the data that you store in each database is truly independent. Because you can't run map reduce queries across databases. So if you are planning to do aggregation across data for different users then this approach will not work.
Couchdb can also help you with app level authentication. Since couchdb uses a cookie based authentication:
Store your "business logic users" in the special _users database.
Authenticate it with the _session endpoint.
Extract the cookie header and sent it with your application headers.
All the logic for authentication is implemented for you by couchdb. All you have got to do is manipulate headers. Send the cookie from your application and when authenticating with couchdb send it with couchdb's headers.
If you prefer to write entire session management in your application that is fine too. In this case simply store the users in your database and verify that they exist before authenticating them. Like you would do with another database.
The benefit of using couchdb is that it is secure by default --using pbkdf2 encryption scheme to encrypt passwords.
If you instead want to manage all docs using a single database, but still implementing read/write ACLs, you can check the Chatty Couchapp Tutorial app from Smileupps App Store
It's a pure couchapp, relying on CouchDB only as its backend. The tutorial is still work in progress but the couchapp is fully working and you can download its source code.
It implements role/user based read/write ACLs using a single CouchDB database. This way you don't have to setup N replications where N depends on the number of your users. You only have one database containing all your data, easy to be queried on the fly(with temporary views) and for maintenance operations. Of course you can decide to increase the number of database, depending on type of your data and use cases.
A single couchapp contains all the necessary code for frontend, admin dashboard and server side API implementing business rules
The user, depending on his roles have different access to different sections. i.e. he can access the frontend website, but not the admin dashboard.
You can install the free trial, then download the source code with Smileupps deployment tools, change it, upload it back and check your changes.
I'm developing custom client/server application that requires client to log in with their username and password. The user accounts are not related to Windows/AD accounts in any way. After login, client application will request other services from server system.
My question is what is the best way to implement this? What kind of architecture would fit best here? I guess some kind of ticket/token authentication system needs to be implemented???
Thanks
You may in fact want to implement a system which passes "tickets" along between the different parts (login server, client, app server). This ticket will contain basic information such as the user ID (the username, the row id, etc). This ticket will either be encrypted with a secret key that the authorized servers share, or will be stamped with a hash of the ticket contents salted with a secret key that the servers share. The first way makes it possible for only the authorized servers to create and read the ticket, and the second way makes it possible for the authorized servers to verify that only the authorized servers could have created the ticket but permits anyone to read the ticket. All app servers will check the ticket (by attempting to decrypt it or by verifying that the hash matches) before proceeding with any actions that should be protected. If this is a web app, then cookies are a good place to store the ticket.
You haven't said much about your architecture, other than it is Client/Server, so I am assuming you're using some sort of forms designer like Windows Forms in VS. In these cases I have always used some form of database table authentication, as it is easy, simple to setup, and reasonably secure. You can even set up groups and roles this way, without much fuss.
Table: Users
Fields: UserID PK
Login Text
Password Text
...
Table: Roles
Fields: RoleID PK
Role Text
...
Table: UserRoles
Fields: UserID FK
RoleID FK
Is user profiles an appropriate place to store things like number of items per page in a custom grid user selected? (I you can store it in the view, but it won't be per user this way).
My first though was to store these settings in user profiles, but there are problems with access permissions for programmatically creating user profile properties boiling down to you either have to give every user 'Manager User Profiles' permission in SSP or you have to run the application pool under a domain user, not NETWORK SERVICE. Both scenarios are unrealistic for me, so I'm now looking for another way to store such 'per user' settings.
Thanks!
Edit: I'm now considering ASP.NET profile mechanism with an additional DB to store user properties.
Given that the information is not sensitive a simple database with values stored against AD login should suffice.
And as you have the ASP.Net user database already, storing the information there would be the best option.
Maybe a Global List, that is only accessible for the SHAREPOINT\SYSTEM User and that you can then Query in a SPSecurity.RunWithElevatedPrivileges Function.
Disadvantage: You require Custom code to read/write to that list.
Cookie?
Sure they have limitations, but it is fairly easy to create the control to run javascript to add/edit the value