Bypass choose a digital certificate and present user with pin prompt - security

I am working with a C#.NET application right now where I have smartcard authentication working properly, by allowing users to pick their digital certificate and enter their pin. However I want to do away with allowing the user to pick their certificate and have one of their certificates picked for them automatically (every user has the same certificates). This would make it so that when a user tries to enter the site, they are simply presented with a pin prompt. Any ideas on how to go about doing this? All the users I work with use Internet Explorer 7 and have workstations with ActivIdentity and Tumbleweed.

Write a Java applet to do the job at client side using a PKCS#11 wrapper or, if you can restrict your users to use IE, create and use an ActiveX. I have already done both. For ActiveX you have to have it digitally signed to declare it as a safe ActiveX.
It is not a straightforward task but I found the Java applet easier to implement. The downside is that the JRE (Java Runtime Environment) should already be installed at client side and play nice with the browser. The user also has to grant permission to the applet to connect to his smart card at first run.

Related

WebAuthn only shows option for USB Security Dongle in Windows 10 - no option for Fingerprint/PIN/Password

I'm testing WebAuthn (https://webauthn.me) with the intent to implement it in a web portal. However, I need Windows users to be able to use Fingerprint sign in, not just USB Security Key.
When testing from Windows 10/Chrome (latest) I only get the option to use USB Security Key, even though the laptop has a built-in fingerprint reader that is connected to Windows Hello (I can sign into Windows with the fingerprint reader). Also PIN and Password are enabled in Windows Hello.
I do not have a USB Security Key device, and have never had one setup with this computer.
However, when I test WebAuthn.me and click the Register button, I am prompted with the options "External security key or built-in sensor" and "Add a new Android phone". When I select the option "External security key or built-in sensor", Windows pops up a modal box asking me to set up my security key:
However, there is no option to use a fingerprint, PIN, or password instead.
Since the fingerprint reader and PIN/Password are integrated into Windows Hello, and actively working, why won't it let me choose any of those options instead of the physical USB Security Key? Is there a parameter in the WebAuthn request that I'm missing or possibly a registry change that needs to be made?
Note that WebAuthn.me works as expected on Android Chrome (option to use Lock Screen as the login method allows fingerprint, code, etc, to be used).
Thanks for any explanation of why Windows would hide the Fingerprint/PIN/Password options and only allow USB Security Key when Windows Hello already knows about the fingerprint reader, PIN and Password as legitimate ways to authenticate the user.
Windows Hello requires RS256 (alg: -257) to be added to the pubKeyCredParams array. Try using https://webauthn.me/debugger which enables this by default.
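As an added example (not part of the answer above and not code from webauthn.me), the sketch below builds registration options with and without the RS256 entry the answer names and checks `pubKeyCredParams` before the options would be passed to `navigator.credentials.create()`. The function names, relying-party name and sample user are hypothetical, and the fixed challenge bytes are constructed sample data.

```javascript
// COSE algorithm identifiers used in pubKeyCredParams.
const COSE_ES256 = -7;   // ECDSA with SHA-256
const COSE_RS256 = -257; // RSASSA-PKCS1-v1_5 with SHA-256 (the value the answer names)

// Build the publicKey options for navigator.credentials.create().
// Hypothetical helper: the challenge must be fresh random bytes from the server.
function buildRegistrationOptions(challenge, user, algs = [COSE_ES256, COSE_RS256]) {
  return {
    challenge,
    rp: { name: "Example Portal" }, // assumed relying-party name
    user: { id: user.id, name: user.name, displayName: user.name },
    pubKeyCredParams: algs.map((alg) => ({ type: "public-key", alg })),
    timeout: 60000,
  };
}

// Return a list of findings about pubKeyCredParams; an empty list means none.
function auditPubKeyCredParams(options) {
  const params = options.pubKeyCredParams;
  if (!Array.isArray(params)) {
    return ["pubKeyCredParams must be an array"];
  }
  const findings = [];
  params.forEach((p, i) => {
    if (p.type !== "public-key") findings.push(`entry ${i}: type must be "public-key"`);
    if (!Number.isInteger(p.alg)) findings.push(`entry ${i}: alg must be a COSE integer`);
  });
  if (!params.some((p) => p.alg === COSE_RS256)) {
    // Per the answer above, Windows Hello needs this entry to be offered.
    findings.push("RS256 (alg: -257) is not listed explicitly");
  }
  return findings;
}

// Constructed sample input (fixed bytes only so the example is reproducible).
const sampleChallenge = new Uint8Array(32).fill(1);
const sampleUser = { id: new Uint8Array([1, 2, 3, 4]), name: "alice@example.test" };

const es256Only = buildRegistrationOptions(sampleChallenge, sampleUser, [COSE_ES256]);
const withRs256 = buildRegistrationOptions(sampleChallenge, sampleUser);

console.log(auditPubKeyCredParams(es256Only)); // one finding: RS256 missing
console.log(auditPubKeyCredParams(withRs256)); // no findings
```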

Webdav for Xpages and Domino only works giving anonymous full access rights

I have installed webdav for Domino and made the required changes in the webdavconfig.nsf.
If I give designer rights to anonymous users, I can access and update the Word documents in the database through Internet Explorer and MS Word, but if I change them back to no rights, I can't. Of course I want to edit them with my own credentials.
What am I doing wrong?
OS windows 10
URL which works anonymous (????? are hidden)
webdavs://dev.?????.nl/webdav/domino/eod.docx
https://dev.?????.nl/development/webdab.nsf
https://dev.?????.nl/webdav/domino/
Any help would be appreciated!
I wrote that application.
You are in the tricky land of authentication. Domino supports: Basic, FormBased, Cookie based (LTPA), SPNEGO and SAML. The latter 3 need configuration work.
What happens when you use WebDAV is that no longer your browser, but a local library (belonging to Explorer or Office) talks to Domino.
You can "manually" try that using File - Open and paste the URL to the document (the one with https://, not webdavs://).
The only thing that happens with a webdavs:// url: a little helper checks, based on extension in the registry, what app is needed (Word, Excel, OpenOffice) and then calls that app with the https:// url as parameter. Like starting e.g. Excel from the command line:
excel.exe https://someserver/path/spreadshit.xls
By default Windows now uses NTLM or Kerberos authentication, neither of them supported by Domino (there used to be a proxy translating NTLM to LTPA by a 3rd party). So no credential reaches Domino. Hence you need anonymous access rights.
For older versions of Windows I described what you need to do to get Basic Auth going.
Never came around to check what setting you would need on Windows 8 or 10 to allow basic auth there. Also, in theory, SAML or SPNEGO SSO might do the trick.
If you got Mac or Linux, you could check them first.
So the challenge isn't with the webDAV plugin as such, but in finding a common authentication ground between the OS and Domino. Hope that clarifies it a little.
Let us know how it goes!

How can I know the password of WiFi stored in my mobile

I have a bunch of WiFi names and passwords stored in my mobile but I want to know their passwords without rooting my mobile. Is there any way I can know that? In future, if I add any new password, can I store them in a separate file behind the scenes?
I am using a Google Nexus 4.
There is a way, if you can enable ADB (Android Debug Bridge) from the phone settings.
You just need to pull the file /data/misc/wifi/wpa_supplicant.conf to your PC. It contains the stored passwords.
Tutorial with the steps: https://www.quora.com/How-do-you-see-a-saved-Wi-Fi-password-on-Android-without-root-privileges

Loading a DocuSign document on initial boot

I am trying to make it so that when a user turns on their device (will either be a tablet or a laptop) a DocuSign document loads up immediately. The user must sign the agreement before using the device. After that I want them to have access to the device and each boot thereafter I want the device to boot up normally. Can anyone help me with that? I would prefer that the DocuSign document is a PDF, but the format is not the most important variable in this equation. Getting the idea to work is important, I'm completely open as far as file formats and computer languages go. The signed document would be sent to a predetermined email address. Thank you in advance for any help provided. -Domitros
Also, all devices will be running on Windows 8.
I was thinking of using a batch file to load the DocuSign document? But, like I said, I'm open to suggestion.
What I've done so far is as follows: I created a new standard local account. I set Windows to boot up as the newly created user. On their desktop is only 1 icon, a shortcut to the DocuSign user agreement that they need to sign. I'm set to receive notification when a document has been signed. Unless I can figure out a means of automation I will have to remote into the user's device, via Citrix, and erase the user mentioned above and set Windows to boot up as the user with access to all the software necessary for the user to do their job. Seems like there is a better way, but I'm not seeing it.

Running Activex control and Maintaining security

In my web application, I have a part that invokes an ActiveX control. The ActiveX control is available on all the client PCs that access my web application from the web server. But when trying to run this ActiveX control from the browser on a client machine (using Wshell), it was not getting invoked since "Run ActiveX controls and plug-ins" is disabled in my browser. So I changed the browser setting to enabled, and then the ActiveX control gave me the expected output. I am afraid that this change in browser settings would allow any other website to harm my system. How could I get rid of this problem? Any thoughts? Thanks in advance
There have been a lotta security changes introduced from Vista + IE7 onwards, wherein IE starts in Protected Mode, which helps protect users from attack by running the Internet Explorer process with greatly restricted privileges. Protected Mode significantly reduces the ability of an attack to write, alter or destroy data on the user's machine or to install malicious code.
More details : http://msdn.microsoft.com/en-us/library/bb250462.aspx#wpm_aarwm
So developers have to modify their applications to conform to the new standards, like starting the process from the plugin, sending Windows messages from an LI (Low Integrity) to an HI process, etc.
You can digitally sign your ActiveX so that users do not have to compromise the security of their browser too much in order to allow it to run. But, essentially, ActiveX isn't very secure and these problems always pop up when you choose ActiveX...
