I am calling the SharePoint 2010 REST/ODATA api and by default the data context uses DefaultCredentials, which is really the logged-in user of my Asp.Net application. If I don't attach DefaultCredentials to the context, then I just get 401 Unauthorized.
I was wondering how to call SharePoint API while using the Application Pool credentials? I am trying to follow the trusted systems security approach. Otherwise the SharePoint site needs to grant ODATA access and certain lists need be writable by basically everyone (gak!).
For example, with a SQL connection, I would just set "Integrated Security=true" to use the application pool credentials.
Am I right that you are running an ASP.NET application on other than the SharePoint server? (Outside of the farm; just a machine with IIS and ASP.NET.) If your ASP.NET application pool runs under the same user as your SharePoint web application you can temporarily impersonate the code of you handler or page to the application pool user and use the default network credentials:
using (HostingEnvironment.Impersonate()) {
ICredentials credentials = CredentialCache.DefaultNetworkCredentials;
// ... use the credentials
}
If you know credentials (name and password) of the application pool user from some configuration you can make the HTTP request using them directly:
ICredentials credentials = new NetworkCredential("user_name", "password");
// ... use the credentials
--- Ferda
Related
I have an Azure Application Gateway sending user (HTTPS) traffic to a single backend web server, which is hosting an ASP .Net Framework 4.8 web application in IIS 10; users sign-into the web application using Windows authentication. The Application Gateway is not using cookie-based affinity (as there is only one web server). ASP .Net is using a SQL Server session state database:
<sessionState mode="SQLServer" stateNetworkTimeout="30" timeout="30" allowCustomSqlDatabase="true" sqlConnectionString="Data source=***********************;Database=ASPState;Integrated Security=SSPI;Persist Security Info=True" />
When users sign into the web application, as it is using Windows authentication, they are automatically authenticated using their Windows credentials, so they do not have to enter their user id and password. However, they will sometimes be signed in as the wrong user (someone else who is already signed-in). This only happens when using Application Gateway, and does not happen if the users go direct to the web service URL (bypassing Application Gateway).
When this bug happens, the application logs suggest that ASP .Net is getting the session id for the wrong user, i.e., the session id of the other user who is already signed-in. In Global.asax.cs, Session_OnStart the following gets logged:
Session.SessionID = sessionId for the wrong user
HttpContext.Current.User.Identity.Name = Windows userid for the wrong user
Session.IsNewSession = True
HttpContext.Current.User.Identity.IsAuthenticated = True (this is to be expected because Windows authentication is being used, so the user is already authenticated by IIS)
My guess is that Application Gateway is not persisting the user's Windows identity correctly between requests.
I created an Azure Mobile App Service which is currently accessible 'Anonymously'
Anonymous access is enabled on the App Service app. Users will not be prompted for login.
To make it secure I can enable App Service Authentication which will ask users to log in
But this is not what I want - The data in this app is only accessed by Application without the need of each and every user to login to my app before using it.
So you might say, in this case, Anonymous access is fine but I want to restrict it with something at least like an API Key so I will have access to the API which my app can use to access the data to prevent random requests as anyone can just go and use Postman and start getting data without any authentication.
So in short, I don't want individual user authentication, but at least an API Key to ensure only requests made from my app are authenticated and nothing else.
I am using the following in my mobile app to create a connection and also doing Offline sync etc
MobileServiceClient client = new MobileServiceClient(applicationURL);
Any idea how do I do that?
FYI. My server side backend is in C#
Since you are using Azure Mobile Apps, for your requirement, you could leverage Custom Authentication for building your CustomAuthController to login and generate the JWT token for a specific user without user interaction. The core code snippet for logging would look like as follow:
MobileServiceClient client = new MobileServiceClient("https://{your-mobileapp-name}.azurewebsites.net/");
client.LoginAsync("custom", JObject.FromObject(new{Username="***",Password="***"}));
Note: As the above tutorial mentions as follows:
You must turn on Authentication / Authorization in your App Service. Set the Action to take when request is not authenticated to Allow Request (no action) and do not configure any of the supported authentication providers.
And you must explicitly add [Authorize] attribute for your controllers / actions which need to be authorized access. Details you could follow Authentication in the Backend.
With asp.net vPrev we was able to separate application pool account and access account for anonymous access ("anonymous user identity", IUSR be default). This is extremely helpful to secure the app: you may sure that no high level access will be provided for anonymous, even if application pool account has high privileges.
Is it any way to do the same for ASP.NET Core application? From my understanding of core's execution model that will not be possible, because IIS act just as a proxy. Am I right?
May be there are some ways to do the same but with an another approach? The main goal is to have ability to switch context between application pool and anonymous context. As simple example: when app starting we can read\write\do whatever with application pool account, but inside request context we will operate with anonymous user identity.
Not a fan of answering own questions, but subject is possible. You can get anonymous user context from IIS SDK:
using Microsoft.Web.Administration // from Microsoft.Web.Administration.dll, nuget microsoft.web.administration
// ....
Configuration config = serverManager.GetApplicationHostConfiguration();
ConfigurationSection anonymousAuthenticationSection = config.GetSection("system.webServer/security/authentication/anonymousAuthentication", siteName);
string userName = (string)anonymousAuthenticationSection["userName"];
string pwd = (string)anonymousAuthenticationSection["password"];
Of course this is not really secure (in have to run your app under account that have access to IIS) and you need to keep site name somewhere in config, but it works.
First I am new to the topic ADFS and Reverse proxy. The goal is a Single-Sign-On OAuth2 authentication for SPA Web application.
I have an on premises ADFS Server called "Server-A" which is on "Domain-A" and an web server called "Server-B" which is on "Domain-B". Also I have one proxy server called "Server-C". Now if any user want to access any resource of my web Server-B then they need to authenticate first and this happening via ADFS(Server-A), this ADFS call is happening via proxy Server-C.
Problem –
If I am trying to access ADFS server directly (without proxy) then user able to login and I am getting token and claims both. But if I am trying to access via proxy then when posting back the token throwing below error(found on ADFS event log) –
Encountered error during federation passive request.
Additional Data
Protocol Name:
wsfed
Relying Party:
Exception details:
System.ArgumentNullException: Value cannot be null.
Parameter name: encodedGenericRequest
at Microsoft.IdentityServer.Web.Protocols.GenericProtocolRequest..ctor(String encodedGenericRequest)
at Microsoft.IdentityServer.Web.Protocols.WSFederation.WSFederationProtocolHandler.GetOriginalRequestFromResponse(ProtocolContext context)
at Microsoft.IdentityServer.Web.PassiveProtocolListener.ProcessProtocolRequest(ProtocolContext protocolContext, PassiveProtocolHandler protocolHandler)
at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)
I am using ADFS 3.0 and Window Server 2012 R2 and reverse proxy using
ARR and URL rewrite module on IIS.
I am looking for a solution for the above issue.
Thanks in advance.
I have a ASP.NET application that need to access to ANOTHER application, the ANOTHER application expecting Kerberos authentication, it based on the user credential to response to the request. My ASP.NET app is running on a AD service account that is setup to allow delegate to the ANOTHER application (with proper SPN).
So the process is, user requests to the ASP.NET app, the ASP.NET app will impersonate the request to the ANOTHER application by delegation (with kerberos).
When I run the app in local machine (My ASP.NET resides), the request was successful, however, if the request is coming from remote client machine, it failed, from the ANOTHER application's log, it shows the Identity is not presented.
Any clue?
Have a look at the following which appears to be very similar to your situation:
https://serverfault.com/questions/270293/moving-my-website-to-different-server-changes-authentication-from-kerberos-to-ntl/270306#270306
There are some resources that that should help you troubleshoot.