How to make Windows Authentication with specific users and roles that can access the application? (ASP.NET CORE MVC) - asp.net-mvc

I have an intranet application with Windows Authentication, and I want to have a database table that contains the users allowed to access the application.
I want to get the username after someone tries to log in (successfully, meaning the user exists in the domain), check whether it is present in the database to allow access, and otherwise redirect to a static HTML page saying he can't access the application.
How can I achieve something like that?
And regarding [Authorize]: can the user roles that ASP.NET Identity provides be used in Windows Authentication mode to solve this problem?
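One way to build this in ASP.NET Core, as an added example that is not part of the original post: Windows authentication establishes who the caller is, an IClaimsTransformation looks the account up in the allow-list table and adds an application claim plus a role only for listed accounts, and a fallback authorization policy turns "not listed" into a 403 that is redirected to a static page. The Negotiate handler is assumed (self-hosted on Kestrel; under IIS the IIS module supplies the scheme instead), the in-memory store stands in for the real table, and the account names and /denied.html are placeholders.

```csharp
// Program.cs for an ASP.NET Core (6+) MVC app: Windows authentication plus a
// database-backed allow list. Example code, not from the original post.
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Negotiate;   // NuGet: Microsoft.AspNetCore.Authentication.Negotiate
using Microsoft.AspNetCore.Authorization;

var builder = WebApplication.CreateBuilder(args);

// Kerberos/NTLM via the Negotiate handler (Kestrel). When hosted in IIS, use the
// IIS module's scheme instead: AddAuthentication(IISDefaults.AuthenticationScheme).
builder.Services.AddAuthentication(NegotiateDefaults.AuthenticationScheme).AddNegotiate();

// Deny by default: every endpoint needs a Windows-authenticated user that also carries
// the "app-user" claim, which the transformation below adds only for listed accounts.
builder.Services.AddAuthorization(options =>
{
    options.FallbackPolicy = new AuthorizationPolicyBuilder()
        .RequireAuthenticatedUser()
        .RequireClaim("app-user")
        .Build();
});

builder.Services.AddSingleton<IAllowedUserStore, InMemoryAllowedUserStore>(); // swap for your DB table
builder.Services.AddTransient<IClaimsTransformation, AllowListClaimsTransformation>();
builder.Services.AddControllersWithViews();

var app = builder.Build();

app.UseStatusCodePages(ctx =>
{
    // Only a 403 (authenticated but not listed) goes to the static page. A 401 must be
    // left alone so the Negotiate/NTLM handshake with the browser can complete.
    if (ctx.HttpContext.Response.StatusCode == StatusCodes.Status403Forbidden)
        ctx.HttpContext.Response.Redirect("/denied.html");
    return Task.CompletedTask;
});
app.UseStaticFiles();          // serves /denied.html before authorization runs, so no redirect loop
app.UseAuthentication();
app.UseAuthorization();
app.MapDefaultControllerRoute();
app.Run();

// Lookup against the allow-list table: the application role, or null if the Windows
// account is not listed. (Hypothetical interface; the real store queries your table.)
public interface IAllowedUserStore
{
    Task<string?> GetRoleAsync(string windowsAccount);
}

// Placeholder for the real table (assumed schema: Account, Role).
public sealed class InMemoryAllowedUserStore : IAllowedUserStore
{
    private static readonly Dictionary<string, string> Rows =
        new(StringComparer.OrdinalIgnoreCase)
        {
            ["CORP\\alice"] = "Admin",    // constructed sample accounts
            ["CORP\\bob"]   = "Reader",
        };

    public Task<string?> GetRoleAsync(string windowsAccount) =>
        Task.FromResult(Rows.TryGetValue(windowsAccount, out var role) ? role : null);
}

// Runs on every authenticated request after the Windows identity has been established.
public sealed class AllowListClaimsTransformation : IClaimsTransformation
{
    private const string AppUserClaim = "app-user";
    private readonly IAllowedUserStore _store;

    public AllowListClaimsTransformation(IAllowedUserStore store) => _store = store;

    public async Task<ClaimsPrincipal> TransformAsync(ClaimsPrincipal principal)
    {
        var account = principal.Identity?.Name;   // e.g. "CORP\alice" as supplied by the domain
        if (string.IsNullOrEmpty(account) || principal.HasClaim(c => c.Type == AppUserClaim))
            return principal;

        var role = await _store.GetRoleAsync(account);
        if (role is null)
            return principal;   // valid domain user but not listed: fallback policy yields 403

        // Add the application claims as a second identity rather than mutating the
        // WindowsIdentity; IsInRole and [Authorize(Roles = "...")] consult all identities.
        principal.AddIdentity(new ClaimsIdentity(
            new[] { new Claim(AppUserClaim, "true"), new Claim(ClaimTypes.Role, role) },
            authenticationType: "AllowList",
            nameType: ClaimTypes.Name,
            roleType: ClaimTypes.Role));
        return principal;
    }
}
```

With this in place a controller can use plain [Authorize(Roles = "Admin")]; the roles come from your table rather than from ASP.NET Identity, which is not needed here because the domain already performs authentication.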

Related

Is it possible to use authenticatedUserOverride in IIS and still get the windows user within an MVC application?

We're trying to set up IIS so that it uses its IIS AppPool identity when going against ACL permission checks (when getting static files from the filesystem), so that we don't have to add "Everyone" or "Authenticated Users" to the main app folder or specific folders.
We've found that setting authenticatedUserOverride to UseWorkerProcessUser achieves the above, but it no longer lets us access the specific Windows user hitting the website from within the MVC application.
Is there a better way to accomplish this? Again, we're trying to avoid having the specific user's credentials validated against ACLs when accessing files.
You can still get the authenticated user that is accessing the site using the LOGON_USER in the Request:
Request["LOGON_USER"]
Scott Forsyth details this on his blog under option #4 (http://weblogs.asp.net/owscott/iis-using-windows-authentication-with-minimal-permissions-granted-to-disk).
As for the best way to accomplish this, I think you are on the right path. I have used this approach along with the roles authorization aspect of ASP.NET to allow/deny access based on membership.
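A worked example of consuming LOGON_USER in an ASP.NET MVC 5 application, added here and not taken from the answer or from Scott Forsyth's post: once authenticatedUserOverride is set to UseWorkerProcessUser, a global authentication filter reads the browser user from the server variable and installs a principal for it, so [Authorize(Roles = ...)] and User.IsInRole() downstream keep seeing the real user. The role lookup is a stand-in for whatever membership source you use (the answer mentions ASP.NET roles); the account and group names are constructed.

```csharp
// Global authentication filter for ASP.NET MVC 5 (System.Web.Mvc). Example code,
// not from the answer or the linked blog post.
using System;
using System.Collections.Generic;
using System.Security.Principal;
using System.Web.Mvc;
using System.Web.Mvc.Filters;

public sealed class LogonUserAuthenticationFilter : FilterAttribute, IAuthenticationFilter
{
    public void OnAuthentication(AuthenticationContext filterContext)
    {
        // With authenticatedUserOverride="UseWorkerProcessUser" the request runs as the
        // app pool account, but IIS still exposes the browser user in this server variable.
        string logonUser = filterContext.HttpContext.Request.ServerVariables["LOGON_USER"];
        if (string.IsNullOrEmpty(logonUser))
        {
            // Anonymous request (or Windows authentication not enabled): leave the principal
            // alone so [Authorize] still produces the normal 401 challenge.
            return;
        }

        string[] roles = RoleLookup.RolesFor(logonUser);
        var identity = new GenericIdentity(logonUser, "Windows");
        // MVC copies a replaced Principal to HttpContext.User and Thread.CurrentPrincipal,
        // so AuthorizeAttribute and User.IsInRole() see the browser user, not the pool account.
        filterContext.Principal = new GenericPrincipal(identity, roles);
    }

    public void OnAuthenticationChallenge(AuthenticationChallengeContext filterContext)
    {
        // Nothing to add: IIS already issues the Negotiate/NTLM challenge.
    }
}

// Stand-in for the real membership source (ASP.NET role provider, AD groups, or a table).
internal static class RoleLookup
{
    private static readonly Dictionary<string, string[]> Table =
        new Dictionary<string, string[]>(StringComparer.OrdinalIgnoreCase)
        {
            { @"CORP\alice", new[] { "Editors" } },   // constructed sample data
            { @"CORP\bob",   new[] { "Readers" } },
        };

    public static string[] RolesFor(string account)
    {
        string[] roles;
        return Table.TryGetValue(account, out roles) ? roles : new string[0];
    }
}

// Register once in App_Start/FilterConfig.cs:
//   filters.Add(new LogonUserAuthenticationFilter());
// then protect controllers as usual, e.g. [Authorize(Roles = "Editors")].
```

Because LOGON_USER is populated by IIS only when Windows authentication succeeded, the value is trustworthy; the filter deliberately does nothing when it is empty rather than treating the request as a known user.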

Single Sign-On for Web Applications (ASP.NET MVC) together with LDAP

Our customer is using LDAP and 3 web applications. The problem is that the user is constantly forced to log on to each web application separately.
He should be able to use Windows authentication / LDAP together with single sign-on in order to use all 3 web apps without being redirected to each login page.
So far, I have found this solution:
https://msdn.microsoft.com/en-us/library/ms972971.aspx
In this case, "This Web site verifies (Step 2) the user against their Windows credentials (through Active Directory)." I don't understand how to check the user's password.
In this example only the user ID is used. Does it mean that I'm only able to get the user's ID and check if a user with the same ID exists in LDAP?
I would like to know if there's another, better way to implement the described functionality.
Please help

How will “windows based” authentication work in MVC web application, if users access the application from outside the company intranet

I have the following architecture:
Active Directory server
IIS which will host ASP.NET MVC
Both the Active Directory server and the MVC web application are inside our company intranet.
I set the ASP.NET MVC authentication type to Windows-based.
But I have these questions:
If our company employees try to access the ASP.NET MVC web application from home using their personal PCs, will Windows authentication work?
If the above answer is yes, then how will they be typing their usernames? Something similar to username@domain.com?
According to my above requirements, should I consider having forms-based authentication that is connected to AD instead of using Windows-based authentication?
Thanks for any help and advice
Best Regards
Assuming your website in IIS is visible to the outside through the firewall, then yes, it will be accessible from home.
Depending on the browser, you should get a pop-up asking for username and password, and the username should be typed as
MYDOMAIN\JOEBLOGGS
This setup may well work fine, but it depends on your needs: is your network admin happy to open this server up to the outside world?
There can be a quirk when using Internet Explorer externally, where IE does not display a pop-up box and instead tries to authenticate with the local Windows username, which may not match the AD username if it is a personal PC. To get around this on the client, go to Internet Options > Security > Custom Level, then scroll down to User Authentication and select 'Prompt for username and password'.

universal security in mvc

I have created a web site with MVC, including the security part of the site. Users can register on it, and information about users is stored in aspnet_users and aspnet_membership (roles in aspnet_roles). I looked at these tables and saw that all the information belongs to one application (my current web site). But I want to make it so that when I create a new web site, all users who registered on the first site can log on without registering again. How can I do it?
You could configure both sites to point to the same SQL database for authentication and authorization. For this you will need a separate instance of SQL Server accessible from both sites.

DB access denied with ASP.Net MVC application after switching to windows authentication mode

I have an MVC application that I am now trying to add authentication and authorization to.
I want to allow users to get to the site and be automatically authenticated. So I set authentication mode="Windows" in the web.config and enabled NTLM in the project options. The site now shows my domain name in the top right when I run it, but when I hit an action that needs DB access, it tells me access is denied for my username.
What step am I missing?
This is not necessarily an IIS or Windows Authentication issue. I would assume that your connection string looks something like this:
Data Source=myServerAddress;Initial Catalog=myDataBase;Integrated Security=SSPI;
Now that you are using Windows authentication, the Domain\username is being passed to SQL to authenticate to the database. If you do not have the entire domain (or at least the subset logging into your application) as valid users in SQL, then you will get an unauthorized exception. You will need to
a) pass a username/password to SQL in the connection string as below, or
b) add the users of your application to the security users of the database, or
c) use the impersonate attribute in the web.config file to impersonate a user that has access to both the application files on the web server and the database.
SQL connection string with username/password:
Data Source=myServerAddress;Initial Catalog=myDataBase;User Id=myUsername;Password=myPassword;
This is the subtle difference between authentication and authorization.
Authentication is the act of identifying who the user is (and you've done this bit).
Authorisation is the act of determining who is allowed to do what (you need to apply the appropriate access permissions to the database for each of your users/roles).
The subject of database access permissions is a little too complicated for sensible coverage on this forum, so I suggest that you do a bit of research via Google, etc.
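A quick check, added here and not part of either answer, that shows which identity SQL Server actually sees for the Integrated Security=SSPI connection string above: SSPI sends the identity of the thread that opens the connection, which under IIS without <identity impersonate="true"/> is the application pool account, and under IIS Express or the Visual Studio development server is the logged-on developer, regardless of which browser user Windows authentication identified. The connection string name "AppDb" and the T-SQL in the comments are assumptions; the action prints all three identities so you can see which one needs a login.

```csharp
// DiagnosticsController.cs for ASP.NET MVC 5: report the web user, the process identity,
// and the login SQL Server resolves for the SSPI connection. Example code, not from the answers.
using System.Configuration;
using System.Data.SqlClient;
using System.Security.Principal;
using System.Web.Mvc;

public class DiagnosticsController : Controller
{
    // Assumed <connectionStrings> entry named "AppDb" with Integrated Security=SSPI.
    private static readonly string ConnectionString =
        ConfigurationManager.ConnectionStrings["AppDb"].ConnectionString;

    [Authorize]
    public ActionResult WhoAmI()
    {
        // 1. The browser user established by Windows authentication (authentication).
        string webUser = User.Identity.Name;

        // 2. The identity of the thread that will open the connection. Without
        //    <identity impersonate="true"/> this is the worker process account, not the web user.
        string processUser = WindowsIdentity.GetCurrent().Name;

        // 3. The login SQL Server resolved for this connection (what needs authorization).
        string sqlUser;
        using (var conn = new SqlConnection(ConnectionString))
        using (var cmd = new SqlCommand("SELECT SUSER_SNAME()", conn))
        {
            conn.Open();
            sqlUser = (string)cmd.ExecuteScalar();
        }

        return Content(
            "Web user:          " + webUser + "\n" +
            "Process identity:  " + processUser + "\n" +
            "Login seen by SQL: " + sqlUser,
            "text/plain");
    }
}

// If the third line shows the pool account (e.g. "IIS APPPOOL\MyAppPool" or a domain service
// account), grant that single login access instead of embedding a password in the
// connection string or adding every domain user. Assumed T-SQL, run by a DBA:
//   CREATE LOGIN [IIS APPPOOL\MyAppPool] FROM WINDOWS;
//   USE myDataBase;
//   CREATE USER [IIS APPPOOL\MyAppPool] FOR LOGIN [IIS APPPOOL\MyAppPool];
//   ALTER ROLE db_datareader ADD MEMBER [IIS APPPOOL\MyAppPool];
//   ALTER ROLE db_datawriter ADD MEMBER [IIS APPPOOL\MyAppPool];
```

Running this against the original symptom ("access is denied for my username") tells you whether it is the developer's own account (local IIS Express), the pool account (IIS without impersonation), or the browser user (impersonation on) that lacks a SQL login, which decides between options a), b) and c) above.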
