I have a .NET Framework 4.7.2 MVC 5 site that is using Windows Authentication to authorise access to actions based on AD group membership. This works fine for a single domain, but we have domain trusts in place and ASP does not seem to resolve memberships from other domains.
e.g.
Two domains: Parent and Leaf
The site runs in the Parent domain, which has local security groups setup: SiteAccess-L.
SiteAccess-L contains a single member Leaf\SiteAccess-G, which in turn has our user Leaf\User.
When I dump the contents of HttpContext.User.Identity.Groups (casting through WindowsIdentity), I can see all the Leaf domain groups that the user is a member of, but not any of the Parent domain groups. This only happens for remote users, if I access the site locally, it seems to work.
Running a simple C# app on the desktop of the web server with the same user account and calling WindowsIdentity.GetCurrent() will bring me back both domain group membership.
Does anybody know what gives here, and how I access the full cross-domain group memberships in MVC? If I use GetCurrent() in MVC, I get the service-account that the application pool is running under.
Thanks.
I finally got a resolution to this, but I don't fully understand why.
The issue it seemed to be with an SPN. When accessing the web page through a URL such as http://mysite.parent/ and a SPN was in place for this host, the issue described would occur.
Removing the SPN resolved the issue and all groups were viewable by the site. This is clearly Keberos related, but my understanding isn't deep enough to categorically say for sure.
In the end, the SPN wasn't needed so it could be removed to resolve the issue. Reference: https://www.aligrant.com/web/blog/2020-09-28_iis__do_i_need_to_use_a_spn
Related
This is not like other questions you might find similar. My issue is way bigger.
Scenario:
I have 3 websites. All of them have a common database for authentication and stuff.
Problem is that i will need to expand to 2 more sites, which means more maintenance in login screens and so on. So i will dedicate time to make a "central website" to manage users, access, etc.
Also, Need to implement OpenId for Microsoft Works accounts (ie, Azure tenants).
DDBB User Model: (Simplified)
All users are in the same central database. Which does not contains
anything non-user related.
User is personal on all applications.
Users can have different Roles
Each "User-Role" is mapped to an application, a server and a
database.
Problem:
Created a site in AspNet Core, without any authentication done so I can do it myself since I found that mapping Aspnet Identity tables was no-go because of incopatibilities and overriding is way to complicated, specially when dealing with Managers.
So, Tried and got working a simple Authentication page using HttpContext.Authentication.SignInAsync and CookieAuthentication. Which works well and there is no need to use any of the Identity's implementation (which is not compatible with my backend).
But then I added UseOpenIdConnectAuthentication to have the OpenId auth, but I have no idea how to use it since its suposed to work out of the box when using Identity and when checked documentation they use this code in an controller action: signInManager.ConfigureExternalAuthenticationProperties and I do not have any SignInManager since Im not using Aspnet Identity.
Questions:
Is coping the source of ConfigureExternalAuthenticationProperties to make it work in my site an aceptable solution?
Should I continue to override all SignInManager methods and also probably implement other classes to make Aspnet Identity work with my model?
Tried Mapping the properties to my columns just to test it out and it gave me non debuggable errors, which i dont like to even think about the problems this can give me in the future. For example one error was that it coudnt parse byte[] to string.
How can I implement Microsoft Work Accounts authentication and Database authentication in the same AspNet Site?
Bonus topic
Recently I feel like programming is becoming Configuring instead of coding. Is it just me? Are we now Professional Configurers?
Thanks
We're trying to setup IIS so that is uses its IIS AppPool identity when going against ACL permission checks (when getting static files from the filesystem) so that we don't have to add "everyone" or "authenticated" users to the main app folder or specific folders.
We've found that setting authenticatedUserOverride to UserWorkerProcessUser achieves the above, but no longer lets us access the specific windows user hitting the website from within the MVC application.
Is there a better way to accomplish this? Again, we're trying avoid having the specific user's credentials validated against ACLs when accessing files.
You can still get the authenticated user that is accessing the site using the LOGON_USER in the Request:
Request["LOGON_USER"]
Scott Forsyth details this on his blog under option #4 (http://weblogs.asp.net/owscott/iis-using-windows-authentication-with-minimal-permissions-granted-to-disk).
As for the best way to accomplish this, I think you are on the right path. I have used this approach along with the roles authorization aspect of ASP.NET to allow/deny access based on membership.
I was deploying my asp MVC 5 web site in Azure Web Site. Everything was fine until I tried to manage my account (changging the password), it gave an error like this:
The anti-forgery token could not be decrypted. If this application is hosted by a Web Farm or cluster, ensure that all machines are running the same version of ASP.NET Web Pages and that the configuration specifies explicit encryption and validation keys. AutoGenerate cannot be used in a cluster.
I was using Asp Identity, so all the code is built in. I have been searching the solution and found two possibilities:
1) It is because there are two #html.antiforgerytoken. One belongs to the MANAGE controller form, and the other belongs to the login partial view int he navigation bar. I tried to exclude the login partial view, but the error persisted, so I concluded that problem might not be it.
2) As the error says, maybe it is about MACHINE KEY. I tried to input setting to the web config. There are two popular ways to generate this machine key, fist is using ISS and the second is using third party. I wanted to use the ISS, but my ISS8 is not showing a modul to see the machine key which is weird that I could not find any solution for it. Then I tried the third party, and created something like this:
<machineKey validationKey="4359B782C08EF91E2AA6CA8AD46C0D63BF323E97ABAA06FBDA1535A1FA1CD2B7702B2BACDC937074ED65FC16D3ECA0F674BBAC8675910AF921D301CA22343AA1" decryptionKey="1A956B2A0405EC07AEBEFBA40DA7E61E2E17F001B868D7507EB3F3CD2AFF060E" validation="SHA1" decryption="AES" />
Then I redeployed my website but the error persisted. Can anyone please help me?
I've asked similar question here because I thought the problem was in my custom membership provider.
Then I tried this:
I created two NEW asp.net MVC applications. In first one, I registered as new user using default membership provider. I closed this application, opened second one and ran it. In this application I was also logged in as user I created in first application. Logging in as user from other application doesn't work, but caching is remembered on this site. Why is it so? Is it a bug?
I think this can be expected behaviour:
If you open localhost/app1 and localhost/app2 you are on the same domain. So its valid that the same cookie is sent. I am not shure if localhost:5050 localhost:5060 are considered as the same domain. But I guess thats the case.
If the same cookie is sent the Memebershipsystem will evaluate this as the same user. Thats expected behaviour.
If you want to have these 2 webs use different pools of users you have to create a new application in the Mebershipsystem and configure it in web.config.
This will not affect the behaviour of a production system, because the 2 web will be on a different domain. each domain is only allowed to access its own cookies.
I am developing an ASP.NET MVC app with custom membership and role providers.
My custom role provider uses LinqToEntities to query the user/role mapping table and retrieve if a user is in a role or not.
When running on debug, local machine, everything is fine. When deploying on IIS7 however, I have this strange behavior:
When I change roles to a user, and then login with that user, it retains the old roles, instead of the new ones. It's like they are cached somewhere, but I already set the cacheRolesInCookie="false" option in the Web.config
Reading on the web, I saw that the option I mentioned is just a directive for the provider, meaning if I don't implement its usage, it will be ignored, is that right?
This leaves me puzzled. My provider should perform a fresh query every time a method is called. It works locally, but not on the deploy machine with IIS7.
Anyone knows if there's any hidden setting in IIS7 to make things work right?
Thanks.
After a long time I found the solution.
The problem was residing on the EF context I was using to read the users/roles.
I fixed it resintantiating the context every time a role is checked, instead of keeping the same context until application restarted.