My application is using the AD Authentication for Login using LDAP URL. All was fine until our SA told us to change the URL to LDAPS. Once I added the URL as LDAPS it throws an exception and does not allow users to Login. Please help me in this.
Working LDAP URL: LDAP://reg1.abc.com
LDAPS URL (NEW) : LDAPS://reg1.abc.com (Not working once changed)
Below is the code to Authenticate user through LDAP.
public static SearchResult AuthenticateUser(string userName, string password)
{
var directoryEntry = new DirectoryEntry(ConfigurationManager.AppSettings["ActiveDirectoryPath"], userName, password, AuthenticationTypes.Secure);
var directorySearcher = new DirectorySearcher(directoryEntry);
directorySearcher.Filter = "(samaccountname=" + userName + ")";
var result = directorySearcher.FindOne();
return result;
}
That's a common question that might be already answered at Unknown Error (0x80005000) with LDAPS Connection. Follow that link and try to add port 636 and custom certificate validation:
LdapConnection con = new LdapConnection(new LdapDirectoryIdentifier("server", port));
con.SessionOptions.SecureSocketLayer = true;
con.SessionOptions.VerifyServerCertificate = new VerifyServerCertificateCallback(ServerCallback);
con.Credential = new NetworkCredential(String.Empty, String.Empty);
con.AuthType = AuthType.Basic;
con.Bind();
In the given example Credential is using empty strings, that might need to be changed by real login/password if required.
Related
using (PrincipalContext Context = new PrincipalContext(ContextType.Domain, DomainURL, UserName, Password))
{
UserPrincipal Account = new UserPrincipal(Context);
Account.GivenName = strFirstName;
Account.Surname = strLastName;
PrincipalSearcher srch = new PrincipalSearcher(Account);
foreach (var principal in srch.FindAll())
{
var p = (UserPrincipal)principal;
String FirstName = p.GivenName;
String LastName = p.Surname;
}
}
If i use the code above to query Active Directory and the UserName(account) passed in the PrincipalContext constructor is in a domain that has no trust with the target domain(domain to be queried), i get the below error.
System.DirectoryServices.AccountManagement.PrincipalServerDownException: The server could not be contacted. ---> System.DirectoryServices.Protocols.LdapException: The LDAP server is unavailable.
Would i be correct to assume that if the PrincipalContext construct was changed to,
using (PrincipalContext ctx = new PrincipalContext(ContextType.Machine))
the code would execute successfully as long as the client is in the target domain?
Lets assume the first code with UserName and Password was called by a client in domain A trying to search for user info in domain B, here establishing context failed because the account used is in domain A that has no trust with domain B.
am i correct to assume that if i change the ContextType to Machine, and the client calling the code is in domain B, the code would execute succefully?
No, that would not be a correct assumption. ContextType.Machine means that you want to work with local accounts.
Your PrincipalSearcher will end up searching the local SAM database rather than Active Directory
I do have authorize attribute applied on my Web API.
I am calling Web API from MVC4 application in which I am using standard cookie based authentication.
I need to call Web API method on controllers from integration tests but because authorize attribute is applied I will always receive unauthorized exception.
What is the best way to solve this problem ?
PS. I don't want (need) to use other methods of authentication such as APIKey,Token in Auth Header and similar...
First of all, one key element in order to answer this question is to know what kind of authentication mechanism you use. For example, if you use basic auth, you can send the credentials when you are integration testing:
[Fact]
public async Task FooTest() {
var username = "user";
var password = "supersecret";
// construct your config here as I do below.
// RouteConfig and WebAPIConfig are my own classes
var config = new HttpConfiguration();
RouteConfig.RegisterRoutes(config);
WebAPIConfig.Configure(config);
var request = new HttpRequestMessage(HttpMethod.Get, "http://localhost/api/cars");
request.Headers.Accept.Add(new MediaTypeWithQualityHeaderValue("application/json"));
request.Headers.Authorization = new AuthenticationHeaderValue(
"Basic", EncodeToBase64(string.Format("{0}:{1}", username, password)));
using (var httpServer = new HttpServer(config))
using (var client = new HttpClient(httpServer)) {
var response = await client.SendAsync(request);
var result = await response.Content.ReadAsAsync<Car>();
// do you test now...
}
}
private static string EncodeToBase64(string value) {
byte[] toEncodeAsBytes = Encoding.UTF8.GetBytes(value);
return Convert.ToBase64String(toEncodeAsBytes);
}
Of course, your handler which handles the authentication should be able to authenticate you with those credentials.
On the other hand, as you will be hosting the application in memory, setting an authenticated principal to the Thread.CurrentPrincipal would be another option but wouldn't be my favorite option here.
I am using the new webapi.
Now I don't know if I am doing this correctly but I am trying to setup my api to return an authentication cookie within the HttpResponseMessages header to use on another an mvc application.
I am using the FormsAuthenticationTicket as I think its what I need to use like
public HttpResponseMessage Get(LoginModel model)
{
if (model.UserName == "bob")
{
// if (Membership.ValidateUser(model.UserName, model.Password))
// {
var msg = new HttpResponseMessage(HttpStatusCode.OK);
var expires = DateTime.Now.AddMinutes(30);
var auth = new FormsAuthenticationTicket(1, model.UserName, DateTime.Now, expires,
model.RememberMe,"password",
FormsAuthentication.FormsCookiePath);
var cookie = new HttpCookie("user");
cookie.Value = FormsAuthentication.Encrypt(auth);
cookie.Domain = "localhost";
cookie.Expires = expires;
msg.Headers.Add("result",cookie.Value);
return msg;
// }
}
return new HttpResponseMessage(HttpStatusCode.Forbidden);
//else
//{
// return "The user name or password provided is incorrect.";
//}
}
now within my login controller on my mvc application I call the service and get the data value from the header I set in the api controller.
string data = response.Headers["result"].ToString();
FormsAuthenticationTicket ticket = FormsAuthentication.Decrypt(data);
Everytime I try running the FormsAuthentication.Decrypt I keep getting an error
Unable to validate data.
I assume its due to when the api encrypts the data it uses some kind of key that the website doesn't know about. Am I right?
Can someone help out?
Thank you
I assume its due to when the api encrypts the data it uses some kind
of key that the website doesn't know about. Am I right?
FormsAuthentication.Encrypt and Decrypt methods use the machine key. So make sure you have configured the same key for both your Web API web application and the consuming ASP.NET MVC application.
You could also take a look at the following article which illustrates how you could use OAuth 2.0 with the Web API.
I a have a sample app, hosted on AppHarbor and now want to integrate authorization through facebook. So i downloaded nugget Facebook.Web.Mvc package to implement it.
After reading tutorial, in controller i have method:
public ActionResult Login(string returnUrl)
{
var oauthClient = new FacebookOAuthClient(FacebookApplication.Current) { RedirectUri = GetFacebookRedirectUri() };
if (!string.IsNullOrWhiteSpace(returnUrl))
{
returnUrl = Url.Action("Index", "Facebook");
}
dynamic parameters = new ExpandoObject();
parameters.scope = ExtendedPermissions;
var state = new { csrf_token = CalculateMD5Hash(Guid.NewGuid().ToString()), return_url = returnUrl };
parameters.state = Base64UrlEncode(Encoding.UTF8.GetBytes(JsonSerializer.Current.SerializeObject(state)));
SetFacebookCsrfToken(state.csrf_token);
string s = oauthClient.GetLoginUrl(parameters).AbsoluteUri;
ViewBag.FacebookLoginUrl = s;
//new LogEvent(s).Raise();
return View(new AccountModel());
}
View:
<a href="#ViewBag.FacebookLoginUrl" id="lUrl">
<div class="fblogin"></div>
In localhost this works for me.
But when i upload it to appharbor, i see, that generated link indicates to address + port 16013 (as support told always random port). So clicking it shows me facebook login window, than blank page.
I manually configured my app settings in facebook to this port but it did not helped.
Also i tried to access my site through this port - nothing.
Then i changed port number through jquery to 80, its also did not help.
you have had such problems?
I'm not familiar with the Facebook api, but I've had a similar problem.
I suspect that the returnUrl value being passed in is incorrect. It probably contains a port number that AppHarbor uses internally for load balancing.
See this article on how to create a public url for AppHarbor:
http://support.appharbor.com/kb/getting-started/workaround-for-generating-absolute-urls-without-port-number
Then make sure that the value in your returnUrl is publicly available.
You can now set the aspnet:UseHostHeaderForRequestUrl appSetting to true which effectively solves this problem. This can be done by adding a Configuration Variable to your application with the corresponding key and value.
Source on AppHarbor
We're building a commandline application that needs some data from the IIS server using forms authentication. How can I do forms authentication from a commandline application? I've tried but all that happens is that the request gets redirected to the login page.
I'm guessing that if I could include an authentication cookie the request with the right credential, the download would be fine.
I have control over both client and server. I can set the the machineKey in web.config, but can't figure out how to set this in the commandline application. This has to be the same validationKey to encrypt the cookie in the right format?
The server is written in asp-net mvc.
var request = (HttpWebRequest)WebRequest.Create(uri);
var formsCookiePath = "/";
var cookieName = ".FormName";
var domain = "localhost";
var username = "username";
var password = "pa$$word";
var ticket = new FormsAuthenticationTicket(1,
username,
DateTime.Now,
DateTime.Today.AddYears(10),
true,
password,
formsCookiePath);
var encryptedTicket = FormsAuthentication.Encrypt(ticket);
var authenticationCookie = new Cookie(
cookieName,
encryptedTicket,
formsCookiePath,
domain)
{
HttpOnly = true,
Secure = false
};
request.CookieContainer = new CookieContainer();
request.CookieContainer.Add(authenticationCookie);
request.UserAgent = "Internal downloader";
var loWebResponse = (HttpWebResponse)request.GetResponse();
Update:
Based on the answer from Zruty I used this example to generate the authentication cookie:
ASP.NET Authorization from Console Application & Timeout
You want to mimic the authentication code locally on your client? I think you're going the wrong way.
You should instead leave the server work (cookie generation) to the server. Make two subsequent requests: one with your login information (the server will generate you a cookie), and another one with the supplied cookie.