Authenticate Active Directory User within a WCF Service - ios

I am writing an iOS application that I would like to send a login and password through a WCF service residing on an IIS server developed in C#. I would like to verify that the USERNAME and PASSWORD is a valid Active Directory account. If so, then I will log them into the application on the iOS device and continue on. Is this possible? My ASP.NET application that will be hosting this WCF service could be either in Windows or Forms authentication mode depending on the client. Any code example that would allow me to use the passed credentials to verify that they are valid AD user credentials would be great.
Thanks

Related

Does app registration on the Azure Portal require any changes to intranet deployment using ClickOnce?

Microsoft has announced its intention to turn off SMTP AUTH:
https://learn.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/deprecation-of-basic-authentication-exchange-online
This change will affect an application I wrote for internal use by employees of the company. The app pulls info from the company database and merges the data into an email which is sent to designated business partners. The app connects to the Outlook SMTP server and, at present, is authenticating with account-name and password.
The app is launched from an intranet web server using ClickOnce and is set to be "available only online".
According to the documentation for setting up OAuth authentication, the application must be registered on the Azure Portal in order to obtain an OAuth token which would be used by the app when authenticating on the SMTP server.
Will this portal registration have any impact on how the application is made available to the users? Can we continue to launch the app from an intranet web server using ClickOnce?
EDIT: The following documentation appears to address some aspects of my question but I don't know, for sure, what is meant by "if you're not registering the application in a directory" and "outside of a directory" in the context of ClickOnce deployment where the application package is placed in a folder on the web server:
https://learn.microsoft.com/en-us/graph/auth-register-app-v2
Accounts in this organizational directory only
Select this option if you're building a line-of-business (LOB)
application. This option is not available if you're not registering
the application in a directory.
This option maps to Azure AD only single-tenant.
This is the default option unless you're registering the app outside
of a directory. In cases where the app is registered outside of a
directory, the default is Azure AD multi-tenant and personal Microsoft
accounts.

Identity Server without Login

Im trying to implement IdentityServer authorization and my scenario is below:
we have one home page for all our application "www.vision2025.com" and i have link to my mvc application "MarketingDashboard" where users are authenticated by home page and redirect to my mvc application using windows authentication. Now user can do any action in my dashboard which interact to web API.
Now i need to implemented IdentityServer to authorize all the web API call from my dashboard but no need of login.
Please suggest any idea
Thanks in Advance
I think you don't want to build IdentityServer because your enterprise company has already built ADFS (Active Directory Federation Services). You just want to ask who maintain AD and ask him to enable ADFS for OAuth2. This is a page to help you catch all scenarios here.
Because I don't know how far you can change for all applications but there are some solutions with ADFS you can go with:
Let your main server (acts as Home Page and where user redirects to ADFS to sign in) performs On-behalf-Of flow. In this scenario, your main server will be a linked server that transfer its taken access token which retrieved from ADFS. I strongly recommend this way because you just want to add as many as your new upcoming web and api. The cons are they require you ensure protect highly access token in your main server
Because OAuth 2.0 doesn't support chaining Resource Servers yet (such as you signed in Resource Server A, then use provided access_token to call Resource Server B in different clients), you need to allow your main server store his username/password (also knew as trusted back end server , means your enterprise allows this server can store client credentials). So each time you redirect user to target MVC Application, you should transfer encrypted username/password as well. Then your target MVC application can perform Authorized Flow or Implicit flow itself in Back-end code, then returned new access token to client web to perform calling Web API.

When to use Web server, installed application and service account authentication flows?

I want to build a clone of Sheetsu application using python. For this, I need to authenticate and authorize the user. I came across three types in OAuth 2.0 authentication flow. They are
1. Web server
2. Installed application
3. Service account
Can Someone explain me the difference between all the three?
OAuth2.0 Scenarios:
Web server
The Application which user interacts with is hosted on a web server. The user wants to delegate access to his data to this application
Suggested OAuth2.0 Flow:-
Authorisation Code Grant.
Installed application
Application which user interacts with is hosted on a device e.g. phone application or desktop application. Again, the user wants to delegate access to his data to this native application
Suggested OAuth2.0 Flow:-
Authorisation Code Grant with PKCE.
Service account
Application is hosted on a web server. The application requires a token to access data from an API, but not in the specific context of an end user
Suggested OAuth2.0 Flow:-
Client Credentials Grant.
Or, Resource Owner Password Credentials passing in a service account username and password - some legacy APIs work like this but avoid this flow when possible.
There is another type of app as well:
Single Page App (SPA)
The application which a user interacts with runs on their web browser server. The user wants to delegate access to his data to this application
Suggested OAuth2.0 Flow:-
Authorisation Code Grant with public client if available else,
Implicit Grant.

How to prevent OrganizationService from reusing the same STS Token?

I have an MVC application that connects to CRM via the SDK's OrganizationService. The user logs in via a form in the application using their username and password. The CRM organization uses claims-based authentication and is connected to an ADFS 2.0 server.
Whenever I try to authenticate a user via their username and password, the newly instantiated service reuses an earlier token it got from successfully connecting. This makes it possible for users to log back in with just the correct username - even with an invalid password. The connection I'm using is set to have an instanceMode of PerInstance and that doesn't appear to help either.
I feel like I'm missing something essential here. Do I have to do something to tell CRM to re-authenticate my users' credentials or do I have to do something to tell our STS server to invalidate the previously issued token?
Thanks.
Your MVC application should not connect to CRM with the credentials of its users. Instead you should use the credentials of the service account of your MVC application (i.e. the application pool identity).
Of course the service account must be a user of the CRM Organization and (in CRM) this user account should be allowed to impersonate other users.
When your MVC application needs to access CRM on behalf of a specific user, it creates/gets an OrganizationServiceProxy instance (which can be reused) and sets its CallerId property to the systemuserid of the impersonated user.

Authenticate between desktop client and a web application

I'm building a small web application using ASP.NET MVC3, in which I'm using the default ASP.NET Membership API to create and authenticate users.
There's also a small desktop client which updates the web application. My question is what would be the best way to authenticate the desktop client. Considering that users would register using their username and password via the website, I don't really want to store any user credentials on the desktop.
I was thinking about implementing an OAuth provider in my web application, and associating the token with the authenticated username. That way I would authenticate my desktop client like most twitter clients do now.
So basically my question, should I do OAuth, or maybe there's another popular option?
Why not expose a login action method that returns a token? This would avoid the added complexity of an oauth service. As long as your mvc app is decoupled and using services, your client can consume these same services.

Resources