In VS2013 I created an MVC 5 project where I chose Authentication as "Windows Authentication".
Now when I run the application, I get an automatic popup window to log on to Windows.
Here are my questions.
1. How can I avoid the automatic login popup window on launch and have my own login screen?
2. How can I get a list of Active Directory accounts and groups?
3. How can I validate if a given name is a valid account or group?
4. How can I get a list of roles?
I tried searching online, but unfortunately was not successful.
Thank You
For #1...
This is usually primarily a function of the zone security settings in IE. If you add your app's URL to the Local Intranet Zone in IE, you should get the desired behavior.
Specifically, if you look under Custom Level and scroll all the way to the bottom under User Authentication\Logon, you'll see the different settings for each zone.
For the others, I'd suggest perhaps a separate question for each with what you've tried.
Is there a strategy/approach that can be built to bring an ASP.NET MVC application into "single user mode" gracefully? By "single user mode" I mean something that when activated will block all new user access/logins, but allow existing users to complete their sessions and log out.
SCENARIO: I need to republish an active MVC application during the day in order to patch errors. Since we are conducting a new release I need to be able to do these patches sometimes a few times a day to squash bugs. Our users are all over the world and I don't have the ability to contact them individually to tell them of the patch, especially if it is a quick fix that is needed. So far I've just been republishing which means for some users their sessions will be destroyed, they will get errors when trying to navigate from one screen or form to another, etc.
What I would like is a feature that will let me log in as the site admin (custom Identity auth), flip a switch, and from that point forward (unless I flip the switch again) no new logins will be accepted. I would also need the ability to monitor sessions and ideally mark individual sessions for termination immediately if necessary, which I'm not sure is possible out of the box at all.
If there is no NuGet package or at least some code sample out there that can do it I'm considering rolling my own. One approach is giving the app admin a screen to set a boolean Application variable that is then checked during each user's login. If that Application variable is true then the authentication logic redirects the user to a friendly message that logins are disabled. Session management would be trickier, maybe have the base controller update an Application variable (dictionary?) on each page load, and then the admin can view a screen that shows a list of those sessions and can flag them for termination? And then the next time a flagged user loads a screen the base controller logs them out since they were flagged for termination. But I'm not sure if there will be threading/deadlock/etc issues with everyone accessing this Application variable repeatedly like that.
For reference, the application is used by about 3-5K different users per day, about 25-30k screen/page views per day. Backend is a combination of Oracle and SQL Server but that shouldn't matter, unless it would be better to track the session info in the DB.
This is not a hard requirement, but the impact on the users when the site goes down can be severe, so I want to make it as graceful as possible. Right now it is crude.
I have a new big project with ASP MVC 4, and in the future I will need to build a lot of tiny web applications that contain:
A banner (like the Google banner in black, for authentication, notifications, search, etc.)
A body that must access the banner info and know if the user is authenticated or not.
Let me explain. If we look at:
Google Play (subdomain)
Google Maps (subdomain)
Google Translate (subdomain)
Google Gmail (subdomain)
YouTube (different domain)
We will notice that it's exactly the same banner for all its subdomains and even for a different domain (YouTube), and only the content changes, and if I'm already authenticated in Google Play I do not need to authenticate again in Gmail or YouTube.
I want to do the same thing with my websites:
Here is a link to explain in images: http://www.use.com/ba3e6c12424c7696be7f
My questions, or just things I need confirmed:
1- Is it possible to host a banner and websites in different domains and still not authenticate again in every website? I am thinking about the YouTube domain and the Google domain, where this is possible. How can I get the same experience?
2- I assume it's very easy with subdomains, without the need of OAuth 2 for authentication, and just the normal ASP MVC 4 simple membership will do the job. Am I right?
3- Assuming I choose ASP MVC 4 simple membership with subdomains, how can I organize my projects so I don't have duplicated code for my banner in every project if I want the same experience as the Google banner?
a) The first idea is to build the banner, put it in an assembly and render it with an HTML helper. Is that a good option?
b) Do I still have the same experience if I host every subdomain on a different server?
c) Can I choose to host the banner in subdomain 1 and load it in a website in subdomain 2 with JavaScript? (Do I still have the same experience?)
4- Assuming I have to put every website on a different domain (not subdomains), how can I manage the architecture? I just need some clues.
5- If I'm wrong on everything, can you guide me to have the exact same experience with completely different domains, or different subdomains, with an elegant solution?
Thank you in advance, and sorry for my bad English (third language).
You really have two separate questions here. First, how to include a bit of HTML in multiple projects. There's really a myriad of possibilities here. If all of your sites are in the same solution in Visual Studio, the easiest method is to simply pick one project to hold the partial view for the banner and then link to it in your other projects. You do this by right-clicking somewhere in your project in the Solution Explorer and choosing Add -> Existing Item..., find the file in the other solution, but instead of "Add" to confirm, click the arrow next to it, to expand the dropdown and choose "Add As Link".
Alternately, or if one or more of your sites is not in the same solution or is in another language altogether, then your best bet is probably just to save the snippet of HTML as a flat file, somewhere each site will have access to. Then, you just read in from this file and display it.
Your second question is more complicated: how to share authentication. If all of the sites are on the same domain (subdomains), then you can just simply set the cookie on the domain itself, and all subdomains will receive the cookie and have access to the authentication status. If you have sites on different domains, though, it gets exponentially more complex. You either have to implement something like OAuth, which is awkward if all the sites belong together (i.e. OAuth is only really used to authenticate with third-parties, no one really uses this to share auth between related but different domains.) Or, you basically create a server that provides authentication for the other sites.
It's a kind of complex setup, but you've seen it in action on places like Google-owned properties. When you go to log in, it takes you to accounts.google.com, and then you're redirected to the originating site after logging in. Essentially, what's happening is that technically the only place you're "logged in" at is accounts.google.com. If one of the sites in the family needs authentication, it redirects you to accounts.google.com. At which point, if you have an auth cookie already, it's sent and accounts.google.com restores your authenticated session; it then redirects back to the original site, with some token that identifies that you are logged in. Going into all the details and how to actually set this up is far beyond the scope of what can reasonably be done here on StackOverflow, but this is a really good reference and starting point. Part 1 describes the theory. The next installment details how to set it up.
Having googled, the general advice is to create a standard, non-administrator account.
I just tried that. I only had one account, my own, which is an administrator and then created a second (not the Guest account). I logged out of my own account and into the new one and tried to change the time. Windows 7 popped up a box asking if my main account would allow this (and prompting for its password).
I have been told "it shall not be possible to change system date/time". I intended to deliver a PC with only a standard account and my s/w, but can't (I think) prevent the user from creating an administrative account and changing date/time.
Can I prevent this programmatically from Delphi, or do I just have to say that if the user wants to be destructive I can't prevent it?
Generally, these kinds of restrictions are set using the Windows Group Policy.
From Delphi you can use the Group Policy API or the RSoP WMI Classes.
In your application, you can actually detect the user changing the system time while your application is running.
You will receive WM_TIMECHANGE when the system time changes.
At startup, you can save the GetTickCount (as StartTickCount) and Now (as StartTime). When checking, you can check whether the difference between the tick counts and the difference between the times match (allowing a small discrepancy) and so know the difference. However, if the user changes the system time away from your application, this trick does not work. Maybe you can have a service which starts automatically and checks for this.
If you need to change back to the original time, here are some resources:
CHANGE the system TIME
Btw, at the OS level, a normal user cannot create an admin user.
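The tick-count comparison described in the answer above, as an added example (not code from the original post). `CurrentUtc`, `CaptureBaseline`, `ClockOffsetMs` and the 2-second tolerance are assumed names and values, and UTC from `GetSystemTime` is used in place of `Now` so that a daylight-saving switch does not register as a change.

```delphi
program ClockJumpCheck;
{$APPTYPE CONSOLE}
uses
  Windows, SysUtils;
const
  ToleranceMs = 2000; // assumed allowance for timer granularity and scheduling
type
  TClockBaseline = record
    Tick: Cardinal;     // GetTickCount at startup; not affected by clock edits
    UtcTime: TDateTime; // wall clock at startup, in UTC
  end;
// Wall clock in UTC, so a daylight-saving switch is not reported as a change.
function CurrentUtc: TDateTime;
var
  St: TSystemTime;
begin
  GetSystemTime(St);
  Result := SystemTimeToDateTime(St);
end;
function CaptureBaseline: TClockBaseline;
begin
  Result.Tick := GetTickCount;
  Result.UtcTime := CurrentUtc;
end;
// Milliseconds the wall clock moved beyond what the tick counter accounts for.
// Positive: clock was set forward; negative: clock was set back.
function ClockOffsetMs(const Base: TClockBaseline): Int64;
var
  TickElapsed, WallElapsed: Int64;
begin
  TickElapsed := Int64(GetTickCount) - Int64(Base.Tick);
  if TickElapsed < 0 then
    Inc(TickElapsed, $100000000); // 32-bit counter wrapped (about every 49.7 days)
  WallElapsed := Round((CurrentUtc - Base.UtcTime) * MSecsPerDay);
  Result := WallElapsed - TickElapsed;
end;

var
  Base: TClockBaseline;
  Offset: Int64;
begin
  Base := CaptureBaseline;
  Sleep(5000); // stand-in for the application doing its work
  Offset := ClockOffsetMs(Base);
  if Abs(Offset) > ToleranceMs then
    Writeln('System time changed by about ', Offset div 1000, ' s since startup')
  else
    Writeln('No clock change detected (offset ', Offset, ' ms)');
end.
```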
I have a web part which shows data in one of 3 different formats. The format is selected by clicking one of 3 buttons in the web part. This works fine.
A request has come through to store the last selected state so that the user does not always have to click their favourite view.
It seemed logical to define a Property and define Personalizable(PersonalizationScope.User) but this does not seem to work for most users as they only have Read rights for the page.
What is the best way forward here? Is SharePoint the right place to store such info or should I be using my own storage?
Thanks
Using your own storage is an option, but this means it's some more development work for you. How about this option?
1. Modify your WebPart and add the option to the Web Part property.
2. Create a new permission level and add the following permission:
Update Personal Web Parts - Update Web Parts to display personalized information.
This will make sure that users with read-only access can only update webparts.
Step 2 will allow them to modify all webparts. You can modify each webpart and remove the following option for webparts which you don't want your users to edit.
Allow Editing in Personal View [Advanced]
This way you can lock all webparts except the one you want.
I have two users who have Full Control permissions to their department sub-site on SharePoint. They also have Full Control to the Pages document library. The Pages doc library has distinct permission from the site itself, but those two users have Full Control on both as mentioned.
When they try to create a New Page it gives them an "Access Denied" error. I can duplicate this problem with my non-admin account as well.
What am I missing to give these users the ability to create new pages on their site?
Assuming that the user has been granted enough rights to create pages at site level in the first place but is still unable to do so even with Full Control, then there is a high possibility that the user DOES NOT have READ access to the Master Pages and page layouts library. Check the library permissions at the root site collection and grant them the specified permission level accordingly.
Hope that helps.
This is applicable to SP10 and SP13
Thanks
Ismail
It could also be TaxonomyHiddenList.
You must paste it into your browser - you cannot navigate to it, and it is at the site collection level.
http://yoursite/yoursitecollection/Lists/TaxonomyHiddenList
List Menu -> List Settings -> Permissions for this list -> Grant Permissions
Maybe it is possibly to do with the Web Feature called "Content Organiser" which is enabled and not used. If it is activated, de-activate it and test again. This feature will affect document libraries, not lists.