I have an ASP.NET MVC 2 application in development that uses a web service to access security information (Roles, Permissions, etc). The users of these applications will be internal Company users. This web service security mode is currently set to "None".
What kind of web service security do you recommend for my situation? Should I use certificates?
For an internal use I suggest using Windows Authentication :
<system.web>
<authentication mode="Windows" />
</system.web>
Related
I have an existing MVC .net application that uses its own forms based authentication. Currently we only have forms authentication enabled
<authentication mode="Forms">
<forms loginUrl="~/Account/Login" timeout="2880" />
</authentication>
We are extending this application to a new subset of users. They are already on my idserver3 and they are using few other applications through idserver3.
Now i have to also support forms authentication and Authentication using idserver3. At the time of application start up, it could be determined if that installation requires Forms or Idserver authentication.
Is it possible to add Openid connect authentication with Idserver3 without using OWIN pipeline in my .net MVC client applications?
Are you using WIF? You've tagged it with WIF. WIF doesn't implement OIDC.
idsrv3 uses OWIN on its side but OIDC / OAuth is all based on REST so you can implement the calls natively on your side if you want.
However, it makes life a lot easier if you use the OWIN stack.
Identity Server client interface is based on OWIN, so I don't think you can have both. I recently had to convert an MVC app with Forms Authentication to Identity Server and I had to remove the forms authentication to do so.
I am looking to implement Simple Membership authentication for a wildcarded sub-domain application. Users will login to a root site (i.e. www.localhost.com) and be redirected to a psuedo sub-domain site (www.user1.localhost.com). There is only one application on the server.
The following web.config entry for authentication is not working:
<authentication mode="Forms">
<forms loginUrl="~/Account/SignIn" timeout="2880" domain=".localhost" />
</authentication>
The above entry will not authenticate users into the root site or any of the user specific sites. My local hosts file is configured correctly.
Is this authentication scheme possible with Simple Membership? Am I missing a step?
Whether you are using SMP or the standard membership provider has nothing to do with the FormsAuthentication process and the cookie transmission and decryption.
In addition to setting the domain property to your top level domain make sure that you have configured the same machine keys on both applications.
I have an MVC 3 website that is using Forms authentication. The user logins and navigates to a Silverlight 5 application. The Silverlight app is calling a Silverlight-Enabled WCF service on another port. Because one of my requirements is to use Https/SSL, I decided to move the WCF services into a "Services" folder in my MVC application.
To see if the service is working, I typed in the address of my service. I got an error message stating my service requires anonymous access, but the website is specified to use forms authentication. So, I removed my mexHttpBinding in my web.config for my service and added authenticationScheme="Negotiate" to my httpTransport of my binding. (I'm not to https yet).
Now, I get a 302 and am redirected to the log-in page. It seems that my service is suggesting i'm not logged in. So, I added
routes.IgnoreRoute("{resource}.svc/{*pathInfo}");
and
routes.IgnoreRoute("Services/");
but that hasn't made a difference. I think the service says i'm not authenticated, but I'm certain I am.
Can someone explain what I'm doing wrong?
All of this works when I debug on my localhost, but I can't access the service when I deploy to a server.
Edit
I may have found my answer. I turned on anonymous access for my website in IIS and changed the httpTransport's authenticationScheme to the default (Anonymous). I then added
<authorization>
<deny users="?"/>
</authorization>
along with
<authentication mode="Forms">
<forms loginUrl="~/Account/LogOn" timeout="2880" />
</authentication>
which seems to be requiring the user to be authenticated in order to access the service. I am now going to check my silverlight application to make sure it can reach the service and get/post data. This was all in a test application, so I'll have to change my real application accordingly. Then, I'll tackle ssl/https.
Does all this sound right?
EDIT 2
I had to ensure mex was enabled and aspNetCompatibilityEnabled was set to 'false' to get the conctracts to update in my silverlight app. But after updating my services, I set the aspNetCompatibilityEnabled to 'true', and everything appears to be working.
I hope I'm still headed down the right path...
I ended up setting up IIS to add the webservice as a website under the parent website. Then, I used the Location tag in the parent site's web.config to implement forms authentication on the webservice.
Is there a way to find out what identity an MVC web application is impersonating?
I've set web.config to include
<system.web>
<identity impersonate="true" />
For IIS7 in integrated pipeline mode, I believe this should make the application impersonate IUSR (my thinking is set out in my blog post Identity impersonation with IIS and ASP.NET.
The MVC application itself uses Forms Authentication, and I can see the logged in user ok at
System.Web.HttpContext.Current.User.Identity
But my application then has to call a COM component, and I need to be sure what account it is using. From my tests, it still seems to be using NETWORK SERVICE, rather than IUSR, so I'm looking for a way to verify which identity the application is impersonating when calling the COM component.
Take a look at System.Security.Principal.WindowsIdentity.GetCurrent().User
We have a small application we built in our spare time using the latest mvc3 and Entity Framework .net libraries available at the time, and deployed it. The management liked it, and they want it integrated into a heavy legacy .net 3.5 web forms application.
I need to somehow use the same authentication sessions across the two applications. I am using the same DB and Application for authentication using the .net membership and profile providers. This works fine, but users have to login separately into the MVC app even when they are already signed in for the main application. I am open to any suggestions: enabling state session at a different level, or shared cookies, etc
What is the best way to bypass this login requirement and whether I should integrate the mvc application into the webforms or keep it as an independent application? My main concerns affecting the decision would be time taken for complete integration, and later maintenance of the applications.
First, the fact one application is ASP.NET MVC does make no difference here :)
Second, here is one example of what to do from MSDN:
http://msdn.microsoft.com/en-us/library/eb0zx8fc.aspx
Small snippet from that page:
<configuration>
<system.web>
<authentication mode="Forms" >
<!-- The name, protection, and path attributes must match
exactly in each Web.config file. -->
<forms loginUrl="login.aspx"
name=".ASPXFORMSAUTH"
protection="All"
path="/"
domain="contoso.com"
timeout="30" />
</authentication>
<!-- Validation and decryption keys must exactly match and cannot
be set to "AutoGenerate". The validation and decryption
algorithms must also be the same. -->
<machineKey
validationKey="C50B3C89CB21F4F1422FF158A5B42D0E8DB8CB5CDA1742572A487D9401E3400267682B202B746511891C1BAF47F8D25C07F6C39A104696DB51F17C529AD3CABE"
decryptionKey="8A9BE8FD67AF6979E7D20198CFEA50DD3D3799C77AF2B72F"
validation="SHA1" />
</system.web>
</configuration>
.
P.S.
StriplingWarrior's advice of merging both applications although not really required but may be very useful for future integrations. You may later end up doing it anyway.
Forms authentication uses cookies to track users. Cookies can only be shared between the same domain. So for example if you had app1.foo.com and app2.foo.com simply configure those two applications to share the same domain cookie. For example both web.config should share the same forms authentication configuration:
<authentication mode="Forms">
<forms
loginUrl="~/Account/LogOn"
timeout="2880"
domain="foo.com"
/>
</authentication>
You also must ensure that both application share the same machine keys because an authentication cookie emitted by app1 needs to be decrypted by app2 with the same keys.
You may want to consider simply integrating this application into your Web Forms application directly. The two can coexist in the same application.
Store the session state in a database. Store the session key in the cookies of each sessions. At the AcquireSessionState event in the life cycle's of both applications, get the session id from the cookie, load the session data from the database and update your HttpContext.User. You will then have the same authentication data in both applications.