Is there any way to have a custom form for Windows authentication so that the device used when authentication doesn't need to support NTLM in order to work? Also, is there a way to keep the automatic login for intranet users so that they do not need to login if they are already on their computer?
Is there any way to have a custom form
for Windows authentication so that the
device used when authentication
doesn't need to support NTLM in order
to work?
I guess you want to be able to authenticate users coming from outside the intranet.
In that case, Windows Authentication is not the right choice since it uses Windows user's credentials for the authentication and therefore more applicable for intranet applications.
If you really want to have Windows Authentication, your client requires NTLM or Kerberos authentication support.
Also, is there a way to keep the
automatic login for intranet users so
that they do not need to login if they
are already on their computer?
For this you can use Windows Authentication.
Related
I am working with a project where users are currently being authenticated using IIS server windows authentication. I have been looking a solution to use authentication in mobile side since last 2 days but still could'nt figure it out as I have to use windows authentication I can't go with jwt or any other authentication mechanism.
If I understood correctly, you need to use your mobile phone for second factor authentication but at the same time, you do not want to use Two Factor authentication solution.
You can try MultiFactor Unlock and configuring trusted signal, see the below document for your reference.
Is there a good way to implement 2-Factor authentication on an MVC web application that is using Windows Authentication?
I see examples that show how to implement 2-Factor on a Forms-based MVC app, but couldn't find one for a Windows-based MVC app.
Any help would be appreciated!
2-factor doesn't make sense in the context of Windows Auth. The application is authorized by the user's domain account. The security aspect lies on the domain-end, not the application-end.
However, if you're dead set on doing this, you effectively can't use Windows Auth. That sounds a little contradictory, I know. How you would have to handle this is use application-based authentication, such as Identity, so the web application itself would hold the user accounts. Then, you can authenticate via connecting to LDAP directly. You'll have to set all this up yourself, in other words; no easy set it and forget like you get with Windows Auth. With something like Identity, you can implement 2-factor auth, so you're golden there. However, instead of validating the password via your application's database and users, you authenticate via LDAP.
This is actually pretty common among enterprise-class applications utilizing AD. Typically, they'll have a script that you can run, as a consumer of the app, to periodically update the application's user database from AD, so all the same users with the same details exist in both places, except for the password, which remains solely with AD. This way, the application can associate its own data with its copy of the user, but authentication and authorization still happens at the AD level.
I am developing an MVC3 application for a customer service team.
I am using default login and registration controls in my application.
I have to use both Form Authentication and Windows Authentication.
For the customers who come online to insert their comments, it will be Form Authentication for them.
For the customer service staff, the system has to use their Windows Authentication to login them (if they they have logged into the
their windows account the website should recognize their login details and authenticate them.)
How can I make my MVC3 application to authenticate both Windows Authentication for the staff and Forms Authentication for others?
Thanks
i think you must create your own authentication on top of FormsAuthentication .
check this maybe helpful
http://www.khalidabuhakmeh.com/asp-net-mvc-5-authentication-breakdown-part-deux
We have two existing legacy web applications, one for the intranet using windows authentication within the domain, and one internet application, performing a custom web forms username + password based authentication. Now a new web applications is developed and will be available in the internet to both internet and intranet users, handling both authentication models. Therefore we decided to use WIF. We're going for ASP.NET 4.5 MVC 4 on Windows Server 2012.
The intranet authentication shouldn't be a problem as we can use ADFS 2.0 here.
But we currently have no clue how to solve the username + password authentication. It looks like we need to develop a custom UserNameSecurityTokenHandler to authenticate users which provide username + password information which is verified against our custom membership provider. But I need some assistance with the whole workflow...
Assume that we have a custom login page for internet users; and assume that we managed to route internet users to this login page (in ASP.NET MVC), what's the missing part from here to a valid token? How would the form or the MVC controller action which received the provided username + password proceed to trigger the configured WIF identity provider?
The most elegant solution would be to create another STS for the external users and have ADFS trust this as an identity provider:
External users will be redirected to the IdP STS that would use the usr/pwd database. Internal users will authenticate through ADFS directly (against AD).
In this scenario, ADFS is acting both as an IdP and a Federation Provider.
For this to work you need both ADFS and the IdP (and the app) exposed to the internet. An STS you can use that leverages membership is IdentityServer, which is open source and you can of course customize for your needs.
With this architecture you don't need any special customizations/extensions in the app. You will need to handle "home realm discovery" though. Which is the process of knowing where to authenticate users on (e.g. intranet vs. extranet). Presumably, you might have different URLs, etc.
is the SAML protocol (Sing Sign ON) used soley for web apps and web services, or is it also used for standard applications?
REVISED:
I am looking for some windows (Standard Applications (not web based)) protocols for Single Sign On
If you are looking at Windows specifically, why not use Kerberos and Integrated Windows Authentication? It's built into Active Directory and Domain Controllers. It doesn't really work once you start crossing into the Internet and different security domains but it works well behind your firewall in a corporate environment.
However, SAML can be used for desktop applications. I've run into applications before that would retrieve the Kerberos ticket from the Desktop, make a WSTrust/RST call to an STS to validate the Kerb token and get back a SAML token in the RSTR that would be embedded into a Web Services call that the desktop application needed to make.
SAML allows secure web domains to exchange user authentication and authorization data and by definition would require an internet connection to do so. So no you would not want to use it for a desktop application.
Revised
here are the links for active directory implementation with Delphi.
http://www.agnisoft.com/white_papers/active_directory.asp
http://adsi.mvps.org/adsi/Delphi/index.html