Previously on "asp.net and windows authentication help"


  • lilelvis2000
    replied
    Originally posted by suityou01:
    No. Dry your eyes and start doing something about it. I would suggest putting together an options paper (don't forget a do nothing option).

    Compare and contrast your options. Let the business decide. If they choose an option that is loads of work and reinventing the wheel. Keeeeeeeeeeeeeeeeeeeeeeeerching.

    If they choose to introduce domain trusts on the back of your option paper, then you have a great little war story for a future interview.

    You are more in control than you realise.

    I finally managed to crack the middle man nut. He finally came round and has said that he "believes" there is a trust and is speaking to their internal dev department about the setup.

    If that happens then I can at least simulate things with a local setup. All I'd need to do is get some name/email info from the AD, and web.config can handle the group authorisation.

    Should have the details by end of day...which is almost here. Hmmmm..

    Well, at least I got to work on my tan today! Even if I earned £0..



  • suityou01
    replied
    Originally posted by lilelvis2000:
    What it is, is frustration.

    I am told that as they are a global company trust can't happen. Well there goes the project then.

    No. Dry your eyes and start doing something about it. I would suggest putting together an options paper (don't forget a do nothing option).

    Compare and contrast your options. Let the business decide. If they choose an option that is loads of work and reinventing the wheel. Keeeeeeeeeeeeeeeeeeeeeeeerching.

    If they choose to introduce domain trusts on the back of your option paper, then you have a great little war story for a future interview.

    You are more in control than you realise.



  • lilelvis2000
    replied
    Originally posted by suityou01:
    [1] Kerching
    [2] Ah. Kerching.
    [3] Mmmm. Kerching.
    [4] Keeeeeeeeeeeeeeeeeeeerching.

    What it is, is frustration.

    I am told that as they are a global company trust can't happen. Well there goes the project then.



  • suityou01
    replied
    Originally posted by lilelvis2000:
    This is what I keep telling them...but I think the middle man is the problem. All I get back is that the app must hit both ADs. Anyway I think I can hack something akin to what I was describing above..with the fake authentication, then an AD check, then a revoke if necessary.

    I've been on this three days now..it was only scheduled for four!

    Middle man is the "architect"..he's got far less experience than me and he's an arts grad who pretends to be a programmer. The most annoying bit is that all the code is vb.net...so it takes twice as much text to do everything.

    [1] Kerching
    [2] Ah. Kerching.
    [3] Mmmm. Kerching.
    [4] Keeeeeeeeeeeeeeeeeeeerching.



  • lilelvis2000
    replied
    Originally posted by suityou01:
    Your client is not quite understanding Windows security.

    Your external users will be authenticated on the external AD. You will have no access to this from your internal AD unless a domain trust exists.

    For SSO to work, your external users need to be authenticated on the domain. VPN access or some such. Once they are authenticated on the domain, they will receive a token, which contains the SID.

    For info, your users' SID and SamAccountName are cached in the IIS metabase. So if a user changes their name, SSO will break for them until you flush the cache on IIS, either by bouncing the box, restarting the w3c, restarting the app pool or logging in on that box with the user account that has changed.

    asp.net - IIS Returning Old User Names to my application - Stack Overflow

    This is what I keep telling them...but I think the middle man is the problem. All I get back is that the app must hit both ADs. Anyway I think I can hack something akin to what I was describing above..with the fake authentication, then an AD check, then a revoke if necessary.

    I've been on this three days now..it was only scheduled for four!

    Middle man is the "architect"..he's got far less experience than me and he's an arts grad who pretends to be a programmer. The most annoying bit is that all the code is vb.net...so it takes twice as much text to do everything.



  • suityou01
    replied
    Originally posted by lilelvis2000:
    Suppose I'll give it a go. User doesn't want a login screen, just wants to go straight to the app. Internal users are not a problem, it's the external ones who are on a different AD that are the problem.
    No doubt the authorisation won't work and I'll just get that 'denied access' screen.

    These guys are really tight with their security..I doubt they'll allow impersonation. But what the hey..I've got a little hair left.

    Salik.

    Your client is not quite understanding Windows security.

    Your external users will be authenticated on the external AD. You will have no access to this from your internal AD unless a domain trust exists.

    For SSO to work, your external users need to be authenticated on the domain. VPN access or some such. Once they are authenticated on the domain, they will receive a token, which contains the SID.

    For info, your users' SID and SamAccountName are cached in the IIS metabase. So if a user changes their name, SSO will break for them until you flush the cache on IIS, either by bouncing the box, restarting the w3c, restarting the app pool or logging in on that box with the user account that has changed.

    asp.net - IIS Returning Old User Names to my application - Stack Overflow



  • lilelvis2000
    replied
    Originally posted by suityou01:
    You tell me. Is this SSO or do they type it in?

    Assuming SSO, and your app pool is set to impersonate, you could use:

    Code:
    System.Security.Principal.WindowsIdentity.GetCurrent().Name;

    Suppose I'll give it a go. User doesn't want a login screen, just wants to go straight to the app. Internal users are not a problem, it's the external ones who are on a different AD that are the problem.
    No doubt the authorisation won't work and I'll just get that 'denied access' screen.

    These guys are really tight with their security..I doubt they'll allow impersonation. But what the hey..I've got a little hair left.

    Salik.



  • suityou01
    replied
    Originally posted by lilelvis2000:
    From the documentation I believe that in Windows Authentication, after the user has been authenticated, yes you get their credentials.
    With the rest, you get the account the page is running under..typically one of the IIS accounts.

    see Page.User Property (System.Web.UI)

    Unless your app pool is set to impersonate.



  • lilelvis2000
    replied
    Originally posted by mudskipper:
    Page.User.Identity.Name ? Or does that only work after authentication?

    From the documentation I believe that in Windows Authentication, after the user has been authenticated, yes you get their credentials.
    With the rest, you get the account the page is running under..typically one of the IIS accounts.

    see Page.User Property (System.Web.UI)



  • suityou01
    replied
    Originally posted by lilelvis2000:
    How do I get the user name? I need that to query the AD and check that the user is in a specific set of groups allowed to use the application.

    Are you suggesting that I :
    Session_OnStart: authenticate them with an authentication cookie, redirect to another page.
    On that page, grab their username off their PC (which I think you can do once you've authenticated them), check with AD.
    If OK redirect to the home page, if not revoke the cookie and redirect to a page to display a 'forbidden' message.

    This could work with Forms type authentication possibly. Worth a go.

    You tell me. Is this SSO or do they type it in?

    Assuming SSO, and your app pool is set to impersonate, you could use:

    Code:
    System.Security.Principal.WindowsIdentity.GetCurrent().Name;



  • suityou01
    replied
    Originally posted by lilelvis2000:
    How do I get the user name? I need that to query the AD and check that the user is in a specific set of groups allowed to use the application.

    Are you suggesting that I :
    Session_OnStart: authenticate them with an authentication cookie, redirect to another page.
    On that page, grab their username off their PC (which I think you can do once you've authenticated them), check with AD.
    If OK redirect to the home page, if not revoke the cookie and redirect to a page to display a 'forbidden' message.

    This could work with Forms type authentication possibly. Worth a go.

    Not quite as clunky. I would probably write some web services to do the lookups in AD, as this would potentially benefit other applications or future application development. Talk to your architect first.

    No need for cookies, you use the session object.

    To read the AD you would do something like

    Code:
    using System.DirectoryServices;

    // Escape the caller-supplied value for use inside an LDAP filter (RFC 4515); without this a
    // crafted samAccountName could change the meaning of the query.
    string escaped = samAccountName.Replace("\\", "\\5c").Replace("*", "\\2a").Replace("(", "\\28").Replace(")", "\\29").Replace("\0", "\\00");

    DirectoryEntry _directoryEntry = new DirectoryEntry("LDAP://DC=topLevelObjectName,DC=YourDomain,DC=YourDomainSuffix");
    SearchResult result = null;

    // LDAP filter values are not quoted: with the single quotes the search would have matched a literal 'name'.
    using (DirectorySearcher ds = new DirectorySearcher(_directoryEntry, "(&(objectClass=user)(objectCategory=person)(sAMAccountName=" + escaped + "))"))
    {
        ds.PageSize = 1000;
        ds.PropertiesToLoad.Add("sAMAccountName");
        ds.PropertiesToLoad.Add("mail");
        ds.PropertiesToLoad.Add("objectSid");
        //Other properties can be added here, such as the property that holds which applications your user can use. Could be a bit flag. In fact the more I think about it, the more a bit flag sounds like a good idea.

        result = ds.FindOne(); // null when no matching user exists
    }

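The Session_OnStart check the thread keeps circling back to, written out end to end. This is an added example, not code posted by either contributor: it assumes Windows authentication is already switched on in web.config, and the domain name (corp.example), the allowed group names (WebApp-Users, WebApp-Admins) and the Forbidden.aspx page are placeholders. It uses System.DirectoryServices.AccountManagement instead of a hand-built LDAP filter, so there is no filter string for a user-controlled value to break, and it looks the caller up by the SID from their token rather than by account name, which is the value that stays stable when a user is renamed.

```csharp
// Global.asax.cs (added example with hypothetical domain, group and page names)
using System;
using System.DirectoryServices.AccountManagement;
using System.Security.Principal;
using System.Web;

public class Global : HttpApplication
{
    // Assumed values: the AD domain the app pool account can query, and the groups
    // whose members may use the application. Replace with the client's real names.
    private const string DomainName = "corp.example";
    private static readonly string[] AllowedGroups = { "WebApp-Users", "WebApp-Admins" };

    protected void Session_Start(object sender, EventArgs e)
    {
        // With <authentication mode="Windows"/> IIS has already authenticated the caller
        // before this runs, and Context.User carries a WindowsIdentity built from the
        // logon token (which is where the SID comes from). Users from a forest this
        // domain does not trust never get that far, so they never reach this code.
        var identity = Context.User == null ? null : Context.User.Identity as WindowsIdentity;
        if (identity == null || !identity.IsAuthenticated || identity.IsAnonymous)
        {
            // No home-grown fallback login: an unauthenticated caller gets 401 and IIS re-challenges.
            Response.StatusCode = 401;
            CompleteRequest();
            return;
        }

        if (!IsAuthorised(identity))
        {
            // Authenticated but not in an allowed group: drop the session and show the forbidden page.
            Session.Abandon();
            Response.Redirect("~/Forbidden.aspx", endResponse: true);
        }
    }

    // Resolves the caller by SID rather than by SamAccountName, so a renamed account
    // still maps to the right directory object.
    internal static bool IsAuthorised(WindowsIdentity identity)
    {
        using (var ctx = new PrincipalContext(ContextType.Domain, DomainName))
        using (var user = UserPrincipal.FindByIdentity(ctx, IdentityType.Sid, identity.User.Value))
        {
            if (user == null || user.Enabled == false)
            {
                return false; // not known in this domain, or the account is disabled
            }

            foreach (var groupName in AllowedGroups)
            {
                using (var group = GroupPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, groupName))
                {
                    // IsMemberOf tests direct membership; for nested groups walk
                    // user.GetAuthorizationGroups() instead.
                    if (group != null && user.IsMemberOf(group))
                    {
                        return true;
                    }
                }
            }
            return false;
        }
    }
}
```

Two things worth knowing before copying this. A check in Session_Start runs once per session, so a user removed from the group keeps access until their session expires; if that matters, do the same check in Application_AuthenticateRequest (or cache the result per user with a short lifetime) so it is enforced on every request. For the simple case where the allowed groups are fixed, the same rule can be declared in web.config with an authorization element that allows the DOMAIN\Group roles and denies everyone else, which needs no code at all.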


  • mudskipper
    replied
    Originally posted by lilelvis2000:
    How do I get the user name? I need that to query the AD and check that the user is in a specific set of groups allowed to use the application.

    Are you suggesting that I :
    Session_OnStart: authenticate them with an authentication cookie, redirect to another page.
    On that page, grab their username off their PC (which I think you can do once you've authenticated them), check with AD.
    If OK redirect to the home page, if not revoke the cookie and redirect to a page to display a 'forbidden' message.

    This could work with Forms type authentication possibly. Worth a go.

    Page.User.Identity.Name ? Or does that only work after authentication?



  • lilelvis2000
    replied
    Originally posted by suityou01:
    Global.asax. Session_OnStart event. Do your checks there. If they fail your home grown authentication (using AD lookups) then bounce them to a home grown error page.

    How do I get the user name? I need that to query the AD and check that the user is in a specific set of groups allowed to use the application.

    Are you suggesting that I :
    Session_OnStart: authenticate them with an authentication cookie, redirect to another page.
    On that page, grab their username off their PC (which I think you can do once you've authenticated them), check with AD.
    If OK redirect to the home page, if not revoke the cookie and redirect to a page to display a 'forbidden' message.

    This could work with Forms type authentication possibly. Worth a go.



  • suityou01
    replied
    Originally posted by lilelvis2000:
    I have a client who wants an ASP.Net web app changed such that it uses NTLM to authenticate users. There are two classes of users: those inside their network, including via VPN, and those authorised from outside their network (external users). But users on their domains are on one AD and the external users are on another AD server.

    The only way I know this can be done is to establish trust between the servers. But for some reason, either their IT department doesn't understand that, or they are refusing. I don't know what the issue is as I speak to a middle man. All I get back is that I must check both AD servers. Very frustrating.

    I'm pulling my hair out at this point.

    So, if their IT department is not interested in changing the setup, is there any way, using Windows authentication, I can somehow check two AD forests? It doesn't seem possible to me because IIS is doing all the authentication work before my app even gets a look in. By the time my app page loads the user is authenticated and authorized.

    I can't see any other way to do it, other than with trust. The client does not seem interested in using Forms at all. Which is odd because the app which I am changing currently uses Forms authentication.

    Global.asax. Session_OnStart event. Do your checks there. If they fail your home grown authentication (using AD lookups) then bounce them to a home grown error page.



  • lilelvis2000
    started a topic asp.net and windows authentication help

    asp.net and windows authentication help

    I have a client who wants an ASP.Net web app changed such that it uses NTLM to authenticate users. There are two classes of users: those inside their network, including via VPN, and those authorised from outside their network (external users). But users on their domains are on one AD and the external users are on another AD server.

    The only way I know this can be done is to establish trust between the servers. But for some reason, either their IT department doesn't understand that, or they are refusing. I don't know what the issue is as I speak to a middle man. All I get back is that I must check both AD servers. Very frustrating.

    I'm pulling my hair out at this point.

    So, if their IT department is not interested in changing the setup, is there any way, using Windows authentication, I can somehow check two AD forests? It doesn't seem possible to me because IIS is doing all the authentication work before my app even gets a look in. By the time my app page loads the user is authenticated and authorized.

    I can't see any other way to do it, other than with trust. The client does not seem interested in using Forms at all. Which is odd because the app which I am changing currently uses Forms authentication.
