
asp.net and windows authentication help


    I have a client who wants an ASP.NET web app changed such that it uses NTLM to authenticate users. There are two classes of users: those inside their network, including via VPN, and those authorised from outside their network (external users). But users on their domains are on one AD and the external users are on another AD server.

    The only way I know this can be done is to establish trust between the servers. But for some reason, either their IT department doesn't understand that, or they are refusing. I don't know what the issue is, as I speak to a middle man. All I get back is that I must check both AD servers. Very frustrating.

    I'm pulling my hair out at this point.

    So, if their IT department is not interested in changing the setup, is there any way, using Windows authentication, I can somehow check two AD forests? It doesn't seem possible to me, because IIS is doing all the authentication work before my app even gets a look in. By the time my app page loads, the user is authenticated and authorized.

    I can't see any other way to do it, other than with trust. The client does not seem interested in using Forms at all, which is odd because the app which I am changing currently uses Forms authentication.
    McCoy: "Medical men are trained in logic."
    Spock: "Trained? Judging from you, I would have guessed it was trial and error."

    #2
    Originally posted by lilelvis2000 (quoted from #1 above)
    Global.asax. Session_OnStart event. Do your checks there. If they fail your home grown authentication (using ad lookups) then bounce them to a home grown error page.
    Knock first as I might be balancing my chakras.



      #3
      Originally posted by suityou01:
      Global.asax. Session_OnStart event. Do your checks there. If they fail your home grown authentication (using ad lookups) then bounce them to a home grown error page.
      How do I get the user name? I need that to query the AD and check that the user is in a specific set of groups allowed to use the application.

      Are you suggesting that I:
      Session_OnStart: authenticate them with an authentication cookie, then redirect to another page.
      On that page, grab their username off their PC (which I think you can do once you've authenticated them) and check with AD.
      If OK, redirect to the home page; if not, revoke the cookie and redirect to a page to display a 'forbidden' message.

      This could work with Forms-type authentication possibly. Worth a go.



        #4
        Originally posted by lilelvis2000 (quoted from #3 above)
        Page.User.Identity.Name ? Or does that only work after authentication?



          #5
          Originally posted by lilelvis2000 (quoted from #3 above)
          Not quite as clunky. I would probably write some web services to do the lookups in AD, as this would potentially benefit other applications or future application development. Talk to your architect first.

          No need for cookies, you use the session object.

          To read the AD you would do something like

          Code:
          using System.DirectoryServices;

          // Bind to the domain root; replace the DN with your own domain.
          DirectoryEntry directoryEntry = new DirectoryEntry("LDAP://DC=topLevelObjectName,DC=YourDomain,DC=YourDomainSuffix");

          // LDAP filter values are not quoted. Escape the account name (RFC 4515) so that
          // a value containing \ * ( or ) cannot change the meaning of the filter.
          string escaped = samAccountName.Replace("\\", "\\5c").Replace("*", "\\2a").Replace("(", "\\28").Replace(")", "\\29");
          string filter = "(&(objectClass=user)(objectCategory=person)(sAMAccountName=" + escaped + "))";

          using (DirectorySearcher ds = new DirectorySearcher(directoryEntry, filter))
          {
              ds.PageSize = 1000;
              ds.PropertiesToLoad.Add("sAMAccountName");
              ds.PropertiesToLoad.Add("mail");
              ds.PropertiesToLoad.Add("objectSid");
              //Other properties can be added here, such as the property that holds which applications your user can use. Could be a bit flag. In fact the more I think about it, the more a bit flag sounds like a good idea.

              SearchResult result = ds.FindOne();   // null when this directory has no such account
              if (result != null)
              {
                  string mail = result.Properties["mail"].Count > 0 ? (string)result.Properties["mail"][0] : null;
              }
          }
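          Putting #2 and this post together, here is an added worked example (mine, not code from the thread) of the Global.asax check suityou01 describes: take the name IIS already authenticated, look the account up by sAMAccountName with a properly escaped filter, and bounce the user unless one of their groups is on an allow-list. The domain DN, the group DN and the Forbidden.aspx page are placeholders, and it assumes Windows authentication is on (anonymous access off) and that the app pool account can read the domain.

```csharp
// Added example, not from the thread. Session_Start hook that authorises the
// Windows-authenticated caller against an AD group allow-list.
// Assumes <authentication mode="Windows"/> and anonymous access disabled in IIS.
using System;
using System.Collections.Generic;
using System.DirectoryServices;
using System.Text;
using System.Web;

public class Global : HttpApplication
{
    // Hypothetical values: the domain to search and the groups allowed to use the app.
    private const string DomainRoot = "LDAP://DC=example,DC=local";
    private static readonly string[] AllowedGroups =
        { "CN=App Users,OU=Groups,DC=example,DC=local" };

    protected void Session_Start(object sender, EventArgs e)
    {
        var identity = Context.User != null ? Context.User.Identity : null;
        if (identity == null || !identity.IsAuthenticated)
        {
            Response.Redirect("~/Forbidden.aspx", true);   // hypothetical page
            return;
        }

        // Context.User.Identity.Name is "DOMAIN\user"; the lookup wants the sAMAccountName.
        string sam = identity.Name;
        int slash = sam.LastIndexOf('\\');
        if (slash >= 0) sam = sam.Substring(slash + 1);

        if (!AdLookup.IsMemberOfAny(DomainRoot, sam, AllowedGroups))
        {
            Session.Abandon();
            Response.Redirect("~/Forbidden.aspx", true);
        }
    }
}

public static class AdLookup
{
    // RFC 4515 escaping: a value like "*)(objectClass=*" must not widen the search.
    public static string EscapeFilterValue(string value)
    {
        var sb = new StringBuilder(value.Length);
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append("\\5c"); break;
                case '*':  sb.Append("\\2a"); break;
                case '(':  sb.Append("\\28"); break;
                case ')':  sb.Append("\\29"); break;
                case '\0': sb.Append("\\00"); break;
                default:   sb.Append(c); break;
            }
        }
        return sb.ToString();
    }

    // Find the user by sAMAccountName and compare its direct memberOf DNs with the allow-list.
    // memberOf lists direct membership only; nested groups need tokenGroups or a recursive walk.
    public static bool IsMemberOfAny(string root, string samAccountName, IEnumerable<string> allowedGroupDns)
    {
        string filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName="
                        + EscapeFilterValue(samAccountName) + "))";

        using (var entry = new DirectoryEntry(root))
        using (var searcher = new DirectorySearcher(entry, filter, new[] { "memberOf" }))
        {
            SearchResult result = searcher.FindOne();
            if (result == null) return false;   // unknown here, e.g. an account from the other forest

            var groups = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
            foreach (object dn in result.Properties["memberOf"])
                groups.Add((string)dn);

            foreach (string allowed in allowedGroupDns)
                if (groups.Contains(allowed)) return true;
            return false;
        }
    }
}
```

          Two limits worth noticing, because they are the ones the thread is circling: FindOne returns null for an account that only exists in the other forest, since this directory has never heard of it, and memberOf holds direct memberships only, so nested groups need tokenGroups or a recursive search. Escaping the filter value costs nothing here and keeps the helper safe if it is later reused with a name typed into a form, which is the Forms path the app already has.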



            #6
            Originally posted by lilelvis2000 (quoted from #3 above)
            You tell me. Is this SSO or do they type it in?

            Assuming SSO, and your app pool is set to impersonate you could use :

            Code:
            // Identity of the current thread: the authenticated user when the app pool
            // impersonates, otherwise the app pool account itself.
            string userName = System.Security.Principal.WindowsIdentity.GetCurrent().Name;



              #7
              Originally posted by mudskipper:
              Page.User.Identity.Name ? Or does that only work after authentication?
              From the documentation I believe that in Windows Authentication, after the user has been authenticated, yes, you get their credentials.
              With the rest, you get the account the page is running under, typically one of the IIS accounts.

              see Page.User Property (System.Web.UI)



                #8
                Originally posted by lilelvis2000 (quoted from #7 above)
                Unless your app pool is set to impersonate.
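                To make the identity question in #4 to #8 concrete, here is an added example (not from the thread) showing the two names a request carries and when they differ. Context.User.Identity is the user IIS authenticated; WindowsIdentity.GetCurrent() is whoever the worker thread is running as, which is the app pool account unless impersonation is on. The Impersonate() call does per request what <identity impersonate="true"/> in web.config does for the whole app. The "IIS APPPOOL\MyApp" name in the comments is only an illustration.

```csharp
// Added example, not from the thread: the authenticated caller versus the thread identity.
using System.Security.Principal;
using System.Web;

public static class CallerIdentity
{
    // The user IIS authenticated (NTLM/Kerberos), as DOMAIN\user. Present whenever
    // Windows authentication is on, whether or not the app pool impersonates.
    public static string AuthenticatedUser(HttpContext ctx)
    {
        var id = ctx.User == null ? null : ctx.User.Identity as WindowsIdentity;
        return (id != null && id.IsAuthenticated) ? id.Name : null;
    }

    // The account the worker thread is running as. Without impersonation this is the
    // app pool identity (e.g. a hypothetical IIS APPPOOL\MyApp), so it is the wrong
    // value to feed into a group check for the caller.
    public static string ThreadUser()
    {
        return WindowsIdentity.GetCurrent().Name;
    }

    // Run as the caller for the duration of a block; returns what ThreadUser() reports
    // before and during impersonation so the difference is visible in one call.
    public static string[] ThreadUserBeforeAndDuringImpersonation(HttpContext ctx)
    {
        var caller = ctx.User == null ? null : ctx.User.Identity as WindowsIdentity;
        if (caller == null || !caller.IsAuthenticated)
            return new[] { ThreadUser(), null };   // nothing to impersonate

        string before = ThreadUser();
        string during;
        using (WindowsImpersonationContext ic = caller.Impersonate())
        {
            during = ThreadUser();   // now the caller's account
        }                            // Dispose() undoes the impersonation
        return new[] { before, during };
    }
}
```

                One caveat before leaning on impersonation for the AD lookup: with NTLM the token IIS hands you is good for this box only, so a thread impersonating the caller cannot in turn authenticate to the domain controller (the double-hop problem) unless Kerberos delegation has been set up. Querying AD as the app pool account and using the caller's name only as the search key avoids that.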



                  #9
                  Originally posted by suityou01 (quoted from #6 above)
                  Suppose I'll give it a go. User doesn't want a login screen, just wants to go straight to the app. Internal users are not a problem; it's the external ones who are on a different AD that are the problem.
                  No doubt the authorisation won't work and I'll just get that 'denied access' screen.

                  These guys are really tight with their security. I doubt they'll allow impersonation. But what the hey, I've got a little hair left.

                  Salik.



                    #10
                    Originally posted by lilelvis2000 (quoted from #9 above)
                    Your client is not quite understanding Windows security.

                    Your external users will be authenticated on the external AD. You will have no access to this from your internal AD unless a domain trust exists.

                    For SSO to work, your external users need to be authenticated on the domain. VPN access or some such. Once they are authenticated on the domain, they will receive a token, which contains the SID.

                    For info, your user's SID and SamAccountName are cached in the IIS metabase. So if a user changes their name, SSO will break for them until you flush the cache on IIS, either by bouncing the box, restarting the w3c, restarting the app pool or logging in on that box with the user account that has changed.

                    asp.net - IIS Returning Old User Names to my application - Stack Overflow

