
Windows Authentication and Active Directory


I am building my first website. I want it to use Windows Authentication. I would like to set the User's roles based on their group permissions. So, I want to get the group they belong to. But, I am having trouble figuring out how to find them in Active Directory. I am using System.DirectoryServices.

If I use the following

Hello, <asp:LoginName runat="server" />!

I get "Hello, DOMAIN\Username!" where DOMAIN\Username is the user's Windows login.

I want to use that information to get their Active Directory Display name, so I created a function in the code behind:

protected string DisplayName()
{
    DirectoryEntry entry = new DirectoryEntry("LDAP://my.ldap.server/sAMAccountName=" + Page.User.Identity.Name);
    return entry.Name;
}

I assumed that would get me something since the LoginName WebControl displays the Page.User.Identity.Name for the user.

Instead, it returns an empty string. I tried return Page.User.Identity.Name so that it would essentially do the same thing as the LoginName control, but that also returns the empty string. In other words, I have no idea how to get the logged in user so that I can do a search in AD. There is a wealth of knowledge in MSDN that gives me zero examples of this type of scenario. Essentially, it expects me to already know the user I want to look up, but does not tell me where that information is going to be stored.


Owin Refresh Access Token Using Refresh Token


Hi,

I had developed OWIN authentication in my project. I use a refresh token Id globally for each user to grant an access token.
Whenever a user logs in, it generates an access token against the given refreshTokenId and sends the response back to the user.
When I try to refresh the accessToken, it calls the "ReceiveAsync" method of "RefreshTokenProvider", where I deserialize the token using the following code: context.DeserializeTicket(refreshToken.ProtectedTicket);
After execution of this method it calls "GrantRefreshToken" of "AuthorizationServerProvider", where it creates a new access token; this token is attached to the refresh token and sent back to the user.
It works fine if I try to refresh the token before the AccessToken expires.
But when the AccessToken has expired and I try to refresh the token, it calls the "ReceiveAsync" method of "RefreshTokenProvider" and deserializes the token, but after this method completes it does not call "GrantRefreshToken" of "AuthorizationServerProvider".

Note: I had set the refresh token expiry date to null so that it will never expire, but the accessToken expiry time is 20 min.

any help would be appreciated.


Thanks
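An added example, not the poster's code, of a Katana refresh token provider. The ticket passed to CreateAsync carries the access token's lifetime, and the OAuth authorization server middleware checks the deserialized ticket's ExpiresUtc after ReceiveAsync and answers invalid_grant without calling GrantRefreshToken once that time has passed, so the provider sets the refresh token's own lifetime on the ticket before serializing it. The in-memory dictionary stands in for a database table and the 30-day lifetime is a constructed value.

```csharp
using System;
using System.Collections.Concurrent;
using System.Threading.Tasks;
using Microsoft.Owin.Security.Infrastructure;

public class RefreshTokenProvider : IAuthenticationTokenProvider
{
    // Hypothetical store: refresh token id -> protected ticket (a DB table in the post).
    private static readonly ConcurrentDictionary<string, string> Store =
        new ConcurrentDictionary<string, string>();

    public Task CreateAsync(AuthenticationTokenCreateContext context)
    {
        // At this point context.Ticket.Properties.ExpiresUtc is the ACCESS token
        // expiry (20 minutes in the post). Overwrite it with the refresh token's
        // lifetime, otherwise the serialized ticket is already "expired" when the
        // middleware re-checks it on the refresh_token grant.
        string refreshTokenId = Guid.NewGuid().ToString("n");
        DateTime now = DateTime.UtcNow;
        context.Ticket.Properties.IssuedUtc = now;
        context.Ticket.Properties.ExpiresUtc = now.AddDays(30);   // constructed lifetime
        Store[refreshTokenId] = context.SerializeTicket();
        context.SetToken(refreshTokenId);                          // opaque id goes to the client
        return Task.FromResult(0);
    }

    public Task ReceiveAsync(AuthenticationTokenReceiveContext context)
    {
        string protectedTicket;
        // One-time use: remove the id so a replayed refresh token is rejected
        // and GrantRefreshToken issues a fresh pair.
        if (Store.TryRemove(context.Token, out protectedTicket))
            context.DeserializeTicket(protectedTicket);
        return Task.FromResult(0);
    }

    // The middleware calls the async members; the sync ones just delegate.
    public void Create(AuthenticationTokenCreateContext context) =>
        CreateAsync(context).GetAwaiter().GetResult();

    public void Receive(AuthenticationTokenReceiveContext context) =>
        ReceiveAsync(context).GetAwaiter().GetResult();
}
```

Registered through `OAuthAuthorizationServerOptions.RefreshTokenProvider`, the provider's CreateAsync is called again after a successful GrantRefreshToken, which is what rotates the refresh token.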

User & Roles


Hi

  How to create Users & Roles using Identity with a blank MVC project.

Thanks

How to replace openssl signing


openssl.exe is used to sign from the command line using

openssl.exe rsautl -sign -in hash.bin -inkey private.key -out signature.bin

hash.bin - binary data to be signed

private.key - private key file in format

-----BEGIN RSA PRIVATE KEY-----
MIIEpQIBAAKCAQEAwq+LrIGkqn66Vm8nb8mlnjDH0y6dkaZOwlyiglsIcWs6Oq82
...

How to perform the same thing from an ASP.NET MVC4 C# application in an MVC controller? Are there methods in .NET which can create signed data from a private key? Which C# code produces the same result as openssl?

Or should openssl.exe be executed from the controller to sign like from the command line? Or should BouncyCastle or another additional library be used?
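An added example, not from the post, showing the two .NET equivalents and the difference between them. `openssl rsautl -sign` applies PKCS#1 v1.5 block type 1 padding to the input bytes exactly as given, with no DigestInfo prefix; `RSA.SignHash` prepends the DigestInfo for the named hash, which matches `openssl dgst -sha256 -sign` (or `pkeyutl -sign -pkeyopt digest:sha256`) instead. It assumes .NET 5 or later for RSA.ImportFromPem; on .NET Framework 4.x (MVC4) the "BEGIN RSA PRIVATE KEY" PEM must be parsed first, for example with BouncyCastle's PemReader.

```csharp
using System;
using System.IO;
using System.Linq;
using System.Numerics;
using System.Security.Cryptography;

public static class OpenSslSigning
{
    // Matches `openssl dgst -sha256 -sign private.key`: PKCS#1 v1.5 signature
    // with the SHA-256 DigestInfo added by .NET. This is the API to prefer.
    public static byte[] SignSha256HashPkcs1(RSA rsa, byte[] sha256Hash) =>
        rsa.SignHash(sha256Hash, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);

    // Matches `openssl rsautl -sign -in hash.bin`: block type 1 padding
    // (00 01 FF..FF 00 || data) and the raw private-key operation, no DigestInfo.
    // .NET exposes no API for this, so it is done with BigInteger here.
    // Caveat: BigInteger.ModPow is not constant-time, unlike the RSA class.
    public static byte[] RsautlSign(RSA rsa, byte[] data)
    {
        RSAParameters p = rsa.ExportParameters(includePrivateParameters: true);
        int k = p.Modulus.Length;                            // modulus length in bytes
        if (data.Length > k - 11)
            throw new ArgumentException("input too long for PKCS#1 v1.5 padding");
        byte[] em = new byte[k];                             // em[0] and the separator stay 0x00
        em[1] = 0x01;
        for (int i = 2; i < k - data.Length - 1; i++) em[i] = 0xFF;
        Buffer.BlockCopy(data, 0, em, k - data.Length, data.Length);
        BigInteger s = BigInteger.ModPow(ToBig(em), ToBig(p.D), ToBig(p.Modulus));
        return ToBigEndian(s, k);
    }

    // RSAParameters are unsigned big-endian; BigInteger wants little-endian
    // two's complement, so reverse and append a 0x00 sign byte.
    private static BigInteger ToBig(byte[] bigEndian) =>
        new BigInteger(bigEndian.Reverse().Concat(new byte[] { 0 }).ToArray());

    private static byte[] ToBigEndian(BigInteger v, int length)
    {
        byte[] le = v.ToByteArray();                         // may end with a 0x00 sign byte
        byte[] be = new byte[length];
        for (int i = 0; i < length && i < le.Length; i++) be[length - 1 - i] = le[i];
        return be;
    }

    // Same files as the post's command line.
    public static void Main()
    {
        using (RSA rsa = RSA.Create())
        {
            rsa.ImportFromPem(File.ReadAllText("private.key"));
            byte[] input = File.ReadAllBytes("hash.bin");
            File.WriteAllBytes("signature.bin", RsautlSign(rsa, input));
        }
    }
}
```

Whichever variant is used, the private key should be loaded from a protected store (certificate store, key vault) rather than a PEM file inside the web root.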

Support (ASP.NET Identity) OWIN and Azure AD authentication for the same application.


Hi All,

I am creating a new application which needs to support both ASP.NET Identity (OWIN) authentication and Azure AD authentication.

My company employees will be added to Azure AD, whereas customers (public users, who will be registered through a registration screen) need to register freshly and access the web site. Please provide detailed information on enabling both authentications and making my web site use token-based authentication.

My MVC web site and API will be hosted in Windows Azure. Customers will be using the ASP.NET Identity tables for authentication, whereas employees will be using Azure AD for authentication.

Please provide detailed information.

Please suggest.

aspnet_Profile windows forms


Hi. I need to read/write the table aspnet_Profile in a Windows Forms application.

I tried this solution https://www.codeproject.com/articles/290929/using-asp-net-profile-feature-in-a-web-application that works in a web application, but not in Windows Forms.

I get this exception:

Eccezione non gestita di tipo 'System.TypeLoadException' in System.Web.dll Ulteriori informazioni: error load type 'KatalegaleAccountManager.wProfile' dall'assembly 'System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a'.

On the call

public static wProfileCustom GetProfile(string userName)
{
    return (wProfileCustom)Create(userName);
}

Is there any possibility to read/write this information in Windows Forms? Thanks


matteo ghetti

Website Administration Tool / Kerberos Authentication


Does the Website Administration Tool (WAT), user membership for a website, support and use by default Kerberos Authentication with MS SQL Server? 

How to create Windows Authentication in asp.net and link to login page?


I have a website that has a master page and other pages. My question is: I want to allow all users to access the home page, but if an authorized user wants to access the other pages, they have to log in. The login uses the PC login, which is the Windows login. How do I create the login? Is it the same as the usual login?

Can I have any suggestions on how to start it? I am new and still learning to use ASP.NET.


ASP.NET Identity


I am working on an implementation of ASP.NET Identity 2.1, and I need to know exactly what the bit-ness is that the password hasher is using. I have looked at the source code on codeplex and on github, and each of these code bases indicates that they are core. So, I cannot be exactly sure if what I am seeing there is an indication of what v2.1 does.

Can anyone point me in the right direction to specify what the settings are that are used by Identity 2.1 to hash a password?

Thanks.
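An added example, not from the post or the Identity source, that re-implements the Microsoft.AspNet.Identity 2.x password hash format (PBKDF2 with HMAC-SHA1, 128-bit salt, 256-bit subkey, 1000 iterations, 0x00 format marker) so stored hashes can be recognised and verified outside the framework, for instance when auditing an AspNetUsers table.

```csharp
using System;
using System.Security.Cryptography;

public static class IdentityV2Hash
{
    // Parameters of Microsoft.AspNet.Identity 2.x Crypto.HashPassword:
    const int SaltSize = 128 / 8;      // 16-byte random salt
    const int SubkeySize = 256 / 8;    // 32-byte PBKDF2 output
    const int Iterations = 1000;       // PBKDF2-HMAC-SHA1 iteration count
    // Layout: 0x00 format marker || salt || subkey, Base64-encoded (49 bytes -> 68 chars).

    public static string Hash(string password)
    {
        byte[] salt = new byte[SaltSize];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(salt);
        byte[] subkey = Pbkdf2(password, salt);
        byte[] output = new byte[1 + SaltSize + SubkeySize];   // output[0] = 0x00 marker
        Buffer.BlockCopy(salt, 0, output, 1, SaltSize);
        Buffer.BlockCopy(subkey, 0, output, 1 + SaltSize, SubkeySize);
        return Convert.ToBase64String(output);
    }

    public static bool Verify(string hashedPassword, string password)
    {
        byte[] decoded;
        try { decoded = Convert.FromBase64String(hashedPassword); }
        catch (FormatException) { return false; }
        if (decoded.Length != 1 + SaltSize + SubkeySize || decoded[0] != 0x00)
            return false;   // not an Identity 2.x hash (ASP.NET Core V3 hashes start with 0x01)
        byte[] salt = new byte[SaltSize];
        Buffer.BlockCopy(decoded, 1, salt, 0, SaltSize);
        byte[] stored = new byte[SubkeySize];
        Buffer.BlockCopy(decoded, 1 + SaltSize, stored, 0, SubkeySize);
        return FixedTimeEquals(stored, Pbkdf2(password, salt));
    }

    // Rfc2898DeriveBytes is PBKDF2 with HMAC-SHA1, the only variant Identity 2.x uses;
    // the string overload UTF-8 encodes the password, as the framework does.
    private static byte[] Pbkdf2(string password, byte[] salt)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations))
            return kdf.GetBytes(SubkeySize);
    }

    // Compare without short-circuiting so timing does not reveal where the first
    // differing byte is.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

A hash produced by `IdentityV2Hash.Hash` verifies under the framework's `PasswordHasher.VerifyHashedPassword`, and vice versa; the 1000-iteration count is low by today's standards, which is the practical reason to migrate such hashes to a stronger scheme on next login.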

Windows Authentication through IIS to take windows login


Hi,

I am creating an ASP.NET application which will access one of my organization's websites and fetch data from there.

How should I achieve this using Windows authentication through IIS?

I have already deployed it on IIS with the Windows authentication option enabled, but it is not working.

Thanks.

Accessing ASP.NET MVC CORE 1.1 webapp from a webserver via cookies, please discuss.


Hello all,

As part of integrating an internal application into a public website, available only via authentication, we have the following scenario to consider:

Physical structure:

  • The public website is hosted on the web;
  • The internal web application hosted internally on our network;
  • Router configuration allows for ssh encrypted tunneling between the public website and our network;
  • Router configuration via NAT and port forwarding allows the public website webserver to view only the port and only the address of the machine that hosts the webapp on our network;

Software platforms:

  • Internal software application ASP.NET CORE 1.1 MVC hosted on kestrel, and NGINX - featuring SSL certificate;
  • Public website ( legacy ) powered by joomla and php - featuring also SSL certificate;

Software plan:

  1. After user authentication on the public website, the public webserver will log in to the internal application ( cookie based ) by code ( not browser ) via POST and will generate a page with an authenticated iframe pointing to a view of the internal application for user interaction;
  2. The internal application will have an action for this particular login that allows only the role of the user of public website and allows only requests from the address of the machine hosting the public webserver;
  3. The view that will be part of the generated iframe also allows only the role of public website user and also filters the client address to allow this public website access only.

Problems / questions so far:

  1. We have not been able to log in from the public webserver to the local application ( ASP.NET Core with cookie auth ) via code; can you explain the steps on how this can be done via HTTP?
  2. Is the use of an iframe on the public website page to access the view on the internal application a good idea, or do you suggest another? ( note that the authentication to the internal application is done prior to showing the view and the user is not supposed to intervene in that step )
  3. Can you comment / suggest with justification improvements to this scenario?

Thank you very much in advance.

Invalid token on confirmation & reset, sometimes


Hi,

When users generate reset or confirmation tokens in ASP.NET Core, a few users get the error "invalid token".

I have tried encoding/decoding, and checked that the security stamp is null.

I also made sure that confirmation and reset aren't mixed, so each code has its correct method.

I have read several topics but couldn't find an answer yet.

Thank you

ASP.NET MVC identity: Invalid token while resetting password


Hi, I am trying to add the reset password functionality to my web application. When I enter my email address and submit the form, I receive the email that contains the token etc. Then when I click on the link I get redirected to the reset password page, where I enter my email and the new password. Then when I hit the reset button I get the following error from the ResetPassword action: "INVALID TOKEN". Here's my code, and thank you.

public async Task<ActionResult> ForgotPassword(Models.ForgotPasswordViewModel model)
{
    if (ModelState.IsValid)
    {
        var user = await UserManager.FindByEmailAsync(model.Email);
        if (user == null)
        {
            // Don't reveal that the user does not exist or is not confirmed
            return View("ForgotPasswordConfirmation");
        }
        // var provider = new DpapiDataProtectionProvider("CoreProject");
        //UserManager.UserTokenProvider = new DataProtectorTokenProvider<ApplicationUser>(provider.Create("ForgotPassword"));
        string code = await UserManager.GeneratePasswordResetTokenAsync(user.Id);
        var callbackUrl = Url.Action("ResetPassword", "Home", new { userId = user.Id, code = HttpUtility.UrlEncode(code) }, protocol: Request.Url.Scheme);
        await SendMail(user.Email, callbackUrl);
        return RedirectToAction("ForgotPassword", "Home");
    }
    // The end of the method was cut off in the post; redisplay the form when the model is invalid.
    return View(model);
}

public async Task<ActionResult> ResetPassword(Models.ResetPasswordViewModel model)
{
    var user = await UserManager.FindByEmailAsync(model.Email);
    if (user == null)
    {
        ViewBag.error = "Invalid email address";
        return View(model);
    }

    //var provider = new DpapiDataProtectionProvider("CoreProject");
    //UserManager.UserTokenProvider = new DataProtectorTokenProvider<ApplicationUser>(provider.Create("ForgotPassword"));

    var result = await UserManager.ResetPasswordAsync(user.Id, HttpUtility.UrlDecode(model.Code), model.Password);
    if (result.Succeeded)
    {
        // The original was missing 'return', so the redirect was never sent.
        return RedirectToAction("Login");
    }
    return View(model);
}

forms authentication timeout and persistent cookies

I was always told that it was wise to minimise the forms authentication timeout for both performance and security reasons (the documentation also recommends this
http://technet2.microsoft.com/WindowsServer/en/Library/f69977f1-1415-45f2-9e51-c1dac4aa03b21033.mspx?mfr=true
"You might consider changing the timeout value to a shorter amount of time, to shorten the session lifetime and to reduce the possibility of cookie replay attacks.").

However in asp.net 2.0, persistent cookies no longer have a hardcoded timeout of 50 years (thanks for that), but instead take their timeout from the timeout attribute on the forms authentication node. I'm not sure how the two gel together, as it seems I can either choose performance and better security or else persistent cookies. At present for a few asp.net 2.0 websites I'm having to set timeouts of days/weeks, and I'm not completely comfortable with this. It seems to me that MS should have provided two settings, one specific to forms authentication, and one to persistent cookies.

Am I picking up something wrong here, as at the minute I think to get around this limitation, I'm going to have to extend the forms authentication timeout for persistent cookies via code rather than relying on the timeout value.

Thanks,
Cathal
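An added example, not Cathal's code, of the workaround described above: FormsAuthenticationModule enforces the expiration carried inside the encrypted ticket, so a persistent ticket built by hand can carry its own lifetime while the `<forms timeout>` in web.config stays short for ordinary sessions. The 14-day lifetime is a constructed value.

```csharp
using System;
using System.Web;
using System.Web.Security;

public static class FormsAuthCookies
{
    private static readonly TimeSpan PersistentLifetime = TimeSpan.FromDays(14); // constructed value

    public static void SignIn(HttpResponse response, string userName, bool persistent)
    {
        if (!persistent)
        {
            // Ordinary logins keep the short <forms timeout> from web.config.
            FormsAuthentication.SetAuthCookie(userName, false);
            return;
        }

        DateTime now = DateTime.Now;
        var ticket = new FormsAuthenticationTicket(
            1,                               // version
            userName,
            now,                             // issue date
            now.Add(PersistentLifetime),     // expiration checked by FormsAuthenticationModule
            true,                            // isPersistent
            string.Empty,                    // userData
            FormsAuthentication.FormsCookiePath);

        // Encrypt() protects the ticket with the machineKey exactly as SetAuthCookie
        // would; only the expiration inside the ticket differs.
        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName, FormsAuthentication.Encrypt(ticket))
        {
            HttpOnly = true,                              // keep script away from the ticket
            Secure = FormsAuthentication.RequireSSL,      // honour requireSSL="true"
            Path = FormsAuthentication.FormsCookiePath,
            Expires = ticket.Expiration,                  // persistent: survives the browser session
        };
        if (FormsAuthentication.CookieDomain != null)
            cookie.Domain = FormsAuthentication.CookieDomain;
        response.Cookies.Add(cookie);
    }
}
```

With slidingExpiration enabled the module renews a persistent ticket using the ticket's own interval, so the long lifetime persists across renewals; a server-side revocation check (for example a per-user stamp compared in Application_AuthenticateRequest) is the only way to cut such a cookie short before it expires.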

 

Storing additional user properties in AspNetUsers


Hi, 

I am using Asp.net Core Identity.

To enable additional user information, I created a class, let's say "MyUser" with a number of custom properties, and made sure these correspond to columns in AspNetUsers.

In ConfigureServices, I added:

services.AddIdentity<MyUser, IdentityRole>();

And I get this using dependency injection in my controllers.

Now I can get the full user class with:

var user = await _userManager.GetUserAsync(HttpContext.User);

The user contains the default properties (UserName, Email, etc), but also my additional properties from the MyUser class.

This gives me direct access to the properties on the user I want to keep.

I would like to hear your views on this. How far can you extend this; is there a line that I should not cross? For example, I would like to store an encrypted JSON string that contains the user's SMTP server data (server, port, SSL/TLS, uid, password). I can also store that in a separate table and do a lookup using the user.Id as the key, but storing it in AspNetUsers is more convenient.

Any thoughts, ideas, concerns?

Thanks

Pieter
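An added example, not Pieter's code, of protecting such a column with the ASP.NET Core Data Protection API that AddIdentity already registers. It assumes a MyUser class derived from IdentityUser; the SmtpSettings class, the column name and the purpose string are constructed.

```csharp
using System.Text.Json;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.AspNetCore.Identity;

public class MyUser : IdentityUser
{
    // Stored in AspNetUsers as an opaque string; never the plaintext JSON.
    public string ProtectedSmtpSettings { get; set; }
}

public class SmtpSettings
{
    public string Server { get; set; }
    public int Port { get; set; }
    public bool UseTls { get; set; }
    public string UserId { get; set; }
    public string Password { get; set; }
}

public class SmtpSettingsProtector
{
    private readonly IDataProtectionProvider _provider;

    public SmtpSettingsProtector(IDataProtectionProvider provider) => _provider = provider;

    // Binding the protector to the user's Id means a ciphertext copied from one
    // AspNetUsers row into another fails to unprotect, instead of silently
    // handing one user's SMTP credentials to another account.
    private IDataProtector For(MyUser user) =>
        _provider.CreateProtector("MyApp.SmtpSettings", user.Id);

    public void Store(MyUser user, SmtpSettings settings) =>
        user.ProtectedSmtpSettings = For(user).Protect(JsonSerializer.Serialize(settings));

    // Returns null when nothing is stored; Unprotect throws CryptographicException
    // when the payload was tampered with or was protected under a different
    // user Id or key ring.
    public SmtpSettings Load(MyUser user)
    {
        if (string.IsNullOrEmpty(user.ProtectedSmtpSettings)) return null;
        string json = For(user).Unprotect(user.ProtectedSmtpSettings);
        return JsonSerializer.Deserialize<SmtpSettings>(json);
    }
}
```

The Data Protection key ring has to be persisted (PersistKeysToFileSystem, Azure Key Vault, etc.) and backed up, because the stored blobs are unreadable once the keys that protected them are gone; that durability question is the same whether the column lives in AspNetUsers or a separate table.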


Understanding Identity


Hello everyone and thanks for your help in advance. I have a few old Web Forms projects that use forms authentication as security and am interested in transitioning to the Identity framework, but need a better understanding before proceeding. I've read a few articles on getting started, such as https://docs.microsoft.com/en-us/aspnet/identity/overview/getting-started/introduction-to-aspnet-identity and https://docs.microsoft.com/en-us/aspnet/identity/overview/getting-started/adding-aspnet-identity-to-an-empty-or-existing-web-forms-project, but need to understand a few details. The example for Web Forms shows the need to change the startup file to:

using Microsoft.AspNet.Identity;
using Microsoft.Owin;
using Microsoft.Owin.Security.Cookies;
using Owin;

[assembly: OwinStartup(typeof(WebFormsIdentity.Startup))]

namespace WebFormsIdentity
{
   public class Startup
   {
      public void Configuration(IAppBuilder app)
      {
         // For more information on how to configure your application, visit http://go.microsoft.com/fwlink/?LinkID=316888
         app.UseCookieAuthentication(new CookieAuthenticationOptions
         {
            AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
            LoginPath = new PathString("/Login")
         });
      }
   }
}

Is this only for Web Forms, or are the same changes needed for MVC or Web API? Second, let's say I wanted certain pages to require login, but maybe other pages to be available without authentication. If I understand correctly, under this startup configuration, no page will be available without login. How do I accomplish the public/private blend I outlined above? Any help would be appreciated.
 

ASP.NET Identity Manager to manage page


Now I can use ASP.NET Identity Manager to manage the users and roles. By the way, I am doing it in Web Forms at the moment.

Next, what I want to learn is what would be a good way to manage pages based on roles. For example, the Admin role can access page1.aspx and page2.aspx, while the User role can access only page3.aspx.

Should I write my own custom code, or is there a Microsoft built-in class to do this?

Regards, Steve

Play Youtube private video in C# Asp.net


Hi All,

I could successfully upload a video to a YouTube channel through the YouTube API in C# ASP.NET as private. I also got the id of the uploaded video. Now I want to play those private uploaded videos in C# ASP.NET with the URL. I have the Client Id and Secret Id and also a Refresh token.

Please provide a solution or pseudo code for the above.

Thanks in advance.

aspnet_regsql command did not install ALL tables?


Hi, I ran aspnet_regsql from the directory C:\Windows\Microsoft.NET\Framework\v4.0.30319\ and attached it to an existing database. For whatever reason, not all the tables were installed. Tables installed were:

  • aspnet_Applications
  • aspnet_Membership
  • aspnet_SchemaVersions
  • aspnet_Users

All the other tables were not installed. This was not an issue until now, but we are considering adding roles to our existing application, and with the tables that refer to roles not being present this is impossible. Ultimately, we would like to introduce various roles and be able to manage them. Any suggestions greatly appreciated.

I am missing something with SSL


Hi, I need some help implementing SSL on the development machine running under IIS Express on localhost. I'm missing something.

My setup is VS 2015 Community, ASP.NET Web Forms project. I am using the IIS Express that the debugger defaults to.

The issue is that the page will not display because the browser cannot obtain a 'secure' connection, or currently (after resetting IIS configurations) "This site cannot be reached".

I have deleted all the localhost certificates and application hosts entries and Reset IIS Express. 

Here are a couple settings:

WebApplication4 Project properties: SSL Enabled=True, SSL URL=https://localhost:44322/, URL=http://localhost:50075/

WebApplication4 properties/Web/Servers: IIS Express, Project Url=https://localhost:44322/

Chrome error at https://localhost:44322/: "This site cannot be reached"

Any Thoughts?

Thanks
