I'm new to .NetCore 2.0. I'm building a simple HR application that runs on our intranet in VS2017/C#.
Server: Window 2012 R2
Using IIS as a reverse proxy.
Windows Authentication only -- all other authentication disabled.
.Net Core Windows server hosting on the server is 2.0.5.
In previous application (.net framework). I simply set the authentication on the site to windows, disabled all other authentication and set the identity impersonate = true in the web.config.
In .NET core, this is not working when the application attempts to access the database. In this case, I get an error stating that the IIS user cannot access the database (which they shouldn't be allowed to, the current windows login credentials should be used instead).
I have already done what it says in this link
https://learn.microsoft.com/en-us/aspnet/core/security/authentication/windowsauth?tabs=aspnetcore2x
I am still getting an error stating that the IIS user cannot get access to the db, but I want it to impersonate the windows credential, not the IIS user.
In short, how do I get windows authentication to work in .NET Core 2?
Any help is appreciated. Thanks
Related
I have installed several application on a BizTalk 2020 server using BTDF 5.8 where I used to the application settings in the deployment to update any config for the BizTalk applications.
My own account is part of the SSO admin group and I use the in proc host account to install the apps into the BizTalk server. The proc host account is also part of the SSO admin group.
When I view the SSO using the admin or client utility no apps are shown. I also downloaded and run the BizTalk-Server-SSO-Application-Configuration-Tool. The tool also showed no current installed applications, but was able to add an application with it config.
But ideally I would like to view and edit current config as I am currently getting an error on a server with incorrect value.
Is there another tool to view and edit settings or am I missing something that must be enabled.
I'm currently trying to integrate an existing Blazor Server (ASP.NET Core 6.0, server-side only) application with my company's Keycloak authentication services. I need to use the existing .NET Authentication/Authorization libraries with the Keycloak - the Keycloak will hold all the relevant User data I need to access (e.g. ID, name, passwords, etc.) and use that data as query parameters to access the data stored in PostgreSQL. I've seen that this is possible with Microsoft SQL Server, so I'm wondering if the following is even possible:
Using something other than Microsoft SQL Server or SQLite to handle Authentication with .NET
Using a remote server database to handle Authentication instead of a local .db migration
Accessing Keycloak data for authentication instead of data stored in said local .db migration
If all of this is possible on Blazor Server instead of WebAssembly
There's tons of documentation on how to use SQL Server in a WebAssembly for authentication, but what little documentation exists for Blazor Server, and Keycloak, is for older .NET versions (usually 2.0) and very, very basic use cases. There's also questions already asked but haven't been answered. I'm still very new to Web development and Blazor, so if this isn't even possible, I wouldn't be surprised.
I am trying to write an WPF client which uses ADAL to authenticate against ADFS on a Windows Server 2012 R2. I have successfully implemented this using "Forms Authentication" where the user is prompted for the domain username and password. However, I want to take advantage of SSO and use the currently logged on domain user to authenticate against the ADFS.
Unfortunately, I'm only getting an error message saying:
This method overload is not supported by '< ADFS servername>'
I have done a lot of searching, but find some of the information contradictive:
This SO post about a Windows Store App (any differences to WPF?) where Vittorio Bertocci links to a blog on how to achieve it:
ADAL for Windows Store SSO
This SO post where Vittorio Bertocci claims that silent authentication is only possible with Windows Server 2016:
Authenticate with ADFS inside Console App silently
Is it a fact that Windows Server 2016 is required to perform SSO in conjunction with ADAL?
Is there any other way to do it?
EDIT:
After upgrading to the latest alpha of ADAL (3.9.302111717-alpha) I'm getting the more detailed error message
MSIS9611: The authorization server does not support the requested 'grant_type'. The authorization server only supports 'authorization_code' or 'refresh_token' as the grant type.
The code I'm executing is this:
string authority = "https://myServer.com/adfs";
string resourceURI = "http://myApp/";
string clientId = "XXXX-XXX-XXXX-XXXX-XXXXX";
string clientReturnUri = "http://anarbitraryreturnuri/";
var ac = new AuthenticationContext(authority, false);
var token = await ac.AcquireTokenAsync(resourceURI, clientId,new UserCredential());
I was able to implement a working solution using WS-Trust, so I am confident that the machine I'm running on has the privacy settings to enable the app to find the currently logged on user.
The Oauth2 endpoint looks as follows:
Also, my global authentication policy is set up like this:
Windows Server 2016 is only required for the password grant - in which you provide raw username and password. Your question seems to suggest you want to sign on with the currently signed in user, which would leverage Kerberos instead.
Kerberos based authentication should work with ADFS "3" and ADFS 2016 indifferently - as long as your client is connected to the domain network, the local machine does not have privacy settings that prevent your app from finding out the domain user currently logged in and the correct endpoints are enabled on the ADFS instance.
This will be a simple answer for those used to Windows authentication but as Solaris Sysadmin I am just looking for some clarification on how to implement Windows Authentication between an application running on an IIS7 Web Site (running on Server 2008 R2) and a Microsoft SQL 2008 Server.
The application at the moment uses this tag:
Data Source=mydbserverhostname;Initial Catalog=TheDBName;User ID=testuser; Password=apassword
In the specifications it is supposed to use this:
Data Source=mydbserverhostname;Initial Catalog=TheDBName;Integrated Security=SSPI;
I would like to go back and get the Windows Authentication working before I have to deploy to Production. From my understanding of Windows I need to have a Windows Domain account to authenticate against a Service Account which has been set on the SQL Server 2008.
What I am missing is how to achieve this and how to get it running as a service so that I can log out and leave IIS7 running the site and the SQL Server talking to each other.
I have read a couple of similar questions on this forum but the answers seem to be "just switch to SQL Authentication" which I need to avoid in the final implementation.
Any help would be appreciated.
When using the DefaultAppPool change the Identity to a custom username and password that matches the service account that has been created on the SQL Server/(LDAP) as per:
http://www.iis.net/learn/manage/configuring-security/application-pool-identities
I am building a site using ASP.NET MVC 2. The site itself needs to be public but the admin section should require a windows login and the user logging in needs to have local admin privileges on the server.
i.e. http://server/site should be open, but http://server/site/admin should force an admin login before proceeding.
Can this be done in code or by tweaking the web.config file? If necessary, making configuration changes to IIS is acceptable but I am trying to keep deployment steps down to a minimum.
I don't know if you can do this in web.config, or even if it's possible via IIS in an MVC application (since /site/admin won't exist on the file system), but it is possible to have different permissions for different folders under IIS. You will need to use the IIS manager to configure this.
You may also be able to use an AuthorizeAttribute on your admin controller.
This turned out to be fairly straightforward:
Enable Windows Authentication in IIS.
Enable Windows Authentication in web.config.
Decorate each action that needs to be secure with [Authorize(Roles = "Admin")].