I’m trying to access active directory in our server using Kerberos(GSSAPI).
Firstly try current windows user, if refused, user can input new one.
Most of the documents mentioned Kerberos can authorize without password (current user),but little about login with a new user.
In other soft (e.g. IE) When current user is not accepted, they request me to input a new user/pass. But I got few information about how to imply that.
In Kerberos ,What is the difference between “new user login with password” and “share authority between two links” ?
My goal is to let user input username/password and login AD with Kerberos, if current user is not accepted.(in c++)
The linkage between SSPI and GSSAPI seems to be a huge problem , I searched stackoverflow/google and got about 5-8 quistions/docs ,but none of them seems to help.(I will put links later)
here:ldap_sasl_bind_s(GSSAPI) - What should be provided in the credentials BERVAL structure
What I have tried:
About logging with new user/pass, I got no directions.
About logging with current user (through SSPI), I blocked in the last step - return the 4 byte auth-Id. No idea what to return.
Trying to write 0 or other random number, encrypted and send to server, it just refused.
Related
I am creating an electron application that connects to an Database and do POST and GET requests to retrieve and insert data into it, the problem is that in the code i have defined my database uri ( im using mongodb)
const uri = "mongodb+srv://<myusesrname>:<mypassword>#cluster0.wqbiu.mongodb.net/query?retryWrites=true&w=majority"
like in the example above, but if i pack my electron app the connection to the database as well as the credentials its visible if someone unpacks the app.asar file and look in the server.js file how i can solve this problem? i dont want any security breaches neither for me or the people that will be using my application, thanks in advance for any answer :)
An application that requires a secure connection to something cannot afford to have any username's or password's hardcoded into its code.
Instead, a procedure of authentication and authorisation is utilised.
Authentication is used to verify the user. IE: They are who they say they are, often achieved via the use of some type of login form.
Authorisation is used to verify the logged-in user is allowed to access the requested resource. EG: Is this user allowed to retrieve a list of all users email addresses from the database.
As a rough guide, a user will login with their username and password. You could use OpenID as well here if you wanted. Once the user is 'logged-in' you could set a cookie or session and save the session id in the DB against the user. Of course, all of this is done over HTTPS.
There are various ways to control the validity of the session such as but not limited to refreshing the expiration date / time every time the user hits the server, auto timeout if the user has not interacted with the server for more than X minutes, etc.
In your app, the user could try and interact with the database at any time, but if the user is not logged in, the server could return the appropriate response and prompt the user to login. Some form of API here is really the way to go.
If the user is logged in then then next step is to authorise the users request, ensuring they are allowed to perform what they are asking before sending a response back. If they are not authorised to access the resource (EG: Edit another user’s post) then an appropriate response is returned indicating so.
As you can see, securing your app will take some work but the result of not doing so could be devastating to you and your users.
"Issue description copied..."
I'm building a partner connector, which relies on a user name and password to connect to database (very similar to the existing Postgres / MySQL connectors provided by Google). In order to verify the credentials, I also need the database host information to be present in addition to username and password and this is the base of my problem.
The Google build connectors conveniently are allowed to collect user credentials and the database related information at the same time. Unfortunately, that doesn't seem to be the case for partner connectors as stated in the requirements
Point 5 "Use appropriate authentication method in getAuthType(). Do not request credentials via getConfig()."
The authentication itself happens before any other configuration details are known (there is just a dialog for username and password) and there doesn't seem to be a way to request additional information on the authentication screen itself. Once the credentials have been entered, the verification also happens immediately, before the configuration is being shown in the next step.
Once credentials are validated successfully, Datastudio then assumes the schema and data can be requested.This excludes the option of a dummy confirmation, because there doesn't seem to be a way to tell credentials are invalid and need to be changed after checking the other configuration details on the next screen.
That makes me unsure, how to determine valid credentials in my use case as I need to know the variable endpoint to authenticate against. I definitely want to avoid storing any user credentials myself in an external database, because this opens up another can of worms.
Has anyone successfully solved a similar issue before and can provide guidance here?
This is a known limitation of the authentication methods for Community Connectors.
A workaround would be to use authtype NONE and then request the credentials and database information in the config. This is, however, not a recommended approach.
I use IdentityServer4 and Xamarin.Forms. All work fine. But there is a question. When i log in and then exit the mobile application or re-build then, when I log in again, I automatically log in! Without asking for a username and password!
I want to note, I did not log out in IdentityServer, just closed app.
It seems that the server remembers the ip address of the application, and if a request for authorization repeatedly arrives from it, without prior log out, then it automatically log in.
This is my guess. I did not find it in the documentation. And did not find the corresponding records in the database
It's because of the cookie based authentication scheme that is set up on your Identity Server 4. You are logging in through your device browser client so after the user logs in the cookie is left and thus the skip of login screen next time there is an attempt to log in.
I am maintaining some code that uses:
pam_ldap version 186
which compiles against
openldap 2.4.40
We are using Active Directory on Windows 2012 for the LDAP backend.
pam_ldap successfully authenticates when given the correct credentials, and sends back the correct error when the credentials are incorrect. The issue i am having is when a user is marked as "User must change password at next login", and i login using the correct credentials, it just sends me the Invalid Credentials error. I looked at the pam_ldap code, added some debugging, and it looks like the code calls "ldap_parse_result" and an LDAPControl structure needs to be filled in, which it then uses to detect for the LDAP_CONTROL_PWEXPIRING flag. But no matter what i do, the LDAPControl variable points to null.
Is there anything i need to configure on the AD differently, or any additional setup in the code i need to do to detect the "User must change password at next login"?
thank you
-=- adamtg
The "User must change password at next login" setting is set when the pwdLastSet attribute is 0. So you can test for it by checking if that attribute is 0.
More details here: https://learn.microsoft.com/en-us/windows/desktop/adsi/user-must-change-password-at-next-logon
I have an application that runs on Windows Mobile 6 Professional PDA devices. The application is installed by browsing a url from the device and downloading a cab.
Users capture information in the application and this is then replicated back to a SQL 2005 server using merge replication and IIS v6.
Although the user needs to log into the application on the device anybody who knows the url could download and install. Also if you know a users password anyone with a device could update that users information.
I would somehow like to authenticate the devices either at the installation or replication stage (or both).
Is it possible to authenticate a device based on serial number or IMEI (mobile phone ID) number?
Is there a way to load a certificate onto the device so only certificated devices are allowed to connect?
I want a system that is not too hard to implement and support. The users must be able to update their own devices and they are not very good at remembering complicate procedures or password.
One possible solution would be to send the unique device id as part of authentication. There's a post on using GetDeviceUniqueID on the Windows Mobile Team Blog.
You could store this unique id when the user first connect to the server and verify it prior to each merge.
This approach helps to ensure that the user logging in is doing so from their own phone. It solves the problem of a remote intruder downloading your program to their own phone and logging into a legitimate users account. Of course, if such an intruder has access to your users phone AND password, all bets are off.
You have conflicting requirements:
The users must be able to update their
own devices and they are not very good
at remembering complicate procedures
or password.
and:
Also if you know a users password
anyone with a device could update that
users information.
If your users can only (barely) be expected to use a password, then you cannot expect to be able to protect in any case against anyone else who has their password.
There's no 'magic' authentication that will tell you a particular user or device is legitimate beyond what you provide.
You can password protect the download, you can load certificates, you can get the PDA information (and even the cellular information), but unless you add another authentication mechanism, at the end of the day all you've got is a password.
The password is your weakest link, and you seem to be indicating that you can't provide more strict access, but you somehow need it?
If you have another authentication channel (phone, email, SMS) then you can provide a more robust, meaningful authentication.
For instance, you could make your program operation dependent on a "public.key" file with a per-user public key that your server requires for use. Once the user logs in to your website, have them give you their phone number (so now you have the phone number and the password) and send an SMS with a link to a temporary download for the key. Make a new key for each user, keep their private key on the server, and encrypt (or at least authenticate) every transaction between the device and server using this key pair.
Now if someone else wants to pretend they are their user, they have to get that file in one of three ways:
They take it directly off the PDA (they also need the password, as the public key should be protected by the user password)
They get the user to request a new SMS link, and somehow get the link without having the phone
They change the phone number and request a new SMS link
In any case, you are validating not only the password, but also an associate phone number. You can make it hard for users to change the phone number (validate against their email as well when they request a phone number change, have them call in, etc).
Of course you can do the same with other channels of communication, but users are getting more and more used to SMS authentication and download, so it isn't too much more hassle.
-Adam
You could generate slightly different cab file for every download. The only difference would be security token your application would use as user/password analogue. That should be a public key for real security.
You could send them SMS with a code each time they access your application.