Integrated windows authentication on linux with Asp.NET Core - active-directory

Is there any chance to get integrated Windows authentication working on Linux in ASP.NET Core? Is there a middleware which could enable this feature? Since it's working on Windows using Kestrel, I thought it might not be impossible to get this working on Linux.
EDIT: Is there a way to get the current windows user via NTLM?

No, there's no middleware for this. Kestrel doesn't even support it directly, it's forwarded from IIS.

Related

Validate Local Windows Account Username and Password in .NET Core 3.1

I have a .NET Core 3.1 WPF app that I'm working on. In order to work with our older application it needs to validate credentials that are entered into a dialog for a local account. How can this be done?
It appears that all of the necessary classes have not been included in .NET Core yet, because the System.DirectoryServices package does not yet have the AccountManagement.PrincipalContext class that used to be used for this purpose.
Clarification
I have to validate creds for an arbitrary user account that may or may not be the account executing the app.
I hate to tell you, but the simple answer is that you cannot. Interaction with Active Directory. There are limits on how integrated DNC 3.1 is - and you stumbled upon one. Supposedly dotnet 5.0 will better integrate.
For now, you can either use win32 / native syntax for this, or use a server side proxy that handles the authentication.
To my knowledge, your requirements are simply not implemented in the scope of the platform chosen.
Anyone please feel free to correct me.
Update: This is doable in .NET not core - so you can put up a simple website for this as a service in .NET. So from the WPF side this turns into "make an HTTP request".

Authenticate against Active Directory in .NET Core 1.0 application?

With the recent release of .NET Core 1.0, we're in the process of migrating our RC1 applications to the final release. The only piece we can't seem to figure out is how to integrate Active Directory authentication.
Previously in the RC1 applications, we had used the System.DirectoryServices.AccountManagement library to handle the LDAP authorization queries. However, we can no longer mix this library with .NET Core v1.
Generally, what is the best way to integrate Active Directory authentication into our applications using the libraries available for use in the .NET Core framework? IdentityServer, some other third party service like Auth0 or something else?
The Novell.LDAP library has been ported to .NET Core; you can find it on NuGet. There are numerous samples available, including a verify password sample.
Best is subjective, really there's only one way right now, given the missing DirectoryServices namespace (which is planned for 1.1) - federation.
You'd have to install ADFS, and expose it to the internet. Then you configure it to act as an OAuth2 endpoint, and use the generic OAuth middleware to redirect logins to your ADFS server. You could also install the latest ADFS beta, which needs the latest Windows Server beta, and use OpenID Connect, but that's a lot of beta risks you may not find acceptable.
Or, if you just want the latest MVC pieces, run it on .NET Desktop, where you have full access to the directory services namespace.
The System.DirectoryServices namespace is currently being implemented in .NET Core, work is ongoing.
https://github.com/dotnet/corefx/issues/2089
Just want to say that they just issued a pre-release of Microsoft.Windows.Compatibility, which contains the System.DirectoryServices components needed to integrate with Active Directory
https://www.nuget.org/packages/Microsoft.Windows.Compatibility/2.0.0-preview1-25914-04

IIS authenticated SOAP Webservice

How can I authenticate to a web service hosted in IIS that is secured with Integrated Windows Authentication?
Do I use HTTP headers to add username and pwd?
I am trying to call this web service from UNIX in C.
I'm rather a newbie to IIS myself, and I'm just starting to dance around this topic, but I saw your note and thought it was crazy that no one has answered in so long!
I believe that the typical way that windows authenticates is Kerberos. You may have to go through some gyrations to get the Windows Kerberos server to get you a ticket that you could put in the SOAP header. That is at least the direction in which I would start researching... but it could heavily depend on your Windows domain configuration. At the very least, you'll probably need to do quite a bit of poking into Windows Domain configurations and concepts.
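
What travels in the HTTP headers under Integrated Windows Authentication is a base64 Negotiate or NTLM token, not a username and password. The following is an added example, not code from any of the posts above: it classifies an Authorization header value by the mechanism the client is offering (Kerberos through SPNEGO, raw Kerberos, or NTLM), which is a quick way to spot silent NTLM fallback. The function names are this example's own and sample_header builds constructed tokens, not captured ones.

```python
import base64
import binascii

SPNEGO = bytes.fromhex("2b0601050502")            # OID 1.3.6.1.5.5.2
KRB5 = bytes.fromhex("2a864886f712010202")        # OID 1.2.840.113554.1.2.2
MS_KRB5 = bytes.fromhex("2a864882f712010202")     # OID 1.2.840.48018.1.2.2 (legacy Microsoft)
NTLM = bytes.fromhex("2b06010401823702020a")      # OID 1.3.6.1.4.1.311.2.2.10
MECHS = {KRB5: "kerberos", MS_KRB5: "kerberos", NTLM: "ntlm"}

def read_tlv(buf, off):
    """Read one DER element at off; return (tag, value_start, value_end)."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:                             # long form: next n bytes hold the length
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    if off + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, off, off + length

def preferred_mech(token):
    """Mechanism of a GSS-API initial token; for SPNEGO, the first mechType offered."""
    _, start, end = read_tlv(token, read_tlv(token, 0)[1])   # thisMech OID inside the wrapper
    if token[start:end] != SPNEGO:
        return MECHS.get(token[start:end], "unknown")        # raw Kerberos, or not an initial token
    for expected in (0xA0, 0x30, 0xA0, 0x30):     # NegTokenInit, SEQUENCE, mechTypes, SEQUENCE OF
        tag, end, _ = read_tlv(token, end)        # step into the element's value
        if tag != expected:
            raise ValueError("not a NegTokenInit")
    _, start, end = read_tlv(token, end)          # first OID in the list is the client's preference
    return MECHS.get(token[start:end], "unknown")

def classify_authorization(value):
    """Return (scheme, mechanism) for one Authorization header value."""
    scheme, _, blob = value.strip().partition(" ")
    scheme = scheme.lower()
    if scheme not in ("negotiate", "ntlm"):
        return scheme, "not-integrated-auth"
    try:
        token = base64.b64decode(blob.strip(), validate=True)
        if token.startswith(b"NTLMSSP\x00"):      # raw NTLM, also sent under "Negotiate"
            return scheme, "ntlm"
        return scheme, preferred_mech(token)
    except (binascii.Error, ValueError, IndexError):
        return scheme, "malformed"

def sample_header(*mechs):                        # constructed sample, not a captured token
    def wrap(tag, body):                          # short-form DER lengths only
        return bytes([tag, len(body)]) + body
    init = wrap(0xA0, wrap(0x30, wrap(0xA0, wrap(0x30, b"".join(wrap(6, m) for m in mechs)))))
    return "Negotiate " + base64.b64encode(wrap(0x60, wrap(6, SPNEGO) + init)).decode()
```

A result of ntlm under the Negotiate scheme means the client is using NTLM rather than Kerberos for that request.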

Is it possible to use Windows integrated security with Silverlight RIA services

If I port an old client/server to Silverlight RIA services, how can I avoid the extra security work?
Ideally, the client would pass the client's windows credentials to the middle tier; the middle tier would impersonate the client and access the database.
Is this possible?
As far as memory serves it is possible to set authentication mode in Web.config,
<system.web>
  <authentication mode="Windows"></authentication>
</system.web>
Should do the trick
Silverlight will work with the IIS authentication quite well. So long as you can get your old authentication working in IIS you should be able to plug into it.
They have some good documentation on how it works, hopefully this is helpful.
http://msdn.microsoft.com/en-us/library/ee707361%28v=VS.91%29.aspx
If you did not previously use an IIS based authentication you can write a custom authentication provider that will plug in.

Can Adobe AIR applications achieve SSO authentication against Active Directory?

I don't know much about AIR apps, but I like what I'm seeing so far. So now, I'm wondering if this type of app would make sense in the intranet at work.
Before I invest time and effort into ramping up on AIR development, I would like to know: is it possible for an AIR app on Windows to do single sign-on authentication against Active Directory? I'm thinking of maybe an AIR app that uses a logged on user's Windows credentials to connect to web services hosted on IIS with Windows auth turned on.
I know that IT security would get on my case if I rolled an app that makes a user enter a password. Any workaround that's not kludgy and accomplishes SSO with AD would be cool too.
I have successfully set up Tomcat 6.0.26 running on CentOS 5.4 (Final) with Java 1.6.0_17-b04 using the SPNEGO servlet filter from spnego.sourceforge.net to automatically authenticate WindowsXP SP3 with IE 7.0 against a Windows 2003 R2 Active Directory domain. In addition, I have an Adobe AIR application developed for use on an intranet that can also authenticate via SPNEGO just like IE7.
Before getting Tomcat working on CentOS, I followed the "pre-flight checklist" and "install guide-tomcat" links at sourceforge.net to get Tomcat working with the SPNEGO filter on a Windows XP server. Once I got things set up so that IE could auto-authenticate, Adobe AIR just worked.
Once I had the username, I wrote some code to pull user groups from the AD LDAP. Helpful links for Java LDAP code may be found starting at http://forums.sun.com/thread.jspa?threadID=726601.
Definitely. If SSO works in IE it works in your AIR app. We are currently deploying an app that does just this.
AIR running on Windows will use the SSO settings from Internet Explorer. As long as your users can login with SSO in IE, they can do the same in AIR. This can be done with group policy settings pretty easily: add your site as an Intranet site, enable Integrated Windows Authentication, and you're good to go.
Haven't run into any problems so far. We've tested it with about 10 users. YMMV.
Using AIR you can read files from the file system and you can open network connections, so that should get you somewhere.
What would the use of the SSO be? Describing a possible job that this AIR app should perform will help people to give a more helpful answer.
Charles,
If you have an example of some code that pulls I.E. credentials, I would be really grateful to see it. I'm working on building a Flex app that accesses content on a SharePoint server that uses the active directory to authenticate permissions.
