How can I authenticate to a web service hosted in IIS that is secured with Integrated Windows Authentication?
Do I use HTTP headers to add username and pwd?
I am trying to call this web service from UNIX in C.
I'm rather a newbie to IIS myself, and I'm just starting to dance around this topic, but I saw your note and thought it was crazy that no one has answered in so long!
I believe that the typical way that windows authenticates is Kerberos. You may have to go through some gyrations to get the Windows Kerberos server to get you a ticket that you could put in the SOAP header. That is at least the direction in which I would start researching... but it could heavily depend on your Windows domain configuration. At the very least, you'll probably need to do quite a bit of poking into Windows Domain configurations and concepts.
Related
Does anyone know is it possible to do a single sign up web application with ADFS in a "pure" angularjs enviroment? I am at the point to decide which framework for my next project. One of the main requirement is the ability to do "single sign up" with ADFS, but I don't want to "mix" angularjs with asp.net, just make thing more complicated. I would like to go pure angular without any asp.net framework, is it even possible?
I know there are a lot of questions on this topic, but it seems no one is really answering the question. Is it because it's not doable?
By the way, It is an intranet web application.
The problem is not with your ADFS server, the ADFS protocol itself, AngularJS, JavaScript or the browser.
It's with the way you tell your client-side application that the user is logged in from your server-side application.
As far as I know there is no way to do "pass-through" authentication over HTTP so you will need to have your users go through the preauthentication step.
With ASP.NET you get an access token "for free" because the ASP.NET application runs on a machine that's in the "trusted" ADFS network. Your browser on the other hand is not. The only way for ADFS to know you are who you say you are is to preauthenticate you.
I just implemented it using the Azure Active Directory for JavaScript library. After IT registered my app for me, I was up and running in 10 mins. There is an AngularJs example in the source code. https://github.com/AzureAD/azure-activedirectory-library-for-js
You should also register your development workstation so you can test locally.
I'm trying to call an OData service (the OOTB one included with SharePoint 2010) that's secured with Windows Authentication from a Silverlight 5 app. In my research (specifically this post) I saw somewhere where it says:
Warning: While it is possible in Silverlight to do x-domain calls, so
long as the other domain has a correctly configured
ClientAccessPolicy.xml file, if the other domain needs you to logon,
there is no way to provide your credentials.
So my question is, is there really no way to call a OData service cross domain that's secured with Windows Auth? This seems to be what the above post is stating, but I find it hard to believe it just isn't possible...
Answering my own post to follow up on the research I found... Because NTLM is a negotation of each request, you can't do this very easily. I could override the generated DataContext proxy, but it would get pretty messy. Here's what the negotation looks like: innovation.ch/personal/ronald/ntlm.html
I'm trying to authenticate my silverlight application to get windows user name, which then I use to get some further information. Have looked it up, but the answers I found were about configuring the web service to get it. Is there a way, to get windows credentials strictly in Silverlight? I cannot find .Credentials, the only thing I see is .ClientCredentials, but apparently it doesn't show the required information. I am getting the string "System.ServiceModel.Security.UserNamePasswordClientCredential". It actually allows me to set up the name, not retrieve it. Also there is a web service called authentication.asmx, but as before it applies to other purposes. Neither do I have any web service I could reference to and configure them. Or am I missing something? Perhaps I can retrieve the windows credential by NTLM or Kerberos? I am using Visual Web Developer 2010 Express with Silverlight 5.
My Experience is that the Membership framework that is present in the asp.net world is not available in silverlight. In order to achieve something similar I had to implement a web service (WCF) that was directed at the domain's active directory (ldap) server. Silverlight is a very strict framework in terms of interoperability, its good for security but has some limitations.
I am not sure about your level of knowledge of the active directory but here is a link that deal with a lot of the possible operations and has sample C# code to go along.
http://www.codeproject.com/Articles/18102/Howto-Almost-Everything-In-Active-Directory-via-C#40a
If I port an old client/server to Silverlight RIA services, how can I avoid the extra security work?
Ideally, the client would pass the client's windows credentials to the middle tier; the middle tier would impersonate the client and access the database.
Is this possible?
As far as memory serves it is possible to set authentication mode in Web.config,
<system.web>
<authentication mode="Windows"></authentication>
</system.web>
Should do the trick
Silverlight will work with the ISS authentication quite well. So long as you can get your old authentication working in IIS you should be able to plug into it.
They have some good documentation on how it works, hopefully this is helpful.
http://msdn.microsoft.com/en-us/library/ee707361%28v=VS.91%29.aspx
If you did not previously use an IIS based authentication you can write a custom authentication provider that will plug in.
I've been struggling with this for a few days, and I hope someone can suggest some solutions.
I have a self-hosted WCF service, the main interface to this service will be a Silverlight application that is hosted in a non-IIS, potentially shared, environment.
I'm aware of the TransportWithMessageCredential and a custom authentication validator. The only requirement of this seems to be that the host has HTTPS and a valid SSL certificate. However, there are certain enviroments the product will be operating in where they don't wan't the hassle of paying for and maintaining a certificate, or the shared environment doesn't allow SSL.
The easy answer would be to tell them to find a new host/admin, but I've been asked to see if there are any other fesible authentication mechanisms.
Any suggestions?
Thanks
Without SSL there really isn't any way for you to secure the users credentials "across the wire". You "could" do some encryption in the Silverlight app, but this really amounts to obfuscation vs. "real" security.
The only option that I can think of in this scenario would be moderately secure would be a 3 factor solution such as giving all the users SecureID key fobs.
We had the same problem. We made the installer for the WCF service that creates a self-signed certificate, adds it to the system certificate store and configures the binding with HTTPS port. The Silverlight application had a link to download this certificate from the WCF service. So users could download this certificate and install it in the Trusted Root certificate store.