Can Adobe AIR applications achieve SSO authentication against Active Directory? - active-directory

I don't know much about AIR apps, but I like what I'm seeing so far. So now, I'm wondering if this type of app would make sense in the intranet at work.
Before I invest time and effort into ramping up on AIR development, I would like to know: is it possible for an AIR app on Windows to do single sign-on authentication against Active Directory? I'm thinking of maybe an AIR app that uses a logged on user's Windows credentials to connect to web services hosted on IIS with Windows auth turned on.
I know that IT security would get on my case if I rolled an app that makes a user enter a password. Any workaround that's not kludgy and accomplishes SSO with AD would be cool too.

I have successfully set up Tomcat 6.0.26 running on CentOS 5.4 (Final) with Java 1.6.0_17-b04 using the SPNEGO servlet filter from spnego.sourceforge.net to automatically authenticate Windows XP SP3 with IE 7.0 against a Windows 2003 R2 Active Directory domain. In addition, I have an Adobe AIR application developed for use on an intranet that can also authenticate via SPNEGO just like IE7.
Before getting Tomcat working on CentOS, I followed the "pre-flight checklist" and "install guide-tomcat" links at sourceforge.net to get Tomcat working with the SPNEGO filter on a Windows XP server. Once I got things set up so that IE could auto-authenticate, Adobe AIR just worked.
Once I had the username, I wrote some code to pull user groups from the AD LDAP. Helpful links for Java LDAP code may be found starting at http://forums.sun.com/thread.jspa?threadID=726601.
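As an added example (not code from the answer above or from the spnego.sourceforge.net project), this is the kind of JNDI lookup the answer alludes to: the SPNEGO filter supplies the authenticated principal, and the code reads that user's memberOf groups from AD over LDAPS. The domain controller, base DN and service account are constructed placeholders; the bind password is assumed to come from the LDAP_BIND_PW environment variable.

```java
import java.util.*;
import javax.naming.*;
import javax.naming.directory.*;

/** Resolves the AD groups of the user name the SPNEGO filter authenticated. */
public class AdGroupLookup {
    // Constructed values: replace with your DC, base DN and a low-privilege service
    // account allowed to read group membership. LDAPS keeps the bind password off the wire.
    private static final String LDAP_URL = "ldaps://dc1.example.local:636";
    private static final String BASE_DN  = "DC=example,DC=local";
    private static final String BIND_DN  = "CN=svc-tomcat,OU=Service Accounts,DC=example,DC=local";
    private static final String BIND_PW  = System.getenv("LDAP_BIND_PW");
    /** SPNEGO yields "user@EXAMPLE.LOCAL"; AD's sAMAccountName is the part before '@'. */
    static String toSamAccountName(String principal) {
        int at = principal.indexOf('@');
        return at < 0 ? principal : principal.substring(0, at);
    }
    /** Escapes the RFC 4515 filter metacharacters so a name cannot rewrite the search filter. */
    static String escapeFilterValue(String v) {
        return v.replace("\\", "\\5c").replace("*", "\\2a").replace("(", "\\28")
                .replace(")", "\\29").replace("\0", "\\00");
    }
    /** Returns the DNs in memberOf (direct groups only; nested membership needs tokenGroups). */
    static List<String> groupsOf(String principal) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, LDAP_URL);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, BIND_DN);
        env.put(Context.SECURITY_CREDENTIALS, BIND_PW);
        DirContext ctx = new InitialDirContext(env);
        try {
            SearchControls sc = new SearchControls();
            sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
            sc.setReturningAttributes(new String[] {"memberOf"});
            String filter = "(&(objectClass=user)(sAMAccountName="
                    + escapeFilterValue(toSamAccountName(principal)) + "))";
            NamingEnumeration<SearchResult> results = ctx.search(BASE_DN, filter, sc);
            List<String> groups = new ArrayList<>();
            while (results.hasMore()) {
                Attribute memberOf = results.next().getAttributes().get("memberOf");
                for (int i = 0; memberOf != null && i < memberOf.size(); i++) groups.add((String) memberOf.get(i));
            }
            return groups;
        } finally {
            ctx.close();
        }
    }
}
```

Authorization decisions should compare the returned DNs against an allow-list of group DNs rather than display names, since the latter are not unique across OUs.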

Definitely. If SSO works in IE it works in your AIR app. We are currently deploying an app that does just this.
AIR running on Windows will use the SSO settings from Internet Explorer. As long as your users can login with SSO in IE, they can do the same in AIR. This can be done with group policy settings pretty easily: add your site as an Intranet site, enable Integrated Windows Authentication, and you're good to go.
Haven't run into any problems so far. We've tested it with about 10 users. YMMV.

Using AIR you can read files from the file system and you can open network connections, so that should get you somewhere.
What would the use of the SSO be? Describing a possible job that this AIR app should perform will help people to give a more helpful answer.

Charles,
If you have an example of some code that pulls I.E. credentials, I would be really grateful to see it. I'm working on building a Flex app that accesses content on a SharePoint server that uses the active directory to authenticate permissions.

Related

Desktop client flow for MicrosoftAccount access to Azure Mobile Service API

I have followed Adrian Hall's book to create a cross platform app with a Mobile Service API backend. I have successfully got unsecured access to the backend working from Android, iOS and Desktop (WPF) clients. I am moving on to adding security to the API using the Authorise attribute. I would like to add social authentication using MicrosoftAccount (formerly passport/Live ID).
Since Adrian wrote his book the Microsoft.Azure.Mobile.Client and the authentication and authorisation landscape seem to have moved on. The samples given in the book no longer build and Microsoft's social authentication and AAD authentication seem to have been rolled into one API.
I have spent days searching for up to date and relevant information but there seems to be lots of stuff on the internet that is either out of date or only shows examples of authenticating using Facebook or Google from Xamarin clients or authenticating against Azure AD.
I am using .NET 4.7 and WPF for the desktop app. I am also using Microsoft.Azure.Mobile.Client V4.0.1, and my questions are:
Should I be using the Microsoft.Identity.Client to authenticate users from my desktop client; and,
If so can someone point me to an example of the client flow that I need to follow, specifically how do I get the authorisation token that I need to pass to the new MobileServiceClient.LoginAsync() function that uses the identification provider and token parameters?
According to your requirement, you want to use client-flow authentication with MSA. As far as I know, MSA authentication uses the Live SDK for signing in users.
Since Live SDK is deprecated, you could leverage OneDrive SDK for CSharp for logging in with MSA, and you could follow the detailed steps for achieving this purpose:
Install the client libraries via NuGet:
Microsoft.OneDriveSDK
Microsoft.OneDriveSdk.Authentication
Log into Microsoft Account Developer Center and create your app, add the native application platform, then Register your app with Microsoft Account.
Then you could follow the code below and add to your WPF application as follows:
For more details about OneDrive SDK for CSharp, you could refer to here and Authentication Adapter for the OneDrive SDK.
UPDATE:
It's my fault. I did not mention that the above code would automatically open a web browser. Per my test, you could configure the parameter returnUrl to https://login.microsoftonline.com/common/oauth2/nativeclient when constructing your MsaAuthenticationProvider instance.
I was in a similar boat - and here is a summary from the top of my head - there are two security libraries currently in play for authorization: ADAL and MSAL.
ADAL
This is the first library that came out, and services like B2C must each be handled separately using this library.
MSAL
One security framework to rule them all!
https://github.com/Azure-Samples/active-directory-xamarin-native-v2
This library has a go live license, but technically it's still in Beta.
Head to Mobile.azure.com for the latest info on creating a mobile application, and this article on a V2 endpoint.
When you register an application for Authorization - there are two categories, a "Converged" application and a "Live SDK application" (see https://apps.dev.microsoft.com/#/appList) - why they would choose these names is beyond me to understand. IMPORTANT translation - Converged applications ONLY work with MSAL, the other ONLY works with ADAL. THAT will go a long way for you to get the authentication working, as the Application / Client ID must match the correct SDK, and hence endpoint.
In the end, we chose to stay with ADAL for now as we were having problems with MSAL. MSAL is the future however, as all services will be incorporated, and it should be an easier SDK to use.
Here are some links that I kept, all of which refer to ADAL or MSAL:
http://aka.ms/aadv2
https://azure.microsoft.com/develop/identity
https://learn.microsoft.com/en-ca/azure/active-directory/develop/active-directory-authentication-scenarios#native-application-to-web-api
https://github.com/AzureAD
https://github.com/AzureAD/microsoft-authentication-library-for-dotnet
These links are about a month old - HTH

How to access the Project Server REST API using Azure AD App permissions?

I have a standalone web application (not an add-in) and I would like to access Project Server PWA oData from this web application without using the PWA username/password combination.
I can do this for SharePoint oData by registering my web app in Azure AD and configuring the application to require "Read" permissions from "Office 365 SharePoint Online"
If you are interested to do this for SharePoint data, see this article for details: https://www.itunity.com/article/integrating-angularjs-aad-office-365sharepoint-part-1-622
My problem is that I want to do the same for a Project Server, but can't see any relevant Project Online permission in Azure AD.
Has any one ever accessed Project Online using Azure AD tokens?
My 10 Minutes of Internet Research™ leads me to believe this isn't available but that it was a planned feature at one point. [see here]
Without knowing much (anything) about Project Server, this seems like a situation I've dealt with on AWS at work. We have a bunch of endpoints that are secured using IAM (AWS) credentials and we can't leave those creds lying around in our app (because that would be silly). Our solution is to generate access URLs server-side and hand them out, these typically will have a time limit and be restricted to a very specific action.
A quick search for Azure's equivalent to IAM tells me that you might be able to do something similar though I'm unsure it exists for Project Server.
That failing, you could always set up an intermediary micro-service that acts as proxy and has the username/password combo. We do stuff like this all the time with Lambda (AWS's serverless functions).

What are the alternatives to Windows security subsystem in .NET winforms applications

I'm about to start development work on .NET 4.0 winforms application running on top of a Microsoft SQL Server 2012 database.
The number of users supposed to use the application might be anywhere between 2 and 10, and the application should be able to run either on a single stand-alone computer or in an intranet in a Windows environment.
In case the application is run on a single computer, each user would log into the application (not into Windows), perform whatever tasks they are authorized to do and then log out of the application.
If the application is configured to run on a small intranet, each user would log into the application from their respective office computers and do whatever they are authorized to do.
So, the application can run on a single non-networked machine, where a single Windows login account is being shared by staff at the facility, but I have a requirement to allow access to certain application functionality depending on who is logged into the application, NOT who is logged into Windows, as the account might just be shared.
I have previously deployed ASP.NET applications in networked environments and used the SQL Membership, Roles and Profiles providers for authentication and authorization, while for WinForms apps I have relied on Active Directory authentication.
Now with this particular project, I am wondering what the best solution might be. Probably someone here has implemented a solution for such a scenario and can give advice.
I have looked at this http://www.codeproject.com/Articles/27670/Implementing-Application-Security-with-Client-Appl solution but I still want to hear from the SO masses.
ALSO, any recommendation for a better post Title is welcome.
Once I worked on a WinForms application which was supposed to run on an intranet, where each user would log into the application, and this application was using a centralized web service for authentication and other CRUD operations. The service was the mediator between the WinForms app and the DB.
The approach given in the Code Project article which you mentioned in the question is also fine.
Anyway, I also got curious here. As you said you are about to start development in .NET 4.0 WinForms, I would like to understand why you made this choice over WPF? What reasons do you have to favor WinForms in your scenario?

Lightswitch Forms Authentication issues based on windows user?

First my apologies if I failed to find an answer searching - I tried a variety of search topics but none that were directly related.
I have a Lightswitch app deployed and working fine, running on IIS 7 and Windows Server 2008. It is an internal intranet app only.
I am using only FORMS AUTHENTICATION, all others are disabled.
The app works fine for MOST windows users.
However, some windows users get nothing but a blank screen - no login, no "loading..." and no silverlight "98%" display.
In the IIS log, I don't even see where it looks like it is being accessed when they attempt to load the app?
So, my question is, since this is FORMS authentication only, what could be causing it to NOT work based on which windows user is trying to run the app?
In other words, on the same Windows 7 machine, it works for 10 users, but not for others.
by the way, the application is remote - it is not running on the local machine.
The users ARE able to access the other ASP.NET applications hosted by the same IIS server in the same root inetpub folder.
The LightSwitch application is using the ASP.NET v4.0 Classic app pool in classic managed pipeline mode.
Any help greatly appreciated!!!
Happy to post any details/config/logs - I did not do so yet as I wasn't sure what would be most useful....
On the users machine you need to use Fiddler or the F12 tools in Internet Explorer to see exactly what calls are being made to the server and which ones are failing. LightSwitch is just an ASP.net website that launches a Silverlight application.
So the only other thing I can think of is that those users do not have Silverlight installed on their machines?
The users need to install the latest version of Silverlight. Apps built with LightSwitch 2011 require v4 or above and those built with LightSwitch for Visual Studio 2012 require v5.
Silverlight Installation

IIS authenticated SOAP Webservice

How can I authenticate to a web service hosted in IIS that is secured with Integrated Windows Authentication?
Do I use HTTP headers to add username and pwd?
I am trying to call this web service from UNIX in C.
I'm rather a newbie to IIS myself, and I'm just starting to dance around this topic, but I saw your note and thought it was crazy that no one has answered in so long!
I believe that the typical way that windows authenticates is Kerberos. You may have to go through some gyrations to get the Windows Kerberos server to get you a ticket that you could put in the SOAP header. That is at least the direction in which I would start researching... but it could heavily depend on your Windows domain configuration. At the very least, you'll probably need to do quite a bit of poking into Windows Domain configurations and concepts.
