I am wrapping the password credential provider and adding an extra password
field. I have it set up so I can do my own password validation logic and
work with the extra field. I have created the field already but I am unable to understand where to apply the logic in the code section for validation. Can anyone specifically point to the functions in the credential provider to do this?
It's not in the CP itself; look at https://github.com/LastSquirrelIT/MultiOneTimePassword-CredentialProvider for more understanding.
You can either stop the credential provider from completing serialization in the GetSerialization method, or you can implement and register a sub-authentication filter.
If going the filter route, you will need to come up with some shared secure process for sharing the password between the credential provider and the LSA, which is not trivial.
On a JHipster application, I've added a custom authentication provider to verify the user and password of Active Directory users that log in. This custom component implements AuthenticationProvider, and inside the "authenticate" method it instantiates an ActiveDirectoryLdapAuthenticationProvider object to perform authentication and verify presence in specific groups.
With a simple A.D. test environment I have no problem, but in production my company asks me to bind a service account, and I cannot find any method to set up the manager AD user and password. How can I get around this problem?
In the Spring documentation I've read the phrase "There is no concept of a "manager" user."
My app uses 5.1.8.RELEASE.
Thanks!
Looking at the code, it validates the user's credentials by binding using the user's credentials. That's really the only way to validate credentials.
I assume, since it has already made a successful bind, it just continues on making whatever search it needs to.
There might be a way to use different credentials for reading the groups, but it all depends on what your current code looks like. But there really is little point in doing this. You have to bind using the user's credentials to validate their credentials. So you may as well continue using that same connection.
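The answer's point is that the bind with the user's own credentials is the password check, and the same authenticated connection can then be reused for the group lookup, so no separate "manager" account is needed. The following is an added example, not the answer's code and not Spring; it shows the same bind-as-user pattern in .NET with System.DirectoryServices.Protocols, because the other examples on this page are C#. The server name, port, base DN, group DN and the decision to use direct (non-nested) memberOf matching are assumptions.

```csharp
// Added example (not from the answer above): bind as the user, then reuse
// that connection to check group membership. Server/DN values are placeholders.
using System;
using System.DirectoryServices.Protocols;
using System.Net;
using System.Text;

public static class AdUserValidator
{
    // True only if the credentials bind successfully AND the user is a direct
    // member of requiredGroupDn. Every failure maps to "false" so the caller
    // cannot tell "wrong password" from "not in group" (no account enumeration).
    public static bool ValidateUserAndGroup(
        string server, string searchBaseDn, string userPrincipalName,
        string password, string requiredGroupDn)
    {
        // An empty password is an anonymous/unauthenticated bind on many LDAP
        // servers and must never count as a successful credential check.
        if (string.IsNullOrEmpty(password)) return false;

        try
        {
            // Placeholder port 389; use 636 with SecureSocketLayer = true in production.
            using (var conn = new LdapConnection(new LdapDirectoryIdentifier(server, 389)))
            {
                conn.SessionOptions.ProtocolVersion = 3;
                conn.AuthType = AuthType.Negotiate;
                conn.Credential = new NetworkCredential(userPrincipalName, password);

                // The bind IS the password check: a bad password throws LdapException.
                conn.Bind();

                // Same authenticated connection is reused for the group lookup.
                var request = new SearchRequest(
                    searchBaseDn,
                    "(&(objectClass=user)(userPrincipalName=" + EscapeFilterValue(userPrincipalName) + "))",
                    SearchScope.Subtree,
                    "memberOf");
                var response = (SearchResponse)conn.SendRequest(request);
                if (response.Entries.Count != 1) return false;

                DirectoryAttribute memberOf = response.Entries[0].Attributes["memberOf"];
                if (memberOf == null) return false;
                foreach (string groupDn in memberOf.GetValues(typeof(string)))
                {
                    if (string.Equals(groupDn, requiredGroupDn, StringComparison.OrdinalIgnoreCase))
                        return true;
                }
                return false;
            }
        }
        catch (LdapException) { return false; }
        catch (DirectoryOperationException) { return false; }
    }

    // RFC 4515 escaping so a user-supplied value cannot alter the filter.
    private static string EscapeFilterValue(string value)
    {
        var sb = new StringBuilder(value.Length);
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append("\\5c"); break;
                case '*':  sb.Append("\\2a"); break;
                case '(':  sb.Append("\\28"); break;
                case ')':  sb.Append("\\29"); break;
                case '\0': sb.Append("\\00"); break;
                default:   sb.Append(c); break;
            }
        }
        return sb.ToString();
    }
}
```

Only direct group membership is checked here; nested membership would need either a recursive walk of memberOf or the LDAP_MATCHING_RULE_IN_CHAIN filter on the same connection.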
I had created a sub-authentication package for Windows 7 login. It worked successfully for local account logins.
I then tried to implement the same sub-authentication package for Active Directory on Windows Server 2008 R2. I placed my DLLs in the Windows\System32\ folder and modified the registry values of Kerberos as this Microsoft document explains for a sub-authentication DLL.
The value I set was in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos, value Auth0 set to C:\Windows\System32\SubAuth.dll (am I right here?).
But while authenticating I notice that my sub-authentication package doesn't get called, as I don't get asked for the second factor while authenticating a user on the client machine against AD.
Am I missing something in the setup, or is there something I have to change in my sub-authentication package?
Let me know if I have missed any information here.
PS: The sub-authentication package is developed as per Microsoft's Credential Provider documentation (in the Msv1_0SubAuthenticationFilter routine).
Looks like this is by design - the Msv1_0SubAuthenticationFilter routine from the kerberos\ssv1_0 subauth package will not be called for cached domain interactive logon.
For interactive logon the call chain will be something like:
LsaApLogonUserEx2->MsvSamValidate->MsvpSamValidate->MsvpPasswordValidate
LsaApLogonUserEx2->MsvSamValidate->MsvpSamValidate->Msv1_0SubAuthenticationRoutine
But for cached interactive logon the call chain looks like:
LsaApLogonUserEx2->MsvpPasswordValidate
<and there is no call to Msv1_0SubAuthenticationRoutine here>
To achieve what I asked in the question, I needed to hack around in Microsoft's authentication package.
Here's what I did.
To communicate with Active Directory and perform the authentication against AD, I had to do it beforehand in the credential provider.
So my control flow for the solution goes like this in the credential provider:
Check whether the user is connected to the network.
If yes, then communicate with the AD server, which is predefined, and validate the user against the AD entry.
If the user is validated, then ask for the 2nd factor in the credential provider only, and on successful validation pass the user to the sub-auth module and bypass the 2nd factor in sub-auth.
If the user is not connected to the network, then validate with the sub-auth module.
So basically, I had to first perform the 2nd FA if the user needed to validate against AD, and perform password authentication later on in the sub-auth module.
I have a custom hash that I apply to passwords so that it matches the legacy .NET membership provider hashing. I apply the hash client-side when registering users, but the forgot-password link, since it is done by Parse without the hash, creates an issue.
Can I create a Cloud Code method or event handler that can capture password reset events so that I can hash it?
I tried creating my own forgot-password Cloud Code function, but it seems to not be able to set the password since there is no logged-in user during the Cloud Code function request.
If you want to manipulate user objects while in Cloud Code, use the Parse.useMasterKey() method to override the normal security settings. Although I can't really recommend trying to manipulate the password yourself of course.
I've set up two membership providers: my custom provider and the Sitefinity provider. My custom membership provider is set as the default.
I want to use Sitefinity's Profile provider for both sets of users. However, the profile provider only seems to work for the users that I pull out of the Sitefinity membership provider.
After poking around with Reflector a bit, it seems that the Telerik Profile Provider assumes that the username exists in its own DB.
User userByName = this.Application.GetUserByName(userName);
if (userByName != null)
{
    // magic happens here...
}
All the magic only happens if it was able to retrieve the user locally. Seems to violate the principles of the providers. Shouldn't I be able to arbitrarily add properties to any user regardless of the membership provider?
(I've also posted this on the Sitefinity forum, but haven't got a response yet. SO has spoiled me. I've come to expect an answer in minutes, not days.)
If I understand you correctly, you want to use the Sitefinity provider as a base and attach some additional information to the users' profiles.
In general I would advise against trying to mingle with internal Sitefinity management. Instead try to attach whatever functionality you want to execute to the standard provider.
What I have done in these situations in the past was creating a Membership Provider Wrapper (in your case a ProfileProviderWrapper) that holds an internal reference to another profile provider, while being a profile provider itself.
This way you can execute any code you want before/after calling back to the actual underlying provider (or maybe you're not calling back at all).
For example: before returning the profile you could attach additional properties to it.
This way you don't break the Sitefinity behavior, while still being able to interfere.
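The wrapper the answer describes, as an added example that is not the answer's or Sitefinity's own code: a System.Web.Profile.ProfileProvider that delegates everything to another registered provider and, in GetPropertyValues, fills in a property the inner provider had no stored value for. The "innerProvider" config attribute, the static ExtraStore lookup and the property name "DisplayName" are assumptions made for illustration; the "inner provider leaves SerializedValue null when it has nothing stored" rule holds for SqlProfileProvider and is assumed for the Telerik one.

```csharp
// Added example (not the answer's code): ProfileProvider decorator.
// Config attribute "innerProvider", ExtraStore and "DisplayName" are assumptions.
using System;
using System.Collections.Generic;
using System.Collections.Specialized;
using System.Configuration;
using System.Configuration.Provider;
using System.Web.Profile;

public class ProfileProviderWrapper : ProfileProvider
{
    private string _innerName;
    private ProfileProvider _inner;

    // Hypothetical side store for users the inner provider does not know,
    // e.g. accounts that come from a different membership provider.
    public static readonly IDictionary<string, string> ExtraStore =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase);

    public override void Initialize(string name, NameValueCollection config)
    {
        if (config == null) throw new ArgumentNullException("config");
        _innerName = config["innerProvider"];
        config.Remove("innerProvider");
        base.Initialize(name, config);
        if (string.IsNullOrEmpty(_innerName))
            throw new ProviderException("innerProvider attribute is required.");
    }

    // Resolved lazily: ProfileManager.Providers is still being built while
    // Initialize runs, so looking the inner provider up there would re-enter
    // provider instantiation.
    private ProfileProvider Inner
    {
        get
        {
            if (_inner == null)
            {
                ProfileProvider p = ProfileManager.Providers[_innerName];
                if (p == null || ReferenceEquals(p, this))
                    throw new ProviderException("Bad innerProvider: " + _innerName);
                _inner = p;
            }
            return _inner;
        }
    }

    public override string ApplicationName
    {
        get { return Inner.ApplicationName; }
        set { Inner.ApplicationName = value; }
    }

    public override SettingsPropertyValueCollection GetPropertyValues(
        SettingsContext context, SettingsPropertyCollection collection)
    {
        SettingsPropertyValueCollection values = Inner.GetPropertyValues(context, collection);
        string userName = context["UserName"] as string;
        if (userName == null) return values;

        // Hook point: a property the inner provider had no stored value for
        // (e.g. unknown user) still has SerializedValue == null. Supply it from
        // our own store and mark it clean so nothing is written back to Sitefinity.
        foreach (SettingsPropertyValue v in values)
        {
            string extra;
            if (v.Property.Name == "DisplayName" && v.SerializedValue == null
                && ExtraStore.TryGetValue(userName, out extra))
            {
                v.PropertyValue = extra;
                v.IsDirty = false;
            }
        }
        return values;
    }

    public override void SetPropertyValues(SettingsContext context, SettingsPropertyValueCollection collection)
    {
        Inner.SetPropertyValues(context, collection);
    }

    // Pure pass-through for the management API.
    public override int DeleteProfiles(ProfileInfoCollection profiles) { return Inner.DeleteProfiles(profiles); }
    public override int DeleteProfiles(string[] usernames) { return Inner.DeleteProfiles(usernames); }
    public override int DeleteInactiveProfiles(ProfileAuthenticationOption o, DateTime since) { return Inner.DeleteInactiveProfiles(o, since); }
    public override int GetNumberOfInactiveProfiles(ProfileAuthenticationOption o, DateTime since) { return Inner.GetNumberOfInactiveProfiles(o, since); }
    public override ProfileInfoCollection GetAllProfiles(ProfileAuthenticationOption o, int pageIndex, int pageSize, out int total) { return Inner.GetAllProfiles(o, pageIndex, pageSize, out total); }
    public override ProfileInfoCollection GetAllInactiveProfiles(ProfileAuthenticationOption o, DateTime since, int pageIndex, int pageSize, out int total) { return Inner.GetAllInactiveProfiles(o, since, pageIndex, pageSize, out total); }
    public override ProfileInfoCollection FindProfilesByUserName(ProfileAuthenticationOption o, string name, int pageIndex, int pageSize, out int total) { return Inner.FindProfilesByUserName(o, name, pageIndex, pageSize, out total); }
    public override ProfileInfoCollection FindInactiveProfilesByUserName(ProfileAuthenticationOption o, string name, DateTime since, int pageIndex, int pageSize, out int total) { return Inner.FindInactiveProfilesByUserName(o, name, since, pageIndex, pageSize, out total); }
}
```

Register the wrapper as the default profile provider in web.config and point its innerProvider attribute at the Sitefinity provider's registered name; the Sitefinity provider itself stays untouched, which is the point of the decorator approach.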
Are there custom ASP.NET Membership Providers for sale with added security?
For example, the ability to have multiple questions/answers that are randomly presented for password reset, a set number of login attempts, forced password resets every 30 days, preventing reuse of a previous password as the new password for a certain period of time, etc.
I've recently updated my custom provider with some of your requested features. Unfortunately it's not exactly for sale, but I did want to tell you that it wouldn't be terribly difficult to do on your own.
The multiple question/answer feature and the forced reset (password expiration) can actually be implemented using any provider because they're not directly enforced by the provider. To enable password resets you could simply define a constant in your appSettings, i.e. "PasswordLifetimeInDays". Then in your Login page simply override the Authenticate method and inspect the LastPasswordChange property of the MembershipUser. If their password has expired then redirect them to a ChangePassword page, otherwise log them in. Check out this article for a walk-through of implementing this feature.
The pre-generated question scenario is also something that doesn't really fit in as provider functionality. Although, a third party solution could contain this mechanism in a separate API I suppose.
The SqlMembershipProvider already provides a way to set the number of login attempts via the MaxInvalidPasswordAttempts attribute.
Really, the duplicate passwords functionality is the only piece that truly belongs in the provider implementation as it requires an additional table to track the password history.
Let me know if you ever decide to implement this stuff on your own and I could offer some more guidance.
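The two pieces the answer separates, as an added example that is not the answer's own provider: the password-expiry check done outside the provider on the Login control's Authenticate event (the framework property is MembershipUser.LastPasswordChangedDate), and the password-history check that does belong inside the provider because it needs its own storage. IPasswordHistoryStore, how the provider receives it, the PBKDF2 parameters and the history depth are assumptions; the attempt limit the answer mentions is left to the provider's MaxInvalidPasswordAttempts setting in web.config.

```csharp
// Added example (not the answer's code). Assumptions: IPasswordHistoryStore and
// how it is injected, PBKDF2 parameters, history depth, ChangePassword.aspx path.
using System;
using System.Collections.Generic;
using System.Configuration;
using System.Security.Cryptography;
using System.Web;
using System.Web.Security;
using System.Web.UI.WebControls;

public static class PasswordPolicy
{
    // appSettings "PasswordLifetimeInDays"; falls back to 30 if absent or invalid.
    public static int LifetimeInDays
    {
        get
        {
            int days;
            string raw = ConfigurationManager.AppSettings["PasswordLifetimeInDays"];
            return int.TryParse(raw, out days) && days > 0 ? days : 30;
        }
    }

    public static bool IsExpired(DateTime lastChangedUtc, DateTime nowUtc, int lifetimeDays)
    {
        return lastChangedUtc.AddDays(lifetimeDays) <= nowUtc;
    }
}

// Login page code-behind; wire with <asp:Login OnAuthenticate="Login_Authenticate" />.
public partial class LoginPage : System.Web.UI.Page
{
    protected void Login_Authenticate(object sender, AuthenticateEventArgs e)
    {
        var login = (Login)sender;
        e.Authenticated = false;

        // Validate first: redirecting an unvalidated user to "change password"
        // would reveal that the account exists and has an old password.
        if (!Membership.ValidateUser(login.UserName, login.Password)) return;
        MembershipUser user = Membership.GetUser(login.UserName, true);
        if (user == null) return;

        if (PasswordPolicy.IsExpired(user.LastPasswordChangedDate.ToUniversalTime(),
                                     DateTime.UtcNow, PasswordPolicy.LifetimeInDays))
        {
            // Not logged in yet: the ChangePassword page (DisplayUserName="true")
            // re-checks the old password itself before accepting a new one.
            Response.Redirect("~/ChangePassword.aspx", false);
            Context.ApplicationInstance.CompleteRequest();
            return;
        }
        e.Authenticated = true;
    }
}

// Hypothetical history table: (username, salt, hash), newest first.
public interface IPasswordHistoryStore
{
    IEnumerable<KeyValuePair<byte[], byte[]>> GetRecent(string username, int count); // salt -> hash
    void Add(string username, byte[] salt, byte[] hash);
}

public class HistoryEnforcingMembershipProvider : SqlMembershipProvider
{
    public IPasswordHistoryStore History { get; set; }   // assigned at startup (assumption)
    public int HistoryDepth = 5;
    private const int Iterations = 100000, SaltBytes = 16, HashBytes = 32;

    public override bool ChangePassword(string username, string oldPassword, string newPassword)
    {
        if (WasUsedRecently(username, newPassword)) return false;  // same contract as base: false, no throw
        bool changed = base.ChangePassword(username, oldPassword, newPassword);
        if (changed) Remember(username, newPassword);
        return changed;
    }

    // Each history row has its own salt, so the candidate is re-derived per row.
    // The history hash is independent of the provider's own password hash.
    private bool WasUsedRecently(string username, string candidate)
    {
        foreach (var entry in History.GetRecent(username, HistoryDepth))
            if (FixedTimeEquals(Derive(candidate, entry.Key), entry.Value)) return true;
        return false;
    }

    private void Remember(string username, string password)
    {
        var salt = new byte[SaltBytes];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(salt);
        History.Add(username, salt, Derive(password, salt));
    }

    private static byte[] Derive(string password, byte[] salt)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations)) return kdf.GetBytes(HashBytes);
    }

    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

ResetPassword (the administrative reset that generates a new password) bypasses ChangePassword, so a provider enforcing history should override it the same way and record the generated value; otherwise a reset followed by a change back to the old password slips past the check.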