I'm working on software that runs on a shared computer in a meeting room. The computer is logged into the network with a room account.
Is there a way without requiring the user to log out of the room account, to authenticate themselves using a Smart Card or Biometric Device against Active Directory? The user needs access to network shares and possibly other Active Directory secured resources.
This video from Ignite 2018 on the Surface Hub 2 has an example of what I'm trying to do https://www.youtube.com/watch?v=lPEE-zOcnKI. At 1:09 in the video, a second user is able to authenticate herself while the first user is still logged in.
For the video, this is new features for the Microsoft Surface Hub 2.
For the computer, for now, you could not log in and authenticate the user, especially using a Smart Card or Biometric Device against Active Directory. In the same network, you could use the remote desktop connection to connect your work computer, but this way cannot be authenticated with a smart card or Biometric Device.
Maybe this feature will be considered for the computer in the future.
Related
I want to monitor in real time if a USB Token is plugged in.
My plan is to install a local application (that I'll try to develop) on my organization's PCs (Windows), this application will monitor in real time USBs ports and check if the Token is plugged in. If a user plugs his USB Token, I want to my local application to be notified.
Is this possible?
We want to use a technical user in a mobile application (iOS). This user needs to access MS Graph API.
I currently find no method to acquire a token from mobile without any UI interaction.
Is there any way we can achieve this is a clean way?
In the case of devices and operating systems (e.i. IoT) that do not provide a web browser, you can use the device code flow, which lets the user use another device (computer or mobile phone) to sign-in interactively. Here's more info on using device code flow with msal.
Using a mobile device, which is a public client, has many ways of acquiring a token (including silently, assuming a token is already in the cache), most of which involve a UI. Public clients are run on devices or desktop machines and are not trusted to safely keep application secrets. Here's more information on public client applications for msal .NET, which supports Xamarin iOS.
i'm running a Terminal Server (Windows Server 2012 R2)
And have a big problem accessing smart cards (in my setting German "Gesundheitskarten") on our Terminal Server in RDP Sessions. These cards are not used to provide login to a program, but to transmit data like Insurance Number, Street, Postal Code etc... to our Database.
The Problem is, that the Smart Card reader (https://www.identiv.com/products/smart-card-readers/contact-smart-card-readers/utrust-2700-r-contact-smart-card-reader) which is attached to the Server (via USB) is showing in the device manager but not accessible in an RDP Session. The manufacturers test programm says that the Smart Card Ressource Manager is NOT Running (which isn't true) which indicates the the device is not accessible.
When i logon directly on the server (without RDP) the reader works fine. (Logged in as Admin or User)
I would try to connect the reader to the client device, but there a numerous reasons against it. Just to name a few: We have all sorts of clients (Mac/Android/iOs/Windows) who need access to the reader when they are near our front desk. Mobile Devices and Macs do not support SmartCard redirection. Also the Application which reads the Cards is unknown to support the redirection setup.
(Just for clarification, i don't want to give our users direct physical access to the Server - they use the app via RDP or mainly via Remote Resources)
Is there any way to map/bind the USB Smart Card Reader to a user also in an RDP Session which is connected to the Server? Is there any group policy setting i forgot?
You have to crack WinSCard.dll and SCardSvr.dll.
Refer to this page: http://lifayk.blogspot.co.uk/2012/07/windows-smart-card-subsystem-and-remote.html
I had tested the method and it works on Windows 2012 R2 Standard and Dataceneter.
Corporate networks use AD mostly to authenticate users - in that desktop machines require signing in to a Windows domain - which is centrally managed/universal.
Now, if I had an iPad and I brought it into work, I wanted to be able to sign in to my AD so that if I type http://internal.link into my iPad browser, it would resolve just like it would on a Windows desktop machine inside that corporate network.
To do this, I presume that the iPad will discover the company wifi network, and I would like to sign in to that wifi using my corporate AD credentials. This leads me to my questions:
How can a wifi network tie itself to Active Directory, granting sessions only to properly authenticated AD users? Do I need to purchase particular wifi routers or do anything specific on the AD side?
If I was to sign in successfully somehow using my AD credentials, I will then have use of the company wifi - with accompanying access privileges to resolve internal-only URL's. What would it then take to get my iPad browser to enjoy features that are available to corporate IE users such as SSO (seamless sign on)? At worst, would an application at http://internal.link simply prompt me to sign in again with my AD credentials?
You're talking about two different technologies here:
AD is used to identify individual users on the network. It's for authentication and authorization.
DNS is used to resolve the hostnames of internal applications. I.E.: http://internal.link resolves to 10.0.0.5
With that said, your work probably has some sort of wireless authentication mechanism. I've never heard of them using AD for that, but I suppose it's possible. You need to get on the work's wifi. Once there, your IPad will either pick up it's DNS server settings from the network via DHCP, or you will have to manually configure them (most wifi networks use DHCP these days).
Assuming you are successful in getting on the Wi-Fi, and assuming that your DNS servers are established (via DHCP or otherwise), you should be able to hit any internal site from the iPad as long as the wifi network has access to those internal sites. There are various reasons that it wouldn't (i.e. firewalls, etc.). The internal site, if it's using AD/NTLM will ask you for credentials when you first visit it. You can usually just supply your AD username and password, and it will work fine.
I would ask your sys admin, he/she will tell you in a second. Even though it is set up with AD and that is rather common their are many possibilities for set up and it is most likely not set up over wireless.
My application needs to authenticate a user against active directory and determine the list of groups the user is a member of. I've developed a VB6 app to do this and it works fine.
The customer has come back and said they need the app to authenticate users even if active directory is not available (machine off network), similar to how Windows will still allow a user to log on to a system if a machine is off the network, if they've logged onto the machine previously.
How do I go about accessing the cached user information in VB6? I'm currently user ADI and LDAP.