I have a C# desktop app where a user enters his company ID card number as a simple form of "authentication" against a database table of valid employees. If the user is found in the table with the correct permission level, the app runs and the user can use all of the screens and menus in the application. Problem is anyone who has a valid user's ID number (perhaps from a lost or stolen ID card) can run the program and get to the data.
We want to make this application more secure. Is there a way to use the Windows ID and pwd to authenticate application users? At the very least we would like to force app users to re-enter the credentials (ID and pwd) of the currently logged in Windows user on the machine. If that fails to authenticate then the application quits and will not run.
What are my options for adding this "feature" to my app? What is the easiest way to do it? LDAP bind? Compare the Windows ID entered to the User ID found in LDAP? What is the most secure way to do it? I'm good with making my apps talk to the database, but I've never done much with Windows security or authentication, so you'll have to talk down at my level. We want to avoid storing Windows user IDs in the database. The app is a VS 2008 project, but I will someday need to do the same thing in my VS 2010 projects. Thanks!
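One way to do what this question asks, as an added example that is not part of the thread: validate the re-entered credentials against the domain (or the local machine) with `PrincipalContext.ValidateCredentials` from System.DirectoryServices.AccountManagement (.NET 3.5, so usable from VS 2008), after first checking that the typed user name is the account the desktop session is actually running as. The class and method names `WindowsReauth`, `ReauthenticateCurrentUser` and `IsMemberOf` are my own; the group-membership helper assumes a domain-joined machine and a group name of your choosing.

```csharp
using System;
using System.DirectoryServices.AccountManagement; // reference System.DirectoryServices.AccountManagement.dll
using System.Security.Principal;

// Added example: re-authenticate the interactive Windows user before the app runs.
public static class WindowsReauth
{
    // Returns true only if the name typed by the user matches the account the desktop
    // session is running as AND the password validates against the domain (or the
    // local machine when the PC is not domain-joined). Anything else fails closed.
    public static bool ReauthenticateCurrentUser(string enteredUser, string enteredPassword)
    {
        if (string.IsNullOrEmpty(enteredUser) || string.IsNullOrEmpty(enteredPassword))
            return false;

        // WindowsIdentity.Name is "DOMAIN\user" (or "MACHINE\user"); keep the user part.
        string sessionUser = WindowsIdentity.GetCurrent().Name;
        int slash = sessionUser.IndexOf('\\');
        if (slash >= 0) sessionUser = sessionUser.Substring(slash + 1);

        // Someone else's credentials are rejected even if they are valid: the goal is
        // to prove the person at the keyboard owns the logged-in session.
        if (!string.Equals(sessionUser, enteredUser, StringComparison.OrdinalIgnoreCase))
            return false;

        // Assumption: on a non-domain-joined machine UserDomainName equals MachineName.
        bool domainJoined = !string.Equals(Environment.UserDomainName, Environment.MachineName,
                                           StringComparison.OrdinalIgnoreCase);
        ContextType type = domainJoined ? ContextType.Domain : ContextType.Machine;

        try
        {
            using (PrincipalContext ctx = new PrincipalContext(type))
            {
                // ValidateCredentials performs a real logon against the directory, so a
                // wrong password counts towards the account lockout threshold like any
                // other failed logon. Nothing is stored in the app's own database.
                return ctx.ValidateCredentials(enteredUser, enteredPassword, ContextOptions.Negotiate);
            }
        }
        catch (PrincipalServerDownException)
        {
            return false; // no domain controller reachable: do not let the app start
        }
    }

    // Optional second check: membership in an AD group that represents the app's
    // "permission level", so the authorization data lives in the directory rather
    // than in a table keyed by ID card number.
    public static bool IsMemberOf(string userName, string groupName)
    {
        using (PrincipalContext ctx = new PrincipalContext(ContextType.Domain))
        using (UserPrincipal user = UserPrincipal.FindByIdentity(ctx, userName))
        using (GroupPrincipal group = GroupPrincipal.FindByIdentity(ctx, groupName))
        {
            return user != null && group != null && user.IsMemberOf(group);
        }
    }
}
```

Call `ReauthenticateCurrentUser` from the application's startup code with the values from a login dialog and exit the process when it returns false; the ID card number can then stay as a convenience lookup rather than the thing that grants access.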
Related
I have a custom application for internal use only where currently users are created by a super admin. Some of the users are from within the business and some external e.g. suppliers/customers.
I'm looking for a way to integrate MS Active Directory as a login option but want to be able to restrict which users from the business can actually use this method.
I have searched through all the MS docs and have all the documentation on the different oauth approaches but not sure which one would be suitable for my needs.
I am thinking that perhaps I need to give the admin a way to browse the AD and select the users that can login which then creates inactive user accounts in the mysql database with some sort of MS user ID. Then provide a 'Sign in with MS' button that does the usual auth redirection process to MS and back to the site. At that point I can check an ID and if that matches an allowed user account and if so, sync the rest of the data e.g. name, email, phone etc.
Links I've already found:
https://learn.microsoft.com/en-gb/azure/active-directory/develop/authentication-scenarios
https://learn.microsoft.com/en-gb/graph/tutorials/php
https://github.com/microsoftgraph/msgraph-training-phpapp/tree/master/Demos/03-add-msgraph
Your first order of business is enabling a user to sign in to the Laravel-based app. For this, I strongly recommend not trying to re-invent the wheel (at least not completely), and make use of an existing Laravel package. Laravel Socialite is probably the best place to start, since it has a long list of existing community-provided Socialite providers, including three which work with Azure AD already: Microsoft, Microsoft-Graph and Microsoft-Azure. (Note: Though I haven't tested any of these myself, the first two seem to be the most promising, as they use the newer v2 endpoint.)
When it comes to authorization (controlling access), you have two options:
Control at Azure AD
Once you've got the app integrated with Azure AD, you can configure the app in Azure AD to require user assignment, and then control access to the app by assigning (or not) users to the app. Users who are not assigned won't even make it past the sign-in page.
You can use Azure AD's existing experiences for managing user and role assignment for the app, or you could go all-out and build this experience directly into the Laravel-based app itself, making use of the Azure AD Graph API to create the [app role assignments](https://learn.microsoft.com/en-us/previous-versions/azure/ad/graph/api/entity-and-complex-type-reference#approleassignment-entity) and user picker experience.
Hint: In either case, remember that you can make the app "superuser" an "owner" of the app in Azure AD (Azure AD > Enterprise apps > (app) > Owners), which will allow them to assign users without needing to give them any additional privileges in Azure AD.
Control at the app
In this approach, you allow all users to sign in to the app with Azure AD, but then you use your app's own authorization logic to decide who makes it any further, and what roles they get in the app.
In reality, you will most likely find the best approach is to use a combination of the two, with some of the authorization enforced by Azure AD and the next level enforced by the app itself.
If you would do it in this way, it will be necessary that the super-admin always has these permissions in the AAD. From my point of view it is less practical.
I would prefer such app assignments with the help of a Service Principal. You assign a role (look for app roles) to the user and then your business logic must decide which permissions the user has. If you use the app roles feature, then you can restrict access to the role with its help. All users can log in, but only users with a specific role would be able to see the content of the app.
I hope these hints can help to find the right direction, but there is no silver bullet solution... :/
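The "control at the app" step from the first answer and the app-roles check from the reply share one post-sign-in routine, shown here as an added example in C# (the logic is language-independent and transfers to a Laravel callback handler). It is not code from either answer, Laravel Socialite, or Microsoft. It assumes the sign-in library has already validated the token's signature and expiry, and that the questioner's plan of pre-provisioning inactive accounts keyed by a Microsoft user ID is followed. `AzureAdClaims`, `LocalUser` and `AppAuthorizer` are hypothetical types of my own; the claim names `tid`, `oid`, `name`, `preferred_username` and `roles` are the standard Azure AD token claims.

```csharp
using System;
using System.Collections.Generic;

// Added example: the authorization decision the app makes after Azure AD sign-in.
public sealed class AzureAdClaims
{
    public string TenantId;     // "tid": which directory issued the token
    public string ObjectId;     // "oid": immutable identifier of the user in that tenant
    public string DisplayName;  // "name"
    public string Email;        // "preferred_username": mutable, use for display only
    public string[] Roles;      // "roles": app roles assigned to the user, may be absent
}

public sealed class LocalUser
{
    public string AzureObjectId;
    public bool Active;
    public string Name;
    public string Email;
}

public sealed class AppAuthorizer
{
    private readonly string expectedTenantId;
    private readonly IDictionary<string, LocalUser> usersByObjectId; // stand-in for the users table

    public AppAuthorizer(string expectedTenantId, IDictionary<string, LocalUser> usersByObjectId)
    {
        this.expectedTenantId = expectedTenantId;
        this.usersByObjectId = usersByObjectId;
    }

    // Returns the local account to sign in, or null to refuse the login.
    public LocalUser Authorize(AzureAdClaims claims, string requiredRole)
    {
        // 1. Accept tokens from our own tenant only. A registration that allows
        //    multi-tenant or personal accounts would otherwise let any Microsoft
        //    account reach this point with a perfectly valid token.
        if (!string.Equals(claims.TenantId, expectedTenantId, StringComparison.OrdinalIgnoreCase))
            return null;

        // 2. Match the pre-provisioned account on oid, never on e-mail or UPN:
        //    those can be renamed or reassigned, oid cannot.
        LocalUser user;
        if (string.IsNullOrEmpty(claims.ObjectId) || !usersByObjectId.TryGetValue(claims.ObjectId, out user))
            return null; // the admin never selected this person

        // 3. When the app defines app roles, require the one this entry point needs.
        //    Users without an assignment simply have no "roles" claim.
        if (requiredRole != null &&
            (claims.Roles == null || Array.IndexOf(claims.Roles, requiredRole) < 0))
            return null;

        // 4. First successful sign-in activates the account and syncs profile data.
        user.Active = true;
        user.Name = claims.DisplayName;
        user.Email = claims.Email;
        return user;
    }
}
```

The admin-side "browse AD and pick users" screen should therefore store the selected user's `oid` (and the tenant id) in the inactive account row; a check on e-mail alone would break the moment a mailbox is renamed or reused.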
We have developed a web program for one of our customers, where we use the company's AD to validate the user. We use the function AdsOpenObject('WinNT://... and this works fine; however, one failed use of a wrong password and the user is disabled, and needs to be reactivated. The AD is set up to use 5 failed logins before disabling, and their mail system is working accordingly.
Any idea where to look, or any idea of using another method to validate a user against an AD? We use Delphi but other solutions are welcome.
I'm looking to publish an app which gives users the ability to register and login using my hosted database. The user will supply their name, email and password.
I'm wondering what I need to do in order to get the app certified for the marketplace - what disclaimers/notices must I ensure the user agrees to before the app is certifiable? I'm presuming if I don't handle this, it will be picked up by policy 2.8.
Have you many more tips for getting an app published to the marketplace? First time user, really want to have my app up and running within the next month!
Thanks,
Gerard.
I don't need AD for anything more than getting a list of user names. My application uses its own, custom auth, but it does checks based on the domain username of the logged on user, so the user names in my Users table should match those used by the logged on users.
E.g. For domain user johnblack to access features in my app, the app admin must create a user in my app called johnblack, but when creating this user, the username is a free text field. This allows the app admin to mistakenly create a user called jonblack. I want to make the user name field a dropdown, populated with users from the domain, when the admin adds a new user.
However, the epic saga involved in getting AD running on a VM on my Win 7 Home laptop is just too much overhead for now. Are there any mocks I could use, where my C# code needn't change to switch over to real AD?
Have a look at Active Directory Lightweight Directory Services (AD LDS) - formerly also known as AD/AM (AD Application Mode).
http://msdn.microsoft.com/en-us/library/windows/desktop/aa705886%28v=vs.85%29.aspx
It's a lightweight version of AD, which smells like AD, behaves like AD, but it's a NT service that you can start (and stop) at will, and it doesn't completely take over your machine/server - you can easily disable/uninstall it.
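To show that the same C# code can populate the admin's user dropdown from either a real domain or an AD LDS instance, here is an added example (not code from the answer above or from Microsoft) using System.DirectoryServices. The only environment-specific inputs are the LDAP path and the attribute holding the account name; the paths in the comments are assumptions, and `DirectoryUsers` and `ListAccountNames` are my own names.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices; // reference System.DirectoryServices.dll

// Added example: enumerate account names from a directory partition.
public static class DirectoryUsers
{
    // ldapPath (assumed values, adjust to your environment):
    //   domain:  "LDAP://DC=corp,DC=example,DC=com"
    //   AD LDS:  "LDAP://localhost:50000/CN=Users,DC=app,DC=local"
    // nameAttribute: "sAMAccountName" on a domain; an AD LDS instance may not define
    //   that attribute, in which case "cn" or "userPrincipalName" is the usual choice.
    public static List<string> ListAccountNames(string ldapPath, string nameAttribute)
    {
        var names = new List<string>();
        using (var root = new DirectoryEntry(ldapPath))
        using (var searcher = new DirectorySearcher(root))
        {
            // Users only; computer accounts are also objectClass=user in a domain.
            searcher.Filter = "(&(objectClass=user)(!(objectClass=computer)))";
            searcher.PropertiesToLoad.Add(nameAttribute);
            searcher.PageSize = 500; // paged search so results beyond the 1000-entry limit are returned
            using (SearchResultCollection results = searcher.FindAll())
            {
                foreach (SearchResult r in results)
                {
                    if (r.Properties[nameAttribute].Count > 0)
                        names.Add(r.Properties[nameAttribute][0].ToString());
                }
            }
        }
        names.Sort(StringComparer.OrdinalIgnoreCase);
        return names;
    }
}
```

Bind the returned list to the dropdown, and when the admin saves, look the chosen name up again server-side rather than trusting the posted value; the dropdown removes the typo problem, the re-check removes the case where a stale or edited form submits a name that is no longer in the directory.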
For storing WP7-app-data it would be great if it was possible to use the current user's live account. Is this possible somehow? I guess not. The alternative is for me to setup my own server to store the data, which means I also will have to implement account-management and require the user to create a new login and password for my particular app/site. This is not very practical as the user already has a live account on the phone. A compromise would be if I could use the logged in live-account on the phone as some kind of token to validate that the logged in user is who he/she pretends to be, and then store the data on my website. Comments?
This is not possible for security reasons and I wouldn't expect it to change in the foreseeable future.
Allowing applications access to a user's live account and be able to interact with content there would raise all sorts of possible issues, particularly around security.
On the phone the user's data is sacrosanct and you (your app) cannot interact with it without the user knowing.