Our project(web application C# ASP.NET MVC3) is hosted on IIS 7.5 and we use certificate authentication. So we have SSL-require configured IIS.
Now we have a business task to allow some users to use our system. And there is no way to provide client certificates for them. In that case we need to use some additional authentication model (user-password or ntdomain based).
I don't know how to realize such model:
User gets on our project url;
If he has valid client certificate - we let him iteract with our application;
If he hasn't cert we show him a login form with "user-password";
If we use SSL-required configured IIS users would not be able to iteract with application without valid certificate at all right? And how to authenticate with certificate if IIS is configured with SSL-Accept?
Maybe you can configure two sites on your IIS? One with SSL and another without it? Your url will point to the SSL enabled site, and when a user without a valid certificate arrives you use some backup code to send him to the SSL free site?
Just guessing actually... I think this probably deserves a more meditated answer...
The problem was not so large as i thought before. IIS provides a check box to require certificate even if combobox(in SSL options of web application) is set to Accept instead of require. In that case IIS tries to get certificate at first. And if there is no cert it lets the user to iteract with application. And we can make custom authentication on that level.
With MVC (v.3+) there is nice way to use IAuthorizationFilter in that case
Related
I currently have an asp.net web api 2 site hosted in IIS secured with windows authentication. A requirement has now come in for us to support client certificate authentication in addition to windows, and I'm struggling to find out:
- if this is possible at all
- if there are any working examples available
I thought might be able to add an additional owin middleware or messagehandler or filter, but can't see any existing ones that do this specifically for windows rather than just relying on IIS. I know thinktecture identitymodel can do client cert, but not sure if the two can be combined?
Example of forms +win that i thought might be similar is here https://techblog.dorogin.com/mixed-windows-forms-authentication-for-ajax-single-page-application-e4aaaac0424a
Right so I managed to figure it out. Thankfully, if a controller returns a 401, IIS automatically adds the negotiate/ntlm headers, so if a user is on a windows browser, it will then automatically authenticate as usual. So with that in mind, to keep windows auth working, I:
updated the site in both IIS and VS to allow anonymous AND windows auth
added the [AuthorizeAttribute] as a global action filter (which causes the 401 to be returned if the user is not authenticated by the time they hit the filter)
To get client certificate auth working, I used the magnificent Thinktecture.IdentityModel library, which allowed me to add only one line to my Startup.cs file (we're using OWIN so this was easy)
app.UseClientCertificateAuthentication();
See https://github.com/IdentityModel/Thinktecture.IdentityModel/blob/master/samples/OWIN/AuthenticationTansformation/KatanaAuthentication/Startup.cs for an example
I have ws working for sending user login details through a websocket. However I know that someone sniffing packets could capture the password, so I wanted to use wss instead. However I now understand, through playing around with my back end, that firstly a certificate is required for it to connect properly, and secondly, if i cause the self signed certificate warning to sho0w, afterwards the websockets will work with wss, but that is not good enoyugh for clients. From googling this issue, I have found that A self signed certificate will probalby not be good enough.
And all I want is to provide a user with a safe way to login.....
So anyway I am now thinking it would be better to avoid having to use wss all together. I could use a conventional servlet for login but that will probably require a certificate too for https and I don't want to have to start paying people loads of money for certificates when my business might not even be that successful.
I have been thinking about other ways I could send the users password securely. One way might be to generate a hash in the browser. I know I could use some king of challenge along with a salt sent to the browser but I am not exactly sure how to do this and how safe this would be. I have the conventional login working with a salt, generating a hash with AES. Any suggestions?
I just want the users login details to be safe and I don't want to go down the route of certificates, it's annoying and unreliable.
Login should always happen through HTTPS. Not only the POST sending the user and password, but also the GET getting the login form, so the client can be sure is getting the right form and that his information will be posted to the right place.
You can send login details either by HTTPS or WSS if you want security. If you use a self-signed certificate you will provide transport security, but as the certificate is not signed by a CA, the client cannot be sure that the server with which is interacting is the right one, and that is why the browser shows a warning.
So, if you want security for your clients, you should get a signed certificate and use it for HTTPS and WSS (you can get them from 10 bucks per year in some places). Anything that you do in the browser is insecure by default, starting by the user not having certainty of being interacting with the right server and not a spoofed one.
Found this blog helpful even though it's directed to the raspberry pi and python/nodejs. http://simplyautomationized.blogspot.com/2015/09/5-ways-to-secure-websocket-rpi.html
Good concepts on security and authentication. I would recommend ALWAYS using ssl and not rolling your own crypto.
I have an api deployed to Heroku. It is currently open for everyone to see. I only want known android phones to be able to modify and access the api.
I don't want the user to have to login every time they use the app.
Can I add some sort of certificate to the phone to verify that it is credible?
Is OAuth the best approach for this?
Is there a better way to do this so the user doesn't have to login every time?
This is a fairly broad question (and hence there are several approaches). Without knowing the language/framework you are using it's also hard to give specific advice, but:
Your server can issue a cookie or token that the client can store locally for a duration. These tokens should include a timestamp and be authenticated (use a library that does HMAC authentication) to prevent clients from modifying tokens.
Clients should present this token or cookie on each request to your server via a HTTP header or the standard Cookie header.
You will need a login system to support the initial issue of the token/cookie.
Clients could also OAuth against your server (complex) or against an external service (GitHub/Facebook/Google/Twitter), but you will still need a way to track that state on the client (hence a token/cookie).
Cookie support should be included with the standard Android HTTP client, and most server side frameworks have support (or a library for) authenticated cookies.
We are getting security message like this while executing url:
There is a problem with this website's security certificate. The security certificate presented by this website was not issued by a trusted certificate authority.
Security certificate problems may indicate an attempt to fool you or intercept any data you send to the server. We recommend that you close this webpage and do not continue to this website. Click here to close this webpage. Continue to this website (not recommended).
More information
Same type of security alerts with message like this
This page is accessing information that is not under its control. This poses security rish, DO you want to continue?
How to avoid them through code either javascript, jsp or any way. We can not ask each user to modify their internet options. Please let me know if there is any solutions for this
That's browser behavior that you can't and shouldn't be allowed to modify using JavaScript, or anything else for that matter. In fact, these security alerts are there to warn the user that something is (potentially) wrong. If you could disable them, there would be no point in having them, right?
Fix whatever problems you have with the security certificate and you'll be fine. I'll guess here that your certificates are self-signed - buy one. They are not that expensive.
You need to install a current, valid certificate on your web server.
There is a problem with this website's security certificate could mean you need to check that the clock is set correctly.
Host all content on an https website. not an http one. You do not need a certificate then.
1> The security certificate presented by this website was not issued by a trusted certificate authority.
This message indicates that the page is using a HTTPS-based resource which has a certificate which does not chain to a globally trusted root certificate. If you don't know what resources/URLS are causing this, open the F12 Developer Tools and look at the Console tab, or run Fiddler and watch for the warning popup.
2> This page is accessing information that is not under its control. This poses security risk, DO you want to continue?
This message is shown when you attempt to use an XMLHTTPRequest object to request data from a cross-domain location (e.g. www.domain.com tries to grab data from domain.com). That operation is a violation of Same-Origin-Policy.
By default in IE, this is blocked, but inside the Intranet Zone, this feature is set to Prompt and thus you see this message instead.
To fix this, either change the request URL so that it does not go to a different domain, or use XDomainRequest, or use a serverside proxy page to make the cross-origin data request from the server rather than the client.
The Problem:
I am creating a vb6 application that will connect to a particular web service located on a a HTTPS site. The problem is, the HTTPS site I'm accessing requires all request to accept it's certificate policy. (as its a self-signed ssl certificate)
Basically I need the application to accept security certificate dialog boxes automatically. A sample security dialog is shown below:
Cheers in advance.
#EDIT:
I Cant' post an image yet as i am a new user... Please see the url below for a sample image:
http://oit.nd.edu/network/nomad/images/ie_certs.gif
Look for a property named Silent.
You will have to catch some other event, to reply to that dialog box. Although, I am not sure what is the behavior, if you set the Silent to true (i.e does it assume it to be Yes or otherwise?).
Most of HTTPS sites I know use self-signed certificates.
I don't know VB6 APIs for HTTPS, but for example in Java you should provide it a copy of the site certificate beforehand. That is:
export a copy of the certificate, for example from your browser certificate repository (in Firefox: Tools->Options->Advanced->Encryption->View Certificates etc.) - supposing you have have already visited the site with your browser;
detect which certificate repository your HTTPS API points to (there certainly is one)
import certificate into that repository
execute your program