NTLM authentication for OpenRasta - restful-authentication

Following on from my previous question regarding OpenRasta authentication, I'd like to know if NTLM authentication can be configured for an OpenRasta service that is running as an executable outside IIS.
Cheers.

Sorry, I didn't read the question carefully enough. Unfortunately, I don't believe you can do this out-of-the-box. There is an HttpListenerHost provided by OpenRasta which encapsulates a System.Net.HttpListener instance as a private variable. See the code in this forum thread to see how to use the HttpListenerHost in a Console app. If the HttpListener variable were public or at least protected it should be a simple matter of setting the AuthenticationSchemes property along the lines of this code:
var host = new HttpListenerHost();
host.Listener.AuthenticationSchemes = AuthenticationSchemes.Ntlm;
If you really need this capability, you can get the source for OpenRasta and update it to expose the underlying HttpListener variable so you can configure it to your heart's content.
===================>>
ORIGINAL ANSWER FOR IIS:
First you create a standard WebForms or MVC project configured for OpenRasta as shown in the Getting Started wiki page. Next, configure the project as described in this Wrox article to support Windows authentication. Supporting Windows authentication will enable both NTLM & Kerberos authentication.
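As an added example (my code, not OpenRasta's), this is the AuthenticationSchemes setting from the answer applied to a bare System.Net.HttpListener, which is what you would reach once the listener is exposed; the prefix is a placeholder.

```csharp
// Added example: a self-hosted System.Net.HttpListener that demands Windows
// authentication. HttpListener itself answers an unauthenticated request with
// 401 + "WWW-Authenticate: Negotiate"; this handler only runs after the SSPI
// handshake succeeded, so context.User is a WindowsPrincipal.
using System;
using System.Net;
using System.Security.Principal;
using System.Text;

class NegotiateListener
{
    static void Main()
    {
        var listener = new HttpListener();
        listener.Prefixes.Add("http://localhost:8080/"); // placeholder prefix
        // Negotiate uses Kerberos where a ticket is available and falls back to
        // NTLM; AuthenticationSchemes.Ntlm (as in the answer) pins it to NTLM only.
        listener.AuthenticationSchemes = AuthenticationSchemes.Negotiate;
        listener.Start();
        Console.WriteLine("Listening; Windows authentication required.");

        while (true)
        {
            HttpListenerContext context = listener.GetContext();
            string body = Describe(context.User);
            if (body == null) { context.Response.StatusCode = 401; body = "unauthenticated"; }
            byte[] bytes = Encoding.UTF8.GetBytes(body);
            context.Response.ContentType = "text/plain";
            context.Response.ContentLength64 = bytes.Length;
            context.Response.OutputStream.Write(bytes, 0, bytes.Length);
            context.Response.Close();
        }
    }

    // Reports who was authenticated, which package (Kerberos or NTLM) did it,
    // and the group SIDs carried in the token; no directory lookup is involved.
    // Returns null when no authenticated Windows identity is present (fail closed).
    static string Describe(IPrincipal principal)
    {
        var identity = principal?.Identity as WindowsIdentity;
        if (identity == null || !identity.IsAuthenticated)
            return null;
        var sb = new StringBuilder();
        sb.AppendLine("user:   " + identity.Name);
        sb.AppendLine("scheme: " + identity.AuthenticationType);
        if (identity.Groups != null)
            foreach (IdentityReference group in identity.Groups)
                sb.AppendLine("group:  " + group.Value);
        return sb.ToString();
    }
}
```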

Does anyone know how to handle browser authentication

I am trying to run the tests using Zalenium but the browser is asking for the credentials, so I am providing the username and password manually.
Does anyone know how to handle browser authentication?
My project uses Specflow, C# and Selenium
There are several options:
You can log in with http://username:password@website.com/page
Automate the login process at @BeforeMethod or @BeforeClass
Set cookies. Although I don't advise this method since it doesn't speed up automation much and there is quite a bit of work to do to implement it.
You could put your web application behind a proxy that automatically injects the basic auth credentials. I did this once for a client a few years back.
I'm pretty sure I used: https://github.com/adamfisk/LittleProxy with https://github.com/ganskef/LittleProxy-mitm
But I had to write some code to intercept requests and inject basic auth headers, although from memory it was pretty straightforward.
If you don't need https then you could probably use cntlm and then set the basic auth header by hand using this:
-r "HeaderName: value"
Add a header substitution. All such headers will be added/replaced
in the client's requests.

asp.net Identity authentication .net core 2.1

I'm having an issue with a .net core 2.1 MVC application that is running on Linux boxes using kestrel behind an nginx web server. This environment has 2 web servers behind a load balancer.
The issue is the .AspNetCore.Identity.Application cookie used for authentication. I am able to authenticate and get redirected to a controller decorated with the [Authorize] attribute (sometimes). However, on the next request, the cookie's gone and I get a 401. When we take one server out of the mix and force all traffic to one server, everything works as expected.
With Forms auth, the same problem could be overcome with specifying the machine key. What's the equivalent for .net core using identity? I found some links that went over my head. They mention doing something like this:
services.Configure<ForwardedHeadersOptions>(options =>
{
options.ForwardedHeaders = ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto;
});
I have no idea if this will fix the issue and I don't want to try things without knowing what they do.
I suspect what you experience has to do with data protection.
ASP.NET Core cookie authentication relies on the data protection layer to encrypt and decrypt data stored in the cookies. By default, a local key is created on each machine, meaning they can't decrypt cookies created by the other one, as stated in the official documentation.
I suggest that you go through the data protection configuration documentation page and evaluate your options. One of them is to store the keys on a UNC share and encrypt them with a certificate (all the links in this paragraph link to different sections of the same page).
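As an added example (not code from the question or the answer), here is a .NET Core 2.1 Startup that applies the answer's shared key ring suggestion alongside the ForwardedHeaders snippet from the question; the key-ring path, certificate file, application name and proxy address are placeholders.

```csharp
// Added example: .NET Core 2.1 Startup for two Kestrel hosts behind nginx.
// Paths, certificate file, application name and proxy address are placeholders.
using System;
using System.IO;
using System.Net;
using System.Security.Cryptography.X509Certificates;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.AspNetCore.HttpOverrides;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        // 1. Shared key ring. Each server otherwise generates its own keys, so the
        //    node that did not issue the Identity cookie cannot unprotect it -> 401.
        //    The UNC share from the answer is mounted on every Linux box at this path.
        var keyRing = new DirectoryInfo("/mnt/keyring");
        // Certificate that encrypts the keys at rest on the share; its private key
        // is needed on every node. The password comes from the environment, not source.
        var cert = new X509Certificate2("/etc/app/dataprotection.pfx",
            Environment.GetEnvironmentVariable("DP_CERT_PASSWORD"));
        services.AddDataProtection()
            .SetApplicationName("identity-app")    // must match on every node
            .PersistKeysToFileSystem(keyRing)
            .ProtectKeysWithCertificate(cert);

        // 2. Forwarded headers. nginx terminates TLS, so without this Kestrel sees
        //    plain http and anything that depends on the scheme (Secure cookies,
        //    redirect URIs) is built wrongly. Trust only the real proxy, not every
        //    X-Forwarded-* header a client could send; if nginx is on the same host,
        //    the default loopback entry already covers it.
        services.Configure<ForwardedHeadersOptions>(options =>
        {
            options.ForwardedHeaders = ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto;
            options.KnownProxies.Clear();
            options.KnownProxies.Add(IPAddress.Parse("10.0.0.5")); // placeholder nginx address
        });

        services.AddMvc();
        // Existing AddIdentity / AddDbContext registrations stay as they are.
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseForwardedHeaders(); // before authentication, so the scheme is already fixed up
        app.UseAuthentication();
        app.UseMvc();
    }
}
```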

Spring Security Kerberos SSO for a REST API (Tomcat)

Here is my problem:
Context :
-Windows Server 2012 with ActiveDirectory
-Tomcat
-Rest API (Spring)
I'm currently trying to restrict REST requests. I want only specific groups of the AD to be able to access specific resources. I'm restricted to Kerberos authentication.
System configuration
Create a user in domain "Tomcat"
setspn -a HTTP/apirest.domain@DOMAIN
Generate a tomcat.keytab using ktpass
API rest configuration
I'm using the Spring Security sample on GitHub that you can find here:
https://github.com/spring-projects/spring-security-kerberos/tree/master/spring-security-kerberos-samples/sec-server-win-auth
I know that there is an EntryPoint and this is not needed in my context (REST API). I've chosen this sample because it seems to use the Windows authentication context and use it to automatically authenticate me in the Spring Security context. Right after, an LDAP request is sent to extract all information about the logged-in user. In my case, I need to extract the group.
I'm also using :
https://github.com/GyllingSW/kerberos-demo
To extract the role of the user with the class "RoleStrippingLdapUserDetailsMapper.java" instead of the "ActiveDirectoryLdapAuthoritiesPopulator". This implementation also offers localhost authentication, but the issue with the NTLM token seems to be fixed in the last commit of Spring Security.
I'm not really sure if this is the right way to do what I want.
My authentication seems to fail and I only have one thing going wrong in my logs:
"Property 'userDn' not set - anonymous context will be used for read-write operations"
Questions
Do I have to run my Tomcat service using the Tomcat account? (Seems to be yes)
Am I doing the right things with Kerberos security?
How can I get rid of the anonymous context?
The anonymous context seems to be set right after Tomcat starts. I want to get a context just after my user (for instance, user1) requests the REST API (EntryPoint or whatever).
If there is something unclear let me know, I will try to reformulate!
Thanks,
You do not need to query LDAP to get information about which groups the user belongs to. Active Directory already adds this information to the Kerberos ticket which is sent from the browser to Tomcat.
You just need to extract this information from the token for example using Kerb4J library. It comes with Spring integration inspired by spring-security-kerberos project so it should be pretty easy to switch to it.
If you still want to query LDAP, you need to authenticate in LDAP before you can make any queries. Again, there's no need to use end-user accounts for it; you can use the keytab file for Kerberos authentication in LDAP and query groups using the "Tomcat" account.
I found a way to fix my issue.
In a REST API context, you have no entry point. I tried to set my entry point to an unmapped URL, just to do the negotiation. By doing this, you will receive an HTTP response with the error code 404 (Not Found) but with the right header added by Spring Security (WWW-Authenticate).
The web browser will not send the service ticket if the error code is not 401.
To solve this problem, you have to create a CustomEntryPoint class (implements AuthenticationEntryPoint) and you need to override the "commence" method to return a 401 HTTP code with the right header.
I hope that could help. If there is a better way, let me know!

Laravel SAML WIA not working

I am using Aacotroneo/Laravel-Saml2 and have successfully set up a login system using ADFS. In another system I am using simpleSAMLphp elsewhere on the same domain successfully with WIA, so I know ADFS is set up for that and that everything is set up correctly except the Laravel application.
I have installed a browser addon to check the SAML logs for responses and requests. The only thing I can think of is that there is no client request ID sent through from Laravel.
&client-request-id=d1ccbbdd-d55e-4828-eb24-0080000000b4
Any suggestions are appreciated. If I have missed a saml2 setting I am more than happy to try them; a lot of them don't seem to work or make any difference whether set to true or false.
Is it possible I need to set up encryption certificates and certain true/false combinations?
Thanks
Check this article
ADFS has non-standard SAML2 Authentication Context Class urn:federation:authentication:windows
By default this class has lower priority than urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
I would suggest making the following changes to the AuthnRequest:
<samlp:RequestedAuthnContext Comparison="minimum">
  <saml:AuthnContextClassRef xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">urn:federation:authentication:windows</saml:AuthnContextClassRef>
  <saml:AuthnContextClassRef xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
</samlp:RequestedAuthnContext>

Web api 2 - windows + client cert auth - is it possible?

I currently have an asp.net web api 2 site hosted in IIS secured with windows authentication. A requirement has now come in for us to support client certificate authentication in addition to windows, and I'm struggling to find out:
- if this is possible at all
- if there are any working examples available
I thought I might be able to add an additional OWIN middleware, message handler or filter, but can't see any existing ones that do this specifically for Windows rather than just relying on IIS. I know Thinktecture IdentityModel can do client certs, but I'm not sure if the two can be combined?
An example of forms + Windows that I thought might be similar is here: https://techblog.dorogin.com/mixed-windows-forms-authentication-for-ajax-single-page-application-e4aaaac0424a
Right, so I managed to figure it out. Thankfully, if a controller returns a 401, IIS automatically adds the Negotiate/NTLM headers, so if a user is on a Windows browser, it will then automatically authenticate as usual. So with that in mind, to keep Windows auth working, I:
updated the site in both IIS and VS to allow anonymous AND windows auth
added the [AuthorizeAttribute] as a global action filter (which causes the 401 to be returned if the user is not authenticated by the time they hit the filter)
To get client certificate auth working, I used the magnificent Thinktecture.IdentityModel library, which allowed me to add only one line to my Startup.cs file (we're using OWIN so this was easy):
app.UseClientCertificateAuthentication();
See https://github.com/IdentityModel/Thinktecture.IdentityModel/blob/master/samples/OWIN/AuthenticationTansformation/KatanaAuthentication/Startup.cs for an example