ansaurus

Question

ASP.Net - Using Basic Authentication without having Windows Users

Answer 1

+1 A:

I'm not an expert but I thought that the point of Basic was that it was Windows Authentication. Can you run a script to synchronise your DB users with your Active Directory?

If it's a corporate AD, you could consider having a second AD just for your app and synchronising users from both your corporate AD and your DB. If you don't need to synchronise passwords (e.g. build a pwd-mgmt page in your site) you could just use scripts or C# or something. If you want something more sophisticated with built-in password synchronisation, you could look at ILM 2007 (soon to be FIM 2010).

serialhobbyist 2009-12-11 11:18:49

The problem with this is that I have no way of knowing what any of the existing users passwords are. They are all salted and hashed etc.

Robin Day 2009-12-11 11:46:51

How if you put your synchronisation method in place (in the background) and then expire all passwords so that users have to set up new ones?

serialhobbyist 2009-12-12 13:17:52

Answer 2

+1 A:

Is the page an .html file or an .aspx file? If it's an .aspx, you should keep this page under anonymous access and check for authentication in the page logic itself

SergeyKazachenko 2009-12-11 11:44:21

It is an ASPX page so I can write any .net/c# code required for it. However, is it possible to go through IIS as anonymous and then still perform a custom HTTP Auth style authentication? Do you have any examples of this?

Robin Day 2009-12-11 11:51:49

I'm not sure I understand your question. You said "all authentication/security is managed using our application itself." So I assume once the user logs in there's a Session variable started, right?At the top of the page check that variable, if it's not set, redirect to "login.aspx"

SergeyKazachenko 2009-12-11 14:46:48

The page is accessed by Excel... Excel has no idea what to do with a page that redirects to Login.aspx.

Robin Day 2009-12-11 15:40:04

OK, then instead of redirecting, simply return a string "Please log in before accessing this page". I hope Excel can display that...

SergeyKazachenko 2009-12-11 17:47:56

Answer 3

+2 A:

As you've got a custom database of users, I'd recommend looking at building a quick membership provider that talks to your database schema.

MSDN has a good example on "How to: Sample Membership Provider".

You can then use the standard access control mechanisms of ASP.NET to lock down the page, require authentication, etc, along with controls like Login, LoginStatus and others to provide much of the UI you need.

Edit to add

A quick search found the following, which might help:

Web Service Security - Basic HTTP Authentication without Active Directory

Where Greg Reinacker presents "a fully working sample in 100% managed code demonstrating the use of HTTP Basic authentication, using a separate credential store (in this case, a XML file, although this would be easy to change to a database or LDAP store)."

Zhaph - Ben Duguid 2009-12-11 11:56:24

I may be wrong here, but doesn't this then rely on a Forms style of authentication, eg, requesting a page takes the user to a login page first before returning to the original page. The problem is, this is not possible from Excel which is why I need it to use HTTP Auth, eg, Basic Authentication.

Robin Day 2009-12-11 12:03:10

Ah, I see you point, but then you're stuck without windows users - which is as serialhobbyist points out, what Basic Auth uses.

Zhaph - Ben Duguid 2009-12-11 12:17:51

I've seen some possible uses of an HttpModule to implement Basic Authentication outside of IIS. I'll post here if I have any success.

Robin Day 2009-12-11 12:24:19

Yes, that seems to be what I found too.

Zhaph - Ben Duguid 2009-12-11 12:33:55

Answer 4

+1 A:

Ok, so I've found two solutions to this problem. One thanks to Zhaph - Ben Duguid's answer which is an HttpModule that allows ASP.Net to fully manage the authentication.

The second solution, and the one that I am going with, is thanks to this question/answer.

HTTP Authentication (Basic or Digest) in ASP Classic via IIS

I've stripped this down and have a simple test harness that seems to be working well. In this example, instead of a database call, it merely checks that the username and password match and considers that authenticated.

using System;
using System.Text;

namespace AuthenticationTests
{
    public partial class _Default : System.Web.UI.Page
    {
        protected void Page_Load(object sender, EventArgs e)
        {
            string authorisationHeader = Request.ServerVariables["HTTP_AUTHORIZATION"];

            if (authorisationHeader != null && authorisationHeader.StartsWith("Basic ", StringComparison.InvariantCultureIgnoreCase))
            {
                string authorizationParameters = Encoding.Default.GetString(Convert.FromBase64String(authorisationHeader.Substring("Basic ".Length)));
                string userName = authorizationParameters.Split(':')[0];
                string password = authorizationParameters.Split(':')[1];

                if (userName == password) //Perform your actual "login" check here.
                {
                    //Authorised!
                    //Page loads as normal.
                }
                else
                {
                    Unauthorised();
                }
            }
            else
            {
                Unauthorised();
            }
        }

        private void Unauthorised()
        {
            Response.AddHeader("WWW-Authenticate", "Basic");
            Response.Status = "401 Unauthorized";
        }
    }
}

Robin Day 2009-12-11 15:57:13

ansaurus

tags:

views:

answers:

ASP.Net - Using Basic Authentication without having Windows Users

related questions