DotNet Security: Yet another newbie need to ask about Authentication Code... :) ,DotNet Security.

Hello all,

My first post to the board and it's going to be a "I'm having trouble with my authentication code..." *lol* I was so determined to work it out myself too.

Ok, Through reading various posts & sites I've cobbled together a couple of pages to perform forms based authentication.

It all seems to work and I authenticate fine, however it doesn't seem to be passing the roles so that I can use User.IsInRole().

I'm writing the ticket and setting up the General Principal and there are no errors, but the bit of code I put in my index page to test if I could read the roles is coming back false.

Anyway, here's the code, please excuse the cludgyness, but my copy of VS.NET isn't here yet so this is all done using good old fashioned notepad.

web.config:
<CODE>
<configuration>
<system.web>
<customErrors mode="Off"/>
<authentication mode="Forms">
<forms name="./IMOECookie" loginUrl="login.aspx" protection="All" timeout="1" path="/"/>
</authentication>
<authorization>
<deny users="?" />
</authorization>
<identity impersonate="true" />
</system.web>
</configuration>
</CODE>

Login.aspx
<CODE>
<%... Import Namespace="System.DirectoryServices" %>
<%... Import Namespace="System.Security.Principal" %>

<html>
<script language="C#" runat=server>
string LDAPPATH = "LDAP://hundredacrewood.local/DC=hundredacrewood,DC=local";
string _filterAttribute = "";
int CookieTimeOut = 1;
public bool AuthenticateUser(string domain, string username, string password)
{

string domainAndUsername = domain + ..."\" + username;
DirectoryEntry entry = new DirectoryEntry( LDAPPATH, domainAndUsername, password);
try
{
// Bind to the native AdsObject to force authentication.
Object obj = entry.NativeObject;
DirectorySearcher search = new DirectorySearcher(entry);
search.Filter = "(SAMAccountName=" + username + ")";
search.PropertiesToLoad.Add("cn");
SearchResult result = search.FindOne();
if(null == result)
{
return false;
}
// Update the new path to the user in the directory
LDAPPATH = result.Path;
_filterAttribute = (String)result.Properties["cn"][0];
}
catch (Exception ex)
{
lblResults.Text = "Error: " + ex.Message;
return false;
}
lblResults.Text = "";
return true;
}

void LoadUser(string username)
{
DirectorySearcher search = new DirectorySearcher(LDAPPATH);
search.Filter = "(cn=" + _filterAttribute + ")";
search.PropertiesToLoad.Add("memberOf");
StringBuilder groupNames = new StringBuilder();

try
{
SearchResult result = search.FindOne();
int propertyCount = result.Properties["memberOf"].Count;
String dn;
int equalsIndex, commaIndex;

for(int propertyCounter = 0; propertyCounter < propertyCount; propertyCounter++)
{
dn = (String)result.Properties["memberOf"][propertyCounter];
equalsIndex = dn.IndexOf("=", 1);
commaIndex = dn.IndexOf(",", 1);
groupNames.Append(dn.Substring((equalsIndex + 1), (commaIndex - equalsIndex) - 1));
groupNames.Append("|");
}
}
catch(Exception ex)
{
lblResults.Text = "Error: " + ex.Message;
}
lblResults.Text = "";
FormsAuthenticationTicket authTicket = new FormsAuthenticationTicket(1, username, DateTime.Now, DateTime.Now.AddMinutes(CookieTimeOut), false,groupNames.ToString(), "/");
string encryptedTicket = FormsAuthentication.Encrypt(authTicket);
HttpCookie authCookie = new HttpCookie( FormsAuthentication.FormsCookieName , encryptedTicket);
Response.Cookies.Add(authCookie);
}

void Login_Click(Object sender, EventArgs E)
{
if(AuthenticateUser(UserDomain.Value, UserName.Value, UserPass.Value))
{
LoadUser(UserName.Value);
Response.Redirect(FormsAuthentication.GetRedirectUrl(UserDomain.Value,false));
}
}
</script>

<body>
<form runat="server" ID="Form1">
<h3>Login Page</h3>
<hr>
UserName:<input id="UserName" type="text" runat="server"/>
<asp:RequiredFieldValidator ControlToValidate="UserName" Display="Static" ErrorMessage="*" runat="server"/>
<P>
Password:<input id="UserPass" type="password" runat="server"/>
<asp:RequiredFieldValidator ControlToValidate="UserPass" Display="Static" ErrorMessage="*" runat="server"/>
</P>
<P>
Domain:<input id="UserDomain" type="text" runat="server"/>
<asp:RequiredFieldValidator ControlToValidate="UserDomain" Display="Static" ErrorMessage="*" runat="server"/>
</P>
<P>
<asp:button id="cmdLogin" text="Login" OnClick="Login_Click" runat="server"/>
</P>
<P>
<asp:Label id="lblResults" ForeColor="red" Font-Size="10" runat="server" />
</P>
</form>
</body>
</html>
</CODE>

Global.axas
<CODE>
<%... Application Codebehind="Global.asax.cs"%>
</CODE>

Snippet from Global.axas.cs
<CODE>
void Application_AuthenticateRequest(Object sender, EventArgs e)
{
String cookieName = FormsAuthentication.FormsCookieName;
HttpCookie authCookie = Context.Request.Cookies[cookieName];

if(null == authCookie)
{//There is no authentication cookie.
return;
}

FormsAuthenticationTicket authTicket = null;

try
{
authTicket = FormsAuthentication.Decrypt(authCookie.Value);
}
catch(Exception ex)
{
//Write the exception to the Event Log.
return;
}

if(null == authTicket)
{//Cookie failed to decrypt.
return;
}

//When the ticket was created, the UserData property was assigned a
//pipe-delimited string of group names.
String[] groups = authTicket.UserData.Split(new char[]{'|'});

//Create an Identity.
GenericIdentity id = new GenericIdentity(authTicket.Name, "LdapAuthentication");

//This principal flows throughout the request.
GenericPrincipal principal = new GenericPrincipal(id, groups);

Context.User = principal;

}
</CODE>

index.aspx (Yes I know I switched to VB.NET :) )
<CODE>
<script runat="server">
sub Page_Load

if Not Page.IsPostBack then
dim mycountries=New Hashtable
mycountries.Add("N","Norway")
mycountries.Add("S","Sweden")
mycountries.Add("F","France")
mycountries.Add("I","Italy")
rb.DataSource=mycountries
rb.DataValueField="Key"
rb.DataTextField="Value"
rb.DataBind()
end if
end sub
sub displayMessage(s as Object,e As EventArgs)
lbl1.text="Your favorite country is: " & rb.SelectedItem.Text
if User.IsInRole("Test") then
lbl2.text = "Test"
else
lbl2.text = "Not Test"
end if
end sub
</script><html>
<body><form runat="server">
<asp:RadioButtonList id="rb" runat="server"
AutoPostBack="True" onSelectedIndexChanged="displayMessage" />
<p><asp:label id="lbl1" runat="server" /></p>
<p><asp:label id="lbl2" runat="server" /></p>
</form></body>
</html>
</CODE>

A fair bit of cut and paste code, and the global.asax.cs was taken piecemeal from this site. But still not bad considering that I've never touched .NET or C# before and I've no books, or dev tools here (unless you count Notepad) :)

So, if anyone can help me crack the roles issue I'd be very grateful.

Keywords & Tags: newbie, ask, authentication, code, dotnet, security, .net

URL: http://dotnet.itags.org/dotnet-security/37911/

«« Prev - Next »» 3 helpful answers below.

Jenni

Can you try doing 2 things

1. Put this Code at the end of the Application_AuthenticateRequest(..)To See the List of Groups the Authenticated User is a Member Of
Response.Write ( "Groups: " + authTicket.UserData + "<br>");

2. make sure that the DomainName is a Valid One ( means tha the"Test" is a Valid Role or it exists in the groups array)

see how it works

luvdotnet | Tue, 01 Jan 2008 02:29:00 GMT |

Ok, I added the line with no success, so at the begining of AuthenticateRequest I put a simple Response.Write ("Got Here") to see if the section of code ran at all, but nothing.

So, I double checked the Security Group, and it was fine and added a line of code to display the contents of the variable before it's loaded into the cookie and it's as I expected A list of Groups separated by vertical bars and Test was one of them.

The problem has to either be:
A) The value isn'r being correctly loaded into the Cookie

Or my personal belief,

B) The AuthenticateRequest code isn't running at all or is running incorrectly.

jennih | Tue, 01 Jan 2008 02:30:00 GMT |

i am not sure if this is the problem but worth trying it

1 .You are creating the FormsAuthenticationTicket with theUserName thatwill be associated with the Ticket , which is right

FormsAuthenticationTicket authTicket = newFormsAuthenticationTicket(1, username, DateTime.Now,DateTime.Now.AddMinutes(CookieTimeOut), false,groupNames.ToString(),"/")

but when redirecting you are the UserDomain.Value when ( or tofire the Application_AuthenticateRequest ) can you please changeit to user UserName instead and see if it works

2. And also you said that you put some line of code Response.Write("Got Here") and its not hitting that means the AuthenticateRequestevent is not fired which means that The AuthenticatedUser is returningfalse or the User is not Authenticated can you please check on that aswell

void Login_Click(Object sender, EventArgs E)
{
if(AuthenticateUser(UserDomain.Value, UserName.Value, UserPass.Value))
{
LoadUser(UserName.Value);
Response.Redirect(FormsAuthentication.GetRedirectUrl(UserDomain.Value,false));// THIS SHOULD FIRE APPLICATION_AUTHENTICATEREQUEST Event , which meansthe User has to be authenticated first in ur code
}
}

3 .Also try adding the <allow users = "*' /> tag as well in theauthorization tag in the config ( this should not matter but worhgivign a try )

hth
Vivek

luvdotnet | Tue, 01 Jan 2008 02:31:00 GMT |

DotNet Security Related Links

DotNet Security Hot Answers

identity Impersonation and SQL permissions
I know this is a subject coming up at lot but I still seem to missing something!!Im running a SQL server on a 2k server box and developing an ASP.Net app on a win 2k box running iis locally and connecting to the SQL Server. The website is configured for Windows authentication and am using the we...
identity impersonate true or false
Hello,I have some images on my site that are saved in the website directory.The url is something like: viewimage.aspx?id=1234&code=sdfThe problem is that it cannot find the image. (unable to read directory)<identity impersonate="false"/But when I set this line to true it works.<identity im...
Ideal location for connection string?
Hi, all,I heard a lot that we should locate connection string in the web.config file. Well, for security reasons, sometimes we don't want others to open Web.config file and find out your database password. So what should we do? I'm just thinking why we don't leave the string in th...
I want to read Windows login name
Hello,I need to read Windows login name and to use it later in my application.I use :dim wp as new WindowsPrincipal(WindowsIdentity.GetCurrent()) and I am getting : NT-AUTORITÄT\NETZWERDIENST (sorry because of German but I do not know how to translate this). Btw. my logged name is "Develope...
I need to foil using the backbutton to "back into" a "secure" web page
I'm constructing a site which will be "protected" under Forms Authentication. So far, everything works great. The issue I'm trying to overcome now is once a user hits the "Logout" button, which calls FormsAuthentication.Clear() then redirects to my login page, the user can use the back...

DotNet Security New questions

Idea to solve the current shared hosting ‘Full trust’ issue.
Idea to solve the current shared hosting 'Full trust' issue.At the moment anybody that wants to provide a shared hosting environment must do it with 'Full trust' since when the trust level is reduced core Asp.Net functionality is lost (see: http://www.asp.net/Forums/ShowPost....
I need to make custom Providers
I need to build custom Providers for membership, roles, and profiles. Iwill be using the MySQL database. I found one example of writning acustom provider for Access, The author did not override all the methodsand such for his example, which has to be done in order for it to work,afaik. I'm...
I need to Inpersonate Windows NT Login
My application has a folder with anonymous access. It calls a database to login a user. If the user is in the database I want to redirect to a folder under the main application to access resources, mostly mp3 files, that do not have anonymous access.Setting the Web.config file has not solved the...
I have a problem with authorization on a COM+ proxy.
I installed a COM+ proxy to access a SQL Server. When I try to access this proxy throughasp.net page, I get an error page that is System.UnauthorizedAccessException.I have installed a proxy without any changes to the local machine. And I confirmed thatthe user id has the right to access to the p...
I deleted the aspnetdb and my app will not recreate it
I am using SqlServerLite, the ASPNETDB.MDF file in the App_Data Directory. I deleted the old db to experiment with creating the db and membership with different parameters (allowPasswordRecovery, etc...)Now my app is not recreating the Database. I can add the database manually, but the scripts...
I configured a new application but now I have lost my code
So I wanted to have my application in /content/ but keep a special locked away section in /content/authorized/My first thought was that the easy way to do this would be to add a new Web.Config in /content/authorized/ and set up forms authentication there, but of course, I can't do that on a...
I cant connect to the membership database with vs 2005 RC 1.
Hello, I configured my asp application with membership provider, the code below connects, I used management studio and it connects, but the membership and role functions doesnt work, the debugger says its unable to connect to sql server, look below the web.config, it has exactly the same connec...
HttpWebRequest and Forms Authentication Problem
I have a ASP.net web application whose pages are secured by form basedauthentication specified in web.config.When I try and use HttpWebRequest , the logon page is returned and not thepage I specified. I want to authenticate automatically by passing the username and password when accessing secure...
https, ssl, and other good stuff?
does anyone have good referrence sources on https://, SSL or both.thanks,psi...
https help
Hi,i am developing a site for a host that has certificate installed.How should i make the web application use https instead of http.will configuring in the iis application properties be enough, or something extra need to be done in the code.Regards...

(DotNet Security)Q&A: 'Yet another newbie need to ask about Authentication Code... :)', With 3 answers.

DotNet Security: Yet another newbie need to ask about Authentication Code... :)

Keywords & Tags: newbie, ask, authentication, code, dotnet, security, .net

DotNet Security Related Links

DotNet Security Hot Answers

DotNet Security New questions

DotNet Security Related Categories

ADO

ASP.NET AJAX

DotNet

DotNet Asp

DotNet Base Class Library

DotNet C# (C sharp)

DotNet Security

DotNet Visual Basic

DotNet Visual C

DotNet Webcontrols

DotNet Webservices

NET Architecture & Design

Web Forms