Windows Authentication

Old forum URL: forums.lhotka.net/forums/t/4516.aspx


Warren posted on Wednesday, March 19, 2008

I am getting my feet wet with CSLA code for the first time. I have PTracker working with Winforms (PTWIN) local proxy only. Now I am trying to determine the best way to use the CSLA framework for my authentication model.

I would like to use Windows authentication but want the users to be prompted again with their Windows login and password. I would also like to use my own application database roles for authorization, not Windows groups.

Assuming this is possible with CSLA, can someone please provide some advice on the cleanest way to get this done?

As a start I know I will have to change the app.config CslaAuthentication setting: <add key="CslaAuthentication" value="Windows" />, which I have done, but this disables the login screen.

Thanks in advance.

RockfordLhotka replied on Wednesday, March 19, 2008

You'll have to write a different login form to do what you want. You'll want to get the user's Windows credentials, and then you'll need to authenticate them with Windows itself - and there are APIs in .NET to do this (though I don't know them off the top of my head).

You will still want CSLA to use Windows auth - you just need to change your UI to keep track of whether it has re-authenticated the user (because Windows already did the authentication, and so the principal object is already set and correct).

Warren replied on Saturday, May 24, 2008

My authentication model is a hybrid. I want the users to login to my application with their Windows user credentials even though they are already authenticated but then use the internal roles in my SQL Server database.

I have added the .Net routine which re-authenticates the user against an LDAP server into my login form which is cloned from the PTracker app.

Now I need to determine a way to graft my database roles onto the Identity object since I will be using Windows authentication minus any Windows roles. My Winforms app can continue to use the SecurityDataset from PTracker if I remove the userid.

Any advice on how to best graft the roles is much appreciated.

Warren replied on Monday, May 26, 2008

I'm still trying to figure out how to best graft the application level roles onto the Windows Identity object but in the meantime I thought I'd share the piece I used to do the LDAP authentication. In my login form I added the following:

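' Re-authenticate this user with Active Directory

Dim LDAPDomain As String = My.Settings.LDAPDomain
If ValidateActiveDirectoryLogin(LDAPDomain, Me.txtUsername.Text, Me.txtPassword.Text) Then
   GetCurrentUser()
   Me.DialogResult = System.Windows.Forms.DialogResult.OK
   Me.Close()
Else
   MessageBox.Show("The system cannot log you on. Make sure your username and password are correct.")
End If

' Returns True only if the directory accepts a bind with the supplied credentials.
' Requires a reference to System.DirectoryServices.dll.
Private Function ValidateActiveDirectoryLogin(ByVal Domain As String, ByVal Username As String, ByVal Password As String) As Boolean
   ' Reject blank input up front; some LDAP servers treat a bind with an
   ' empty password as anonymous and let it succeed.
   If String.IsNullOrEmpty(Username) OrElse String.IsNullOrEmpty(Password) Then Return False

   Dim Success As Boolean = False
   Try
      ' The bind happens lazily, on the first directory operation (FindOne).
      Using Entry As New System.DirectoryServices.DirectoryEntry("LDAP://" & Domain, Username, Password)
         Using Searcher As New System.DirectoryServices.DirectorySearcher(Entry)
            Searcher.SearchScope = System.DirectoryServices.SearchScope.OneLevel
            Dim Results As System.DirectoryServices.SearchResult = Searcher.FindOne()
            Success = Not (Results Is Nothing)
         End Using
      End Using
   Catch
      ' Any failure (bad credentials, unreachable server) counts as a failed logon.
      Success = False
   End Try
   Return Success
End Function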
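
One way to graft application roles onto the Windows identity, as asked above, using only .NET base-class types. This is an added example, not code from the thread or from CSLA: the in-memory table stands in for the SQL Server roles table, the account names, `LoadAppRoles` and `BuildPrincipal` are hypothetical, and installing the result through `Thread.CurrentPrincipal` is an assumption about how the application exposes its current user.

```vb
Imports System
Imports System.Collections.Generic
Imports System.Security
Imports System.Security.Principal
Imports System.Threading

Module RoleGraftExample

    ' Constructed sample data standing in for the application's roles table;
    ' the accounts and role names are made up for illustration.
    Private ReadOnly AppRoles As New Dictionary(Of String, String())(StringComparer.OrdinalIgnoreCase) From {
        {"EXAMPLE\warren", New String() {"ProjectManager"}},
        {"EXAMPLE\appadmin", New String() {"Administrator", "ProjectManager"}}
    }

    ' Hypothetical helper: application roles for an account name.
    ' Accounts that are not in the table get no roles (deny by default).
    Function LoadAppRoles(ByVal accountName As String) As String()
        Dim roles As String() = Nothing
        If AppRoles.TryGetValue(accountName, roles) Then Return roles
        Return New String() {}
    End Function

    ' Keeps the Windows identity (name, authentication type) and pairs it
    ' with the application role names, so IsInRole matches those names.
    Function BuildPrincipal(ByVal identity As IIdentity) As IPrincipal
        If identity Is Nothing OrElse Not identity.IsAuthenticated Then
            Throw New SecurityException("Identity is not authenticated.")
        End If
        ' Key the lookup on the authenticated identity's name,
        ' not on text typed into the login form.
        Return New GenericPrincipal(identity, LoadAppRoles(identity.Name))
    End Function

    Sub Main()
        Dim current As WindowsIdentity = WindowsIdentity.GetCurrent()
        Dim principal As IPrincipal = BuildPrincipal(current)
        Thread.CurrentPrincipal = principal

        Console.WriteLine("User: {0}", principal.Identity.Name)
        Console.WriteLine("ProjectManager: {0}", principal.IsInRole("ProjectManager"))
        Console.WriteLine("Administrator: {0}", principal.IsInRole("Administrator"))
    End Sub
End Module
```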

tiago replied on Friday, May 15, 2009

RockfordLhotka:

You'll have to write a different login form to do what you want. You'll want to get the user's Windows credentials, and then you'll need to authenticate them with Windows itself - and there are APIs in .NET to do this (though I don't know them off the top of my head).

You will still want CSLA to use Windows auth - you just need to change your UI to keep track of whether it has re-authenticated the user (because Windows already did the authentication, and so the principal object is already set and correct).

That's what I did in

FAQ: How to use Windows authentication in PTracker (PTWin) (C#)

http://forums.lhotka.net/forums/post/28161.aspx

I made some changes to PTracker authentication in order to have Windows Authentication. In fact you just need to change CslaAuthentication attribute. The nicest thing about it is that you can have both at the same time.

If the user that is authenticated under Windows exists in the users table, it gets logged on with no further questions. Otherwise (the Windows user name doesn't exist in the users table) the login window will ask for username/password. This is quite useful when you have an application on a client but your laptop is not in the client's domain. You can still use your laptop and log in to the application using the application admin username.

Cheers

tarekahf replied on Friday, May 15, 2009

Hi all,

It's really amazing how many different ways we have found to implement different authentication methods.

I think we can write a book on this!!

Tarek.

tarekahf replied on Monday, May 26, 2008

I have made some effort in that regard and enabled Mixed/Dual Authentication: Windows and Forms.


Please check the details here:

http://forums.lhotka.net/forums/thread/22529.aspx

I have the complete sample code. Please let me know if you want it. Once I am back in the office I can post it for you.

Tarek.

Warren replied on Tuesday, June 03, 2008

Thanks Tarek,

I ended up using LDAP to authenticate the userid/password. Then I take this userid and build the CSLA principal and identity objects. I have a connection string containing a totally different userid and password which is granted execute access to stored procedures only.

The last piece I need to build is to encrypt the connection string in the app.config file. This is a challenge because my app is ClickOnce forms, which means that I need to use a non-machine-dependent method of encrypting the app.config. I am looking at a solution like this one:

http://guy.dotnet-expertise.com/CommentView,guid,b3850894-3a8e-4b0a-aa52-5fa1d1216377.aspx

tarekahf replied on Friday, August 29, 2008

Dear Warren

Thank you for the feedback about using LDAP.

Just to make sure I understand what you meant.

Did you implement Forms Authentication and validate the username/password against LDAP (Windows Active Directory), i.e., the user will enter his username/password and you check the validity of this user using .NET against Active Directory (LDAP)?

If so, then could you please kindly post some sample code on how to do such authentication against LDAP?

Thank you again.

Tarek.

Wendy replied on Friday, August 29, 2008

Hi TareKahf.

In the post of 05-26-2008, 6:30 PM, you said that you have sample code that enabled Mixed/Dual Authentication. Could you please help me? I tried, but it does not work.

I'm sorry for my English, it is so bad.

Wendy Mejías A.

wmejias@poder-judicial.go.cr

tarekahf replied on Saturday, August 30, 2008

Dear Wendy,

Please check this link for complete details about the required changes you asked for:

http://forums.lhotka.net/forums/25866/ShowThread.aspx#25866

I hope this will be helpful to you.

Tarek.

Copyright (c) Marimer LLC