Part 6: Deploying Single Sign-On (SSO) in a multi-site configuration on VMware vCenter Appliance 5.5


I. Organisational model for AD-DC domain management:

Because enterprises (corporations, holding companies, ...) organise their domains in several levels, regions and departments, and sometimes across several regions or markets, they run their domain management across several AD servers.

Reference: https://letonphat.wordpress.com/2010/10/03/active-directory-windows-server-2008/

Trees:

– A tree is a group of domains organised in a parent-child hierarchy that mirrors the real structure of the business or organisation. A domain can have one or more child domains, but a child domain has exactly one parent domain.

image

Forests:

– A forest is the term for an AD organisational model in which several domain trees are related to each other. The domain trees in a forest are organisationally independent of one another, which sounds contradictory until you see that the relationship between the trees is a two-way trust, like that between partners.

– A forest must satisfy the following properties:

· All domains in the forest share a common schema

· All domains in the forest share a common global catalog

· All domains in the forest have two-way trust relationships with each other

· The trees in a forest must have different name structures (domain names)

· The domains in a forest operate independently of each other, but the forest as a whole operates as the system of the entire organisation.

image

 

II. How AD physically operates for multi-site / multi-domain:

(Kerberos Authentication Process Over Forest Trusts)

image

Google Translate's rendering of this was dreadful and hard to follow; please excuse it and just take away the concept.

  1. User1 logs on to Workstation1 with credentials from the europe.corp.tailspintoys.com domain, then tries to access a shared resource on FileServer1, which is located in the usa.corp.wingtiptoys.com forest.
  2. Workstation1 contacts the Kerberos Key Distribution Center (KDC) on a domain controller in its own domain (ChildDC1) and requests a service ticket for the FileServer1 SPN.
  3. ChildDC1 does not find the SPN in its domain database and queries the global catalog to see whether any domain in tailspintoys.com contains this SPN. Because a global catalog is limited to its own forest, the SPN is not found. The global catalog then checks its database for any forest trusts established with its forest and, if it finds one, compares the name suffixes listed in the forest trust's trusted domain object (TDO) with the suffix of the target SPN to find a match. Once a match is found, the global catalog returns a routing hint to ChildDC1. Routing hints direct authentication requests toward the destination forest and are used only when all traditional authentication channels (the local domain controller and then the global catalog) fail to locate the SPN.
  4. ChildDC1 sends Workstation1 a referral to its parent domain.
  5. Workstation1 contacts a domain controller in ForestRootDC1 (its parent domain) and is referred to a domain controller (ForestRootDC2) in the forest root domain of the wingtiptoys.com forest.
  6. Workstation1 contacts ForestRootDC2 in the wingtiptoys.com forest for a service ticket to the requested service.
  7. ForestRootDC2 contacts its global catalog to find the SPN; the global catalog finds a match and returns it to ForestRootDC2.
  8. ForestRootDC2 then sends Workstation1 a referral to usa.corp.wingtiptoys.com.
  9. Workstation1 contacts the KDC on ChildDC2 and negotiates a ticket for User1 to gain access to FileServer1.
  10. Once Workstation1 has a service ticket, it sends it to FileServer1, which reads User1's security credentials and builds an access token accordingly.
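The lookup order in steps 2 and 3 (local domain database, then the forest-limited global catalog, then the forest trust's TDO name suffixes) is the part that matters when a cross-forest logon fails, so here is a small C++ model of it. This is an added example, not code from the post or from Microsoft: the domain, forest and host names are the walk-through's own, while the SPN catalogue, the trust list and the functions (ResolveSpn, TailspinForest, TailspinTrusts) are constructed for the example.

```cpp
#include <iostream>
#include <map>
#include <set>
#include <string>
#include <vector>

// Which lookup stage answered the request, mirroring steps 2 and 3 above.
enum class Stage { LocalDomain, GlobalCatalog, RoutingHint, NotFound };

struct Resolution {
    Stage stage;
    std::string target;   // domain holding the SPN, or the trusted forest root to route to
};

// One forest as its global catalog sees it: every domain in the forest and the
// SPNs registered in each (constructed data, not a real catalogue).
struct Forest {
    std::string root;
    std::map<std::string, std::set<std::string>> spnsByDomain;
};

// A forest trust TDO: the trusted forest root and the DNS name suffixes it routes.
struct ForestTrust {
    std::string trustedRoot;
    std::set<std::string> nameSuffixes;
};

// "cifs/FileServer1.usa.corp.wingtiptoys.com" -> "FileServer1.usa.corp.wingtiptoys.com"
static std::string HostOf(const std::string& spn) {
    size_t slash = spn.find('/');
    return slash == std::string::npos ? spn : spn.substr(slash + 1);
}

// True when host lies inside the DNS suffix (a label boundary must precede it).
static bool InSuffix(const std::string& host, const std::string& suffix) {
    return host.size() > suffix.size() &&
           host.compare(host.size() - suffix.size(), suffix.size(), suffix) == 0 &&
           host[host.size() - suffix.size() - 1] == '.';
}

// Lookup order: local domain database, then the global catalog (limited to the
// local forest), then the TDO name suffixes; the longest matching suffix yields
// the routing hint. Names are compared as given; real catalogs ignore case.
Resolution ResolveSpn(const std::string& spn, const std::string& localDomain,
                      const Forest& localForest, const std::vector<ForestTrust>& trusts) {
    auto local = localForest.spnsByDomain.find(localDomain);
    if (local != localForest.spnsByDomain.end() && local->second.count(spn))
        return {Stage::LocalDomain, localDomain};
    for (const auto& d : localForest.spnsByDomain)
        if (d.second.count(spn)) return {Stage::GlobalCatalog, d.first};
    const std::string host = HostOf(spn);
    Resolution best{Stage::NotFound, ""};
    size_t bestLen = 0;
    for (const auto& t : trusts)
        for (const auto& s : t.nameSuffixes)
            if (InSuffix(host, s) && s.size() > bestLen) {
                bestLen = s.size();
                best = {Stage::RoutingHint, t.trustedRoot};
            }
    return best;
}

// The walk-through's forest: tailspintoys.com with the europe child domain,
// plus one forest trust to wingtiptoys.com (SPN entries are constructed).
Forest TailspinForest() {
    return {"tailspintoys.com",
            {{"tailspintoys.com", {}},
             {"corp.tailspintoys.com", {"cifs/PrintSrv.corp.tailspintoys.com"}},
             {"europe.corp.tailspintoys.com", {"cifs/EuroFS.europe.corp.tailspintoys.com"}}}};
}
std::vector<ForestTrust> TailspinTrusts() {
    return {{"wingtiptoys.com", {"wingtiptoys.com"}}};
}

int main() {
    Resolution r = ResolveSpn("cifs/FileServer1.usa.corp.wingtiptoys.com",
                              "europe.corp.tailspintoys.com", TailspinForest(), TailspinTrusts());
    std::cout << "stage " << static_cast<int>(r.stage) << " -> " << r.target << "\n";
    return r.stage == Stage::RoutingHint ? 0 : 1;
}
```

For FileServer1 neither ChildDC1 nor the tailspintoys.com global catalog holds the SPN, and the only thing the catalog can return is the routing hint towards wingtiptoys.com; an SPN whose suffix matches no TDO ends at NotFound, which is the symptom of a missing or mis-suffixed forest trust.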

 

Ports required for trusts

Task: Set up the trust on both sides from the internal forest
  Outbound ports: LDAP (389 UDP and TCP); Microsoft SMB (445 TCP); Kerberos (88 UDP); Endpoint resolution – portmapper (135 TCP); Net Logon fixed port
  Inbound ports: N/A
  From-To: Internal domain domain controllers – External domain domain controllers (all ports)

Task: Validate the trust from the internal forest domain controller to the external forest domain controller (outgoing trust only)
  Outbound ports: LDAP (389 UDP); Microsoft SMB (445 TCP); Endpoint resolution – portmapper (135 TCP); Net Logon fixed port
  Inbound ports: N/A
  From-To: Internal domain domain controllers – External domain domain controllers (all ports)

Task: Use Object Picker in the external forest to add objects that are in the internal forest to groups and DACLs
  Outbound ports: N/A
  Inbound ports: LDAP (389 UDP and TCP); Windows NT Server 4.0 directory service fixed port; Net Logon fixed port; Kerberos (88 UDP); Endpoint resolution – portmapper (135 TCP)
  From-To: Internal domain PDC – External domain servers (Kerberos); Internal domain domain controllers – External domain domain controllers (Net Logon)

Task: Set up the trust on the external forest from the external forest
  Outbound ports: N/A
  Inbound ports: LDAP (389 UDP and TCP); Microsoft SMB (445 TCP); Kerberos (88 UDP)
  From-To: Internal domain domain controllers – External domain domain controllers (all ports)

Task: Use Kerberos authentication (internal forest client to external forest)
  Outbound ports: Kerberos (88 UDP)
  Inbound ports: N/A
  From-To: Internal domain client – External domain domain controllers (all ports)

Task: Use NTLM authentication (internal forest client to external forest)
  Outbound ports: N/A
  Inbound ports: Endpoint resolution – portmapper (135 TCP); Net Logon fixed port
  From-To: Internal domain domain controllers – External domain domain controllers (all ports)

Task: Join a domain from a computer in the internal network to an external domain
  Outbound ports: LDAP (389 UDP and TCP); Microsoft SMB (445 TCP); Kerberos (88 UDP); Endpoint resolution – portmapper (135 TCP); Net Logon fixed port; Windows NT Server 4.0 directory service fixed port
  Inbound ports: N/A
  From-To: Internal domain client – External domain domain controllers (all ports)

Note
Port 445 and possibly TCP port 139 are required for backward compatibility.

 

III. Configuring Domain Forests and Trusts:

Step 1:

image

Step 2: Open DNS Server and configure it

image

Step 3: Configure DNS forwarding

image

 

Step 4: Do the same on the AD2 server

image

Step 5: Still on AD2, open Active Directory Domains and Trusts

image

Step 6: Enter the domain name of AD1

image

Step 7: Choose Forest trust

image

Step 8: Choose Two-way

image

Step 9: Choose Both this domain and the specified domain

image

Step 10: Enter the user name and password of a domain admin from AD1

image

Step 11: Choose Forest-wide authentication for Outgoing

image

Step 12: Choose Forest-wide authentication

image

image

image

image

image

image

Step 13: Check the result of the forest trust configuration

image

 

After configuring AD Domains and Trusts on both servers:

image

 

V. Testing Forest Domain Trusts with RDP:

To offer a service such as RDP where users can log on with an account from either AD1 or AD2 and reach the RDP/RDSH system ...

  1. Create a new security group in DomainA (the domain hosting RDS)
  2. Change the group scope to “Domain local”
  3. Add members from DomainB to the new security group (Group type = Security) in DomainA
  4. Open RDS on DomainA and add the new security group to the RemoteApp access permissions.

image

Then add that group to the RDP configuration:

image

Now you can test logging on with an account that is a member of that group.

 

VI. Configuring SSO on VMware vCenter Appliance:

Follow the same SSO methods as in Parts 4 and 5:

Reference links:

Part 4: Deploying Single Sign-On (SSO) between AD and VMware vCenter Appliance 5.5

Part 5: Deploying Single Sign-On (SSO) between AD-DS and VMware vCenter Appliance 5.5

 

Good luck!

Part 5: Deploying Single Sign-On (SSO) between AD-DS and VMware vCenter Appliance 5.5


2. Option: Active Directory as an LDAP Server:

The method shown in this post lets you manage users and groups in your central directory. It applies to both vCenter Server 5.5 installed on Windows Server and the vCenter Server Appliance (VCSA).

  1. Open the vSphere Web Client (https://<vCenter IP address or host name>:9443/vSphere-client)
  2. Log in as administrator@vsphere.local
     Password (VCSA): the initial default is VMware
  3. Navigate to Administration > Single Sign-On > Configuration

image

4. Click the green + to add an identity source
image

5. Choose the identity source type: A) Windows-based vCenter Server 5.5: Active Directory (Integrated Windows Authentication)

 B) vCenter Server Appliance 5.5 (VCSA):

image

6. Click OK

7. Back in Identity Sources, you need to define how vCenter connects to AD so that it can retrieve users and groups from Active Directory. If you connect with Integrated Windows Authentication, the trusted domains must be in working order.

8. Select Active Directory and click the “world with arrow” icon to make accounts from the AD domain the default login domain.

image

9. You will get a warning: “This will change your current default domain. Do you want to continue?”. That is fine, because you can have only one default domain.

That's it. You can now set up access rights and authentication between AD and vCenter Server 5.5, which is what SSO means here.

To change the vCenter Server SSO configuration as a user other than administrator@vsphere.local, you must add that user to the LocalOS group, the vsphere.local group, or a group in the domain you have just configured.

image

 

10. Add accounts from AD to assign permissions per user/group:

image

Reference: http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2058942

 

Good luck!

Part 4: Deploying Single Sign-On (SSO) between AD and VMware vCenter Appliance 5.5


Every SSO deployment depends on these five standard steps:

image

Notes:

  1. Steps 1 and 2 always need a diagram and the network configuration details prepared in advance: IPv4 address, gateway IP, local DNS IP, AD server name, vCenter server name, A and CNAME records, reverse lookup zone and PTR record.
  2. Prepare the testing tools beforehand (see: https://technet.microsoft.com/en-us/library/cc794810%28v=ws.10%29.aspx )
  3. You should be familiar with the LDAP/LDAPS test procedure (see: https://thangletoan.wordpress.com/2015/03/01/phan-2-trien-khai-cau-hnh-dang-nhap-1-lan-sso-giua-moodle-v-ad-server-robusta-distance-learning-2015/ )

 

SSO usually offers four ways to connect AD with vCenter:

image

1. Option: Active Directory (Integrated Windows Authentication):

Step 1: prepare the A and CNAME records on the DNS server:

image

and the PTR record

image

 

Step 2: Join the vCenter Appliance to the AD domain:

image

Step 3: Now configure SSO to pull accounts from AD into VMware vCenter:

image

Note: if steps 1 and 2 are not done carefully and accurately, you will run into several annoying errors:

Error 1: ‘alias’ value should not be empty :

image

 

Error 2: cannot load the users for the selected domain

image

– Both errors come from a missing PTR record, or from forgetting to update the PTR record after replacing the vCenter, AD or domain controller server.

Reference: http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2033742

 

Good luck avoiding these mistakes!

How do you synchronise with Active Directory (AD Sync) when the username and password are encrypted by the 32/64-bit OS?


Part 1. Password Filter for OS

 

Contents

I. Password Filters
  1. Password Filter Functions
  2. Password Filter Programming Considerations
  3. Installing and Registering a Password Filter DLL
     To install and register a Windows password filter DLL
II. Enforce Custom Password Policies in Windows
III. Configuring Security Policy
IV. The RegEx Password Filter Sample
V. Installing the Password Filter
VI. Source Code Compiler by VC++
  Download Boost link
  Error when Building
  Installation

 

 

I. Password Filters

Password filters provide a way for you to implement password policy and change notification.

When a password change request is made, the Local Security Authority (LSA) calls the password filters registered on the system. Each password filter is called twice: first to validate the new password and then, after all filters have validated the new password, to notify the filters that the change has been made. The following illustration shows this process.

clip_image001

Password change notification is used to synchronize password changes to foreign account databases.

Password filters are used to enforce password policy. Filters validate new passwords and indicate whether the new password conforms to the implemented password policy.

For an overview of using password filters, see Using Password Filters.

For a list of password filter functions, see Password Filter Functions.

The following topics provide more information about password filters:

 

1.  Password Filter Functions

The following password filter functions are implemented by custom password filter DLLs to provide password filtering and password change notification.

Function                 Description
InitializeChangeNotify   Indicates that a password filter DLL is initialized.
PasswordChangeNotify     Indicates that a password has been changed.
PasswordFilter           Validates a new password based on password policy.

 

2.  Password Filter Programming Considerations

When implementing password filter export functions, keep the following considerations in mind:

  • Take great care when working with plaintext passwords. Sending plaintext passwords over networks could compromise security. Network “sniffers” can easily watch for plaintext password traffic.
  • Erase all memory used to store passwords by calling the SecureZeroMemory function before freeing memory.
  • All buffers passed into password notification and filter routines should be treated as read-only. Writing data to these buffers may cause unstable behavior.
  • All password notification and filter routines should be thread-safe. Use critical sections or other synchronous programming techniques to protect data where appropriate.
  • Password notification and filtering take place only on the computer that houses the account.
  • All domain controllers are writeable; therefore password filter packages must be present on all domain controllers.
    Windows NT 4.0 domains: Notification on domain accounts takes place only on the primary domain controller. In addition to the primary domain controller, the password filter packages should be installed on all backup domain controllers so that notifications continue in the event of server role changes.
  • All password filter DLLs run in the security context of the local system account.

For information about                                        See
How to install and register your own password filter DLL     Installing and Registering a Password Filter DLL
The password filter DLL provided by Microsoft                Strong Password Enforcement and Passfilt.dll
Export functions implemented by a password filter DLL        Password Filter Functions

 

3.  Installing and Registering a Password Filter DLL

You can use the Windows password filter to filter domain or local account passwords. To use the password filter for domain accounts, install and register the DLL on each domain controller in the domain.

Perform the following steps to install your password filter. You can perform these steps manually, or you can write an installer to perform these steps. You need to be an Administrator or belong to the Administrator Group to perform these steps.

To install and register a Windows password filter DLL

1.       Copy the DLL to the Windows installation directory on the domain controller or local computer. On standard installations, the default folder is \Windows\System32. Make sure that you create a 32-bit password filter DLL for 32-bit computers and a 64-bit password filter DLL for 64-bit computers, and then copy them to the appropriate location.

2.       To register the password filter, update the following system registry key:

         HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa

         If the Notification Packages subkey exists, add the name of your DLL to the existing value data. Do not overwrite the existing values, and do not include the .dll extension.

         If the Notification Packages subkey does not exist, add it, and then specify the name of the DLL for the value data. Do not include the .dll extension.

         The Notification Packages subkey can hold multiple packages.

3.       Find the password complexity setting.

         In Control Panel, click Performance and Maintenance, click Administrative Tools, double-click Local Security Policy, double-click Account Policies, and then double-click Password Policy.

4.       To enforce both the default Windows password filter and the custom password filter, ensure that the Passwords must meet complexity requirements policy setting is enabled. Otherwise, disable the Passwords must meet complexity requirements policy setting.

 

 

II. Enforce Custom Password Policies in Windows

 

Most people take the easy way out and use the default filter to validate passwords. But did you know you can employ authentication modules to customize your password policies to reflect your organization’s unique security requirements? Find out how in this article.

by Yevgeny Menaker

Microsoft Windows allows you to define various password policy rules. Specifically, it allows you to enable the “Password must meet complexity requirements” setting using the Policy Editor, which validates user passwords against one or more password filters (system DLLs). Usually, people use the default filter. However, many admins say they’d prefer Linux-style validation, which lets them install pluggable authentication modules (Linux-PAM modules) to filter user passwords (authentication tokens). You can easily adapt these modules to reflect your organization’s security policy with the help of Linux configuration text files, and the ability to add such modules gives more flexibility in composing password policies. With custom modules (which, of course, have to be developed by Linux programmers), Linux administrators may even author a regular expression for matching user passwords. Go to www.kernel.org/pub/linux/libs/pam/ for more detailed information about Linux-PAM and the available modules.

 

The Linux model described above may be employed on Windows machines as well.

What You Need: Windows NT/2000/XP

In this article, learn how to create a Custom Password Filter (DLL in C++) that validates passwords against a configurable regular expression. The RegEx functionality is implemented with the Boost open source library because it has wide support for regular expressions.

Let’s start with an overview of the Windows Security system.

Windows Security
Windows Security is a policy-based system with a set of rules that compose security settings for a local machine or domain. The work of a policy-based system usually has three major stages:

  1. Creating rules to compose a policy.
  2. Searching for evidence.
  3. Enforcing the policy based on the evidence.

There is a parallel between the above stages and real-life legal systems. Most countries have an authority (usually a parliament or senate) that makes laws. This corresponds to the first stage (composing the policy). Police departments are the guards of the legal system, responsible for collecting evidence (e.g. measuring car speed on highways) and enforcing the existing laws based on that evidence (e.g. revoking a driving licence for exceeding the speed limit). So, a police force corresponds to the second and third stages.

In Windows security, system administrators play the role of parliament. They dictate the policy for an organization's domain. In some cases, regular users also shape security policy (e.g. when choosing their own passwords). The police uniform is worn by the Local Security Authority (LSA) Windows sub-system. LSA collects evidence for decision-making and enforces the policies (laws). The LSA sub-system is represented by the lsass.exe Windows process and several system DLLs.

 

III. Configuring Security Policy

System Administrators are usually responsible for configuring Security Policy. Since this article is about password filters, I’ll use configuring Password Policy as the example.

 

clip_image004

 

Figure 1. The “Local Security Policy” Management Console: This shows the list of security settings that compose your password policy on the local machine.

 

As mentioned previously, regular users take part in composing security settings when they choose their own log-on passwords. However, because a weak password creates a vulnerable system and compromises the organization's security, system administrators need more control over this and must disallow passwords that are too simple, too short, or vulnerable to dictionary attacks. In other words, you need to compose a password policy that meets your organization’s security requirements.

To edit security policies, you can use either the secedit.exe command-line utility or the “Domain Security Policy” graphical console, available from Control Panel -> Administrative Tools on the domain controller. With this tool you govern the security policy for all the computers in the Windows domain. Note that on a workstation only the “Local Security Policy” console is installed (shown in Figure 1). Local policy affects settings on the local machine and does not override domain policy, so its security settings apply to local machine users but not to domain users. This article uses the graphical tool to alter security settings on the local machine.

clip_image006

 

Figure 2. Editing Password Policy Rules: Double-click the “Minimum password length” item to display the dialog window.

 

The left pane of the management console contains an Explorer-like tree. Each node represents a different Security Policy. In this example, you’ll make modifications to the Password Policy to require users to choose long enough passwords (at least 10 characters). Here’s how to do it:

Expand the “Account Policies” node and select “Password Policy.” On the right pane of the management console, you should see a list of security settings (rules) that compose the password policy as shown in Figure 1. Double-click the “Minimum password length” item to display the dialog window (Figure 2). Edit the text field, setting the minimum password length to 10 characters, and click OK.

Congratulations! The new rule is ready. From now on, LSA will not allow your users to choose passwords shorter than 10 characters.

An interesting rule from the Password Policy set is “Password must meet complexity requirements.” This rule may be either Disabled or Enabled. In the Disabled state it has no effect. Enabling this rule instructs LSA to validate each password against Password Filters. If you don’t provide any filter, the default is used (which is considered relatively strong). However, the default allows simple passwords, such as Paris123. You definitely want more powerful filters and this is where Custom Password Filters can be helpful.

What Is a Password Filter?
A Password Filter plays a primary role in decision-making regarding user passwords. By definition, a Password Filter is a system DLL that exports three functions with the following prototypes (note the __stdcall calling convention):

BOOLEAN __stdcall InitializeChangeNotify(void);     // (1)

BOOLEAN __stdcall PasswordFilter(                   // (2)
    PUNICODE_STRING AccountName,
    PUNICODE_STRING FullName,
    PUNICODE_STRING Password,
    BOOLEAN SetOperation
);

NTSTATUS __stdcall PasswordChangeNotify(            // (3)
    PUNICODE_STRING UserName,
    ULONG RelativeId,
    PUNICODE_STRING NewPassword
);

How does LSA interact with Custom Password Filters through the above interface? First, assume that the “Password must meet complexity requirements” rule is Enabled. At system startup, LSA loads all the available Password Filters and calls each one's InitializeChangeNotify() function. A return value of TRUE tells LSA that the Password Filter loaded successfully and is functioning properly. From these calls LSA also builds a chain of the available Password Filters (those that returned TRUE).

When you give a password to a new user or modify an existing user’s password, LSA makes sure that every link in the Password Filter chain is satisfied with the new password. LSA invokes the PasswordFilter() function of each filter in the chain. If any filter in the chain returns FALSE, LSA does NOT continue calling the next filter; instead, it asks the user to provide another password. If every call to PasswordFilter on every filter returns TRUE, the new password is approved and each filter is notified about it through the PasswordChangeNotify() function.

As you can see, the Password Filter is a handy tool for LSA (or, the Windows Police), acting as a speed trap for highway patrol, helping to collect evidence from the “field.” These evidences are useful in the third stage, where policies are enforced.
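To make the two-pass contract concrete, here is an added C++ stand-in for the LSA side of that exchange; it is not the article's code and not Microsoft's LSA. The Windows types (BOOLEAN, NTSTATUS, UNICODE_STRING) are declared locally so it builds without the SDK, the “default” filter is a simplified model of the built-in complexity rule rather than Passfilt.dll, and LsaSimulator, PasswordFilterDll, Demo and the filter names are constructed for the example.

```cpp
#include <cwctype>
#include <functional>
#include <string>
#include <vector>

// Stand-ins for the Windows SDK types used by the filter prototypes above.
typedef unsigned char BOOLEAN;
typedef long NTSTATUS;
typedef unsigned long ULONG;
#define TRUE 1
#define FALSE 0
#define STATUS_SUCCESS 0L
// Length is a byte count and Buffer is not required to be NUL-terminated.
struct UNICODE_STRING { unsigned short Length; unsigned short MaximumLength; wchar_t* Buffer; };
typedef UNICODE_STRING* PUNICODE_STRING;

// One loaded filter DLL: its three exports plus a counter of notifications seen.
struct PasswordFilterDll {
    std::string name;
    std::function<BOOLEAN()> InitializeChangeNotify;
    std::function<BOOLEAN(PUNICODE_STRING, PUNICODE_STRING, PUNICODE_STRING, BOOLEAN)> PasswordFilter;
    std::function<NTSTATUS(PUNICODE_STRING, ULONG, PUNICODE_STRING)> PasswordChangeNotify;
    int notifications = 0;
};

struct ChangeResult {
    bool accepted;
    std::string rejectedBy;   // first filter that returned FALSE, empty when accepted
    int notified;             // filters that received PasswordChangeNotify
};

static std::wstring Text(PUNICODE_STRING s) { return std::wstring(s->Buffer, s->Length / sizeof(wchar_t)); }

class LsaSimulator {
public:
    // Start-up: a filter joins the chain only if InitializeChangeNotify() returns TRUE.
    void Load(PasswordFilterDll& dll) { if (dll.InitializeChangeNotify() == TRUE) chain_.push_back(&dll); }
    size_t ChainLength() const { return chain_.size(); }

    // Pass 1 validates in chain order and stops at the first FALSE; pass 2 runs
    // only if every filter accepted, and then notifies every filter.
    ChangeResult ChangePassword(std::wstring user, ULONG rid, std::wstring newPassword) {
        UNICODE_STRING u = Wrap(user), f = Wrap(user), p = Wrap(newPassword);
        for (PasswordFilterDll* dll : chain_)
            if (dll->PasswordFilter(&u, &f, &p, TRUE) != TRUE) return {false, dll->name, 0};
        int notified = 0;
        for (PasswordFilterDll* dll : chain_) {
            dll->PasswordChangeNotify(&u, rid, &p);
            ++dll->notifications; ++notified;
        }
        return {true, "", notified};
    }
private:
    static UNICODE_STRING Wrap(std::wstring& s) {
        unsigned short bytes = static_cast<unsigned short>(s.size() * sizeof(wchar_t));
        return {bytes, bytes, &s[0]};
    }
    std::vector<PasswordFilterDll*> chain_;
};

// Simplified model of the built-in complexity rule (6+ characters, 3 of 4 classes);
// as the article notes, this still admits a password like Paris123.
PasswordFilterDll DefaultComplexityFilter() {
    PasswordFilterDll d; d.name = "default";
    d.InitializeChangeNotify = [] { return BOOLEAN(TRUE); };
    d.PasswordFilter = [](PUNICODE_STRING, PUNICODE_STRING, PUNICODE_STRING pw, BOOLEAN) {
        std::wstring s = Text(pw);
        int up = 0, lo = 0, di = 0, other = 0;
        for (wchar_t c : s) { if (std::iswupper(c)) up = 1; else if (std::iswlower(c)) lo = 1; else if (std::iswdigit(c)) di = 1; else other = 1; }
        return BOOLEAN(s.size() >= 6 && up + lo + di + other >= 3 ? TRUE : FALSE);
    };
    d.PasswordChangeNotify = [](PUNICODE_STRING, ULONG, PUNICODE_STRING) { return NTSTATUS(STATUS_SUCCESS); };
    return d;
}

// A custom filter enforcing the 10-character minimum the article configures.
PasswordFilterDll MinLengthFilter(size_t minLen) {
    PasswordFilterDll d; d.name = "min-length";
    d.InitializeChangeNotify = [] { return BOOLEAN(TRUE); };
    d.PasswordFilter = [minLen](PUNICODE_STRING, PUNICODE_STRING, PUNICODE_STRING pw, BOOLEAN) {
        return BOOLEAN(Text(pw).size() >= minLen ? TRUE : FALSE);
    };
    d.PasswordChangeNotify = [](PUNICODE_STRING, ULONG, PUNICODE_STRING) { return NTSTATUS(STATUS_SUCCESS); };
    return d;
}

// A filter whose initialization fails: LSA leaves it out of the chain entirely.
PasswordFilterDll BrokenFilter() {
    PasswordFilterDll d = MinLengthFilter(1); d.name = "broken";
    d.InitializeChangeNotify = [] { return BOOLEAN(FALSE); };
    return d;
}

struct DemoOutcome { size_t chainLength; ChangeResult result; };

// Loads all three filters and runs one password change for User1 (RID 1001 is constructed).
DemoOutcome Demo(const std::wstring& password) {
    PasswordFilterDll def = DefaultComplexityFilter(), min10 = MinLengthFilter(10), broken = BrokenFilter();
    LsaSimulator lsa;
    lsa.Load(def); lsa.Load(min10); lsa.Load(broken);
    return {lsa.ChainLength(), lsa.ChangePassword(L"User1", 1001, password)};
}

int main() {
    DemoOutcome o = Demo(L"Paris123");
    return (o.chainLength == 2 && !o.result.accepted && o.result.rejectedBy == "min-length") ? 0 : 1;
}
```

Only two of the three filters end up in the chain, Paris123 gets past the default rule and is stopped by the length filter without any PasswordChangeNotify being sent, and a password that satisfies both filters triggers exactly one notification per filter.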

Before You Implement…
Consider the following issues before you start coding your own Password Filters:

*       Treat sensitive data carefully. The PasswordFilter and PasswordChangeNotify functions receive passwords in clear-text form. These passwords should be processed quickly and shouldn’t leave any traces in memory for malicious applications to capture. Introduced in Windows 2003, the SecureZeroMemory Win32 API cleans the specified memory. Traditional ZeroMemory may not be enough, since “smart” compilers will optimize your code and remove calls to this API. To make sure there are no such “useful” optimizations, read a random byte from the password string after it has been filled with zeros.

*       Make your filters fast and efficient. When LSA calls into the Password Filter function, most Windows processing stops, so make sure you don’t perform any lengthy operations.

*       Expect the unexpected. Because LSA loads password filters during start-up, if something goes wrong your system may become inoperable or deadlock. To avoid this, develop and test your DLLs on machines that have at least two operating systems installed. I have Linux and XP on my box and I found it highly useful when preparing this article. When I encountered problems, I booted from Linux and deleted the Password Filter DLL.

*       Log your actions. Password Filters run in the context of the lsass.exe process. I don’t recommend debugging this process, because after you close the debugger and end the process, your system will shut down. The best way to debug your already-running filter is to write log files to disk and follow them to fix the bugs.

*       Pre-debug your DLL. While lsass.exe debugging is not recommended, you may test your fresh Password Filter by writing a small unit-test program. In this program, load your DLL with a call to the LoadLibrary Win32 API and invoke the exported functions (after getting their addresses with GetProcAddress Win32 API calls). This way, you can check that your filter doesn’t crash and functions properly.

 

IV. The RegEx Password Filter Sample

Now that you’re aware of all the possible pitfalls, it’s high time for code action. This section walks you through the sample provided with this article. I’ve created a VS7 solution with the PasswordFilterRegEx VC project.

As the Password Filter definition requires, you export three functions. Here’s the DEF file included with the sample project:

LIBRARY PasswordFilterRegEx
EXPORTS
    InitializeChangeNotify
    PasswordChangeNotify
    PasswordFilter

The PasswordFilterRegEx.cpp file contains the source code for the exported functions. The implementations of InitializeChangeNotify and PasswordChangeNotify are quite simple:

// Initialization of Password filter.
// This implementation just returns TRUE
// to let LSA know everything is fine
BOOLEAN __stdcall InitializeChangeNotify(void)
{
    WriteToLog("InitializeChangeNotify()");
    return TRUE;
}

// This function is called by LSA when the password
// was successfully changed.
//
// This implementation just returns 0 (Success)
NTSTATUS __stdcall PasswordChangeNotify(
    PUNICODE_STRING UserName,
    ULONG RelativeId,
    PUNICODE_STRING NewPassword
)
{
    WriteToLog("PasswordChangeNotify()");
    return 0;
}

The bulk of the work is done in the PasswordFilter function (shown in Listing 1). First, create a zero-terminated copy of the password string and assign it to an STL wstring object (STL is used in conjunction with the boost regex library). Note that UNICODE_STRING::Length is a byte count and the buffer is not guaranteed to be NUL-terminated, so convert the length to a character count before copying and never copy more than that:

// Length is in bytes; wcsncpy counts characters, so convert first
USHORT cchPassword = Password->Length / sizeof(WCHAR);
wszPassword = new wchar_t[cchPassword + 1];
if (NULL == wszPassword)   // new throws on failure; this check only matters with nothrow new
{
    throw E_OUTOFMEMORY;
}
wcsncpy(wszPassword, Password->Buffer, cchPassword);
wszPassword[cchPassword] = 0;
WriteToLog("Going to check password");
// Initialize STL string
wstrPassword = wszPassword;

Next, the regular expression is instantiated. The sample Password Filter reads the regular expression from the RegEx value of the following registry key:

HKEY_LOCAL_MACHINE\Software\DevX\PasswordFilter

If the value is not found in registry, the dummy default regular expression (“^(A)$”) is used.

Finally, validate the password against the regular expression and return the results to the caller (LSA):

WriteToLog("Going to run match");
// Prepare iterators
wstring::const_iterator start = wstrPassword.begin();
wstring::const_iterator end = wstrPassword.end();
match_results<wstring::const_iterator> what;
unsigned int flags = match_default;
bMatch = regex_match(start, end, what, wrePassword);
if (bMatch)
{
    WriteToLog("Password matches specified RegEx");
}
else
{
    WriteToLog("Password does NOT match specified RegEx");
}
. . .
return bMatch;

Just before you return the results to LSA, perform memory clean-up (cchPassword is the character count derived above from Password->Length):

// Erase all temporary password data
// for security reasons
wstrPassword.replace(0, wstrPassword.length(), wstrPassword.length(), (wchar_t)'?');
wstrPassword.erase();
if (NULL != wszPassword)
{
    ZeroMemory(wszPassword, (cchPassword + 1) * sizeof(wchar_t));
    // Read a character back through a volatile so the compiler cannot drop
    // the zeroing as a dead store (SecureZeroMemory does this for you on
    // Windows Server 2003 and later)
    srand((unsigned)time(NULL));
    volatile wchar_t wch = wszPassword[rand() % (cchPassword + 1)];
    (void)wch;
    delete [] wszPassword;
    wszPassword = NULL;
}
return bMatch;
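The sample copies the password with wcsncpy and Password->Length, but UNICODE_STRING::Length counts bytes and the buffer is not guaranteed to be NUL-terminated, which is exactly where filters like this overrun. Below is an added, portable stand-in for the filter body (not the article's code and not the DevX sample) that converts Length to a character count, uses std::wregex in place of boost::regex, wipes the copy through a volatile pointer instead of the random-read trick, and fails closed on exceptions. The SDK types are declared locally so it builds without <windows.h>; PasswordFilterImpl, FilterDemo, CopyPassword and SecureWipe are names chosen for this example.

```cpp
#include <regex>
#include <string>

// Stand-ins for the SDK types so this builds without <windows.h>.
typedef unsigned char BOOLEAN;
#define TRUE 1
#define FALSE 0
// Length is a byte count (not a character count) and Buffer is not NUL-terminated.
struct UNICODE_STRING { unsigned short Length; unsigned short MaximumLength; wchar_t* Buffer; };
typedef UNICODE_STRING* PUNICODE_STRING;

// The test pattern the article ships in PasswordFilter.reg: letters, digits, letters.
static const wchar_t* const kTestRegEx = L"^([a-zA-Z]+)(\\d+)([a-zA-Z]+)$";

// Copy exactly Length/sizeof(WCHAR) characters; never scan for a terminator.
std::wstring CopyPassword(PUNICODE_STRING Password) {
    return std::wstring(Password->Buffer, Password->Length / sizeof(wchar_t));
}

// Overwrite through a volatile pointer so the zeroing is not a removable dead
// store (on Windows, SecureZeroMemory gives the same guarantee).
void SecureWipe(std::wstring& s) {
    volatile wchar_t* p = &s[0];
    for (size_t i = 0; i < s.size(); ++i) p[i] = 0;
    s.clear();
}

bool MatchesPolicy(const std::wstring& password, const std::wregex& policy) {
    return std::regex_match(password, policy);
}

// Same contract as the exported PasswordFilter: TRUE accepts, FALSE rejects.
// Exceptions are swallowed: one escaping into lsass.exe would take the whole
// logon subsystem down, so the filter fails closed instead.
BOOLEAN PasswordFilterImpl(PUNICODE_STRING /*AccountName*/, PUNICODE_STRING /*FullName*/,
                           PUNICODE_STRING Password, BOOLEAN /*SetOperation*/) {
    try {
        static const std::wregex policy(kTestRegEx);
        std::wstring pw = CopyPassword(Password);
        bool ok = MatchesPolicy(pw, policy);
        SecureWipe(pw);
        return ok ? TRUE : FALSE;
    } catch (...) {
        return FALSE;
    }
}

// Constructed input: the buffer carries extra characters beyond Length, as a
// non-terminated UNICODE_STRING may. A copy that trusted a terminator, or that
// used Length as a character count, would pick up the junk.
BOOLEAN FilterDemo(const std::wstring& password, const std::wstring& trailingJunk,
                   std::wstring* copied = nullptr) {
    std::wstring backing = password + trailingJunk;
    UNICODE_STRING u;
    u.Length = static_cast<unsigned short>(password.size() * sizeof(wchar_t));
    u.MaximumLength = static_cast<unsigned short>(backing.size() * sizeof(wchar_t));
    u.Buffer = &backing[0];
    if (copied) *copied = CopyPassword(&u);
    return PasswordFilterImpl(nullptr, nullptr, &u, TRUE);
}

int main() {
    std::wstring seen;
    BOOLEAN accepted = FilterDemo(L"Paris2003A", L"xyz!!", &seen);
    // Paris2003 followed by a stray "A" in the buffer must still be rejected:
    // the "A" lies beyond Length and is not part of the password.
    BOOLEAN strayByte = FilterDemo(L"Paris2003", L"A");
    return (accepted == TRUE && seen == L"Paris2003A" && strayByte == FALSE) ? 0 : 1;
}
```

The two FilterDemo calls in main are the check worth keeping in a unit test: Paris2003A with junk after it is accepted only because the copy stops at Length, and Paris2003 with an “A” sitting just past Length is rejected for the same reason.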

 

V. Installing the Password Filter

Note: In order to filter passwords for domain users, use the “Domain Security Policy” console on the domain controller and install your password filter there. In this example, the entire configuration is done on the local machine, so the Password Filter will validate passwords for my local machine accounts. Follow this procedure to activate your fresh Password Filter (the same procedure applies on a domain controller):

*       Enable the “Password must meet complexity requirements” rule of the Password Policy.

*       Copy the Password Filter DLL to the %SystemRoot%\system32 folder on your machine.

*       Open the Registry Editor (regedit.exe) and locate the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa

*       Modify the “Notification Packages” multi-string value of that key and add your Password Filter file name without the “.dll” extension, i.e. add the PasswordFilterRegEx string as shown in Figure 3.

clip_image007

 

Figure 3. Editing “Notification Packages”: Add the PasswordFilterRegEx string.

 

*       Close Registry Editor and restart your machine.

Your Password Filter in Action
After you've installed the Password Filter and restarted your machine, you're ready for testing. The source code includes a simple regular expression for testing purposes. Find it in the RegEx value of the HKLM\Software\DevX\PasswordFilter key (the PasswordFilter.reg file is provided with the code for your convenience):

^([a-zA-Z]+)(\d+)([a-zA-Z]+)$

In other words: start with letters, have some digits in the middle and end with letters again. This regular expression is not recommended as a strong password rule, but it is useful for assessing whether your Password Filter does its job.

clip_image009

 

Figure 4. Creating a New User: Select Expand Local Users and Groups, right-click on the Users node, and choose the New User menu item.

 

Remember that this filter sits after the default Windows filter in the chain, and a password is accepted only if every filter in the chain accepts it. So, to have any visible effect, your rule needs to be stricter than the default. The password Paris2003 passes the default filter (mixed case plus digits), but the test regular expression rejects it because it ends with digits. To check this, create a new user. On a Domain Controller, create the user in Active Directory. On a stand-alone workstation, right-click My Computer and choose Manage from the context menu, expand Local Users and Groups, right-click the Users node, and choose New User as shown in Figure 4.

Fill in the new user's details and assign a password. Try a simple one (e.g. Paris2003) and you will get an error message from LSA (Figure 5). Try a password that also satisfies the regular expression (e.g. Paris2003A) and it will be accepted.
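To see the chain semantics without rebooting a machine, here is an added model of it (example code, not the filter from the article): the built-in complexity rule and the test RegEx are evaluated separately and a candidate is accepted only when both say yes. The built-in rule is reproduced from its documented behaviour (at least six characters, three of four character classes, must not contain the account name); the real filter also counts other Unicode letters as a fifth class and checks display-name tokens, which this model skips.

```powershell
# Added example, not part of the original article: models the password filter
# chain. Every registered filter must accept a candidate, so a custom RegEx
# can only tighten what the built-in complexity check already allows.
function Test-DefaultComplexity {
    param([string]$Password, [string]$UserName)
    # Built-in rule (simplified): >= 6 chars, 3 of 4 classes, no account name.
    if ($Password.Length -lt 6) { return $false }
    if ($UserName -and $Password -match [regex]::Escape($UserName)) { return $false }
    $classes = 0
    foreach ($re in '[A-Z]', '[a-z]', '\d', '[^A-Za-z0-9]') {
        if ($Password -cmatch $re) { $classes++ }
    }
    return ($classes -ge 3)
}

function Test-PasswordChain {
    param([string]$Password, [string]$UserName, [string]$RegEx)
    $default = Test-DefaultComplexity -Password $Password -UserName $UserName
    $custom  = $Password -cmatch $RegEx          # case-sensitive, like the C++ regex_match
    [pscustomobject]@{
        Password = $Password
        Default  = $default
        Custom   = $custom
        Accepted = ($default -and $custom)       # AND across the whole chain
    }
}

$testRegEx = '^([a-zA-Z]+)(\d+)([a-zA-Z]+)$'     # the RegEx shipped in PasswordFilter.reg
# Constructed candidates: rejected by the RegEx, accepted by both, rejected by
# the built-in rule (only two character classes) even though the RegEx matches.
'Paris2003', 'Paris2003A', 'abc1def' | ForEach-Object {
    Test-PasswordChain -Password $_ -UserName 'shiv' -RegEx $testRegEx
} | Format-Table -AutoSize
```

The third candidate is the point of the chain: a custom filter cannot loosen the built-in policy, so a RegEx that matches a weak password does not make that password acceptable.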

The Secret Is Out
While there are several commercial products that implement Password Filters, writing one isn't really all that difficult. Now that you understand how they work, you can provide your own, customized solution.

clip_image011

 

Figure 5. Error!: This password doesn’t meet the complexity requirements.

 

 

 

 

 

 

VI. Building the Source Code with VC++

       Download Boost: http://nchc.dl.sourceforge.net/project/boost/boost/1.50.0/boost_1_50_0.zip

 

       Error when building:

I wrote a project which uses <boost/thread/locks.hpp>; I added the include directory to Additional Include Directories and the lib folder to the linker. But when I try to build the solution, I get the error:

Error 1 error LNK1104: cannot open file 'libboost_thread-vc100-mt-sgd-1_50.lib'

I searched for this file in the lib directory, but there is no file with this name there. I found a file with a similar name: libboost_thread-vc100-mt-gd-1_50.

       Answer: I built them following the guide at boost.org/doc/libs/1_50_0/doc/html/bbv2/installation.html

       Installation

To install Boost.Build from an official release or a nightly build, as available on the official web site, follow these steps:

1.     Unpack the release. On the command line, go to the root of the unpacked tree.

2.     Run either .\bootstrap.bat (on Windows), or ./bootstrap.sh (on other operating systems).

3.     Run

./b2 install --prefix=PREFIX

where PREFIX is a directory where you want Boost.Build to be installed.

4.     Optionally, add PREFIX/bin to your PATH environment variable.

If you are not using a Boost.Build package, but rather the version bundled with the Boost C++ Libraries, the above commands should be run in the tools/build/v2 directory.

Now that Boost.Build is installed, you can try some of the examples. Copy PREFIX/share/boost-build/examples/hello to a different directory, then change to that directory and run:

PREFIX/bin/b2

A simple executable should be built.
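The linker error quoted above is a naming mismatch rather than a missing download, and the fix is a one-line build. This is an added note, not part of the quoted answer: in Boost's library names "mt" means multithreaded, "s" means statically linked C runtime (/MTd in Visual Studio), "g" means debug runtime and "d" means debug build, so a project compiled with /MTd asks for the "-sgd-" variant while the default b2 build only produces "-gd-". The path C:\boost_1_50_0 is an assumption.

```powershell
# Added example, not from the quoted answer: build only Boost.Thread in the
# variant the linker asked for (libboost_thread-vc100-mt-sgd-1_50.lib).
# Assumes Boost 1.50 was unpacked to C:\boost_1_50_0 (hypothetical path).
Set-Location C:\boost_1_50_0
.\bootstrap.bat
.\b2 toolset=msvc-10.0 link=static runtime-link=static variant=debug threading=multi --with-thread stage
# Output lands in .\stage\lib; point the linker's library directory there.
# Alternative: set the project's Runtime Library to /MDd so it wants the
# "-gd-" library that the default build already produced.
```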

An easy way to work with AD: an Excel data template plus a VBA macro that runs a bulk "add user account" job in Windows AD.

Excel file: user_new.xls

excel_ad_1

Row 3 (yellow) is where the data to be entered goes.

Rows 1 and 2 are the field header row and the field index used by the code (do not change them).

This code is only for entering data and creating new accounts. It is not meant to update an account after it has been created.

After entering the data for AD,

press Ctrl + Shift + A to run the macro, or to edit it: excel_ad_2

To edit the code, select the macro named AD and press Edit:

excel_ad_3

Open the VBA macro. You should only change the following lines: excel_ad_4

strSheet = "C:\PS\user_new.xls" ' folder path and name of the Excel file used to store and create AD accounts

strContainer = "OU=student," ' the root OU name can be changed if the AD server uses a different one

For example, a K-12 school uses the following structure:

excel_ad_5

There are up to 4 levels: to place the account down in the 4th level, change the OU as follows:

strContainer = "OU=staff,OU=ThaoDien,OU=Computers,OU=Laptop,"
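The same bulk-create job written in PowerShell with the ActiveDirectory module, added here as an example and not the workbook's VBA macro. It keeps the macro's behaviour (create only, never update) and adds the checks you want in a bulk job: skip accounts that already exist, force a password change at first logon, and fail loudly when the domain's password filters reject a spreadsheet password. The CSV layout (columns sAMAccountName, GivenName, Surname, Password, OU), the path C:\PS\user_new.csv and the domain school.local are assumptions.

```powershell
# Added example (not the workbook's VBA macro): bulk account creation with the
# ActiveDirectory module. Assumes a CSV exported from the sheet with columns
# sAMAccountName, GivenName, Surname, Password, OU (hypothetical layout) and
# the domain school.local (hypothetical).
Import-Module ActiveDirectory
$domainDN  = 'DC=school,DC=local'
$upnSuffix = 'school.local'
$users     = Import-Csv -Path 'C:\PS\user_new.csv'

foreach ($u in $users) {
    # Like the macro, this only creates; existing accounts are left untouched.
    if (Get-ADUser -Filter "sAMAccountName -eq '$($u.sAMAccountName)'") {
        Write-Warning "Skipping $($u.sAMAccountName): already exists"
        continue
    }
    # OU column holds the relative path, e.g. "OU=staff,OU=ThaoDien,OU=Computers,OU=Laptop"
    $path = "$($u.OU),$domainDN"
    $pwd  = ConvertTo-SecureString -String $u.Password -AsPlainText -Force
    try {
        New-ADUser -SamAccountName $u.sAMAccountName `
            -Name "$($u.GivenName) $($u.Surname)" `
            -GivenName $u.GivenName -Surname $u.Surname `
            -UserPrincipalName "$($u.sAMAccountName)@$upnSuffix" `
            -Path $path -AccountPassword $pwd `
            -ChangePasswordAtLogon $true -Enabled $true
        Write-Host "Created $($u.sAMAccountName) in $path"
    } catch {
        # A registered password filter (see above) rejecting the password shows
        # up here as "The password does not meet the length, complexity, or
        # history requirement of the domain."
        Write-Warning "Failed for $($u.sAMAccountName): $($_.Exception.Message)"
    }
}
```

The spreadsheet (or CSV) holds initial passwords in clear, so delete it once the accounts exist; ChangePasswordAtLogon limits how long those values stay valid.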

Good luck managing users with Active Directory and the Domain Controller.

ASP.NET authentication and authorization

Introduction

Authentication and Authorization

Detecting authentication and authorization: – The principal and identity objects

Types of authentication and authorization in ASP.NET

Windows Authentication

Forms Authentication

Passport Authentication

Source code

References


Introduction

This article discusses how to implement ASP.NET authentication and authorization. It starts with the authentication and authorization concepts and then explains the three important ways of doing them, i.e. Windows, Forms and Passport. As the article moves ahead it explains Basic, Digest and Integrated authentication in depth. It also dives into how Forms authentication can be used to implement custom authentication and single sign-on. One of the important concepts this article touches on is ticket generation in cookies and how ASP.NET membership and roles can help increase productivity.


Authentication and Authorization

Before proceeding we need to understand four terms that you will see in this article again and again: authentication, authorization, principal and identity. Let's start with authentication and authorization. Their dictionary meanings are roughly:

Authentication: prove genuineness.

Authorization: the process of granting approval or permission on resources.

The same meanings apply to ASP.NET. Authentication means identifying the user, in other words validating that the caller really is the account it claims to be (for instance, that the account exists in your database and the right credentials were presented).
Authorization means deciding whether that user has access to a particular resource on the IIS website. A resource can be an ASP.NET web page, a media file (MP4, GIF, JPEG, etc.), a compressed file (ZIP, RAR), etc.
So the first step is authentication and then authorization. When the user enters 'userid' and 'password' he is first authenticated and identified by the user name.
Then, when the user starts accessing resources like pages, videos etc., a check is made whether he has the necessary access for each resource. The process of identifying the rights on resources is termed 'Authorization'.

To put it simply: establishing "he is Shiv" is authentication, and establishing "Shiv is an admin" is authorization.

Detecting authentication and authorization: – The principal and identity objects

At any moment, if you want to know who the user is and which authentication type he used, use the identity object. If you want to know which roles he belongs to, use the principal object. In other words, authentication details come from the identity object, and authorization details about that identity come from the principal object.

For instance below is a simple sample code which shows how to use identity and principal object to display name and check roles.

Response.Write(User.Identity.Name +"<br>");
Response.Write(User.Identity.AuthenticationType + "<br>");
Response.Write(User.Identity.IsAuthenticated + "<br>");
Response.Write(User.IsInRole("Administrators") + "<br>"); 

Now if you run this code in IIS under anonymous mode it will display no details as shown below.

If you run the above code in IIS using some authentication mode like one shown below “Basic authentication” it will show all the details as shown below.

Types of authentication and authorization in ASP.NET

There are three ways of doing authentication and authorization in ASP.NET:
Windows authentication: In this method ASP.NET web pages use local Windows (or domain) users and groups to authenticate and authorize resources.

Forms Authentication: This is a cookie-based authentication. The user logs in through an HTML page that prompts for credentials; on success a signed (and optionally encrypted) authentication ticket is stored in a cookie on the client, or sent in the URL on every request when cookies are unavailable. The password itself is never stored on the client.

• Passport authentication: Passport authentication is based on the Passport website provided by Microsoft. When the user logs in, the browser is sent to the Passport site (i.e. Hotmail, DevHood, Windows Live, etc.) where authentication happens. If authentication is successful it returns a token to your website.

Anonymous access: If you do not want any kind of authentication, use anonymous access.

GenericPrincipal and GenericIdentity objects represent users who have been authenticated using Forms authentication or other custom authentication mechanisms. With these objects, the role list is obtained in a custom manner, typically from a database.
FormsIdentity and PassportIdentity objects represent users who have been authenticated with Forms and Passport authentication respectively.

Windows Authentication

When you configure your ASP.NET application as windows authentication it will use local windows user and groups to do authentication and authorization for your ASP.NET pages. Below is a simple snap shot which shows my windows users and roles on my computer.

5 steps to enable authentication and authorization using Windows

We will do a small sample to get a grasp of how authentication and authorization works with windows. We will create 2 users one ‘Administrator’ and other a simple user with name ‘Shiv’. We will create two simple ASPX pages ‘User.aspx’ page and ‘Admin.aspx’ page. ‘Administrator’ user will have access to both ‘Admin.aspx’ and ‘User.aspx’ page , while user ‘Shiv’ will only have access to ‘User.aspx’ page.

Step 1:- Creation of web site.

The first step is to create a simple web site with 3 pages (User.aspx, Admin.aspx and Home.aspx) as shown below.

Step 2:- Create user in the windows directory

The next step is we go to the windows directory and create two users. You can see in my computer we have ‘Administrator’ and ‘Shiv’.

Step 3:- Setup the ‘web.config’ file

In ‘web.config’ file set the authentication mode to ‘Windows’ as shown in the below code snippets.

<authentication mode="Windows"/>

We also need to ensure that all users are denied except authorized users.

The code snippet below, inside the authorization tag, denies all anonymous users: '?' stands for any anonymous (unauthenticated) user, while '*' stands for all users.
<authorization>
<deny users="?"/>
</authorization>

Step 4:- Setup authorization
We also need to specify the authorization part. Insert the snippet below in 'web.config' stating that only the 'Administrator' account has access to 'Admin.aspx'. Note that with Windows authentication the roles attribute names a Windows group, so allow the account with users="machine\Administrator"; to allow every member of the local Administrators group instead, use roles="BUILTIN\Administrators".

<location path="Admin.aspx">
<system.web>
<authorization>
<allow users="questpon-srize2\Administrator"/>
<deny users="*"/>
</authorization>
</system.web>
</location>

Step 5:-Configure IIS settings
The next step is to compile the project and upload the same on an IIS virtual directory. On the IIS virtual directory we need to ensure to remove anonymous access and check the integrated windows authentication as shown in the below figure.


Now if you run the web application you will be popped with a userid and password box as shown below.

Once you enter credentials you should be able to see home.aspx as shown below.

In case you are not an administrator (i.e in this case its ‘shiv’) and you navigate to ‘Admin.aspx’ it will throw an error as shown in the below figure.

In case you want to read who the user is and with what authorization rights has he logged in you can use ‘WindowsPrincipal’ and ‘WindowsIdentity’. These two objects represent users who have been authenticated with Windows authentication. You can also get the roles these users have.

Different methods of collecting username and password

In the step-by-step walkthrough above you must have noticed the options in IIS (Integrated, Digest and Basic). These three checkboxes decide how the Windows username and password credentials travel from the client desktop to IIS. There are three ways of passing them:
• Basic
• Digest
• Integrated Windows
In the coming sections we will understand in depth what these three options are.

Basic Authentication

When basic authentication is selected the 'userid' and 'password' are passed in the Authorization header in Base64-encoded form; that is why it is called basic. Base64 is an encoding, not encryption, so anyone who can observe the request recovers the credentials instantly (you can read more about Base64 at http://en.wikipedia.org/wiki/Base64). On its own it is a very weak form of protection: it is only acceptable over TLS (HTTPS), and even then the server receives the cleartext password on every request.

Below is a small demonstration of how easy it is to recover the credentials from basic authentication. In the figure we checked 'Basic authentication' in IIS and ran the Fiddler tool to see the data.

We then copied the 'Authorization: Basic' value and ran the program below. We can see our Windows userid and password in clear.

Below is the code snippet of how to decode ‘Base64’ encoding.

public static string DecodeFrom64(string encodedData)
{
    // Base64 -> bytes -> text. The decoded value is "user:password".
    // UTF8 decodes plain ASCII identically and also handles non-ASCII passwords.
    byte[] encodedDataAsBytes = System.Convert.FromBase64String(encodedData);
    string returnValue = System.Text.Encoding.UTF8.GetString(encodedDataAsBytes);
    return returnValue;
}

Base64 is an encoding mechanism, not encryption

Base64, which basic authentication relies on, exists to carry binary data as text so that it survives protocols that are not 8-bit clean: some of them interpret certain byte sequences as control characters (for instance, FTP in ASCII mode can treat certain byte combinations as line endings). It has no key and is reversible by anyone.

At the end of the day it is an encoding, not an encryption algorithm. That is why, in the previous section, decoding the basic authentication header was so easy.

Digest Authentication

Digest authentication addresses the problem we saw with basic authentication. Instead of sending the password, the client sends an MD5 digest computed over the username, realm, password, a server-supplied nonce and the request URI. The password itself does not cross the wire, and the nonce limits replay. The digest is still MD5 over a low-entropy secret, so a captured exchange can be attacked offline by guessing passwords; like basic authentication, it belongs behind TLS.
In other words digest authentication replaces the weak basic authentication, but it is not a substitute for transport encryption.

That said, one of the big problems with digest authentication is that it is not supported by some browsers, and on IIS it has Active Directory prerequisites on the server side.

Integrated Authentication

Integrated Windows authentication (formerly called NTLM, and also known as Windows NT Challenge/Response authentication) uses either Kerberos v5 authentication or NTLM authentication, depending upon the client and server configuration.
(The above paragraph is taken from
http://msdn.microsoft.com/en-us/library/ff647076.aspx.)
Let's first understand what NTLM and Kerberos authentication are, and then look at the other aspects of integrated authentication.
NTLM is a challenge/response authentication protocol; the password itself never crosses the wire. The sequence of events is:
• The client sends a negotiate message carrying the user and domain name, not the password.
• The server sends a challenge (a random nonce).
• The client responds with a 24-byte result computed from the challenge and the user's password hash.
• The server checks that the response was computed correctly, contacting the domain controller for domain accounts.
• If everything is in order it grants the request.

Kerberos is named after the three-headed dog that guards the gates of Hades, and Kerberos authentication likewise has three participants: the Authentication Service (AS) and the Ticket Granting Service (TGS), both hosted by the Key Distribution Center (in Windows, every domain controller), and the service server. Let's understand step by step how these three entities participate.

Kerberos uses symmetric keys for authentication. Below is how things work:

• In step 1 the client asks the AS for a ticket for the user. The password is not sent; the request is proven with a timestamp encrypted under a key derived from the password (pre-authentication).
• The AS verifies the pre-authentication and returns a Ticket Granting Ticket (TGT), encrypted with the TGS's key, together with a session key.
• When the client needs a service it presents the TGT to the TGS, which issues a service ticket for that service.
• The client presents the service ticket to the service server. In all further interaction no password is sent; the tickets prove that the user was authenticated.

Order of Precedence

One of the things which you must have noticed is that integrated, digest and basic authentication are check boxes. In other words we can check all the three at one moment of time. If you check all the 3 options at one moment of time depending on browser security support one of the above methods will take precedence.

Let’s understand how the security precedence works as per browser security.
• Browser makes a request; it sends the first request as Anonymous. In other words it does not send any credentials.

• If the server does not accept Anonymous, IIS responds with an "Access Denied" error message and sends a list of the authentication types that the server supports.

• If Windows NT Challenge/Response is the only one supported method then the browser must support this method to communicate with the server. Otherwise, it cannot negotiate with the server and the user receives an “Access Denied” error message.

• If Basic is the only supported method, then a dialog box appears in the browser to get the credentials, and then passes these credentials to the server. It attempts to send these credentials up to three times. If these all fail, the browser is not connected to the server.

• If both Basic and Windows NT Challenge/Response are supported, the browser determines which method is used. If the browser supports Windows NT Challenge/Response, it uses this method and does not fall back to Basic. If Windows NT Challenge/Response is not supported, the browser uses Basic.
You can read more about precedence from
http://support.microsoft.com/kb/264921.

In other words the precedence is:

1. Windows NT challenge ( Integrated security)
2. Digest
3. Basic

Comparison of Basic, Digest and Integrated Windows authentication

Method                          Browser support        Mechanism / strength
Basic                           Almost all browsers    Weak: credentials Base64-encoded, readable by anyone on the path without TLS
Digest                          IE 5 and later         MD5 digest of credentials plus a server nonce; no cleartext password on the wire
Integrated Windows (Kerberos)   IE 5 and later         Tickets issued by the KDC in AD: TGT first, then a service ticket
Integrated Windows (NTLM)       IE 5 and later         Challenge/response computed from the password hash

Forms Authentication

Forms authentication is a cookie/URL-based authentication. After a successful login ASP.NET issues an authentication ticket (user name, expiry and a signature, optionally encrypted, under the machineKey; never the password) that is stored in a cookie on the client or, when cookies are not available, carried in the URL on every request.
Below are the steps that happen in forms authentication:
• Step 1: The user enters 'userid' and 'password' through a custom login screen developed for authentication and authorization.

• Step 2: A check is made that the user is valid. The user can be validated against 'web.config', SQL Server, a customer database, Windows Active Directory or various other data sources.

• Step 3: If the user is valid, a cookie holding the authentication ticket is set on the client. That cookie signifies that the user has been authenticated, so when the client browses other resources of your ASP.NET site the credentials are not checked again; only the ticket's signature and expiry are verified. This makes the ticket lifetime (the 'timeout' attribute) and whether the cookie is persistent security-relevant settings.

Forms authentication using ‘web.config’ as a data store

So let's understand step by step how to configure forms authentication. As said earlier, you can store users in 'web.config'. It is definitely not the best way to store users, but it will help us understand forms authentication. Once we understand it we can move on to better versions.

Step 1:- The first thing we need to do is make an entry in to the web.config file with authentication mode as forms as shown below. We need to also provide the following things :-

• LoginUrl :- This property helps us to provide the start page of authentication and authorization.

• defaultUrl :- Once the user is validated he will be redirected to this value , currently its “Home.aspx”.

• cookieless: As said previously, forms authentication uses cookies by default. There are four settings:

o AutoDetect: Detects at runtime whether the browser supports cookies and uses a cookie if so; otherwise the encrypted ticket is passed in the URL.

o UseCookies: Always create a cookie when authentication succeeds. This is the safest choice: a ticket in the URL ends up in server logs, Referer headers and browser history.

o UseUri: Always pass the encrypted ticket in the URL query string.

o UseDeviceProfile: This is the default value. The forms authentication mechanism looks up the browser capability files under
"C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\CONFIG\Browsers" to see whether that browser type supports cookies and decides accordingly. In other words it does not check at runtime whether cookies are actually enabled.

• credentials: In the credentials tag we list some users with name and password. As said previously, we will first use forms authentication with user names stored in web.config. passwordFormat="Clear" stores the passwords in cleartext; "SHA1" or "MD5" store unsalted hashes, which is only marginally better, so this store is for learning, not for production.

<authentication mode="Forms">
<forms loginUrl="Login.aspx" timeout="30" defaultUrl="Home.aspx" 
cookieless="AutoDetect">
<credentials passwordFormat="Clear">
<user name="Shiv" password="pass@123"/>
<user name="Raju" password="pass@123"/>
</credentials>
</forms>
</authentication>

Different customization values for ‘cookieless’ property.

If you set the cookieless as ‘UseDeviceProfile” it will use the browser data from the below file. You can see how Ericsson browser does not support cookies. So if any one connects with ericsson browser and the value is ‘UseDeviceProfile” , forms authentication will pass data through query strings.

Step 2:- Once you have set the “forms” tag values , it’s time to ensure that anonymous users are not able to browse your site. You can set the same by using the authorization tag as shown in the below code snippet.

<authorization>
<deny users="?"/>
</authorization>

Step 3: We also need to define which user has access to which page. In this project we have created two pages,

"Admin.aspx" and "User.aspx". "Admin.aspx" is accessible only to user "Shiv", while "User.aspx" is accessible to both users.

Below web.config settings show how we can set the user to pages.

<location path="Admin.aspx">
<system.web>
<authorization>
<allow users="Shiv"/>
<deny users="*"/>
</authorization>
</system.web>
</location>
<location path="User.aspx">
<system.web>
<authorization>
<allow users="Shiv"/>
<allow users="Raju"/>
<deny users="*"/>
</authorization>
</system.web>
</location>

Step 4 :- We now create our custom page which will accept userid and password.

In the button click we provide the below code. The “FormsAuthentication.Authenticate” looks in the web.config the username and passwords. The “FormsAuthentication.RedirectFromLoginPage” creates cookies at the browser end.

If you run your application , enter proper credentials , you should be able to see a cookie txt file created as shown in the below figure.

If you disable cookies using the browser settings, credentials will be passed via query string as shown in the below figure.

Forms Authentication using SQL server as a data store

To do custom authentication you just replace the "FormsAuthentication.Authenticate" statement with your own validation. For instance in the code below we use a 'clsUser' class to do the authentication but still use the cookie creation mechanism provided by 'FormsAuthentication'. The second argument of RedirectFromLoginPage asks for a persistent cookie that survives closing the browser; pass false unless a "remember me" option is really wanted.

clsUser objUser = new clsUser();
// Validate against your own store (SQL Server here) instead of web.config
if (objUser.IsValid(txtUser.Text, txtPass.Text))
{
    // true = persistent cookie; use false for a session-only ticket
    FormsAuthentication.RedirectFromLoginPage(txtUser.Text, true);
}

Forms authentication using ASP.NET Membership and role

We have used forms authentication mechanism to generate cookie which has minimized lot of our development effort. Many other tasks we are still performing like:-
• Creation of user and roles tables.
• Code level implementation for maintaining those tables.
• User interface for userid and password.

We are sure you must have done the above task for every project again and again. Good news!!! All the above things are now made simple with introduction of membership and roles. To implement ASP.NET membership and roles we need to do the following steps :-

• Run aspnet_regsql.exe from ‘C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727’ folder. Enter SQL Server credentials and run the exe. This will install all the necessary stored procedures and tables as shown in figure ‘Object created by aspnet_regsql.exe’

• Specify the connection string in the ‘web.config’ file where your ASP.NET roles tables and stored procedures are created.

<connectionStrings>
<remove name="LocalSqlServer1"/>
<add name="LocalSqlServer1" connectionString="Data Source=localhost;Initial 
Catalog=test;Integrated Security=True"/> 
</connectionStrings>

• Specify the ASP.NET membership provider and connect the same with the connection string provided in the previous step.

<membership>
<providers>
<remove name="AspNetSqlMembershipProvider"/>
<add name="AspNetSqlMembershipProvider" 
type="System.Web.Security.SqlMembershipProvider, System.Web, 
Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" 
connectionStringName="LocalSqlServer1" enablePasswordRetrieval="false" 
enablePasswordReset="true" applicationName="/" minRequiredPasswordLength="7"/>

</providers>
</membership>

• We also need to specify the role provider and connect the same with the connection string provided in the previous session.

<roleManager enabled="true">
<providers>
<clear/>
<add name="AspNetSqlRoleProvider" connectionStringName="LocalSqlServer1" 
applicationName="/" type="System.Web.Security.SqlRoleProvider, System.Web, 
Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"/>
</providers>
</roleManager>

Now you can use the “Membership” class to create users and roles as shown in the below 2 figures.

You can get a feel how easy it is to use develop authentication and authorization by using forms authentication
and ASP.NET membership and roles.

The dual combination

Authentication and authorization in any application needs 2 things:-
• Mechanism by which you can generate a cookie: – Provided by Forms authentication.

• Custom tables in SQL Server to store user and roles: – Provided by ASP.NET provider and roles.

In other words by using the combination of ticket generation via forms authentication and ASP.NET provider and roles we can come up with a neat and quick solution to implement authentication and authorization in ASP.NET applications.

Forms Authentication using Single Sign on

Many times we would like to implement single sign-on across multiple sites. This can be done with forms authentication: configure forms authentication in both websites with the same machineKey (and the same cookie name, path and domain, so that the browser sends the cookie to both). Once validation is done in one website an authentication cookie is issued. When the user goes to the other website the same cookie is presented, and because that site holds the same keys it can verify the ticket's signature and decrypt it.
Please note that you need the same machineKey in both web.config files. The keys below are an illustration only: anyone holding validationKey can forge tickets for both sites, so never reuse published keys, generate your own random ones, and on .NET 4 and later prefer validation="HMACSHA256" with decryption="AES" over SHA1.

<machineKey 
validationKey="C50B3C89CB21F4F1422FF158A5B42D0E8DB8CB5CDA1742572A487D9401E340
0267682B202B746511891C1BAF47F8D25C07F6C39A104696DB51F17C529AD3CABE" 
decryptionKey="8A9BE8FD67AF6979E7D20198CFEA50DD3D3799C77AF2B72F" 
validation="SHA1" />

You can see a very detail article on Single sign at http://msdn.microsoft.com/en-us/library/ms972971.aspx .

You can also download the code from http://download.microsoft.com/download/B/7/8/B78D1CED-2275-4AEE-B0BE-0DEA1A2A9581/MSDNEnterpriseSecurity.msi
The MSDN article describes how an internal intranet application and an internet application log in through one single sign-on facility.

The diagram referred to here is from http://msdn.microsoft.com/en-us/library/ms972971.aspx (not reproduced).
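Two things a practitioner wants at this point are a way to generate fresh keys and a concrete demonstration of why the keys must match. The script below is an added example, not code from the article or from MSDN: it generates a machineKey element from the CSPRNG and then signs a toy ticket with HMACSHA256 under one site's validationKey and checks it with another site's key. The ticket layout here (user|expiry|mac) is a stand-in, not ASP.NET's real FormsAuthenticationTicket encoding; the user name Shiv and the 30-minute lifetime are assumptions.

```powershell
# Added example (not from the article or MSDN): generate a <machineKey> from
# the CSPRNG and show with a toy HMAC-signed ticket why both sites in an SSO
# pair must share validationKey. Ticket format is a stand-in for illustration.
function New-MachineKeyHex {
    param([int]$Bytes)
    $buf = New-Object byte[] $Bytes
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $rng.GetBytes($buf)
    ($buf | ForEach-Object { $_.ToString('X2') }) -join ''
}

function ConvertFrom-Hex {
    param([string]$Hex)
    $bytes = New-Object byte[] ($Hex.Length / 2)
    for ($i = 0; $i -lt $bytes.Length; $i++) {
        $bytes[$i] = [Convert]::ToByte($Hex.Substring(2 * $i, 2), 16)
    }
    return ,$bytes
}

# 64-byte validation key for HMACSHA256, 32-byte decryption key for AES-256.
$validationKey = New-MachineKeyHex -Bytes 64
$decryptionKey = New-MachineKeyHex -Bytes 32
@"
<machineKey validationKey="$validationKey"
            decryptionKey="$decryptionKey"
            validation="HMACSHA256" decryption="AES" />
"@

function Get-TicketMac {
    param([string]$Payload, [string]$KeyHex)
    $hmac = New-Object System.Security.Cryptography.HMACSHA256 (,(ConvertFrom-Hex $KeyHex))
    [Convert]::ToBase64String($hmac.ComputeHash([Text.Encoding]::UTF8.GetBytes($Payload)))
}

function Protect-Ticket {
    param([string]$User, [datetime]$Expires, [string]$KeyHex)
    $payload = "$User|$($Expires.ToUniversalTime().ToString('o'))"
    "$payload|$(Get-TicketMac -Payload $payload -KeyHex $KeyHex)"
}

function Test-Ticket {
    param([string]$Ticket, [string]$KeyHex)
    $parts = $Ticket -split '\|'
    if ($parts.Count -ne 3) { return $false }
    $payload = "$($parts[0])|$($parts[1])"
    $expires = [datetime]::Parse($parts[1], [cultureinfo]::InvariantCulture,
                                 [System.Globalization.DateTimeStyles]::RoundtripKind)
    # A real implementation compares MACs in constant time; plain equality is
    # enough to show the key dependency here.
    ((Get-TicketMac -Payload $payload -KeyHex $KeyHex) -eq $parts[2]) -and ($expires -gt [datetime]::UtcNow)
}

$siteAKey = $validationKey                 # web.config of site A
$siteBKey = $validationKey                 # same value copied into site B
$otherKey = New-MachineKeyHex -Bytes 64    # a site that did NOT copy the key

$ticket = Protect-Ticket -User 'Shiv' -Expires (Get-Date).AddMinutes(30) -KeyHex $siteAKey
"Site B accepts:     $(Test-Ticket -Ticket $ticket -KeyHex $siteBKey)"   # True
"Other site accepts: $(Test-Ticket -Ticket $ticket -KeyHex $otherKey)"   # False
```

Paste the emitted element into both web.config files; because the MAC depends on validationKey, a site with a different key rejects the ticket exactly as the third line shows, and a site that leaked its key lets anyone mint tickets for every site sharing it.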

Passport Authentication

Passport authentication is based on the passport website provided by the Microsoft .So when user logins with credentials it will be reached to the passport website ( i.e. hotmail,devhood,windows live etc) where authentication will happen. If Authentication is successful it will return a token to your website.
I am leaving this section for now, will update in more details soon

Source code

You can download source code for this tutorial from here

References

Single sign on in sub domain SingleSignon.aspx

Great reference on different authentication mechanism

http://msdn.microsoft.com/en-us/library/ee817643.aspx

MSDN article which explains how to do forms authentication http://support.microsoft.com/kb/301240

MSDN article which explains identity and principal objects http://msdn.microsoft.com/en-us/library/ftx85f8x(v=VS.85).aspx

Patterns and practices page which provides a table that illustrate range of IIS authentication settings. http://msdn.microsoft.com/en-us/library/ff649264.aspx

Order of precedence for Windows authentication, basic authentication and digest authentication http://support.microsoft.com/kb/264921

Nice article on Forms authentication which goes in depth http://www.4guysfromrolla.com/webtech/110701-1.shtml

Forms authentication explained with nice sequence diagrams http://www.asp.net/security/tutorials/an-overview-of-forms-authentication-vb

Nice PDF of best practices for forms authentication http://www.foundstone.com/us/resources/whitepapers/aspnetformsauthentication.pdf

STRATEGIC PARTNERS OF NOVA DIGITAL


 

Technology partner

image

Microsoft Small Business Specialist
– Partner for Office 365 service deployment for colleges, universities and enterprises
Partner specializing in the implementation of, and training on, SharePoint Portal solutions, BizTalk, SQL, Lync and
Office Online

 

image

 

Solution Service IT Professional
Partner specializing in deploying vCenter & vCloud virtualization solutions for the enterprise networks of colleges, universities and
enterprises

image

Solution Service NAS Professional

 Partner specializing in deploying intranet storage and cloud computing solutions on LAN NAS & vCloud for colleges, universities and enterprises.

image

Service Provider SERVER & SAN Professional

Partner specializing in deploying Server & SAN solutions for colleges, universities and enterprises

image

– Partner consulting on and implementing the software system for the "E-Manifest Vietnam Customs" customs declaration service.

– Partner consulting on and deploying the digital television Content Management System for Viettel Media

image

Partner consulting on and deploying ERP financial management software products for enterprise customers.

image

Partner consulting on and deploying the digital television news Content Management System for VTC Media

Partner consulting on and deploying virtualized infrastructure for IT training at VTC Labs.

image

Partner consulting on and deploying the vCloud cloud computing virtualization management system at the CMC IDC, Ho Chi Minh City.

Pioneering enterprises in IT training

image

 

image

1.      ROBUSTA GLOBAL Technology & Training

www.robusta.vn

2.      IPMAC

3.      IT Academic Thang Long

4.      NetPro IT Academic.

5.      IT Center of Hanoi Business and Technology  University

6.      Institute of IT & Telecom training – Hanoi Open University.

7.      Technology Training Institute graduate – Hanoi University of Technology.

8.      IT Academy – National Economics.

9.      Hue Industrial College.

10.  Nhat Nghe

Business and Media Content Partner

VASEP

http://www.vasep.com.vn

For 14 years, partner consulting on and supporting the implementation of ICT capacity building for the Vietnam Seafood Business Association (VASEP).

VITAS

http://www.vitas.org.vn

For 4 years, partner consulting on and building deployments, training and professional office management capability for the Vietnam Tea Association (VITAS).

Vietfores

http://www.vietfores.org

For 14 years, consulting partner and enterprise IT technical support for wood furniture production and processing businesses under the Vietnam Association of Wood.

FUTURE DEVELOPMENT

Our commitment

Quality of service is the guideline for all our activities, so we always focus on satisfying customer requirements with a spirit of dedicated service and a deep understanding of the needs outlined. We improve technology competencies and quality assurance for better products and services.

Alongside this, we constantly improve our technology capabilities and quality processes to provide products and services of the best quality.

Sincere and active in building partnerships for mutual development.

Internal unity, striving for advancement in the education profession.

Reinvesting in society through community education activities.

Development strategy

Invest in new technology to keep moving forward with strategic technology partners.

Improve partner relationships for better business opportunities.

Build trusted relationships with traditional customers.

Enhance training activities and technology transfer with corporate partners.

Human development strategy based on a profound humanist philosophy.

Become a leading company in providing training services and technology solutions in APAC.