Jack Couch looks at how to set up ADFS and when to use it; he then shows how to connect to an outside organization to offer single sign-on.
MSDN Magazine December 2007
We've set up an intranet site using Windows Integrated Security. It's up and running and users can access it. However, they are being challenged with a login dialog for the server when they initially access the site.
Isn't it possible to configure the server so that the users aren't challenged AND are recognized as being already authenticated by Windows? We're trying to go with a seamless experience, whereby all they have to do is log in to their machine like normal and then go from there.
In this article, Microsoft security expert Michael Howard discusses the cardinal rules of attack surface reduction. His rules - reduce the amount of code executing by default, reduce the volume of code that is accessible to untrusted users by default, and limit the damage if the code is exploited - are explained along with the techniques to apply the rules to your code.
MSDN Magazine November 2004
We have a web application configured with FBA (SQL and LDAP) and users are authenticated using their username. Now we have a requirement to authenticate users using email ID instead of username. We have one solution also that requires changing an entry in the web.config file for the membership provider, but it doesn't suffice as it works only for newly added users and not existing ones, and the site is already in a production environment with a large user base. Any suggestions to meet this requirement?
I am working on an app where users are only allowed access if they click through from certain URLs. I.e. I need to authenticate by using the referral url and I am using Request.UrlReferrer to achieve this.
I am guessing that the Request.UrlReferrer can be tampered with by malicious users to gain access...
Is there any way I can achieve the above scenario securely?
Look forward to your replies.
When using lists, it is easy to specify that users can only see lists that they created (through Advanced Settings)... Is there a similar way to do this with document libraries? Rather than doing item level security... Thanks.
Will it somehow be possible to show members of an AD group?
We have some superusers, and they all have the AD group: super_users.
Can I show all members somehow?
Maybe by a search flag, so it is just a link to a search result?
My asp.net page now gives a popup box titled "Security Warning" when the page loads. There are multiple pages in my app that do this. The content of the dialog box reads "Do you want to view only the webpage content that was delivered securely?"
Why is this happening all of a sudden? I think it's because the pages contain some http links to external site pages, but I don't remember seeing the message before, and those "nonsecure" links have been there from the beginning. I did add 30+ images though, sourced from another directory of the project.
Is there some way I can make the images and links "secure"; delivered via https?
Is there some browser setting for users to set so they don't see this popup every time one of the many pages in this website loads?
All feedback and insight is appreciated!!!
I have the IIS webserver on Domain A. I have many users on Domain B, C, D, E.
I've set the NTFS security permission for each user and his/her domain to the webserver's security ntfs permission folder. But it is still not authenticating. So what do I need to do to enable this feature? I am using Windows 2003 webserver.
I am frequently getting this Event ID 55555 on MOSS servers. Users are having problems authenticating. Please help with how to fix this event on my SharePoint farm.
Error description: Error occured while retrieving customer details from Webservice. Thread was being aborted.
I have a SharePoint 2007 FBA site and in the web.config of this site I have 2 membership providers defined with the default provider as the first provider. However my FBA login form is authenticating only the default provider. How to make the login form authenticate the non-default provider also?
Thanks for any help.
I am upgrading from 2005 to 2008 R2. I have the very same exact issue/scenario as described in http://www.go4answers.com/Example/security-extension-report-manager-26934.aspx. I installed CU4 instead of CU3 as the link suggests.
When I go to the Report Manager URL, I get to the UILogon.aspx page just fine to log on with good credentials, but after I enter Username and Password, I get the following message on the form itself: "Value cannot be null. Parameter name: uriString". I can get to Report Manager just fine if I log on to the Report Server first and leave it in IE, and then invoke Report Manager. I think/hope I am missing a setting in a .config file somewhere, I just can't figure out which one.
At transport level clients can be authenticated (depending on the binding) via certificate, username/password or Windows account. I know a service can authenticate itself to clients via certificates, but can it also authenticate itself at transport security level using username/password authentication or perhaps Windows authentication?
For example, I thought we can set a username/password with which the service authenticates itself via the ServiceCredentials.UsernameAuthentication property, but it appears this property is only used to configure how clients get authenticated (via username/password) by a service.
We want to authenticate our users on our main site (default port 80, default.aspx, login page) and once a user has successfully authenticated, we go grab a list of possible URLs for that user and present it as links.
Once the user clicks a link, we want to preserve the authentication context so that the app living on the chosen URL does not have to re-authenticate the user.
Is something like that possible?
Is it recommended to do something like that?
Are there other ways to route users to their destination?
Thanks in advance, regards,