Website ASP.net security with NAV Web Services.

shepardassoc

I've been having trouble getting my website login authentication to pass through to NAV webservices. My form login user is replaced by a NTSservice Account when ASP.net attempts to connect through the Webservices. I've found I can use an Impersonate user in the webconfig file but I would like to be able to use the NAV users if possible.

alexpeck

It sounds like you currently use forms authentication, and configured your app to impersonate a fixed windows account once they have been authenticated & authorised in ASP.NET. This fixed account is a windows user in NAV, and all ASP.NET forms users map to the fixed account in NAV when accessing the NAV web services.

Instead of using this fixed windows account, you want each ASP.NET client user to map to an individual NAV windows login. Is that correct?

If all of this happens within a single windows domain, you are better off using windows authentication rather than forms auth. The hard part is configuring the ASP.NET host (presumably IIS) to present delegated credentials to the NAV web services.

If the users login from outside the host domain, but their forms credentials map to valid windows credentials inside the host domain, you may be able to exploit the technique described here http://visualstudiomagazine.com/articles/2004/05/01/activate-windows-impersonation-selectively.aspx to impersonate them.

Alex

JDVyska

I was tinkering with using Forms logins and NAV web services most of this morning.

This was only for experimentation, so you'll probably have to come up with something more clever for production, at least on the security management & storage side.

Now, first, in my web.config:

<connectionStrings>
    <add name="aspnetusers" connectionString="Data Source=.\SQLEXPRESS;AttachDbFilename=|DataDirectory|\ASPNETDB.MDF;Integrated Security=True;User Instance=True"   providerName="System.Data.SqlClient" />
  </connectionStrings>
	<system.web>
[...]
<authentication mode="Forms" />
    <membership>
      <providers>
      <clear/>
      <add connectionStringName="aspnetusers" enablePasswordRetrieval="true"
      enablePasswordReset="true" requiresQuestionAndAnswer="false"
      applicationName="[NAVTest2]" requiresUniqueEmail="true"
      passwordFormat="Clear" maxInvalidPasswordAttempts="5"
      passwordAttemptWindow="10" passwordStrengthRegularExpression=""
      minRequiredPasswordLength="6" minRequiredNonalphanumericCharacters="0"
      name="AspNetSqlMembershipProvider"
      type="System.Web.Security.SqlMembershipProvider"/></providers>
    </membership>

This stores the passwords in clear text, so I wouldn't suggest this is *the* way to go when you port to production. You'll probably have to come up with a clever system that allows you to populate your security system with Active Directory info or something.

Anyway, with Clear passwordFormat and enablePasswordRetrieval, you can call the Credential piece of the web service generation with the login information of your user.

Customer_Service CustServ = new Customer_Service();
        CustServ.UseDefaultCredentials = false;
        MembershipUser mu = Membership.GetUser(User.Identity.Name);
        CustServ.Credentials = new System.Net.NetworkCredential(User.Identity.Name, mu.GetPassword(), [domain]);

Not sure if this helps even in the slightest, but it did technically work for me.

shepardassoc

I need to use form authentication due to the web access will be from a mobile device not connected to the network/domain. My current strategy is to use the ASP.net user tables/schema in a SQL database and store the NAV windows login associated with the ASP user. Then try to pass the NAV windows user, retrieved when logging in using the ASP user, on through the web services so I can take advantage of the NAV security. We will see if this works or not. Might be a crazy idea.