ASP.NET Core Role Based Access Control Project Structure. The tutorial project is organised into the following folders: Controllers - define the end points / routes for the web api, controllers are the entry point into the web api from client applications via http requests. Services - contain business logic, validation and data access code. Entities - represent the application data.
Oracle® Business Intelligence Enterprise Edition Deployment Guide > Enabling Secure Communication in Oracle Business Intelligence > Creating Certificates and Keys >
Generating Server Certificate and Server Private Key
The following procedures generate the server certificate and server private key that BI components acting as servers must possess. The server certificate and private key is used by Oracle BI Cluster Controller, Oracle BI Server, Oracle BI Scheduler, Oracle BI Presentation Services and Oracle BI Presentation Services Plug-in (ISAPI) components.
Generating Server Certificate Request and Private key
Use the following procedure to generate the server certificate request and private key.
To generate the server certificate request and private key
- Dec 28, 2018 The token is signed using HMAC SHA256 Signature algorithm with the key stored in the configuration file. The key should be at least 64 bytes long. In our sample application you can generate a random key using the GenerateKey action in the KeyGenController.
- Otherwise you will have to generate a new private key file and certificate file to go with it. If you regenerate a new private key file and certificate file, any Bamboo servers using the old private key file and certificate file will no longer be able to access the Amazon EC2, as only one X.509 certificate can be associated with your AWS account.
- Run the following command: req -new -keyout $ServerKeyFilename -out $ServerRequestFilename -days $ValidityPeriod -config openssl.cnfFor example:OpenSSL> req -new -keyout server-key.pem -out server-req.pem -days 365 -config openssl.cnfThis example generates the following dialog:Loading 'screen' into random state - done
Generating a 1024 bit RSA private key
............................++++++
...........................................................++++++
writing new private key to 'server-key.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----You are about to be asked to enter information that will be incorporated into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Some-Organization Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:
Email Address []:Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []: - Enter a Distinguished Name as prompted. The Distinguished Name identifies the server.
- Make a note of the passphrase that you entered. This passphrase is needed to decrypt the private key.
The command generates the server private key file called server-key.pem and the certificate request (unsigned server certificate) called server-req.pem.
Creating the Server Certificate
![Sso Generate Private Key Net Core2 Sso Generate Private Key Net Core2](/uploads/1/2/6/0/126088466/935322345.jpeg)
The certificate request created above can be submitted to a commercial CA to generate a server certificate. For testing purposes, the CA generated in the step Creating the Certificate Authority (CA) Certificate can be used to sign the request, as described in the following procedure.
To create the server certificate
- Run the following command: ca -policy policy_anything -out $ServerCertFilename -config openssl.cnf -infiles $ServerRequestFilenameFor example:Openssl>ca -policy policy_anything -out server-cert.pem -config openssl.cnf -infiles server-req.pemFor this example, the following dialog is received:Using configuration from openssl.cnf
Loading 'screen' into random state - done
Enter pass phrase for ./private/cakey.pem:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'US'
stateOrProvinceName :PRINTABLE:'CA'
localityName :PRINTABLE:'Redwood Shores'
organizationName :PRINTABLE:'Oracle'
organizationalUnitName:PRINTABLE:'BI'
commonName :PRINTABLE:'Server Certificate'
Certificate is to be certified until Dec 29 07:06:45 2007 GMT (365 days)
Sign the certificate? [y/n]:y1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated - When prompted, enter the passphrase for the private key of the CA. This is the passphrase that was supplied when creating the private key cakey.pem in the topic Creating the Certificate Authority (CA) Certificate.
This command generates the server certificate named server-cert.pem. The private key of the CA was used to sign the request. The public key is generated and placed in $DIRnewcerts with a filename that reflects the serial number, for example, 01.pem.
The server certificate and private key is used by Oracle BI Cluster Controller, Oracle BI Server, Oracle BI Scheduler, Oracle BI Presentation Services and Oracle BI Presentation Services Plug-in (ISAPI) components.
-->By Scott Addie
Windows Authentication (also known as Negotiate, Kerberos, or NTLM authentication) can be configured for ASP.NET Core apps hosted with IIS, Kestrel, or HTTP.sys.
Windows Authentication (also known as Negotiate, Kerberos, or NTLM authentication) can be configured for ASP.NET Core apps hosted with IIS or HTTP.sys.
Windows Authentication relies on the operating system to authenticate users of ASP.NET Core apps. You can use Windows Authentication when your server runs on a corporate network using Active Directory domain identities or Windows accounts to identify users. Windows Authentication is best suited to intranet environments where users, client apps, and web servers belong to the same Windows domain.
Note
Windows Authentication isn't supported with HTTP/2. Authentication challenges can be sent on HTTP/2 responses, but the client must downgrade to HTTP/1.1 before authenticating.
Proxy and load balancer scenarios
Windows Authentication is a stateful scenario primarily used in an intranet, where a proxy or load balancer doesn't usually handle traffic between clients and servers. If a proxy or load balancer is used, Windows Authentication only works if the proxy or load balancer:
- Handles the authentication.
- Passes the user authentication information to the app (for example, in a request header), which acts on the authentication information.
An alternative to Windows Authentication in environments where proxies and load balancers are used is Active Directory Federated Services (ADFS) with OpenID Connect (OIDC).
IIS/IIS Express
Add authentication services by invoking AddAuthentication (Microsoft.AspNetCore.Server.IISIntegration namespace) in
Startup.ConfigureServices
:Launch settings (debugger)
Configuration for launch settings only affects the Properties/launchSettings.json file for IIS Express and doesn't configure IIS for Windows Authentication. Server configuration is explained in the IIS section.
The Web Application template available via Visual Studio or the .NET Core CLI can be configured to support Windows Authentication, which updates the Properties/launchSettings.json file automatically.
New project
- Create a new project.
- Select ASP.NET Core Web Application. Select Next.
- Provide a name in the Project name field. Confirm the Location entry is correct or provide a location for the project. Select Create.
- Select Change under Authentication.
- In the Change Authentication window, select Windows Authentication. Select OK.
- Select Web Application.
- Select Create.
Run the app. The username appears in the rendered app's user interface.
Existing project
The project's properties enable Windows Authentication and disable Anonymous Authentication:
- Right-click the project in Solution Explorer and select Properties.
- Select the Debug tab.
- Clear the check box for Enable Anonymous Authentication.
- Select the check box for Enable Windows Authentication.
- Save and close the property page.
Alternatively, the properties can be configured in the
iisSettings
node of the launchSettings.json file:New project
Execute the dotnet new command with the
webapp
argument (ASP.NET Core Web App) and --auth Windows
switch:Existing project
Update the
iisSettings
node of the launchSettings.json file:When modifying an existing project, confirm that the project file includes a package reference for the Microsoft.AspNetCore.App metapackageor the Microsoft.AspNetCore.Authentication NuGet package.
IIS
IIS uses the ASP.NET Core Module to host ASP.NET Core apps. Windows Authentication is configured for IIS via the web.config file. The following sections show how to:
- Provide a local web.config file that activates Windows Authentication on the server when the app is deployed.
- Use the IIS Manager to configure the web.config file of an ASP.NET Core app that has already been deployed to the server.
If you haven't already done so, enable IIS to host ASP.NET Core apps. For more information, see Host ASP.NET Core on Windows with IIS.
Enable the IIS Role Service for Windows Authentication. For more information, see Enable Windows Authentication in IIS Role Services (see Step 2).
IIS Integration Middleware is configured to automatically authenticate requests by default. For more information, see Host ASP.NET Core on Windows with IIS: IIS options (AutomaticAuthentication).
The ASP.NET Core Module is configured to forward the Windows Authentication token to the app by default. For more information, see ASP.NET Core Module configuration reference: Attributes of the aspNetCore element.
Use either of the following approaches:
- Before publishing and deploying the project, add the following web.config file to the project root:When the project is published by the .NET Core SDK (without the
<IsTransformWebConfigDisabled>
property set totrue
in the project file), the published web.config file includes the<location><system.webServer><security><authentication>
section. For more information on the<IsTransformWebConfigDisabled>
property, see Host ASP.NET Core on Windows with IIS. - After publishing and deploying the project, perform server-side configuration with the IIS Manager:
- In IIS Manager, select the IIS site under the Sites node of the Connections sidebar.
- Double-click Authentication in the IIS area.
- Select Anonymous Authentication. Select Disable in the Actions sidebar.
- Select Windows Authentication. Select Enable in the Actions sidebar.
When these actions are taken, IIS Manager modifies the app's web.config file. A<system.webServer><security><authentication>
node is added with updated settings foranonymousAuthentication
andwindowsAuthentication
:The<system.webServer>
section added to the web.config file by IIS Manager is outside of the app's<location>
section added by the .NET Core SDK when the app is published. Because the section is added outside of the<location>
node, the settings are inherited by any sub-apps to the current app. To prevent inheritance, move the added<security>
section inside of the<location><system.webServer>
section that the .NET Core SDK provided.When IIS Manager is used to add the IIS configuration, it only affects the app's web.config file on the server. A subsequent deployment of the app may overwrite the settings on the server if the server's copy of web.config is replaced by the project's web.config file. Use either of the following approaches to manage the settings:- Use IIS Manager to reset the settings in the web.config file after the file is overwritten on deployment.
- Add a web.config file to the app locally with the settings.
Kestrel
The Microsoft.AspNetCore.Authentication.Negotiate NuGet package can be used with Kestrel to support Windows Authentication using Negotiate and Kerberos on Windows, Linux, and macOS.
Warning
Credentials can be persisted across requests on a connection. Negotiate authentication must not be used with proxies unless the proxy maintains a 1:1 connection affinity (a persistent connection) with Kestrel.
Note
The Negotiate handler detects if the underlying server supports Windows Authentication natively and if it's enabled. If the server supports Windows Authentication but it's disabled, an error is thrown asking you to enable the server implementation. When Windows Authentication is enabled in the server, the Negotiate handler transparently forwards to it.
Add authentication services by invoking AddAuthentication and AddNegotiate in
Startup.ConfigureServices
:Add Authentication Middleware by calling UseAuthentication in
Startup.Configure
:For more information on middleware, see ASP.NET Core Middleware.
Anonymous requests are allowed. Use ASP.NET Core Authorization to challenge anonymous requests for authentication.
Windows environment configuration
The Microsoft.AspNetCore.Authentication.Negotiate component performs User Mode authentication. Service Principal Names (SPNs) must be added to the user account running the service, not the machine account. Execute
setspn -S HTTP/myservername.mydomain.com myuser
in an administrative command shell.Linux and macOS environment configuration
Instructions for joining a Linux or macOS machine to a Windows domain are available in the Connect Azure Data Studio to your SQL Server using Windows authentication - Kerberos article. The instructions create a machine account for the Linux machine on the domain. SPNs must be added to that machine account.
Note
When following the guidance in the Connect Azure Data Studio to your SQL Server using Windows authentication - Kerberos article, replace
python-software-properties
with python3-software-properties
if needed.Once the Linux or macOS machine is joined to the domain, additional steps are required to provide a keytab file with the SPNs:
- On the domain controller, add new web service SPNs to the machine account:
setspn -S HTTP/mywebservice.mydomain.com mymachine
setspn -S HTTP/[email protected] mymachine
- Use ktpass to generate a keytab file:
ktpass -princ HTTP/[email protected] -pass myKeyTabFilePassword -mapuser MYDOMAINmymachine$ -pType KRB5_NT_PRINCIPAL -out c:tempmymachine.HTTP.keytab -crypto AES256-SHA1
- Some fields must be specified in uppercase as indicated.
- Copy the keytab file to the Linux or macOS machine.
- Select the keytab file via an environment variable:
export KRB5_KTNAME=/tmp/mymachine.HTTP.keytab
- Invoke
klist
to show the SPNs currently available for use.
Note
A keytab file contains domain access credentials and must be protected accordingly.
HTTP.sys
HTTP.sys supports Kernel Mode Windows Authentication using Negotiate, NTLM, or Basic authentication.
Add authentication services by invoking AddAuthentication (Microsoft.AspNetCore.Server.HttpSys namespace) in
Startup.ConfigureServices
:Public Private Key Encryption
Configure the app's web host to use HTTP.sys with Windows Authentication (Program.cs). UseHttpSys is in the Microsoft.AspNetCore.Server.HttpSys namespace.
Note
HTTP.sys delegates to kernel mode authentication with the Kerberos authentication protocol. User mode authentication isn't supported with Kerberos and HTTP.sys. The machine account must be used to decrypt the Kerberos token/ticket that's obtained from Active Directory and forwarded by the client to the server to authenticate the user. Register the Service Principal Name (SPN) for the host, not the user of the app.
Note
HTTP.sys isn't supported on Nano Server version 1709 or later. To use Windows Authentication and HTTP.sys with Nano Server, use a Server Core (microsoft/windowsservercore) container. For more information on Server Core, see What is the Server Core installation option in Windows Server?.
Authorize users
The configuration state of anonymous access determines the way in which the
[Authorize]
and [AllowAnonymous]
attributes are used in the app. The following two sections explain how to handle the disallowed and allowed configuration states of anonymous access.Disallow anonymous access
When Windows Authentication is enabled and anonymous access is disabled, the
[Authorize]
and [AllowAnonymous]
attributes have no effect. If an IIS site is configured to disallow anonymous access, the request never reaches the app. For this reason, the [AllowAnonymous]
attribute isn't applicable.Allow anonymous access
When both Windows Authentication and anonymous access are enabled, use the
[Authorize]
and [AllowAnonymous]
attributes. The [Authorize]
attribute allows you to secure endpoints of the app which require authentication. The [AllowAnonymous]
attribute overrides the [Authorize]
attribute in apps that allow anonymous access. For attribute usage details, see Simple authorization in ASP.NET Core.Note
By default, users who lack authorization to access a page are presented with an empty HTTP 403 response. The StatusCodePages Middleware can be configured to provide users with a better 'Access Denied' experience.
Impersonation
ASP.NET Core doesn't implement impersonation. Apps run with the app's identity for all requests, using app pool or process identity. If the app should perform an action on behalf of a user, use WindowsIdentity.RunImpersonated in a terminal inline middleware in
Startup.Configure
. Run a single action in this context and then close the context.RunImpersonated
doesn't support asynchronous operations and shouldn't be used for complex scenarios. For example, wrapping entire requests or middleware chains isn't supported or recommended.While the Microsoft.AspNetCore.Authentication.Negotiate package enables authentication on Windows, Linux, and macOS, impersonation is only supported on Windows.
Private Key Definition
Claims transformations
When hosting with IIS, AuthenticateAsync isn't called internally to initialize a user. Therefore, an IClaimsTransformation implementation used to transform claims after every authentication isn't activated by default. For more information and a code example that activates claims transformations, see ASP.NET Core Module.
When hosting with IIS in-process mode, AuthenticateAsync isn't called internally to initialize a user. Therefore, an IClaimsTransformation implementation used to transform claims after every authentication isn't activated by default. For more information and a code example that activates claims transformations when hosting in-process, see ASP.NET Core Module.