
I have scoured the web looking for bits and pieces of a more comprehensive solution. I have been unsuccessful in my efforts, so I send up a call for help.

The problem: I have a .Net/C# WebApp that uses windows integrated authentication. The application is a custom form application that allows users to submit requests. These requests are then routed to supervisors and other parties that will review and approve the requests.

For audit purposes, I must have each supervisor "Sign" the form. The easy solution - use the active browser session information. A user clicks the "approve" button and that information is logged into the database (ID and date/time). But the auditors don't like this solution. They view it as insecure. They want a separate challenge for credentials where users are forced to enter an ID and password (and very soon present a token/PIN combo in lieu of ID/password).

To satisfy this in an InfoPath version of this form, I used CredUIPromptForCredentials. That code (although written in C#) does not directly port to the new custom web application. I did some digging and uncovered a number of resources on the newer CredUIPromptForWindowsCredentials:

How to show Windows Login Dialog?

Show Authentication dialog in C# for windows Vista/7

How to show authentication dialog in C# .Net 3.5 SP1 Windows Security Custom login validation

This is really in the spirit of what I'm trying to accomplish. With very few modifications to the code in the articles above (and borrowing from some code in my old InfoPath form), I was able to get a working system of prompting and testing.

I would be happy to share the existing code if anyone is interested, but it is VERY similar (nearly verbatim) to the existing code referenced above. The only difference is a separate isAuthenticated method that actually tests the credentials by instantiating a DirectoryEntry object and passing that object to a DirectorySearcher object to test if the credentials worked.

But not so fast. This code, as I said, works, but ONLY when I run in debug mode in Visual Studio 2012. If I visit the site by entering the address and click the button to "sign" the form, the site spins and never shows the security dialog. It's almost as if (and this is just my guess) the IIS settings that allow Windows authentication are preventing the application's request to prompt for credentials. This is not the case when I run the site through the debugger.

Once I get past that barrier, I have to actually do some further testing to see if this code will support authentication with a PKI card. I am guessing it will since CredUI passes the prompting to windows to handle.

So here are the questions: 1) What could possibly be preventing the Windows security window from popping up when the method is called through the IIS server vs. running in Debug (localhost)?

2) Does anyone have any experience with implementing CredUIPromptForWindowsCredentials to work with PKI?

2a) If so, does CredUIPromptForWindowsCredentials actually support PKI without any additional code (assuming that the windows workstations are configured with all of the hardware, drivers, and middleware)?

Thanks in advance for any insight you can lend.

Phil S.
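As an added example (not the poster's code), here is a server-side version of the isAuthenticated check the question describes: the browser posts the supervisor's user name and password over HTTPS, and the check runs inside the IIS worker process with a DirectoryEntry/DirectorySearcher bind, so no desktop dialog is involved. The LDAP root, the class and method names, and the usage snippet are assumptions for illustration; the only real APIs used are System.DirectoryServices and the session identity from integrated authentication.

```csharp
// Added example, not the poster's code. Server-side re-authentication for the
// "sign" step: the user name and password arrive in an HTTPS POST, and the bind
// is performed inside the IIS worker process, which has no interactive desktop.
using System;
using System.DirectoryServices;
using System.Runtime.InteropServices;
using System.Security.Principal;
using System.Text;

public static class SignatureAuth
{
    // Assumed LDAP root for the domain; replace with your own.
    private const string LdapPath = "LDAP://DC=example,DC=local";

    // Returns true only if (a) the supplied credentials bind to Active Directory and
    // (b) they belong to the same account as the integrated-auth session identity,
    // so a signature cannot be made with a colleague's credentials.
    public static bool IsAuthenticated(string userName, string password, IPrincipal sessionUser)
    {
        if (string.IsNullOrEmpty(userName) || string.IsNullOrEmpty(password) || sessionUser == null)
            return false;

        string sam = StripDomain(userName);
        if (!string.Equals(sam, StripDomain(sessionUser.Identity.Name), StringComparison.OrdinalIgnoreCase))
            return false;   // wrong account for this session: do not even attempt the bind

        try
        {
            // AuthenticationTypes.Secure = SSPI (Kerberos/NTLM) bind; the password is not
            // sent in clear text as it would be with a simple LDAP bind.
            using (var root = new DirectoryEntry(LdapPath, userName, password, AuthenticationTypes.Secure))
            using (var searcher = new DirectorySearcher(root))
            {
                // The bind is only performed when the directory is first touched, i.e. here.
                searcher.Filter = "(&(objectClass=user)(sAMAccountName=" + EscapeLdapFilter(sam) + "))";
                searcher.PropertiesToLoad.Add("sAMAccountName");
                SearchResult result = searcher.FindOne();
                return result != null;
            }
        }
        catch (COMException)
        {
            // Covers DirectoryServicesCOMException: bad user name or password,
            // locked-out or disabled account, or LDAP server unreachable.
            return false;
        }
    }

    // "DOMAIN\user" -> "user"; leaves a bare user name unchanged.
    private static string StripDomain(string name)
    {
        int slash = name.IndexOf('\\');
        return slash >= 0 ? name.Substring(slash + 1) : name;
    }

    // RFC 4515 escaping so a user-supplied name cannot change the meaning of the filter.
    private static string EscapeLdapFilter(string value)
    {
        var sb = new StringBuilder(value.Length);
        foreach (char ch in value)
        {
            switch (ch)
            {
                case '\\': sb.Append(@"\5c"); break;
                case '*':  sb.Append(@"\2a"); break;
                case '(':  sb.Append(@"\28"); break;
                case ')':  sb.Append(@"\29"); break;
                case '\0': sb.Append(@"\00"); break;
                default:   sb.Append(ch); break;
            }
        }
        return sb.ToString();
    }
}

// Usage from the page or controller that handles the "sign" POST (HTTPS only; names assumed):
//   bool signed = SignatureAuth.IsAuthenticated(userNameField, passwordField, HttpContext.Current.User);
//   if (signed) { /* write signer id, UTC timestamp and request id to the audit table */ }
```

This covers the ID/password challenge only. A smart card with PIN is a certificate-based logon handled by the operating system or by IIS client-certificate mapping, not by an LDAP password bind, so that factor would need a different server-side check than the one shown here.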


1 Answer


Looking at your problem, and as an old auditor, may I recommend a detour to satisfy your auditing team? PKI is not the safest thing around...

1) Provide a normal LOGIN/PASSWORD form, without any special instruction or credentials (that could be defrauded or stolen "on the fly"). Preferably, use HTTPS on this page.

2) Once the guy has entered the data, pass a 2-factor authentication using SMS (Instant Message). The cost is really irrelevant (see Twilio to get some idea). Obviously, each guy, beyond his login/password, must have his phone within the database.

3) This way you can ensure that the supervisor is really the guy who approved/signed the page.

It's the safer mode and, because of it, Facebook, Google Mail and others are using this method.

Sorry, I know I haven't answered you as you need, but it's safer than your proposal. Good luck!

David BS
  • The system is actually two-factor. There is a PKI card with certificates and a CA. The user presents the card and provides the PIN associated with the card. Something you have and something you know - two factors. The site is running over SSL, so it is encrypted and secure. – Phil S. Sep 21 '15 at 14:44
  • I understood. I think: 1) You cannot bypass the CredUIPromptForWindowsCredentials since one of its requirements is to get an input from the user. 2) Maybe the problem between Development (debug) and Production environments is that the credentials are not installed and available on the Production server (had you checked it?). 3) The server must also see a Certification Authority and IIS must also be configured to see this (the same as when we install SSL certificates). It's not really my expertise, but if your code is a verbatim copy of the other, the problem may be related to something outside it. – David BS Sep 21 '15 at 21:56
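The login-then-SMS step-up that the answer recommends, as an added example in C# of the server side (not the answerer's code): a one-time code is issued only after the login/password form succeeds, only its hash is stored, and it is accepted once, within a short window and a limited number of attempts. Sending the text message is delegated to a callback so it can be wired to Twilio or any gateway; the class name, the phone-number lookup and the in-memory store are assumptions for illustration.

```csharp
// Added example, not from the answer. Server-side half of the SMS step-up:
// issue a one-time code after the login/password check, store only its hash,
// and accept it once, within a short window and a few attempts.
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

public sealed class SmsStepUp
{
    private sealed class Challenge
    {
        public byte[] CodeHash;
        public DateTime ExpiresUtc;
        public int Attempts;
    }

    private const int MaxAttempts = 3;
    private static readonly TimeSpan Lifetime = TimeSpan.FromMinutes(5);

    // Pending challenges keyed by user id. An in-memory table is fine for one
    // server; a web farm needs a shared store (database or distributed cache).
    private readonly Dictionary<string, Challenge> _pending = new Dictionary<string, Challenge>();
    private readonly object _lock = new object();

    // (phoneNumber, body) -> sends the text; wire this to Twilio or any SMS gateway.
    private readonly Action<string, string> _sendSms;

    public SmsStepUp(Action<string, string> sendSms) { _sendSms = sendSms; }

    // Step 2 of the answer: call only after the login/password form succeeded.
    // phoneNumber comes from the user's record in the database, never from the request.
    public void Begin(string userId, string phoneNumber)
    {
        string code = GenerateCode();
        lock (_lock)
        {
            _pending[userId] = new Challenge
            {
                CodeHash = Hash(userId, code),
                ExpiresUtc = DateTime.UtcNow + Lifetime,
                Attempts = 0
            };
        }
        _sendSms(phoneNumber, "Your approval code is " + code + ". It expires in 5 minutes.");
    }

    // Step 3: true exactly once per challenge, and only for the user it was issued to.
    public bool Verify(string userId, string code)
    {
        lock (_lock)
        {
            Challenge c;
            if (!_pending.TryGetValue(userId, out c)) return false;

            c.Attempts++;
            if (DateTime.UtcNow > c.ExpiresUtc || c.Attempts > MaxAttempts)
            {
                _pending.Remove(userId);      // expired or brute-forced: user must restart
                return false;
            }

            bool ok = FixedTimeEquals(c.CodeHash, Hash(userId, code ?? string.Empty));
            if (ok) _pending.Remove(userId);  // single use
            return ok;
        }
    }

    // Six decimal digits from the OS CSPRNG, rejection-sampled to avoid modulo bias.
    private static string GenerateCode()
    {
        var buf = new byte[4];
        using (var rng = new RNGCryptoServiceProvider())
        {
            uint n;
            do
            {
                rng.GetBytes(buf);
                n = BitConverter.ToUInt32(buf, 0);
            } while (n >= 4294000000u);       // largest multiple of 1,000,000 below 2^32
            return (n % 1000000u).ToString("D6");
        }
    }

    // Bind the hash to the user id so a code issued to one user cannot be replayed for another.
    private static byte[] Hash(string userId, string code)
    {
        using (var sha = SHA256.Create())
            return sha.ComputeHash(Encoding.UTF8.GetBytes(userId + "\n" + code));
    }

    // Constant-time comparison; CryptographicOperations.FixedTimeEquals is not available in .NET 4.x.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

Begin should itself be rate-limited per user so that repeated sign attempts cannot be used to flood someone's phone, and the audit record for the signature should be written only after Verify returns true, together with the user id and a UTC timestamp.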