ASP.NET
Run/Execute a VFP 9 from ASP.NET without Process
Gravatar is a globally recognized avatar based on your email address. Run/Execute a VFP 9 from ASP.NET without Process
  Dmitry Litvak
  All
  Aug 9, 2020 @ 02:13pm

Hi,

I need to run/execute a small VFP 9 EXE program from a ASP.NET page (from code behind). But I don't want to use Process class. Process class executes the VFP 9 EXE in the same workspace (or whatever the term is) as the ASP.NET itself. I want the VFP 9 EXE program to run as if it was executed from a command line or somehow "outside" the ASP.NET. The VFP 9 program has just a couple of lines: it determines the username and stores it in a text file.

TIA

Gravatar is a globally recognized avatar based on your email address. re: Run/Execute a VFP 9 from ASP.NET without Process
  Rick Strahl
  Dmitry Litvak
  Aug 9, 2020 @ 04:37pm

You can create a COM object and invoke that from ASP.NET.

If you create an EXE COM server you can set DCOM permissions on it that allow you to set the identify of the process when it runs which can be different of the process that is invoking it.

That said this is a terrible idea - changing security context in an application's flow is fraught with problems as you are likely to forget that this is configured and potentially opens vulnerabilities.

It's better to run your Web process under the appropriate account that has exactly the rights that are needed - you can configure the Application Pool identity for your ASP.NET application as needed and I would add the permissions to that identity that are needed to execute your process which then allows you to use Process.Start().

+++ Rick ---

Gravatar is a globally recognized avatar based on your email address. re: Run/Execute a VFP 9 from ASP.NET without Process
  Dmitry Litvak
  Rick Strahl
  Aug 9, 2020 @ 05:42pm

Thank you.

If you don't mind, a follow up question.

I have Windows authentication set in the web.config as follows: <authentication mode="Windows" />

Why do I never get the value of HttpContext.Current.Request.IsAuthenticated to be True? Always, no matter where, I get False.

Gravatar is a globally recognized avatar based on your email address. re: Run/Execute a VFP 9 from ASP.NET without Process
  Rick Strahl
  Dmitry Litvak
  Aug 9, 2020 @ 11:13pm

Because you need to force authentication in order to get an authenticated user. It doesn't happen automatically. You can force authentication if you disable Anonymous Authentication for the site/virtual.

+++ Rick ---

Gravatar is a globally recognized avatar based on your email address. re: Run/Execute a VFP 9 from ASP.NET without Process
  Dmitry Litvak
  Rick Strahl
  Aug 10, 2020 @ 07:01am

You can force authentication if you disable Anonymous Authentication for the site/virtual.

When I disable Anonymous Authentication, I get error "HTTP Error 401.2 - Unauthorized"

Then I read in the web.config (standard language):

"Windows" IIS performs authentication (Basic, Digest, or Integrated Windows) according to its settings for the application.

My question, please, when IIS performs authentication, how do you set up Basic, Digest, or Integrated Windows? Where in IIS you set it up and how?

Thanks.

Gravatar is a globally recognized avatar based on your email address. re: Run/Execute a VFP 9 from ASP.NET without Process
  Rick Strahl
  Dmitry Litvak
  Aug 10, 2020 @ 12:19pm

You need to enable Windows and/or Basic authentication in IIS on the Web site in order for Windows authentication to work.

See here:

Then make sure you either:

  • Remove Anonymous Access (everybody will be authenticated always)
  • Remove users IUSR_ permissions from a specific folder

Both of those should automatically trigger authentication to fire with a login dialog.

+++ Rick ---

Gravatar is a globally recognized avatar based on your email address. re: Run/Execute a VFP 9 from ASP.NET without Process
  Dmitry Litvak
  Rick Strahl
  Aug 10, 2020 @ 03:44pm

Thank you very much.

I will follow your suggestions.

Gravatar is a globally recognized avatar based on your email address. re: Run/Execute a VFP 9 from ASP.NET without Process
  Dmitry Litvak
  Rick Strahl
  Aug 15, 2020 @ 11:16am

By setting the Anonymous Authentication to Disable and Windows Authentication to True, I - finally - get the User.Identity.IsAuthenticated as True.

But. It only works if I run the page under localhost. That is, this URL: http://localhost/test.aspx'/ Works. That is this page shows the folliwing: User.Identity.Name: DOMAINNAME/MyIserName (that is the username in AD). Correct. Request.LogonUserIdentity.Name: DOMAINNAME/MyIserName (that is the username in AD). Correct. Environment.UserName: ServerName$

But most important, if try to load the page from the server name, I am prompted to enter the Windows username and password. That is, this URL: http://servername/test.aspx/ Asks for the username and password.

Why it works in the localhost but not in the servername?

TIA

Gravatar is a globally recognized avatar based on your email address. re: Run/Execute a VFP 9 from ASP.NET without Process
  Rick Strahl
  Dmitry Litvak
  Aug 15, 2020 @ 03:27pm

That's the behavior you should see.

You don't have to log in on localhost because the local machine can authenticate you based on your Windows credentials. That's not the case with a remote machine.

Relying solely on Windows AUthentication is not a good idea anyway - too many issues with that, but even if you use Windows Auth, in an application it usually needs to be supplemented by an internal tracking mechanism for users and cookie based authentication. With Cookie Auth you can then cache authentication information - which is not possible with Windows Authentication.

+++ Rick ---

Gravatar is a globally recognized avatar based on your email address. re: Run/Execute a VFP 9 from ASP.NET without Process
  Dmitry Litvak
  Rick Strahl
  Aug 15, 2020 @ 04:06pm

Thank you for your prompt reply.

The reason I was looking for being able to have the asp.net page Windows authenticated is as follows: The clients wants to have my ASP.NET page - automatically - determine the person/client's Active Directory/Windows username. So far, I cannot figure how. And I thought that if I run the page in the Windows Authenticated mode (which works with the localhost) the page can "see" the user AD/Windows username.

And keep in mind that I am running this test.asp on the VM server. So, theoretically (and I may be wrong), localhost should have the same credentials that the server name does. But I am probably not seeing everything. I will keep trying.

Again, thank you for your help.

Gravatar is a globally recognized avatar based on your email address. re: Run/Execute a VFP 9 from ASP.NET without Process
  Rick Strahl
  Dmitry Litvak
  Aug 15, 2020 @ 04:09pm

You can do that with windows authentication, yes, but it won't set the global user that the application runs under. That will never change (unless you explicitly change it).

But you can retrieve the user's active login via the User Identity.

It'll be in (off the top of my head - so check exact location):

// This never changes - Application Pool Identity 
string applicationUsername = Environment.UserName;

// This is the authenticated user or an empty user (you can check .IsAuthenticated)
string loggedOnUsername = Context.User.Identity?.Username;

+++ Rick ---

Gravatar is a globally recognized avatar based on your email address. re: Run/Execute a VFP 9 from ASP.NET without Process
  Dmitry Litvak
  Rick Strahl
  Aug 15, 2020 @ 04:41pm

Yes, this is what my test.aspx shows.

The value of <User.Identity.Name/> and <HTTPContext.Current.User.Identity.Name/> returns the person's AD username who is logged in the PC.
But so far it only works when I run the page on the server with localhost. And when I run the page, on the same server, but with the servername (instead of the localhost), the page prompts me to log in.

I will need to figure out (if possible) how to make it work with the servername in the URL (and not localhost). Because when the client loads the page in their browser, localhost is not the same as the one on the server.

Gravatar is a globally recognized avatar based on your email address. re: Run/Execute a VFP 9 from ASP.NET without Process
  Dmitry Litvak
  Rick Strahl
  Aug 15, 2020 @ 04:54pm

Sorry, One more question, please (I have taken already a lot of your time).

I am running this test page on my computer (Windows 7). The ASP.NET is in my IIS.

But I can only bring up the page with localhost. Example, http://localhost/test.aspx

How do I replace the "localhost" with my computer name?

On the customer servers I can simply replace the "localhost" with the server name and it works. For example, http//servername/test.aspx

But on my computer when I replace the localhost with my computer name (example: http//dell2018:8080/test.aspx the error message: This page can't be displayed.

What I am trying to do is emulate how the page will behave on the customer VM.

Thank you.

Gravatar is a globally recognized avatar based on your email address. re: Run/Execute a VFP 9 from ASP.NET without Process
  Keith Trangmar
  Dmitry Litvak
  Sep 3, 2020 @ 01:46am

If I may jump in here...

Dmitry, I think you're pursuing a hopeless cause. A remote web client (i.e. one not running on localhost) would never have access to domain & username detail because this would be a huge security risk - it'd be giving away potentially very-sensitive detail to the server about a visitor to the site, without their permission. On a corporate domain, this could provide a big clue to the visitors email address.

Let's say they're logged into their local machine as MyDomainName.com\Forename.Surname - it's not a huge leap to assume that their email address may be Forename.Surname@MyDomainName.com. I believe this sort of detail may have been available in VERY early versions of browsers (15+ years ago) but then the browser development teams realised their mistake & switched it off. (From the looks of some of the named fields, it used to be possible to determine the machine name too...!)

Your best bet would probably be an approach which I've seen used by a site which one of my clients uses, which is to send an email to the "authorised" users with a unique hyperlink in it, back to the webserver in question, which in turn then creates a long-lived cookie. The cookie would preserve the unique identifier, that could subsequently be requested by the server as soon as the user tries to access the page, and the server could then look this up in a table, figure out which user it applied to, and then proceed from there. The cookies would be stored in the local user's private web cache so would be unique to that Windows login, so if someone else were to log in on that machine, they would need to be authorised separately.

Hope this helps.

Keith

Gravatar is a globally recognized avatar based on your email address. re: Run/Execute a VFP 9 from ASP.NET without Process
  Dmitry Litvak
  Keith Trangmar
  Sep 3, 2020 @ 06:11am

Keith,

Thank you very much for the detailed message. It all makes sense.

I actually changed the way this project works. Now a user has to enter his/her username and then the information is pulled from Active Directory.

Dmitry

Gravatar is a globally recognized avatar based on your email address. re: Run/Execute a VFP 9 from ASP.NET without Process
  Rick Strahl
  Dmitry Litvak
  Sep 3, 2020 @ 02:53pm

Yeah that's a much better way to do this because Windows auth is unreliable across browsers and has all sorts of security implications.

@Keith - For Windows Auth, the remote client doesn't have to have access to the domain in order to be able to authenticate against the Web server. You can authenticate just fine with Windows auth over the Internet from any computer.

What won't work is automatically logging you in if you're not on the same domain and not using the same account. For example, I notice I can log into my Web server with Windows auth without having to explicitly login. The user name is the same, but the Web Server is not directly network accessible from my local machine (except over TCP ports like 80/443). Not quite sure how that works, but somehow I suspect Edge is caching the Windows credentials. This doesn't work the same in Firefox (but also seems to work in Chrome) so likely this is browser specific.

Regardless though - I wholeheartedly agree that using Windows Authentication for application level code is a bad idea and robs you of control (and some level of security). It's always better to explicitly use Cookie based security. Even for federated security like Google/Microsoft/FB/Twitter login, the way that's usually handled is to log in using the oAuth provider and then managing the actual local login via cookie auth until it expires.

+++ Rick ---

© 1996-2020