Question about API auth

Hi everyone,

So I have a dashboard on IIS with Windows auth on a server. When I want to create an account, for example, I call an API that is on another server to execute the action.

For the moment I store the user SID in a variable in my dashboard and I include it in the URL to pass it to the API for processing the authentication.

I am wondering if I can directly authenticate the user who calls the API, in the API itself, without having to pass a variable from my dashboard to my API (I tried some things with $Request or $Response …)

Thanks !

Lucas R

Hi,
Sorry, but I think you need to be clearer with your description (don't take that the wrong way).
I tried re-reading your post again but just got lost. I'll try to break down where I'm getting confused:

When I want to create an account, for example

What account? Are you creating an account in your UD dashboard, or something externally?

I call an API that is on another server to execute the action.

More details/context? Is this a UD API? What action?

For the moment I store the user SID in a variable in my dashboard and I include it in the URL to pass it to the API for processing the authentication.

How are you storing the SID in a variable in your dashboard? Where is the SID coming from? How's it getting to your dashboard?
You also mentioned you include it in a URL and pass it to an API for processing the authentication. Which API? Are we talking about UD or your external system at this point?
If external, what system/API are we talking about?
Also, 'for processing the authentication': authentication in UD or in your external system?

I am wondering if I can directly authenticate the user who calls the API, in the API itself, without having to pass a variable from my dashboard to my API (I tried some things with $Request or $Response …)

Hope you can understand my confusion, but honestly I'm completely lost here; you're going to have to be more specific!

What exactly are you trying to achieve?
You’ve mentioned request and response, are you trying to get the information of the visiting user?
$user?

Hi @insomniacc !

Thanks for the answer, and sorry if I was not clear; it's a bit hard for me to explain this thing, haha.

So to be clear, I have one Windows server that is used to host my dashboard. In this dashboard there are a few forms where you can interact with Active Directory: create an account, change a password, etc. (The users are Windows authenticated in this dashboard.)

When you want to create an account and click on the submit button, that invokes a UD REST API on another Windows server that is used to host a few UD APIs. Then the API creates the account in Active Directory.

For the moment I found one way to authenticate and authorize the user to execute the APIs.
I store the SID in a variable with $getSid = $ClaimsPrincipal.identities.user.value and I pass $getSid in the URL of Invoke-RestMethod.
Then in my API I test if the user SID in $getSid matches the SID of a member of an AD group that is authorized to execute the action in the API.

Here is the code of my dashboard:

New-UDInput -Title Account -Content {
    New-UDInputField -Type textbox -Name "givenName" -Placeholder "givenName"
    New-UDInputField -Type textbox -Name "surName" -Placeholder "surName"
} -Endpoint {
    param(
        $givenName,
        $surName
    )
    # SID of the Windows-authenticated user visiting the dashboard
    $getSid = $ClaimsPrincipal.Identities.User.Value
    # The SID and both names travel as URL path segments to the API on the other server
    Invoke-RestMethod -Uri "http://192.X.X.X:8081/api/account/$getSid/$givenName/$surName" -Method POST
}

Then the code of my API:

# Route parameters in the same order the dashboard builds the URL: /account/<sid>/<givenName>/<surName>
$Endpoint = New-UDEndpoint -Url "/account/:getSid/:givenName/:surName" -Method POST -Endpoint {
    param ($getSid, $givenName, $surName)
    # SIDs of the direct members of the group that is allowed to create accounts
    $GroupAuthorized = Get-ADGroup -Filter { name -eq "Admins du domaine" } | Get-ADGroupMember | Select-Object -ExpandProperty SID
    # Only create the account if the SID supplied in the URL is one of those members
    if ($GroupAuthorized.Value -contains $getSid) {
        $name = $givenName + " " + $surName
        New-ADUser -GivenName $givenName -Surname $surName -Name $name
    }
}

Start-UDRestApi -Endpoint $Endpoint -Wait -Port 8081

Here I am wondering if I can authenticate the user using the API without having to pass the SID in the Invoke-RestMethod URI in my dashboard.
I don't know if I can get the user SID directly in the API code; that's why I used $Request and $Response, to see if I can authenticate the user by the request he made from the dashboard.
Or can we Windows authenticate the user directly in the API?

Thanks a lot for your time !

Lucas R

I suppose my question here is, why are you proxying your connections through another server?
Why not just host dashboard and API on the same server?

For example, you could just get the dashboard code to do the work and not even require an API endpoint for these tasks, the trigger being the form on the dashboard itself when it's submitted.
That way, authentication is only required to the dashboard itself.
The app pool identity would have all the granular permissions to AD and would do the work when, for example, a form is filled or a button is clicked. It runs the code at that point, without needing to bounce through to another server/API to do the same.

The problem with bouncing through another server in this way is that the 'user' in this context is not making the connection; it's the app pool identity of your original dashboard. So if you still wanted to go through another server like this, then the app pool identity would need to authenticate against the API, not the user. You can use -Credential if you have Windows auth enabled. Alternatively, the latest video Adam posted shows how to use tokens to auth with an API in Universal. You wouldn't be able to auth as the user, since it's not the user making the call, but you could still pass a variable of the username or SID in a similar way to what you are doing, if you require that information.
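Putting the two halves of that suggestion together, as an added example that is not code from this thread or from the UniversalDashboard project: the dashboard calls the API as its own app pool identity (Invoke-RestMethod -UseDefaultCredentials) and sends the requesting user's SID as a named field in a JSON body, and the API first rejects any caller that is not that identity, checks that the SID is well-formed before comparing it with the group members, and only then creates the account. Assumptions: the API host has Windows authentication enabled (as insomniacc says is needed for -Credential / -UseDefaultCredentials), the POST body reaches the UD endpoint as $Body and the authenticated caller's name as $User, the service account CONTOSO\svc-dashboard and the API host name are placeholders, and the group name and port are the ones from Lucas's code. Test-SidSyntax and Test-AuthorizedSid are plain functions so they can be tried without a domain controller.

```powershell
# Added example, not code from the original thread or from UniversalDashboard.
# Assumptions (placeholders): Windows auth in front of the API, $Body / $User exposed
# to the UD endpoint, service account CONTOSO\svc-dashboard, host api.example.internal.

# ---------------- Dashboard side (runs as the dashboard app pool identity) ----------------
function Invoke-AccountCreate {
    param(
        [Parameter(Mandatory)][string]$UserSid,    # requesting user, from $ClaimsPrincipal
        [Parameter(Mandatory)][string]$GivenName,
        [Parameter(Mandatory)][string]$Surname,
        [string]$ApiBase = 'https://api.example.internal:8081'   # placeholder host
    )
    # The SID is request data, not a path segment, so it also stays out of URL access logs.
    $payload = @{ requesterSid = $UserSid; givenName = $GivenName; surName = $Surname }
    Invoke-RestMethod -Uri "$ApiBase/api/account" -Method Post `
        -ContentType 'application/json' -Body ($payload | ConvertTo-Json -Compress) `
        -UseDefaultCredentials   # Windows auth as the app pool identity, not as the visitor
}
# Inside the form's -Endpoint block:
#   Invoke-AccountCreate -UserSid $ClaimsPrincipal.Identities.User.Value -GivenName $givenName -Surname $surName

# ---------------- API side ----------------
function Test-SidSyntax {
    # The SecurityIdentifier constructor throws on anything that is not a valid SID string.
    param([string]$Sid)
    try {
        $null = New-Object System.Security.Principal.SecurityIdentifier($Sid) -ErrorAction Stop
        return $true
    }
    catch { return $false }
}

function Test-AuthorizedSid {
    # $MemberSids: SID strings of the authorizing group's members, resolved by the caller.
    param([string]$Sid, [string[]]$MemberSids)
    return (Test-SidSyntax -Sid $Sid) -and ($MemberSids -contains $Sid)
}

$namePattern = "^[\p{L}' -]{1,64}$"   # letters, apostrophe, space, hyphen only

$Endpoint = New-UDEndpoint -Url '/account' -Method POST -Endpoint {
    # 1. Authenticate the caller: only the dashboard's service account may use this API
    #    ($User holding the Windows caller name is an assumption about the UD host setup).
    if ($User -ne 'CONTOSO\svc-dashboard') { throw 'Unexpected or unauthenticated caller' }

    # 2. Validate the asserted identity and the inputs before touching AD.
    $req = $Body | ConvertFrom-Json
    if (-not (Test-SidSyntax -Sid $req.requesterSid)) { throw 'Malformed requester SID' }
    if ($req.givenName -notmatch $namePattern -or $req.surName -notmatch $namePattern) { throw 'Invalid name' }

    # 3. Authorize: requester must be a (nested) member of the group named in the thread.
    $authorized = Get-ADGroup -Filter { Name -eq 'Admins du domaine' } |
        Get-ADGroupMember -Recursive | Select-Object -ExpandProperty SID |
        ForEach-Object { $_.Value }
    if (-not (Test-AuthorizedSid -Sid $req.requesterSid -MemberSids $authorized)) { throw 'Requester not authorized' }

    # 4. Do the work and echo who asked for it, so the dashboard can log it.
    $name = '{0} {1}' -f $req.givenName, $req.surName
    New-ADUser -GivenName $req.givenName -Surname $req.surName -Name $name
    @{ created = $name; requestedBy = $req.requesterSid }
}

Start-UDRestApi -Endpoint $Endpoint -Port 8081 -Wait
```

The order inside the endpoint is deliberate: the caller check comes first because the SID in the body is only an assertion, and it is trustworthy exactly as far as the caller is. With the caller pinned to the dashboard's service account and the API reachable only from the dashboard's zone, the SID becomes the dashboard vouching for its visitor, which is what the original URL-segment design was trying to express.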

Thanks for this !

I forgot to say something. The reason why I have 2 servers is that my IT infrastructure is divided into zones with firewalls between them. For security reasons, my UD API server that executes the actions is in another zone.

Thanks for the tips i will make some tests !

No prob!
Personally, I would look at either opening the required ports so that I can create AD accounts from the UD server, or shifting my UD server to a location that has access to AD, just to make it easier.
But then again, I'm sure you've already thought of that and have good reason for the way you have things set up. I would maybe look at not attempting to authenticate the visiting user, but just authenticating as the app pool, and then making sure you have the necessary logging in place, whether it's an SQL table, a log file, however you do it, so that you've got that audit trail and you're pushing the relevant user identity along with the action that's been taken.

In my dashboard I've got Application Insights running (which was discussed in another thread), and I've also got a separate dashboard-wide function which I call whenever I want to push something into my audit table. I put this function on any button clicks or writable actions, for example. By default it stores the username of the visiting user, the action taken, the timestamp and the page name the action happened on, but basically it's just Invoke-Sqlcmd2 wrapped with a few parameters to insert a row into a table.
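As an added example of the kind of audit function described above (my code, not insomniacc's wrapper or the dashboard's own): a dashboard-wide Write-DashboardAudit that records who did what, where and when. It uses a parameterized insert so the user name and detail, which are user-influenced strings, never become part of the SQL text, and it falls back to a local JSON-lines file if the database is unreachable so the event is not silently lost. Assumptions: Invoke-Sqlcmd2 from the PowerShell Gallery and its -SqlParameters hashtable, a table dbo.DashboardAudit with the columns named in the comment, that the dashboard exposes the visitor's name as $User, and placeholder server, database and file paths.

```powershell
# Added example, not the thread's own audit function.
# Assumptions: Invoke-Sqlcmd2 (PowerShell Gallery) with -SqlParameters; a table
#   dbo.DashboardAudit(ActionTime datetime2, UserName nvarchar(256), PageName nvarchar(128),
#                      Action nvarchar(128), Detail nvarchar(max));
#   the visiting user's name available as $User; placeholder server/database/file names.

function New-AuditRecord {
    param(
        [Parameter(Mandatory)][string]$UserName,   # visiting user, e.g. $User
        [Parameter(Mandatory)][string]$Action,     # e.g. 'CreateADUser'
        [string]$PageName = '',
        [string]$Detail = ''
    )
    # One record shape for both the SQL write and the fallback file.
    return @{
        ActionTime = (Get-Date).ToUniversalTime()
        UserName   = $UserName
        PageName   = $PageName
        Action     = $Action
        Detail     = $Detail
    }
}

function Write-DashboardAudit {
    param(
        [Parameter(Mandatory)][hashtable]$Record,
        [string]$ServerInstance = 'sql01.example.internal',                   # placeholder
        [string]$Database       = 'DashboardOps',                              # placeholder
        [string]$FallbackLog    = 'C:\ProgramData\UDAudit\audit-fallback.jsonl' # placeholder
    )
    # Parameterized INSERT: the values are bound as @parameters, never concatenated into
    # the query string, so a user name such as  x'); DROP TABLE ...--  is just data.
    $query = 'INSERT INTO dbo.DashboardAudit (ActionTime, UserName, PageName, Action, Detail) ' +
             'VALUES (@ActionTime, @UserName, @PageName, @Action, @Detail)'
    try {
        Invoke-Sqlcmd2 -ServerInstance $ServerInstance -Database $Database `
            -Query $query -SqlParameters $Record -ErrorAction Stop
    }
    catch {
        # Never drop an audit event on a DB failure: append it locally and warn.
        $null = New-Item -ItemType Directory -Force -Path (Split-Path -Parent $FallbackLog)
        ($Record | ConvertTo-Json -Compress) | Add-Content -Path $FallbackLog
        Write-Warning "Audit write to SQL failed, event appended to $FallbackLog : $_"
    }
}

# Usage inside a dashboard endpoint, e.g. the submit handler of the account form:
#   $rec = New-AuditRecord -UserName $User -Action 'CreateADUser' -PageName 'Accounts' -Detail "$givenName $surName"
#   Write-DashboardAudit -Record $rec
```

Call it before the action that changes state, not only after, so a request that fails half-way still leaves a trace of who started it; and keep the record on the dashboard side, since in the two-server layout above the API only ever sees the app pool identity and the SID the dashboard forwards.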