SqlException: Cannot open database when using SignInManager

  • Question

  • User-462241089 posted

    I am trying to create my own custom login screen to use instead of the windows authentication popup window. I have already gotten a lot of help from you guys (thanks, Bruce!), but I now have a strange error that confuses me.

    I was told that I should use PrincipalContext to validate my credentials and then create an identity for .net core security. I don't quite understand what that means, and there isn't any documentation on "creating" an identity. How do I do that?

    I tried to figure this out on my own, and figured I needed to use SignInManager to do that. However, when executing `_signInManager.PasswordSignInAsync` in my app, my app displays this error:

    Cannot open database "WebApp_Redesign" requested by the login. The login failed.
    Login failed for user 'domain\username'

    So does this error indicate that I cannot log into my windows account this way, or is there a step I need to do before I attempt to sign in? My full code is below. I simply post my form with the username and password to this controller class.

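            private readonly UserManager<WebApp_RedesignUser> _userManager;

            . . .

            public async Task<ActionResult> UserLoginAsync(LoginModel user)
            {
                if (user != null)
                {
                    // PasswordSignInAsync looks the user up in Identity's user store, here the database named in the error
                    var result = await _signInManager.PasswordSignInAsync(user.username, user.password, isPersistent: false, lockoutOnFailure: false);

                    if (result.Succeeded)
                    {
                        return RedirectToAction("Index");
                    }
                }

                // Missing model or failed sign-in: show the login form again
                return View(user);
            }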

    Saturday, July 25, 2020 11:42 PM

All replies

  • User1535942433 posted

    Hi MarcusAtMars,

    According to your description, as far as I think, you could do this:

    1. Create a Web app with authentication

    2. Apply migrations

    3. Test Register and Login

    4. View the Identity database

    5. Configure Identity services

    6. Examine Register

    7. Log in


    Cannot open database "WebApp_Redesign" requested by the login. The login failed.
    Login failed for user 'domain\username'

    Basically, to resolve this we need to have some setup like:

    1. Web App running under ApplicationPoolIdentity
    2. Web Application connecting to databases through ADO.NET using Windows Authentication in the connection string.

    I think, you could do this:

    1. Click on Application Pools

    2. Select the name of your application

    3. Go to Advanced Settings

    4. Expand Process Model and click Identity. Click the three dots on the right end.

    5. Click the Set... button and provide your domain login credentials

    For more details, you could refer to the article below:

    https://docs.microsoft.com/en-us/aspnet/core/security/authentication/identity?view=aspnetcore-3.1&tabs=visual-studio

    Best regards,

    Yijing Sun

    Monday, July 27, 2020 8:41 AM
  • User475983607 posted

    Implementing Cookie Authentication without Identity might be an option.

    https://docs.microsoft.com/en-us/aspnet/core/security/authentication/cookie?view=aspnetcore-3.1

    Pretty simple. Create the cookie if the user authenticates. This will get the [Authorize] attributes working.

    Monday, July 27, 2020 10:59 AM
  • User-462241089 posted

    I thought about that, mgebhard. Is cookie authentication secure in .net core mvc? This is a production app and I don't want someone to be able to forge a cookie and break in.

    Also, will cookie auth allow the user's username to be accessed on a razor page via `UserManager.GetUserName(User)`? I have a view that looks like this:

    @using Microsoft.AspNetCore.Identity
    
    @inject SignInManager<. . .> SignInManager
    @inject UserManager<. . .> UserManager
    
    <ul class="navbar-nav">
        @if (User.Identity.IsAuthenticated)
        {
            <li class="nav-item">
                <a id="manage" class="nav-link text-dark" title="Manage">Hello @UserManager.GetUserName(User)!</a>
            </li>
        }
    </ul>

    Monday, July 27, 2020 1:46 PM
  • User-462241089 posted

    yij sun, is this how windows authentication does it? With windows, all I need to do is turn on windows auth, and when I run my app, I just give it my username and password. All the authentication works. I just want my own login screen, but the same authentication that windows auth gives me.

    Monday, July 27, 2020 1:57 PM
  • User475983607 posted

    MarcusAtMars

    I thought about that, mgebhard. Is cookie authentication secure in .net core mvc? This is a production app and I don't want someone to be able to forge a cookie and break in.

    Come on man! Identity uses the same cookie! The cookie contains a token which is just an encrypted string that has claims related to the user. The linked doc covers this...

    MarcusAtMars

    Also, will cookie auth allow the user's username to be accessed on a razor page via `UserManager.GetUserName(User)`? I have a view that looks like this:

    Well, no. The UserManager is an Identity API. You'll need to install Identity into your project if you wish to use Identity. From my perspective, you do not need Identity because you are authenticating with Windows atypically. You still need to persist authentication. Cookie auth does not care about the authentication source. That's why you can use it without Identity as the link explains.

    Use Identity if you need to manage roles but you should use Identity's external login feature if you go this route.

    Anyway, the official docs cover everything you need.

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Monday, July 27, 2020 2:40 PM
  • User-462241089 posted

    Haha, thanks, mgebhard! I'm still really new to .net so a lot of this is still foreign to me.

    mgebhard

    Well, no. The UserManager is an Identity API. You'll need to install Identity into your project if you wish to use Identity. From my perspective, you do not need Identity because you are authenticating with Windows atypically. You still need to persist authentication. Cookie auth does not care about the authentication source. That's why you can use it without Identity as the link explains.

    Use Identity if you need to manage roles but you should use Identity's external login feature if you go this route.

    Anyway, the official docs cover everything you need.

    I've gone through the docs, and a lot of the code in my post is from the docs, but it doesn't seem to work. Where in the docs do you recommend I can find the answers to my problem?

    Or is there a way I can at least 'simulate' identity's UserManager? Like passing the user's name to the page with local storage or something better?

    Monday, July 27, 2020 3:31 PM
  • User475983607 posted

    MarcusAtMars

    Or is there a way I can at least 'simulate' identity's UserManager? Like passing the user's name to the page with local storage or something better?

    The username is available on the next request after creating the authentication cookie; https://docs.microsoft.com/en-us/aspnet/core/security/authentication/cookie?view=aspnetcore-3.1

    User.Identity.Name

    The linked doc has sample code that you can download and run. I recommend downloading the code and playing around. You should be able to integrate the Windows auth code you have rather easily. Anyway, at least this will give us a standard starting point if you have trouble.

    The key point to understand is the authentication cookie middleware knows how to read the cookie on each request and build the Principal from the contents of the cookie.  All you have to do is authenticate the user then populate the cookie.

    You are in total control of what information goes into the cookie.  You can even add extra data about the user referred to as claims.  You'll see this in the example code.   

    Anyway, once you have created the auth cookie all the MVC/Razor Pages security features light up.  You are good to go.

    This is not to be confused with Identity.  Identity is a framework for managing user accounts.  It comes with sample pages, APIs for managing accounts like the UserManager, and a SQL database to persist user accounts. 

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Monday, July 27, 2020 6:03 PM
  • User-462241089 posted

    Thanks for your help, mgebhard. I got everything working, but security does still concern me. Doing it without identity creates a cookie, and you say that identity uses the same cookie (I also found in the docs where it states that, too). However, what is stopping someone from hijacking the session or spoofing the cookie? Can't the cookie also be copied and used again?

    Security has to be top-notch with this app, and I just want the absolute best security .net core offers.

    Tuesday, July 28, 2020 1:59 PM
  • User475983607 posted

    Thanks for your help, mgebhard. I got everything working, but security does still concern me. Doing it without identity creates a cookie, and you say that identity uses the same cookie (I also found in the docs where it states that, too).

    That's because it's true.  Keep in mind, the source code is open.

    However, what is stopping someone from hijacking the session or spoofing the cookie?

    Cookies are part of the HTTP header. If a nefarious actor is able to hijack an auth cookie or Session, that means the code or network has security vulnerabilities. It has nothing to do with using cookies.

    Security has to be top-notch with this app, and I just want the absolute best security .net core offers.

    And every developer's goal.  .NET Core does its best to protect applications and it has lots of security APIs but it is up to you to use the tools effectively.  It is also up to you to understand the many vulnerabilities in web applications so you can mitigate the vulnerabilities.  

    Tuesday, July 28, 2020 2:43 PM