
1

Presented by: Adam Huffman McKendree University

May 21, 2013

TULIP: The UI Login Portal

2

Introduction - TULIP - The UI Login Portal

• TULIP is a website that adds additional security to any web resource

• Developed for UI 4.4 but can be used for any web resource

• Technologies used: IIS 7+ with the IIS URL Rewrite module, HTML 5, CSS 3, C# .NET 4.0, Microsoft Active Directory, and Microsoft SQL Server

3

Agenda – TULIP

1. The need for TULIP

2. High-level overview

3. Demonstrations
   – GitHub
   – How McKendree University uses TULIP

4. Code
   – GitHub
   – What customizations need to be made

4

The need for TULIP

How to allow offsite access to UI 4 without giving student workers access offsite or in their residence hall?

5

The need for TULIP

• Provide offsite access to UI 4.X

• Prevent student workers from accessing UI 4.X in their residence halls and off campus

• Prevent anonymous access to the UI 4.X login

6

High-level overview

How it works

7

High-level overview 1 of 4

Flow diagram: default.aspx --(Campus Login)--> windows_authentication.aspx --(Login)--> redirect.aspx

8

High-level overview 2 of 4

redirect.aspx

1. Insert into the database to create a new GUID with the username and a timestamp

2. Retrieve the newly created GUID

3. Redirect to the Protected Page, appending the GUID to the GET request URL as the ?key= parameter

9

High-level overview 3 of 4

Protected Page

Parts of the Protected Page

Page to be protected (.asp)

begin_key_security.asp

end_key_security.asp

10

High-level overview 4 of 4

Protected Page

1. Retrieve the timestamp from the database that correlates to the GUID

2. Verify that the GUID is not older than ten seconds

3. Serve the Protected Page's content

11

Demonstrations

Show and tell.

12

Demo – GitHub – default.aspx 1 of 3

default.aspx

windows_authentication.aspx

13

Demo – GitHub – Protected Page 2 of 3

/default.asp?key=9775826a-111e-4d25-98fc-fb6a434dd32a

Example of the GUID

The GUID was valid and less than 10 seconds old

The GUID was invalid or more than 10 seconds old

*Instead of Success! the page that is meant to be protected would be displayed.

14

Demo – GitHub – Demo 3 of 3

A temporary demo site will be available during the ellucianIL presentation.

GitHub Demo

15

Demo – McKendree – default.aspx 1 of 3

default.aspx

windows_authentication.aspx

This takes the place of the index.asp page that ships with UI 4

16

Demo – McKendree – launch.asp 2 of 3

/live43/launch.asp?key=9775826a-111e-4d25-98fc-fb6a434dd32a

The Protected Page is now launch.asp which is in its own application live43

Example of the GUID

The GUID was valid and less than 10 seconds old

17

Demo – McKendree 3 of 3

The link will be available during the ellucianIL presentation.

McKendree Demo

18

The Code

Not as scary as it sounds.

19

The Code – Overview 1 of 8

• GitHub

• Servers: IIS 7+ and MS SQL Server

• Files to modify (C#, plus the classic ASP include)
  – web.config
  – tulip.cs
  – windows_authentication.aspx.cs
  – redirect.aspx.cs
  – begin_key_security.asp

20

The Code – GitHub 2 of 8

• Create an account

• Go to github.com/adam-huffman/tulip

• Download the zip file or use GitHub for Windows

• Set up IIS 7+ and Microsoft SQL Server

• Open the project in Microsoft Visual Studio

• Tweak, deploy, repeat

21

The Code – IIS 7+ and SQL 3 of 8

• Microsoft IIS 7+ (Server 2008+)
  – IIS URL Rewrite
  – AppPool with .NET 4 and Integrated Pipeline

• Microsoft SQL Server 2005
  – Should be compatible with newer versions of SQL Server as long as the uniqueidentifier type is available

22

The Code – web.config 4 of 8

<connectionStrings>
  <add name="tulip" providerName="System.Data.SqlClient" connectionString="" />
</connectionStrings>

*Add in your connection string. Because it carries the database password, encrypt the section in place (aspnet_regiis -pe connectionStrings) rather than committing it in clear text.

<system.webServer><rewrite><rules> …

*Change subdomain, domain and top level domain to the appropriate values

23

The Code – tulip.cs 5 of 8

public tulip(){

    // Directory root and DNS domain used for the LDAP bind
    ActiveDirectoryRoot = "LDAP://DC=domain,DC=topleveldomain";
    ActiveDirectoryDomain = "domain.topleveldomain";

    // Service account that performs the group lookup; read-only directory rights are enough
    ActiveDirectorySearcherUserName = "ActiveDirectorySearcher" + "@" + ActiveDirectoryDomain;

    // The original keeps this password in source; an encrypted web.config section is the safer place for it
    ActiveDirectorySearcherPassword = "Password for Active Directory Search Account";

    // Distinguished names of the groups whose members are granted, and denied, the campus login
    ActiveDirectoryGroupsGrantAccess.Add("CN=GroupThatHasAccess,OU=SomeOU,DC=domain,DC=topleveldomain");
    ActiveDirectoryGroupsDenyAccess.Add("CN=GroupThatDoesNotHasAccess,OU=SomeOU,DC=domain,DC=topleveldomain");
}

24

The Code – windows_authentication.aspx.cs 6 of 8

// If the referring URL contains our main application web address then
// we can assume that we redirected the user to the page.
// Request.UrlReferrer is null when the browser sent no Referer header,
// so test for that first to avoid a NullReferenceException.
if ( this.Request.UrlReferrer != null &&
     this.Request.UrlReferrer.ToString().Contains("https://subdomain.domain.topleveldomain"))
{ . . .

*Change subdomain, domain and top level domain to the appropriate values. The Referer header is set by the client, and Contains() also matches any URL that merely embeds this string (a longer host name, or the address inside a query parameter), so treat this as a courtesy check; the GUID check on the protected page is the real access control.
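Why the Contains() test above is only a courtesy check, as an added example that is not part of the TULIP code: a Python comparison of the slide's substring test against a strict origin comparison, run over a few constructed Referer values. The trusted origin is the slide's placeholder host name; the attacker host names are invented for the comparison.

```python
from typing import Optional
from urllib.parse import urlsplit

# Placeholder origin taken from the slide; substitute the real TULIP host name.
TRUSTED_ORIGIN = "https://subdomain.domain.topleveldomain"


def naive_referrer_check(referrer: Optional[str]) -> bool:
    """Mirrors the slide's Contains() test (with the null check the C# also needs)."""
    return referrer is not None and TRUSTED_ORIGIN in referrer


def strict_referrer_check(referrer: Optional[str], trusted_origin: str = TRUSTED_ORIGIN) -> bool:
    """Accept only a referrer whose scheme, host and port equal the trusted origin's."""
    if not referrer:
        return False
    try:
        ref, trusted = urlsplit(referrer), urlsplit(trusted_origin)
        return (ref.scheme, ref.hostname, ref.port) == (trusted.scheme, trusted.hostname, trusted.port)
    except ValueError:  # malformed URL or port
        return False


# Constructed Referer values: the first is genuine, the next three embed the trusted
# string somewhere other than the host, the last is a request with no Referer at all.
SAMPLE_REFERRERS = [
    "https://subdomain.domain.topleveldomain/default.aspx",
    "https://subdomain.domain.topleveldomain.attacker.example/",
    "https://attacker.example/?next=https://subdomain.domain.topleveldomain",
    "https://subdomain.domain.topleveldomain@attacker.example/",
    None,
]


def compare_checks(referrers=SAMPLE_REFERRERS) -> dict:
    """Return {referrer: (naive_result, strict_result)} for each sample value."""
    return {r: (naive_referrer_check(r), strict_referrer_check(r)) for r in referrers}


if __name__ == "__main__":
    for referrer, (naive, strict) in compare_checks().items():
        print(f"naive={naive!s:5} strict={strict!s:5}  {referrer}")
```

Only the first sample passes the strict comparison; the substring test accepts the three hostile values as well, which is why the slide's check should not be relied on for anything more than tidying the user flow.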

25

The Code – redirect.aspx 7 of 8

//Insert into the table (parameterized: the username and timestamp are bound, never concatenated into the SQL text)
SqlCommand myCommand_INSERT = new SqlCommand("INSERT INTO database_table_name VALUES (NEWID(), @username, @timestamp, 'dev');", conn);
myCommand_INSERT.Parameters.AddWithValue("@username", str_UserName);
myCommand_INSERT.Parameters.AddWithValue("@timestamp", datetime_NOW);

//Select the GUID that was just created for this username and timestamp
SqlCommand myCommand_SELECT = new SqlCommand("SELECT [uid] FROM database_table_name WHERE [username] = @username AND [timestamp] = @timestamp;", conn);
myCommand_SELECT.Parameters.AddWithValue("@username", str_UserName);
myCommand_SELECT.Parameters.AddWithValue("@timestamp", datetime_NOW);

*Change the Insert and Select statements where needed. The username comes from Windows authentication, but it is still input to the query; parameters remove the injection risk and keep the timestamp comparison exact instead of depending on string formatting.

str_Redirect_Path = "https://subdomain.domain.topleveldomain/protected/default.asp?key=" + reader["uid"].ToString();

*Change the redirect path; it can be outside of the application

26

The Code – begin_key_security.asp 8 of 8

Conn.Open "PROVIDER=SQLOLEDB;DATA SOURCE=database_server\database_server_instance;UID=database_user_name;PWD=database_user_password;DATABASE=database_name"

*Modify the connection string

' strKey arrives straight from ?key= in the URL, so bind it as a parameter instead of concatenating it into the SQL text
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = Conn
cmd.CommandText = "SELECT [timestamp] FROM [database_table_name] WHERE [uid] = ?"
cmd.Parameters.Append cmd.CreateParameter("uid", 200, 1, 36, strKey)   ' 200 = adVarChar, 1 = adParamInput
Set rs = cmd.Execute

*Modify the select statement where needed

If strDifference < 10 Then

*Modify the number of seconds if needed. The difference is taken between the database timestamp and this server's clock, so the two hosts must keep time together. Note also that the key is not marked as used: a URL that leaks inside the window (proxy logs, browser history, a Referer header) can be replayed until it expires.
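The complete issue-and-verify cycle from the overview slides (redirect.aspx on slide 8, the Protected Page on slide 10) and from the two code slides above, as an added example that is not TULIP's own code. It is Python with an in-memory sqlite3 table standing in for the MS SQL table, every query parameterized, the same ten-second window, and one addition the slides do not have: a used flag so that a key is accepted exactly once. The table and column names, the timestamps and the injection string are all constructed for the example.

```python
import sqlite3
import uuid
from datetime import datetime, timedelta
from typing import Tuple

KEY_TTL_SECONDS = 10  # the window used on the slides: a key must be less than ten seconds old


def open_store() -> sqlite3.Connection:
    """Create the key table. sqlite3 in memory stands in for the MS SQL table on the slides
    (uid, username, timestamp, environment); the 'used' column is an addition for single use."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE tulip_keys ("
        "uid TEXT PRIMARY KEY, username TEXT NOT NULL, issued_at TEXT NOT NULL, "
        "environment TEXT NOT NULL, used INTEGER NOT NULL DEFAULT 0)"
    )
    return conn


def issue_key(conn: sqlite3.Connection, username: str, now: datetime, environment: str = "dev") -> str:
    """redirect.aspx step: mint a fresh GUID for this login, store it with the username and
    timestamp, and return it for the ?key= redirect. All values are bound as parameters."""
    uid = str(uuid.uuid4())
    conn.execute(
        "INSERT INTO tulip_keys (uid, username, issued_at, environment) VALUES (?, ?, ?, ?)",
        (uid, username, now.isoformat(), environment),
    )
    conn.commit()
    return uid


def verify_key(conn: sqlite3.Connection, key: str, now: datetime) -> Tuple[bool, str]:
    """begin_key_security.asp step: look the key up by GUID and accept it only if it exists,
    is younger than KEY_TTL_SECONDS and has not been used. Returns (accepted, username_or_reason).
    Because the key is bound as a parameter, a payload such as ' OR 1=1 -- is just an unknown key."""
    row = conn.execute("SELECT username, issued_at FROM tulip_keys WHERE uid = ?", (key,)).fetchone()
    if row is None:
        return False, "unknown key"
    username, issued_at = row
    age = now - datetime.fromisoformat(issued_at)
    if age < timedelta(0):
        return False, "key issued in the future (clock skew between issuer and verifier)"
    if age >= timedelta(seconds=KEY_TTL_SECONDS):
        return False, "key expired"
    # Burn the key atomically: the WHERE clause makes a second, concurrent use lose the race.
    cur = conn.execute("UPDATE tulip_keys SET used = 1 WHERE uid = ? AND used = 0", (key,))
    conn.commit()
    if cur.rowcount != 1:
        return False, "key already used"
    return True, username


def run_demo() -> dict:
    """Walk through the cases a deployment has to handle; results keyed by scenario name."""
    conn = open_store()
    t0 = datetime(2013, 5, 21, 9, 0, 0)  # constructed timestamps; no real clock is read
    fresh = issue_key(conn, "jdoe", t0)
    return {
        "fresh key after 3 s": verify_key(conn, fresh, t0 + timedelta(seconds=3)),
        "same key replayed": verify_key(conn, fresh, t0 + timedelta(seconds=4)),
        "key at exactly 10 s": verify_key(conn, issue_key(conn, "jdoe", t0), t0 + timedelta(seconds=10)),
        "injection attempt": verify_key(conn, "' OR 1=1 --", t0),
        "unknown guid": verify_key(conn, str(uuid.uuid4()), t0),
    }


if __name__ == "__main__":
    for name, (ok, detail) in run_demo().items():
        print(f"{name:22s} -> {'ACCEPT' if ok else 'REJECT'} ({detail})")
```

The replay case is the one the slides' design leaves open: without the used flag, the second request with the same key inside the window would be served. The UPDATE ... WHERE used = 0 pattern is what makes the single-use guarantee hold even when two requests carrying the same key arrive at once.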