Announcements

SecurID® Discussions

Browse the SecurID discussion board to get product help and collaborate with other SecurID users.
emabac
Beginner
Beginner

vb.net - RSA login to web server

I developed a tool on vb.net to connect to one of our company webservices by parsing webpages and automating user mouse clicks.

Recently my company introduced a web authentication using RSA token key (username, password, pin+token) and now my tool don't work anymore.

Navigating with internet explorer, I can login to authentication webpage and from that moment I get access to all the company web pages (also on other servers) but if I close Internet Explorer and start a new Internet Explorer session, I am forced to perform a new authentication. So I understood that the authentication is saved within the Internet Explorer session.

 

How could I perform a RSA login to our webserver from my vb.net tool exactly how I do from internet explorer? If I could do this, then I can allow my tool to continue to work as it was in the past.

Actually the tool uses the system.net.httpClient to get the webpages content.

 

Any hint will be appreciated.

Labels (1)
0 Likes
9 Replies
PiersB
Trusted Contributor Trusted Contributor
Trusted Contributor

There are a few options and most of them require a change by your IT organization.

 

If your enterprise is using an RSA/Agent for IIS, you will need to contact your IT organization and see if your login ID can be added to a non-challenged group. This would allow you to authenticate with just a password. I would also see if they could provide the information you are attempting to access outside the pages for which authentication is required.

 

Another possibility would be for you to request a "Static Passcode" from your Authentication Manager administrator. This is a fixed value that can be used in place of a SecurID passcode. Many organizations will not permit this as it effectively defeats 2-factor authentication.

 

A final option would be possible if you had a software token on your laptop. There is an automation interface that can be used to retrieve the tokencode from a software token installed on your system. You may be able to use this to automate logging on as yourself. Take a look at the RSA SecurID Desktop Token 5.0.2 for Windows Administrator's Guide and look for "Internet Explorer Plug-In".

I can't change the security level of my company.

I would like to find a solution that don't force the network administrator to change the authentication method for my needs cause this will require formal authorization and it could be also denied.

 

Could I modify my vb.net client tool to simulate user clicks on the webpages and perform an automatic login (typing the token when requested)?

 

Does the suggested plugin for internet explorer integrates with vb.net?

I'm not sure about how authentication influences the communication of internet explorer.

anyway my tool depends from the .net httpclient and it just gets webpages content.

 

are you sure your suggestion fits my needs?

 

PS: we use hardware token, not software one.

thank you 

0 Likes

Well if you only use hardware tokens in your company then the software token plugin won't do for you.

The second option though can work for you. A fixed passcode is similar to a password, as there is no automation per say for hardware tokens  

0 Likes

You said that fixed passkey is usually avoid because with it you loose the double credentials security offered by username+password+pin+token

 

could I instead emulate on my tool what happens inside internet explorer?

0 Likes

Does the following .net library has something to do with rsa authentication with token? 

Classe RSACryptoServiceProvider (System.Security.Cryptography) 

0 Likes

Could this component help me with my problem? RSA SecurID for .NET - Browse Files at SourceForge.net 

0 Likes
PiersB
Trusted Contributor Trusted Contributor
Trusted Contributor

None of these have any relation to your problem. If the site has been changed to require SecurID authentication and none of the above recommendations are available to you, I am not aware of any solution that will allow you to automate the authentication process.

 

I still think your best option is to request a "guest" account (using a static passcode mentioned above) that could be used to automate this access. Depending on the application being protected, there may be other regulatory requirements that prohibit anonymous or "guest" access to the information.

0 Likes

The previous version of the website was protected by username and password, and now they introduced also the pin+token. Then I don't think they could allow a static passkey.

0 Likes
PiersB
Trusted Contributor Trusted Contributor
Trusted Contributor

At this point, I'm unsure how to proceed. I believe we have provided all the available options.

 

You will need to either have you IT department provide a static credential or find a different mechanism for your application.

0 Likes