Security and cryptography
Forms based authentication in .NET MVC4 and MVC5
- Introduction to Forms based authentication in .NET4.5 MVC4 with C# Part 1
- Introduction to Forms based authentication in .NET4.5 MVC4 with C# Part 2
- Introduction to forms based authentication in ASP.NET MVC5 Part 1
- Introduction to forms based authentication in ASP.NET MVC5 Part 2
- Introduction to forms based authentication in ASP.NET MVC5 Part 3
- Introduction to forms based authentication in ASP.NET MVC5 Part 4
- Introduction to forms based authentication in ASP.NET MVC5 Part 5: Claims
Claims based security
Course from the ground up
- Introduction to Claims based security in .NET4.5 with C# Part 1: the absolute basics
- Introduction to Claims based security in .NET4.5 with C# Part 2: the new inheritance model
- Introduction to Claims based security in .NET4.5 with C# Part 3: claims transformation
- Introduction to Claims based security in .NET4.5 with C# Part 4: authorisation with claims
- Claims-based authentication in MVC4 with .NET4.5 C# part 1: Claims transformation
- Claims-based authentication in MVC4 with .NET4.5 C# part 2: storing authentication data in an authentication session
- Claims-based authentication in MVC4 with .NET4.5 C# part 3: claims based authorisation
- Claims-based authentication in .NET4.5 MVC4 with C#: External authentication with WS-Federation Part 1
- Claims-based authentication in .NET4.5 MVC4 with C#: External authentication with WS-Federation Part 2 Testing a real STS
- Claims-based authentication in .NET4.5 MVC4 with C#: External authentication with WS-Federation Part 3 Various advanced topics
- External authentication with Claims and WS-Federation in MVC4 .NET4.5 Part 4: Single SignOut and Single SignOn
- External authentication with Claims and WS-Federation in MVC4 .NET4.5 Part 5: configuring multiple identity providers for federated log-in
Claims transformation posts
- Handling claims transformation in an OWIN middleware in .NET MVC part 1
- Handling claims transformation in an OWIN middleware in .NET MVC part 2
- Handling claims transformation in an OWIN middleware in .NET MVC part 3
- Handling claims transformation in an OWIN middleware in .NET MVC part 4
Security and cryptography
- Web security in .NET4.5 MVC4 with C#: Cross site request forgery
- Web security in MVC4 .NET4.5 with C#: mass assignment aka overposting
- Web security in .NET4.5: cookie stealing
- Hashing algorithms and their practical usage in .NET Part 1
- Hashing algorithms and their practical usage in .NET Part 2
- Symmetric encryption algorithms in .NET cryptography part 1
- Symmetric algorithms in .NET cryptography part 2
- Introduction to asymmetric encryption in .NET cryptography
- Introduction to digital signatures in .NET cryptography
- How to protect your config file in .NET with cryptography
- Key size and key storage in .NET cryptography
- An encrypted messaging project in .NET with C# part 1: foundations
- An encrypted messaging project in .NET with C# part 2: service and repository
- An encrypted messaging project in .NET with C# part 3: client proxy with web API
- An encrypted messaging project in .NET with C# part 4: encrypting and sending the message
- An encrypted messaging project in .NET with C# part 5: processing the encrypted message
- Encrypt and decrypt plain string with triple DES in C#
- Generate truly random cryptographic keys using a random number generator in .NET
- Hashing messages using various hash algorithms in .NET
- Using HMACs to authenticate a hash in .NET
- How to hash passwords with a salt in .NET
- Hashing passwords with a password based key derivation function in .NET
- Overview of symmetric encryption in .NET
- Overview of asymmetric encryption in .NET
- How to store the asymmetric keys in the Windows key store with C#
- Mixing asymmetric and symmetric encryption in .NET part I
- Mixing asymmetric and symmetric encryption in .NET part II
- Mixing asymmetric and symmetric encryption with HMAC hash verification .NET
- An overview of digital signatures in .NET
- Mixing asymmetric and symmetric encryption, HMAC hash verification and digital signatures in .NET
SSL Certificates
Server certificates
- HTTPS and X509 certificates in .NET Part 1: introduction
- HTTPS and X509 certificates in .NET Part 2: creating self-signed certificates
- HTTPS and X509 certificates in .NET Part 3: how to install certificates and use them with IIS
- HTTPS and X509 certificates in .NET Part 4: working with certificates in code
- HTTPS and X509 certificates in .NET Part 5: validating certificates in code
- How to enable SSL for a .NET project in Visual Studio
Client certificates
- Using client certificates in .NET part 1: introduction
- Using client certificates in .NET part 2: creating self signed client certificates
- Using client certificates in .NET part 3: installing the client certificate
- Using client certificates in .NET part 4: working with client certificates in code
- Using client certificates in .NET part 5: working with client certificates in a web project
- Using client certificates in .NET part 6: setting up client certificates for local test usage
- Using client certificates in .NET part 7: working with client certificates in OWIN/Katana
- Using client certificates in .NET part 8: working with client certificates in OWIN/Katana II
- Using client certificates in .NET part 9: working with client certificates in OWIN/Katana III
Web API 2
Security extensibility points
- Web API 2 security extensibility points part 1: starting point and HTTP request context
- Web API 2 security extensibility points part 2: custom authentication filter
- Web API 2 security extensibility points part 3: custom message handlers
- Web API 2 security extensibility points part 4: custom authorisation filters
- Web API 2 security extensibility points part 5: OWIN
Custom authentication mechanism
- Wiring up a custom authentication method with OWIN in Web API Part 1: preparation
- Wiring up a custom authentication method with OWIN in Web API Part 2: the headers
- Wiring up a custom authentication method with OWIN in Web API Part 3: the components
- Wiring up a custom authentication method with OWIN in Web API Part 4: putting the components to work
- Wiring up a custom authentication method with OWIN in Web API Part 5: abstracting away the auth logic
OAuth2
- Introduction to OAuth2: Json Web Tokens
- Introduction to OAuth2 part 2: foundations
- Introduction to OAuth2 part 3: the code flow
- Introduction to OAuth2 part 4: the implicit flow
- Introduction to OAuth2 part 5: the resource owner and client flow
- Introduction to OAuth2 part 6: issues
- Introduction to OAuth2 part 7: OpenID Connect basics
Exercises in .NET with Andras Nemes 
I have not come across any other article series that explained Claims based authentication so well. Excellent job in taking time and providing all this series.
This is an outstanding set of blogs for claims based authentication. Kudos! And thanks for doing this.
Nice one! I follow a couple of blogs, but this is very useful man! Thanks
I’ve started claims based auth. posts. Very good stuff, thank you.
You’re welcome and good luck! Andras
Hi,
I am using a Claims based Authentication in an App
I have this in the web.config file
On trying to run the application I get the following error.
‘Key not valid for use in specified state.’ with a stack trace
[InvalidOperationException: ID1073: A CryptographicException occurred when attempting to decrypt the cookie using the ProtectedData API (see inner exception for details). If you are using IIS 7.5, this could be due to the loadUserProfile setting on the Application Pool being set to false. ]
System.IdentityModel.ProtectedDataCookieTransform.Decode(Byte[] encoded) +165
System.IdentityModel.Tokens.SessionSecurityTokenHandler.ApplyTransforms(Byte[] cookie, Boolean outbound) +123
System.IdentityModel.Tokens.SessionSecurityTokenHandler.ReadToken(XmlReader reader, SecurityTokenResolver tokenResolver) +572
System.IdentityModel.Tokens.SessionSecurityTokenHandler.ReadToken(Byte[] token, SecurityTokenResolver tokenResolver) +75
System.IdentityModel.Services.SessionAuthenticationModule.ReadSessionTokenFromCookie(Byte[] sessionCookie) +414
System.IdentityModel.Services.SessionAuthenticationModule.TryReadSessionTokenFromCookie(SessionSecurityToken& sessionToken) +175
System.IdentityModel.Services.SessionAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs eventArgs) +114
System.Web.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +136
System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +69
Would you please help me out on this one.
Thanks in advance
Hello,
“I have this in the web.config file”
I don’t see any XML in your comment. It might not be possible to paste XML in a WordPress comment field.
//Andras
Pingback: ClaimAuthorizeAttribute | KarlZ
Great posts. Your list is missing https://dotnetcodr.com/2013/02/14/introduction-to-claims-based-security-in-net4-5-with-c-part-2-the-new-inheritance-model/ and
Hi Tony,
Thanks for your comment, I’ve updated the page.
//Andras
I just came cross your blog around 3 months ago. it’s Very rich and useful by the way some articles even helped me to pass in one of the Microsoft’s exam.
Keep up.
Thanks for your comment. I’m glad you find this blog useful. //Andras
Pingback: Introduction to Forms based authentication in .NET4.5 MVC4 | tuandom's Blog
Pingback: Introduction to Forms based authentication in MVC4 & MVC5 | tuandom's Blog
Thank you Andras. Perfect articles, excellent work and clear explanation of such needed things in web development. Well done!
Detailed and comprehensive articles..
Most importantly, still relevant.
Hi Andras: Your sample on selfhosted OWIN/WebAPI with https Client Certificate Authentication is not working when deployed to webserver.
I am getting 401 UnAuthorized, The target principal name is incorrect error. The below link has some details of the issue. Please share some thoughts if you can.
https://stackoverflow.com/q/46100018/8538696?sem=2
Hi Andras,
Nice walkthrough regarding certificate loading/reading and validations. Could you add an article on how to connect to an URL/server as a client in C# to get information about the SSL certificate published on the remote server?
Best regards,
Adrian O
Thanls for sharing this for free, Andreas. I have learned a lot from your excellent articles.