ASP.Net MVC 3 Login and Windows Authentication


Solution 1

This is not an easy task to accomplish. The Windows identity of your intranet user will only be available to you when Windows Authentication in IIS is enabled and anonymous authentication is disabled. When the user's browser hits the server, IIS will perform the NTLM challenge/response process to validate the user. Note that this challenge/response actually occurs on every individual HTTP request, not just once.

The problem with this mechanism is that your Forms authentication will no longer be used, as it kicks in after Windows authentication runs, and failing to authenticate just triggers an IIS access-denied - not a fallback to Forms authentication.

To build a hybrid, you will need to:

  1. Set up your main web application to authenticate users with Forms authentication. Set web.config like this. Generate your own machine key - this is key to ensuring cookie sharing works.

    <authentication mode="Forms">
      <forms loginUrl="~/Account/LogOn" timeout="2880" path="/" enableCrossAppRedirects="true"
             name=".ASPXFORMSAUTH" protection="All" />
    </authentication>
    <machineKey validationKey="C50B3C89CB21F4F1422FF158A5B42D0E8DB8CB5CDA1742572A487D9401E3400267682B202B746511891C1BAF47F8D25C07F6C39A104696DB51F17C529AD3CABE"
                decryptionKey="8A9BE8FD67AF6979E7D20198CFEA50DD3D3799C77AF2B72F"
                validation="SHA1" />
    <system.webServer>
      <security>
        <authentication>
          <anonymousAuthentication enabled="true"/>
          <windowsAuthentication enabled="false"/>
        </authentication>
      </security>
    </system.webServer>
    
  2. Create a new, separate web app to use purely for the NTLM authentication. It will authorize then redirect to the main application. Sorry, the two apps can't be combined.

  3. In the NTLM web app, change the web.config authentication mode as below:

    <authentication mode="Windows" />
    <machineKey validationKey="C50B3C89CB21F4F1422FF158A5B42D0E8DB8CB5CDA1742572A487D9401E3400267682B202B746511891C1BAF47F8D25C07F6C39A104696DB51F17C529AD3CABE"
                decryptionKey="8A9BE8FD67AF6979E7D20198CFEA50DD3D3799C77AF2B72F"
                validation="SHA1" />
    <system.webServer>
      ....
      <security>
        <authentication>
          <windowsAuthentication enabled="true"/>
          <anonymousAuthentication enabled="false"/>
        </authentication>
        <ipSecurity>
          <!-- put whatever here to restrict to your LAN
          <add ..../>
          -->
        </ipSecurity>
      </security>
    </system.webServer>
  4. In the NTLM web app, the controller does one thing: extract the username from (WindowsPrincipal)Thread.CurrentPrincipal and call FormsAuthentication.SetAuthCookie(..). Then redirect to the main web app. Do not use WindowsIdentity.GetCurrent(), as it will not be accurate without impersonation enabled [see msdn.microsoft.com/en-us/library/ff647076.aspx], which you don't want to be using.

  5. You cannot test any of this under Cassini or IIS Express; you must use IIS 7.5.

  6. Go to IIS 7.5 and turn on Feature Delegation for "Authentication - Anonymous" and "Authentication - Windows".

  7. Create an IIS application for your Forms-based app.

  8. Right-click on your newly created Forms app and choose 'Add Application'. Set the path to your NTLM authentication application, and the name to something like "IntranetAuthentication".

  9. In a browser, access http://localhost/YourSite for Forms authentication, and http://localhost/YourSite/IntranetAuthentication to see NTLM authentication and then the pass-through back to the main site.

At your company, direct intranet users to use the intranet logon. Externally everyone uses regular forms authentication page.
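The controller for the nested "IntranetAuthentication" application that Solution 1 describes, written out as an added example; it is not the answer's own code or the linked bitbucket sample. It assumes ASP.NET MVC 3 on .NET 4, Windows authentication on and anonymous authentication off for the child app, and that the child inherits (or repeats) the parent's <forms> element and machineKey, so the cookie it issues under the name .ASPXFORMSAUTH with path="/" is accepted by the parent. The parent's paths (MainAppLoginUrl, MainAppDefaultUrl) and the in-memory user lookup are constructed stand-ins for the real site and the question's User table.

```csharp
// Added example for Solution 1, step 4 (not code from the answer or its repository).
// Assumes: MVC 3 / .NET 4, Windows auth on + anonymous auth off in this child app,
// and the parent's <forms name=".ASPXFORMSAUTH" path="/"> and <machineKey> in effect here.
using System;
using System.Collections.Generic;
using System.Security.Principal;
using System.Threading;
using System.Web.Mvc;
using System.Web.Security;

namespace IntranetAuthentication.Controllers
{
    // Shape of the question's User table: local Username keyed by ADUsername (DOMAIN\user).
    public interface IUserLookup
    {
        string FindUsernameByAdAccount(string adUsername);
    }

    // Constructed in-memory stand-in for the real database query.
    public class InMemoryUserLookup : IUserLookup
    {
        private static readonly Dictionary<string, string> Users =
            new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
            {
                { @"CONTOSO\jdoe", "jdoe" }   // constructed sample row
            };

        public string FindUsernameByAdAccount(string adUsername)
        {
            string username;
            return Users.TryGetValue(adUsername, out username) ? username : null;
        }
    }

    public class AuthController : Controller
    {
        // Assumed parent-site paths; FormsAuthentication.LoginUrl would resolve "~/" against
        // this child application, so the parent's URLs are spelled out explicitly.
        private const string MainAppLoginUrl = "/YourSite/Account/LogOn";
        private const string MainAppDefaultUrl = "/YourSite/";

        private readonly IUserLookup _users;

        public AuthController() : this(new InMemoryUserLookup()) { }
        public AuthController(IUserLookup users) { _users = users; }

        // GET /YourSite/IntranetAuthentication/Auth?returnUrl=/YourSite/Orders
        public ActionResult Index(string returnUrl)
        {
            // Use the identity IIS authenticated for *this request*. WindowsIdentity.GetCurrent()
            // would return the app pool account (APPPOOL\ASP.NET v4.0) without impersonation.
            // Casting the Identity, not the principal, also survives roleManager wrapping the
            // WindowsPrincipal in a RolePrincipal (the pitfall raised in the comments).
            var identity = Thread.CurrentPrincipal.Identity as WindowsIdentity;

            if (identity == null || !identity.IsAuthenticated || identity.IsAnonymous)
            {
                // A 401 lets IIS re-issue the NTLM/Negotiate challenge; nothing else is trusted.
                return new HttpUnauthorizedResult();
            }

            // identity.Name is "DOMAIN\user", the value stored in the ADUsername column.
            // (Request.ServerVariables["LOGON_USER"] carries the same string, as Solution 2 notes.)
            string localUsername = _users.FindUsernameByAdAccount(identity.Name);
            if (localUsername == null)
            {
                // Valid domain account but no mapped application user: no cookie is issued,
                // the user simply lands on the parent's normal Forms login page.
                return Redirect(MainAppLoginUrl);
            }

            // Issue the Forms ticket for the *local* username so the parent app's existing
            // User-table lookups keep working; the parent accepts it because cookie name,
            // path="/" and machineKey are the same in both applications.
            FormsAuthentication.SetAuthCookie(localUsername, false /* not persistent */);

            // Only honour returnUrl when it is local; otherwise this endpoint is an open redirect.
            if (!string.IsNullOrEmpty(returnUrl) && Url.IsLocalUrl(returnUrl))
            {
                return Redirect(returnUrl);
            }
            return Redirect(MainAppDefaultUrl);
        }
    }
}
```

Because IIS repeats the NTLM challenge on every request to this child application, it is kept to a single action that does nothing but map the domain account to a local user and redirect; the <ipSecurity> block from step 3 is what keeps that endpoint off the internet.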

Solution 2

If you're using mixed authentication, why don't you get the AD user via the context?

    context.Request.ServerVariables["LOGON_USER"]
Author: IoC

Updated on June 04, 2022

Comments

  • IoC
    IoC almost 2 years

    I am working on an ASP.Net MVC 3 application and I have a User table that stores usernames and their passwords. I have created an additional ADUsername field (which stores the Active Directory Domain/Username).

    I am trying to do the following:

    1. Users running the application from Intranet should not see login page. Their Domain/Username should be received automatically and compared against ADUsername field.

    2. Users running the application from internet (out of the local network) or users with no ADUsername value: should see the login screen and they should use my custom Username and Password fields to login.

    This was very easy using Visual Studio Development Server and very difficult using IIS :)

    As I set my Web.Config to use forms, I am using WindowsIdentity.GetCurrent().Name to get the current ADUsername, and then I look up my User table to find the user and FormsAuthentication.SetAuthCookie him.

    Using IIS, it always returns the APPPOOL\ASP.NET v4.0 user, which does not reflect the domain/user I need.

    Any Help?

  • Stefano.net
    Stefano.net over 12 years
    I believe there is something wrong with the IIS configuration. Be sure to turn off anonymous authentication on your site and turn on Windows Authentication if you want to have AD auth.
  • IoC
    IoC over 12 years
    I need very small sample. Could you please help me?
  • geoffreys
    geoffreys over 12 years
    There is too much involved to post the solution here, I've committed a working example for you here bitbucket.org/geoffreys/so-dual-win-forms-auth
  • geoffreys
    geoffreys over 12 years
    Damn, just noticed only half the solution committed. Sorry, will commit the rest tomorrow - what's there should get you on the right track anyway.
  • Andranik Hovhannisyan
    Andranik Hovhannisyan over 11 years
    Great answer! :) If you add this to an Intranet ASP.NET MVC web application, remember to disable the roleManager, or the CurrentPrincipal will be a RolePrincipal, and not a WindowsPrincipal.