ASP.Net MVC 3 Login and Windows Authentication

走了就别回头了 2021-02-02 03:12

I am working on an ASP.Net MVC 3 application and I am having a User table that stores usernames and their passwords. I have created an additional ADUsername (stores Active Direc

2 answers
  • 2021-02-02 03:17

    This is not an easy task to accomplish. The Windows identity of your intranet user will only be available to you when Windows Authentication in IIS is enabled, and anonymous authentication disabled. When the user's browser hits the server, IIS will perform the NTLM challenge/response process to validate the user. Note that this challenge/response actually occurs on every individual HTTP request, not just once.

    The problem with this mechanism is that your Forms authentication will no longer be used, as it kicks in after Windows authentication runs, and failing to authenticate just triggers an IIS access-denied, not a fallback to Forms authentication.

    To build a hybrid, you will need to:

    1. Set up your main web application to authenticate users with Forms authentication. Set web.config like this. Generate your own machine key - this is key to ensure cookie sharing works

      <authentication mode="Forms">
        <forms loginUrl="~/Account/LogOn" timeout="2880" path="/" enableCrossAppRedirects="true" name=".ASPXFORMSAUTH" protection="All" />
      </authentication>
      <machineKey validationKey="C50B3C89CB21F4F1422FF158A5B42D0E8DB8CB5CDA1742572A487D9401E3400267682B202B746511891C1BAF47F8D25C07F6C39A104696DB51F17C529AD3CABE"
                  decryptionKey="8A9BE8FD67AF6979E7D20198CFEA50DD3D3799C77AF2B72F" validation="SHA1" />
      <system.webServer>
        <security>
          <authentication>
            <anonymousAuthentication enabled="true"/>
            <windowsAuthentication enabled="false"/>
          </authentication>
        </security>
      </system.webServer>
      
    2. Create a new, separate web app to use purely for the NTLM authentication. It will authorize then redirect to the main application. Sorry, the two apps can't be combined.

    3. In NTLM web app, change web.config Authentication mode like below:

      <authentication mode="Windows">
      </authentication>
      <machineKey validationKey="C50B3C89CB21F4F1422FF158A5B42D0E8DB8CB5CDA1742572A487D9401E3400267682B202B746511891C1BAF47F8D25C07F6C39A104696DB51F17C529AD3CABE"
                  decryptionKey="8A9BE8FD67AF6979E7D20198CFEA50DD3D3799C77AF2B72F" validation="SHA1" />
      <system.webServer>
        <!-- .... -->
        <security>
          <authentication>
            <windowsAuthentication enabled="true"/>
            <anonymousAuthentication enabled="false"/>
          </authentication>
          <ipSecurity>
            <!-- put whatever here to restrict to your LAN
            <add ..../>
            -->
          </ipSecurity>
        </security>
      </system.webServer>
    
    4. In the NTLM web app, the controller does one thing: extract the username from (WindowsPrincipal)Thread.CurrentPrincipal; and call FormsAuthentication.SetAuthCookie(..). Then redirect to the main web app. Do not use WindowsIdentity.GetCurrent() as it will not be accurate without impersonation enabled [see msdn.microsoft.com/en-us/library/ff647076.aspx], which you don't want to be using.

    5. You cannot test any of this under Cassini or IIS Express; you must use IIS 7.5.

    6. Go to IIS 7.5 and turn on Feature Delegation for "Authentication - Anonymous" and "Authentication - Windows".

    7. Create an IIS application for your Forms based app.

    8. Right click on your newly created Forms app and 'Add Application'. Set the path to your NTLM authentication application, and the name to something like "IntranetAuthentication".

    9. In the browser access http://localhost/YourSite for forms authentication, and http://localhost/YourSite/IntranetAuthentication to see NTLM auth then passthru auth working back to the main site.

    At your company, direct intranet users to use the intranet logon. Externally everyone uses regular forms authentication page.

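Step 4 of the answer above, written out as an added MVC 3 controller example (not the answerer's code). It assumes the NTLM sub-app is mounted under the Forms app as in step 8, that both web.config files share the <machineKey> and forms cookie settings shown, and it uses a constructed in-memory dictionary in place of the question's User table with its ADUsername column; the redirect target is derived from the app's own mount point rather than from the request so the sub-app cannot be used as an open redirector.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Principal;
using System.Threading;
using System.Web.Mvc;
using System.Web.Security;
// Controller for the separate NTLM sub-application (steps 2 and 4). Assumes the sub-app is mounted
// under the Forms app (e.g. /YourSite/IntranetAuthentication) and that both web.config files
// share the same <machineKey> and forms cookie name/path.
public class IntranetAuthenticationController : Controller
{
    // Constructed stand-in for the question's User table: AD account -> application username.
    private static readonly Dictionary<string, string> AdUserToAppUser =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase) { { @"CORP\jsmith", "jsmith" } };
    public ActionResult Index()
    {
        // IIS has already completed the NTLM challenge/response; the result is on the request thread.
        // WindowsIdentity.GetCurrent() would return the app pool account unless impersonation is on.
        var principal = Thread.CurrentPrincipal as WindowsPrincipal;
        if (principal == null || !principal.Identity.IsAuthenticated)
        {
            return new HttpUnauthorizedResult(); // anonymous auth is off here, so this means misconfiguration
        }

        // Keep the full DOMAIN\user form so accounts from different domains cannot collide.
        string adUserName = principal.Identity.Name;
        // Only accounts linked to an application user (the ADUsername column) get a ticket.
        string appUserName;
        if (!AdUserToAppUser.TryGetValue(adUserName, out appUserName))
        {
            return new HttpStatusCodeResult(403, "Windows account is not linked to an application user.");
        }
        // Issue the forms ticket the parent app will accept (same machineKey, cookie name and path "/").
        FormsAuthentication.SetAuthCookie(appUserName, false /* not persistent */);

        // Redirect to a fixed target derived from our own mount point, never from a query parameter,
        // so the sub-app cannot be abused as an open redirector.
        return Redirect(ParentApplicationPath(Request.ApplicationPath));
    }

    // "/YourSite/IntranetAuthentication" -> "/YourSite/"
    internal static string ParentApplicationPath(string applicationPath)
    {
        string trimmed = (applicationPath ?? string.Empty).TrimEnd('/');
        int slash = trimmed.LastIndexOf('/');
        return slash <= 0 ? "/" : trimmed.Substring(0, slash + 1);
    }
}
```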
  • 2021-02-02 03:35

    If you're using a mixed authentication, why don't you get the AD user via context?

      context.Request.ServerVariables["LOGON_USER"]