Mixing windows & forms authentication
I came across a situation today where I needed to mix two different authentication types in an ASP.NET MVC 4 application. The reason was a client requirement: although they use Active Directory, they did not want to manage an application's roles and responsibilities through Active Directory. They still wanted administrators defined in the application to be able to manage roles and access.
I experimented a little with how to achieve this, and the following is the solution I came up with.
I created an ASP.NET MVC 4 application with Windows Authentication enabled. I then created a class within the application that inherits from WindowsPrincipal.
I also created a serializable principal model class, which we will use to serialise the principal data for JavaScript.
I created an interface for a basic security service that will be used to get the role data from the database.
The concrete implementation of the service is a simple class that just reads the role values from the database; I used the repository pattern for this.
We'll be using Unity as the IoC container, so we just need some simple set-up code to register our dependencies, i.e. the security service and the repositories, with Unity.
In Global.asax I implemented the code in the WindowsAuthentication_OnAuthenticate method.
I also implemented a security attribute.
This code is not entirely production ready at this point, and I still need to put it through some more tests.
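The pieces described in the steps above, written out as one added example; this is not the post's own code, and the class names, the in-memory role map, the account names CORP\alice and CORP\bob, and the attribute are all constructed for illustration. It assumes the application runs with authentication mode="Windows" in Web.config and Windows Authentication enabled in IIS, so that the WindowsAuthenticationModule raises the OnAuthenticate event; the post resolves the security service from Unity, whereas here it is instantiated directly to keep the block self-contained.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Principal;
using System.Web;
using System.Web.Mvc;
using System.Web.Security;

// Role lookup abstracted so the Global.asax handler does not depend on the data layer.
public interface ISecurityService
{
    IEnumerable<string> GetRoles(string windowsAccountName);
}

// Constructed stand-in for the repository-backed implementation: a fixed account-to-role map.
public class InMemorySecurityService : ISecurityService
{
    private static readonly Dictionary<string, string[]> RoleMap =
        new Dictionary<string, string[]>(StringComparer.OrdinalIgnoreCase)
        {
            { @"CORP\alice", new[] { "Administrator", "User" } },
            { @"CORP\bob",   new[] { "User" } }
        };

    public IEnumerable<string> GetRoles(string windowsAccountName)
    {
        string[] roles;
        return RoleMap.TryGetValue(windowsAccountName ?? string.Empty, out roles)
            ? roles : Enumerable.Empty<string>();
    }
}

// Keeps the WindowsIdentity that IIS authenticated, but answers IsInRole from the
// application's own role list instead of from Active Directory group membership.
public class ApplicationPrincipal : WindowsPrincipal
{
    private readonly HashSet<string> _roles;

    public ApplicationPrincipal(WindowsIdentity identity, IEnumerable<string> roles) : base(identity)
    {
        _roles = new HashSet<string>(roles, StringComparer.OrdinalIgnoreCase);
    }

    public override bool IsInRole(string role)
    {
        return _roles.Contains(role);
    }

    // Flat, serialisable view of the principal for handing to client-side JavaScript.
    public PrincipalModel ToModel()
    {
        return new PrincipalModel { Name = Identity.Name, Roles = _roles.ToArray() };
    }
}

[Serializable]
public class PrincipalModel
{
    public string Name { get; set; }
    public string[] Roles { get; set; }
}

// Global.asax.cs: the WindowsAuthenticationModule raises this after IIS has authenticated
// the caller and before authorization runs; replacing e.User here makes every later
// HttpContext.User an ApplicationPrincipal.
public class MvcApplication : HttpApplication
{
    // Resolved from the Unity container in the post; newed up here to stay self-contained.
    private static readonly ISecurityService SecurityService = new InMemorySecurityService();

    protected void WindowsAuthentication_OnAuthenticate(object sender, WindowsAuthenticationEventArgs e)
    {
        if (e.Identity == null || !e.Identity.IsAuthenticated || e.Identity.IsAnonymous)
            return; // no authenticated Windows user: leave the default principal alone

        e.User = new ApplicationPrincipal(e.Identity, SecurityService.GetRoles(e.Identity.Name));
    }
}

// Authorization attribute that checks application roles; it fails closed when the
// principal is not the expected type (for example, if the handler above did not run).
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, AllowMultiple = false)]
public class ApplicationRoleAttribute : AuthorizeAttribute
{
    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        var principal = httpContext.User as ApplicationPrincipal;
        if (principal == null || !principal.Identity.IsAuthenticated)
            return false;

        if (string.IsNullOrWhiteSpace(Roles))
            return true; // any authenticated user is enough when no role is named

        return Roles.Split(',').Select(r => r.Trim()).Any(principal.IsInRole);
    }
}

// Usage: [ApplicationRole(Roles = "Administrator")] on a controller or action.
```

The attribute deliberately casts to ApplicationPrincipal rather than calling IsInRole on whatever principal is present: if the OnAuthenticate handler is ever bypassed, a plain WindowsPrincipal would answer IsInRole from AD group names, which is exactly the behaviour the post is trying to replace.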
Gary is Technical Director at Denizon, an independent software vendor specialising in IoT, Field Service and associated managed services, enabling customers to be efficient, productive, secure and scalable in a way which helps them address and reduce their ecological impact.
Denizon's product line integrates IoT, Artificial Intelligence and Blockchain technology to enable efficient, productive, secure and scalable solutions that help organisations address increasing energy demands, ecological impact and the Health & Safety concerns of their staff.
Mixing Windows and Forms authentication in .NET 4.5: how to keep Request.IsAuthenticated = false until after forms authentication ticket is created?
UPDATE:
I solved this problem with just a few fairly simple changes, see my self-answer below.
ORIGINAL QUESTION:
I have an ASP.NET web app that uses both Windows authentication and Forms authentication. Forms authentication is defined as the authentication mode in Web.config (see below for excerpt). In IIS 7, at the web app (AKA virtual directory) level, anonymous authentication is disabled, and windows authentication is enabled.
In .NET 1.1 to .NET 4.0 and IIS 6/7/7.5, after successfully authenticating via Windows auth, but before authenticating via Forms auth (creating the forms authentication ticket / cookie), Global.Application_AuthenticateRequest() sees that Request.IsAuthenticated is false. And once Request.IsAuthenticated becomes true, System.Web.HttpContext.Current.User is of type System.Security.Principal.GenericPrincipal (and User.Identity is System.Web.Security.FormsIdentity).
This behavior changed after .NET 4.5 was installed on the IIS7 server. No changes were made to the Web.config file, and no changes were manually made to IIS. The only change I made was to install .NET 4.5. The behavior reverted back to ‘normal’ after uninstalling 4.5 and reinstalling 4.0.
The different behavior I noticed is that after successfully authenticating via Windows, but before authenticating via forms (the forms authentication ticket has not yet been created), Application_AuthenticateRequest now shows that Request.IsAuthenticated is true. Also, System.Web.HttpContext.Current.User.Identity is now System.Security.Principal.WindowsIdentity (instead of FormsIdentity).
- Can somebody please explain why this is different?
- Is there a configuration option (like a web.config change or IIS setting) that I can use to force it to work the 4.0 way? (so that Windows auth does not trump Forms auth with respect to setting Request.IsAuthenticated = true?)
I have been searching Microsoft docs for hours... all their info about mixing Windows and Forms auth seems to be years out of date (2004-ish), and the details on changes to .NET 4.5 are rather sparse in this particular area.
MVC3 mixed forms and Windows authentication
I currently have an intranet site that is accessed by external customers. I therefore set this up using Forms Authentication. However the powers that be (my bosses) want all our domain users to not have to enter their username and password to access the site.
I've done a bit of reading and everything seems to point to setting up a WinLogin.aspx page that you alter to use Windows Authentication and then redirect from there.
I have a problem with this as I don’t like the idea of putting an aspx form in my mvc application.
Can anyone tell me how to achieve mixed authentication using a strictly MVC Controller/Action setup without a second application?
NOTES: running MVC 3 on an IIS 7 box.
Forms Authentication is not related to the URL or physical structure of your files. What matters is that a URL should ultimately map to a physical (or virtual) resource on the server, and be processed, and be returned back to the user.
Thus, somewhere in between, for each incoming call (each HTTP request, even those for CSS and JavaScript files), you have to see whether the current user has enough permission to access it or not. If not, then you might redirect him to the login page.
If you want, you can have a URL like /user/windowslogin where user is the name of the controller, and windowslogin is the name of your action method. Then you can create a custom authentication attribute (something like [WindowsAuthentication]) on your windowslogin action, and in that attribute (which is an MVC filter in essence), you can see if the current request comes from within your domain, and if so, talk to Active Directory for authentication or stuff like that, and in case of successful authentication, create an authentication cookie using the FormsAuthentication class, and the rest of the story.
However, I don’t think this would be an easy task. Others might introduce better solutions.
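The filter the answer sketches, as an added example that is not the answer's own code: a [WindowsAuthentication] action filter for a URL such as /user/windowslogin that, when IIS has already negotiated a Windows identity from a trusted domain, issues the same forms authentication cookie the login page would and redirects on. It assumes the application runs with authentication mode="Forms" while IIS has Windows Authentication enabled (and anonymous disabled) for that one URL only, so that Request.LogonUserIdentity carries the negotiated identity; the domain allow-list and the example domain CORP are constructed. It also illustrates the point from the .NET 4.5 question above: the filter decides whether forms login has already happened by testing the identity type, not Request.IsAuthenticated, which can be true for a bare Windows identity before any ticket exists.

```csharp
using System;
using System.Linq;
using System.Security.Principal;
using System.Web;
using System.Web.Mvc;
using System.Web.Security;

// Filter for an action such as /user/windowslogin in a Forms-authentication application
// where IIS performs Windows Authentication for that URL alone.
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, AllowMultiple = false)]
public class WindowsAuthenticationAttribute : ActionFilterAttribute
{
    // Hypothetical allow-list of NetBIOS domains whose users may be signed in silently.
    private readonly string[] _trustedDomains;

    public WindowsAuthenticationAttribute(params string[] trustedDomains)
    {
        _trustedDomains = trustedDomains ?? new string[0];
    }

    public override void OnActionExecuting(ActionExecutingContext filterContext)
    {
        var http = filterContext.HttpContext;

        // A forms ticket already exists: test the identity type, not Request.IsAuthenticated,
        // which can also be true for a bare Windows identity before any ticket is issued.
        if (http.User != null && http.User.Identity is FormsIdentity)
        {
            filterContext.Result = new RedirectResult(FormsAuthentication.DefaultUrl);
            return;
        }

        // IIS exposes the negotiated Windows identity here regardless of the
        // application's own authentication mode.
        WindowsIdentity windowsIdentity = http.Request.LogonUserIdentity;
        if (!IsTrusted(windowsIdentity, _trustedDomains))
        {
            // Not a domain user we trust: fall back to the normal forms login page.
            filterContext.Result = new RedirectResult(FormsAuthentication.LoginUrl);
            return;
        }

        // Issue the same non-persistent ticket the forms login page would, then continue to ReturnUrl.
        FormsAuthentication.SetAuthCookie(windowsIdentity.Name, false);
        filterContext.Result = new RedirectResult(
            FormsAuthentication.GetRedirectUrl(windowsIdentity.Name, false));
    }

    // True only for an authenticated, non-anonymous Windows identity from an allow-listed domain.
    public static bool IsTrusted(WindowsIdentity identity, string[] trustedDomains)
    {
        if (identity == null || !identity.IsAuthenticated || identity.IsAnonymous)
            return false;

        string[] parts = identity.Name.Split('\\');
        if (parts.Length != 2)
            return false;

        return trustedDomains.Any(d => string.Equals(d, parts[0], StringComparison.OrdinalIgnoreCase));
    }
}

// Usage, on the controller action the answer describes; the filter always sets a
// Result, so the action body itself is never reached:
//   [WindowsAuthentication("CORP")]
//   public ActionResult WindowsLogin() { return new EmptyResult(); }
```

Because the ticket is minted from Request.LogonUserIdentity rather than from a posted form, the only thing standing between an anonymous visitor and a session is the IIS setting that disables anonymous access on that URL; the IsTrusted check exists so that a misconfigured location (anonymous left enabled, or a non-domain account) is rejected instead of silently signed in.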
