9

I am working on an ASP.Net MVC 3 application and I am having a User table that stores usernames and their passwords. I have created an additional ADUsername (stores Active Directory's Domain/Username).

I am trying to do the following:

  1. Users running the application from Intranet should not see login page. Their Domain/Username should be received automatically and compared against ADUsername field.

  2. Users running the application from internet (out of the local network) or users with no ADUsername value: should see the login screen and they should use my custom Username and Password fields to login.

This was very easy using Visual Studio Development Server and very difficult using IIS :)

As I set my Web.Config to use forms, I am using WindowsIdentity.GetCurrent().Name to get the current ADUsername and then, I lookup my User table to find the user and FormsAuthentication.SetAuthCookie him.

Using IIS is always returning APPPOOL\ASP.NET v4.0 user which is not reflecting the domain/user I needed.

Any Help?

Improve this question
1
  • still waiting some help. I need Forms and Windows Authentication to work together as described. Commented Dec 6, 2011 at 17:17

2 Answers 2

Reset to default
15

This is not an easy task to accomplish. The Windows identity of your intranet user will only be available to you when Windows Authentication in IIS is enabled, an anonymous authentication disabled. When the user's browser hits the server, IIS will perform the NTLM challenge/response process to validate the user. Note that this challenge/response actually occurs on every individual HTTP request, not just once.

The problem with this mechanism is that your Forms authentication will no longer be used, as it kicks in after Windows authentication runs, and failing to authenticate just triggers an IIS access-denied - not fallback to Forms authentication.

To build a hybrid, you will need to:

  1. Set up your main web application to authenticate users with Forms authentication. Set web.config like this. Generate your own machine key - this is key to ensure cookie sharing works

    <authentication mode="Forms"><forms loginUrl="~/Account/LogOn" timeout="2880" path="/" enableCrossAppRedirects="true" name=".ASPXFORMSAUTH" protection="All"  />
</authentication>
<machineKey validationKey="C50B3C89CB21F4F1422FF158A5B42D0E8DB8CB5CDA1742572A487D9401E3400267682B202B746511891C1BAF47F8D25C07F6C39A104696DB51F17C529AD3CABE" decryptionKey="8A9BE8FD67AF6979E7D20198CFEA50DD3D3799C77AF2B72F" validation="SHA1" /> <system.webServer>
<security>
  <authentication>
    <anonymousAuthentication enabled="true"/>
    <windowsAuthentication enabled="false"/>
  </authentication>
</security></system.webServer>

  2. Create a new, separate web app to use purely for the NTLM authentication. It will authorize then redirect to the main application. Sorry, the two apps can't be combined.

  3. In NTLM web app, change web.config Authentication mode like below:

    <authentication mode="Windows">       
    </authentication>   
    <machineKey validationKey="C50B3C89CB21F4F1422FF158A5B42D0E8DB8CB5CDA1742572A487D9401E3400267682B202B746511891C1BAF47F8D25C07F6C39A104696DB51F17C529AD3CABE"
                decryptionKey="8A9BE8FD67AF6979E7D20198CFEA50DD3D3799C77AF2B72F" validation="SHA1" />
<system.webServer>
    ....
    <security>
      <authentication>
        <windowsAuthentication enabled="true"/>
        <anonymousAuthentication enabled="false"/>
      </authentication>
      <ipSecurity>
        <!-- put whatever here to restrict to your LAN
        <add ..../>
        -->
      </ipSecurity>
    </security>
  </system.webServer>

  1. In NTLM webapp, the controller does one thing - extract username from (WindowsPrincipal)Thread.CurrentPrincipal(); and calls FormsAuthentication.SetAuthCookie(..). Then redirect to the main web app. Do not use WindowsIdentity.GetCurrent() as it will not be accurate without impersonation enabled [see msdn.microsoft.com/en-us/library/ff647076.aspx] which you don't want to be using

  2. You cannot test any of this under Cassini or IIS Express; you must use IIS 7.5.

  3. Goto IIS 7.5 and turn on Feature Delegation for "Authentication - Anonymous" and "Authentication - Windows".

  4. Create IIS application for your Forms based app

  5. Right click on your newly created Forms app and 'Add Application'. Set path to your NTLM authentication application, and the name to something like "IntranetAuthentication"

  6. In browser access http://localhost/YourSite for forms authentication, and http://localhost/YourSite/IntranetAuthentication to see NTLM auth then passthru auth working back to main site

At your company, direct intranet users to use the intranet logon. Externally everyone uses regular forms authentication page.

Improve this answer
Sign up to request clarification or add additional context in comments.

4 Comments

I need very small sample. Could you please help me?
There is too much involved to post the solution here, I've committed a working example for you here bitbucket.org/geoffreys/so-dual-win-forms-auth
Damn just noticed only half the solution committed. Sorry will commit rest tommorow - what's they're should get u on the right track anyway
Great answer! :) If you add this to a Intranet asp.net MVC web application. Remember to disable the roleManager, or the CurrentPrincipal will be a RolePrincipal, and not a WindowsPrincipal.
3

if you're using a mixed authentication why don't you get AD User via context?

  context.Request.ServerVariables["LOGON_USER"]
Improve this answer

1 Comment

I belive there is something wrong with IIS configuration. Be sure to turn off anonymous authentication on your site and turn on Windows Authentication if you want to have AD auth.

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.