I am developing an MVC3 application for a customer service team.
I am using default login and registration controls in my application.
I have to use both Form Authentication and Windows Authentication.
For the customers who come online to insert their comments, it will be Form Authentication for them.
For the customer service staff, the system has to use their Windows Authentication to login them (if they they have logged into the
their windows account the website should recognize their login details and authenticate them.)
How can I make my MVC3 application to authenticate both Windows Authentication for the staff and Forms Authentication for others?
Thanks
i think you must create your own authentication on top of FormsAuthentication .
check this maybe helpful
http://www.khalidabuhakmeh.com/asp-net-mvc-5-authentication-breakdown-part-deux
Related
The Problem
I am going to develop a web application using MVC .NET6. The requirement is that I need to use Asp.net core identity to authenticate users in the local database and from Azure Active Directory at the same time. The authorization part is simple there is no policy, role, or claim is required at the moment. I only need to use the [Authorize] attribute once the authentication is succeeded.
The UI login page would have a username/password and a login button to authenticate the user from the database. There will be another button like Azure Sign In for authentication from azure and redirects to the Microsoft page for credentials.
I've tried to find sample code or similar examples but couldn't find any.
Please help me to achieve this.
Thanks.
I am developing an asp.net MVC web application that will be deployed in the cloud and should support the following authentication scenarios:
Transparent authentication for domain users on an intranet. These users should be able to access the application without signing in.
Forms login for arbitrary non-domain users on the internet. These users should be presented with a login page using Forms authentication, and membership is managed internally by the application.
Forms login for domain users on the public internet. They should be able to use the same login form as non-domain users, but sign in with their domain credentials instead.
Active Directory Federation Services (ADFS) with passive authentication can cover cases #1 and #3. Since it redirects to the federation provider's login page, it doesn't cover the #2 case. I understand active authentication by my application could possibly support all three cases, however there is not much documentation around on how this would be implemented.
Ideally there should be a way for my application to authenticate a domain username and password with the ADFS federation provider.
Does anyone know whether this is possible, and if so, how?
The standard pattern for this is ADFS with a split DNS - IWA for intranet and Forms for internet.
However, ADFS can ONLY authenticate against AD so option 2 can't be achieved.
I would suggest using IdentityServer for option 2 - you may have to customise it depending on your "flavour" of membership - and then federate ADFS and IdentityServer.
IdentityServer is free / open source.
To expand on nzpcmad's answer, you can set up Claims Provider trusts other than Active Directory in the ADFS Management console under Trust Relationships > Claims Provider Trusts, they effectively chain ADFS with custom STS services.
The entries you add will be added to the Home Realm discovery page within the ADFS web site, such that authenticating users will be presented with a drop-down list to essentially choose the Claims Provider they wish to be authenticated against.
Automatic sign-in will still work for internal users who choose your Active Directory (ADFS provider), whilst members of other Providers will be redirected to their chosen Claims Provider's web site, which will typically present a Forms login page and authenticate against a back-end membership database, all external users (who are not able to present an NTLM or Kerberos token will be required to enter their details - for AD users this will mean they have to enter their domain\user string (or user#domain) and internal password.
Of course, you have to create these providers yourself, in the old WIF days this meant using the fairly clunky Custom STS template, however you can now streamline the procedure with a simple OWIN-based MVC5 site. Alternatively, as nzpcmad suggests, you could look at using IdentityServer.
We have two existing legacy web applications, one for the intranet using windows authentication within the domain, and one internet application, performing a custom web forms username + password based authentication. Now a new web applications is developed and will be available in the internet to both internet and intranet users, handling both authentication models. Therefore we decided to use WIF. We're going for ASP.NET 4.5 MVC 4 on Windows Server 2012.
The intranet authentication shouldn't be a problem as we can use ADFS 2.0 here.
But we currently have no clue how to solve the username + password authentication. It looks like we need to develop a custom UserNameSecurityTokenHandler to authenticate users which provide username + password information which is verified against our custom membership provider. But I need some assistance with the whole workflow...
Assume that we have a custom login page for internet users; and assume that we managed to route internet users to this login page (in ASP.NET MVC), what's the missing part from here to a valid token? How would the form or the MVC controller action which received the provided username + password proceed to trigger the configured WIF identity provider?
The most elegant solution would be to create another STS for the external users and have ADFS trust this as an identity provider:
External users will be redirected to the IdP STS that would use the usr/pwd database. Internal users will authenticate through ADFS directly (against AD).
In this scenario, ADFS is acting both as an IdP and a Federation Provider.
For this to work you need both ADFS and the IdP (and the app) exposed to the internet. An STS you can use that leverages membership is IdentityServer, which is open source and you can of course customize for your needs.
With this architecture you don't need any special customizations/extensions in the app. You will need to handle "home realm discovery" though. Which is the process of knowing where to authenticate users on (e.g. intranet vs. extranet). Presumably, you might have different URLs, etc.
I'm building a small web application using ASP.NET MVC3, in which I'm using the default ASP.NET Membership API to create and authenticate users.
There's also a small desktop client which updates the web application. My question is what would be the best way to authenticate the desktop client. Considering that users would register using their username and password via the website, I don't really want to store any user credentials on the desktop.
I was thinking about implementing an OAuth provider in my web application, and associating the token with the authenticated username. That way I would authenticate my desktop client like most twitter clients do now.
So basically my question, should I do OAuth, or maybe there's another popular option?
Why not expose a login action method that returns a token? This would avoid the added complexity of an oauth service. As long as your mvc app is decoupled and using services, your client can consume these same services.
Is there any way to have a custom form for Windows authentication so that the device used when authentication doesn't need to support NTLM in order to work? Also, is there a way to keep the automatic login for intranet users so that they do not need to login if they are already on their computer?
Is there any way to have a custom form
for Windows authentication so that the
device used when authentication
doesn't need to support NTLM in order
to work?
I guess you want to be able to authenticate users coming from outside the intranet.
In that case, Windows Authentication is not the right choice since it uses Windows user's credentials for the authentication and therefore more applicable for intranet applications.
If you really want to have Windows Authentication, your client requires NTLM or Kerberos authentication support.
Also, is there a way to keep the
automatic login for intranet users so
that they do not need to login if they
are already on their computer?
For this you can use Windows Authentication.