I'm currently trying to set up a website that uses both windows authentication and forms authentication. I am using ASP.NET MVC and both IIS6 and 7 need to be supported. How would I go about letting known AD users into the app (their AD id is stored against their user record in the application database) and directing everyone else to a standard username/password page.
It seems the answer is no. We've had to set up 2 sites, the main application with forms authentication and a separate windows authenticated site which redirects to the forms site with a token which expires quickly telling the forms site that an authenticated user is incomming.
What about the option using custom 401 redirect at IIS level outlined in this article
Related
On IIS I have a login website which is used to get credentials from user and authenticate him. Authentication is done through:
FormsAuthentication.SetAuthCookie
Login application is written in asp.net webapplication.
Now there is another .NET CORE mvc web application which will sit as a child web application to this login website and needs to authenticate through login application.
By default child web application does not comes under login page.
How I can put this web application to use login from parent website?
HttpContext.User.Identity.IsAuthenticated in mvc core child application returns false and can't read logged in user.
You cannot. Traditional web-based auth and specifically FormsAuth utilizes cookies to persist the login state. Cookies are domain-bound, and auth cookies are also encrypted. You can only access the cookie in the first place if both apps are on the same domain, and even then, one can only read it if they can both encrypt and decrypt in the same way. The method of encryption has changed between ASP.NET and ASP.NET Core, so that's out of the window off the bat. ASP.NET used machine keys whereas ASP.NET Core utilizes the Data Protection API.
There's one minor exception, in an ASP.NET MVC 5 site, you can utilize the Data Protection API, through its support of OWIN. The two apps, then, can be made to encrypt/decrypt in the same way. However, by the very fact that you're using FormsAuth means that you cannot achieve this. FormsAuth can only use machine keys, so you'd have to migrate the legacy app to using ASP.NET Identity at the very least, first.
I have read all the stack overflow posts and other blogs regarding mixed-mode authentication. I could not find a step by step implementation anywhere.
So here is my scenario. I have developed asp.net MVC 4.5 and asp.net identity 2.0 for individual user accounts. Some of our clients use active directory to authenticate their users whereas others use individual user accounts. Also, those that use active Directory can also remotely access the web portal and in that case authentication would be from database(Form Authentication/individual user account authentication).
My findings so far
create another web application. If this client does not use "active Directory", then redirect to login screen, else, authenticate from active directory (but how?)
Some of the links show that there is no need to create another web application like
Mixed mode authentication with OWIN
ASP.NET Identity + Windows Authentication (Mix mode - Forms + Windows)
ASP.NET MVC and mixed mode authentication
Truly confused as to what to do and how to do..most solutions seem vague and general
There's no need to create a second web application.
Owin is designed to let you use all available providers (such as, Windows authentication and form-based authentication) given that you enable them in IIS.
Briefly, you have to
Enable Anonymous and Windows authentication on IIS - Authentication
(with server or site scope as it best fits to you)
Anonymous authentication - Edit - Use Application Pool Identity
I recently implemented just this kind of authentication on an MVC project and it works like a charm. I suggest you to read this post https://github.com/MohammadYounes/MVC5-MixedAuth it's been really helpful to me.
I have the following architecture:-
Active directory server
IIS which will host asp.net MVC
Both the Active directory and the MVC web application are inside our company intranet.
I set the Asp.net MVC authentication type to be windows based.
But I have these questions:-
If our company employees tries to access the asp.net MVC web application from their home using their personal PC; will windows authentication work?
If the above answer is Yes; then how they will be typing their usernames, Something similar to username# domain.com ?
According to my above requirements, should I consider having form based authentication that is connected to AD? Instead of using windows based authentication?
Thanks for any help and advice
Best Regards
Assuming your website in IIS is visible to the outside through the firewall, then yes it will be accessible from home
depending on the browser, you should get a pop up asking for username and password, and the username should be typed
MYDOMAIN\JOEBLOGGS
This setup may well work fine but it depends on your needs - is your network admin happy to open this server up to the outside world
There can be a quirk if using Internet explorer externally, where IE does not display a pop up box, and instead tries to authenticate with the local windows username, which may not match AD username if it is a personal PC (to get around this on the client, go to Internet Options > Security > Custom Level then scroll down to User Authentication and select 'Prompt for username and password'
I developed a web system using ASP.NET MVC 4 and I must perform an integration using .NET Web API and Windows Forms Application.
So far everything has been fine, but now I need to authenticate the users using Windows Forms Application and this application will be open on the internet.
My application already contains users that are registered in the database and currently are authenticated using the component 'Authorize' of ASP.NET MVC.
For data consumption through the client (Windows Forms Application) currently I use the library Microsoft ASP.NET Web Client API.
How can I accomplish this task safely?
Does anyone have any suggestions?
You can extend the HttpClient to add authentication. One example can be found here. It shows how to add a HttpMessageHandler into your pipeline for authentication using OAuth.
Here is the complete List of ASP.NET Web API and HttpClient Samples
Take a look at this Q&A which describes creating a custom AuthorizeAttribute for Web API that also authenticates the user using http basic security and grabbing the credentials from the HTTP header. Note that there is a different AuthorizeAttribute for ASP.NET Web API (System.Web.Http.AuthorizeAttribute) as opposed to the one for an MVC controller (System.Web.Mvc.AuthroizeAttribute). They have different behaviors. You do not want a call to a Web API being redirected to a logon page.
When you create a new MVC project in Visual Studio, you get an AccountController that supports user self-registration and self-help changing passwords. This is great as a basic first step for a public internet site. But for an intranet site where an admin is responsible for creating users and assign them roles, is there any equivalent pre-existing template to start from?
To clarify, I am looking for a template that continues to use basic auth and that continues to use the ASP.Net membership and role services, as does the internet template, but provides UIs for user and role management that are intended for use by an administrator. The site is going to be on the internet but is not going to be "public" per se. There will be one or more sys-admin accounts that will have the ability to provision other users. The site will hosted by a yet-to-be-selected hosting provider.
Yes, it's called the Intranet Application. I know, who would think an Intranet application was an Intranet application?
MVC3 has 3 templates, Empty, Internet Application and Intranet Application.