I am working on an ASP.Net MVC 3 application and I am having a User table that stores usernames and their passwords. I have created an additional ADUsername (stores Active Directory’s Domain/Username).
I am trying to do the following:
-
Users running the application from Intranet should not see login page. Their Domain/Username should be received automatically and compared against ADUsername field.
-
Users running the application from internet (out of the local network) or users with no ADUsername value: should see the login screen and they should use my custom Username and Password fields to login.
This was very easy using Visual Studio Development Server and very difficult using IIS 🙂
As I set my Web.Config to use forms, I am using WindowsIdentity.GetCurrent().Name to get the current ADUsername and then, I lookup my User table to find the user and FormsAuthentication.SetAuthCookie him.
Using IIS is always returning APPPOOL\ASP.NET v4.0 user which is not reflecting the domain/user I needed.
Any Help?
This is not an easy task to accomplish. The Windows identity of your intranet user will only be available to you when Windows Authentication in IIS is enabled, an anonymous authentication disabled. When the user’s browser hits the server, IIS will perform the NTLM challenge/response process to validate the user. Note that this challenge/response actually occurs on every individual HTTP request, not just once.
The problem with this mechanism is that your Forms authentication will no longer be used, as it kicks in after Windows authentication runs, and failing to authenticate just triggers an IIS access-denied – not fallback to Forms authentication.
To build a hybrid, you will need to:
Set up your main web application to authenticate users with Forms authentication. Set web.config like this. Generate your own machine key – this is key to ensure cookie sharing works
Create a new, separate web app to use purely for the NTLM authentication. It will authorize then redirect to the main application. Sorry, the two apps can’t be combined.
In NTLM web app, change web.config Authentication mode like below:
In NTLM webapp, the controller does one thing – extract username from (WindowsPrincipal)Thread.CurrentPrincipal(); and calls FormsAuthentication.SetAuthCookie(..). Then redirect to the main web app. Do not use WindowsIdentity.GetCurrent() as it will not be accurate without impersonation enabled [see msdn.microsoft.com/en-us/library/ff647076.aspx] which you don’t want to be using
You cannot test any of this under Cassini or IIS Express; you must use IIS 7.5.
Goto IIS 7.5 and turn on Feature Delegation for “Authentication – Anonymous” and “Authentication – Windows”.
Create IIS application for your Forms based app
Right click on your newly created Forms app and ‘Add Application’. Set path to your NTLM authentication application, and the name to something like “IntranetAuthentication”
In browser access http://localhost/YourSite for forms authentication, and http://localhost/YourSite/IntranetAuthentication to see NTLM auth then passthru auth working back to main site
At your company, direct intranet users to use the intranet logon. Externally everyone uses regular forms authentication page.