I have a custom role provider, built on a Role entity, and a many to many relationship called RoleUser, between my forms auth User entities and the Roles. I would like to switch this roles provider into using Windows auth as well now. It seems convenient for me piggy back of the forms Users, and create ‘shadows’ of AD users in my Users entities.
Is this feasible or frowned upon, and are there any good papers etc. on this kind of setup?
I’m using EF Code First against SQL 2005, and am not using a custom membership provider, as my User controller and repository handle all I need quite fine; just a role provider.
Notice that we have 5 types of authentication:
1- Anonymous Authentication
2- Asp.net Impersonation
3- Basic Authentication HTTP 401 Challenge
4- Forms Authentication HTTP 302 Login/Redirect
5- Windows Authentication HTTP 401 Challenge
The Philosophy of MVC authentication refers to this fact that, MVC doesn’t use ViewState to authenticate users.It does not use view state or server-based forms. This makes the MVC framework ideal for developers who want full control over the behavior of an application.
According to MVC standards, windows authentication is suitable for intranet applications, and forms authentication for internet application, because of security issues and so more.
It’s not common to use both windows and forms authentication together. But you can use hybrid of them like this codeproject article. Unless you want to do an action like forms authentication and at the backend store windows account information via your programmability to store to DB or etc. Only make sure there is no challenge among types of authentications.
There is another important thing, that is diffrences between Authentication and Authorization that you can config them at web.config like bellow:
or
This MSDN Article might be helpful too.