41

I have never used Windows Authentication for ASP.NET MVC web applications before, only Forms Authentication. Recently, I have had an ASP.NET MVC 4 web application that requires a Windows Authentication implementation for users who are granted permission to log in to my company web server. So, I have some questions regarding Windows Authentication. I am using Visual Studio 2012.

  • How does Windows Authentication work?

  • How do I implement Windows Authentication correctly in the web.config file?

  • How do I test if the Windows Authentication really works for my ASP.NET MVC 4 web site? In other words, how do I test it on my local development PC with local IIS (version 8), and on my company real web server with IIS version 7?

Peter Mortensen
Thomas.Benz
  • This shouldn't be any different than testing it in a web forms application. – Jacob Jun 20 '13 at 21:34
  • @jacob, thanks for your reply. Can you give me some more details? – Thomas.Benz Jun 20 '13 at 22:14
  • 1
    If you are using IIS Express to run locally you'll probably need to check out this post as well. http://stackoverflow.com/questions/4762538/iis-express-windows-authentication – thinklarge Jun 24 '15 at 15:20

3 Answers

34

For IIS 8.5 and MVC 4:

How does Windows Authentication work?

In this mode, User.Identity (as in HttpContext.Current.User.Identity) is populated by the underlying web server. This might be IIS Express, as the link from @R Kumar demonstrated, or full-blown IIS, as in the video by @Thomas Benz.

Specifically, User.Identity is a WindowsIdentity object. E.g. the following cast will work:

```csharp
// WindowsIdentity lives in System.Security.Principal
WindowsIdentity clientId = (WindowsIdentity)HttpContext.Current.User.Identity;
```

How do I implement Windows Authentication correctly in the web.config file?

```xml
<system.web>
  <authentication mode="Windows" />
  ...
</system.web>
```

How do I test if the Windows Authentication really works for my ASP.NET MVC 4 web site? In other words, how do I test it on my local development PC with local IIS (version 8), and on my company real web server with IIS version 7?

First, change the ASP.NET authorization to exclude the current user. E.g.

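```xml
<system.web>
  <authentication mode="Windows" />
  <authorization>
    <!-- Rules are evaluated top to bottom: allow one account, deny everyone else -->
    <allow users="yourdomain\someotheruser" />
    <deny users="*" />
  </authorization>
</system.web>
```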

Second, enable Windows Authentication for your site using IIS Manager. It's under the 'Authentication' feature. And disable anonymous authentication.

Note that older explanations will suggest you make changes under element of your site's web.config. However, recent IIS implementations prevent this for security reasons.

Third, point your browser at the webpage. The browser should ask you to provide credentials, because the current user is not allowed access to the website. Provide the ones that are authorized for the site, and your MVC code should run.

Fourth, check the user identity. E.g.

```csharp
// WindowsIdentity lives in System.Security.Principal
WindowsIdentity clientId = (WindowsIdentity)HttpContext.Current.User.Identity;
```
Donal Lafferty
  • 14
    For anyone reading this, please don't use the `` tag for production security, [lock down paths correctly](http://stackoverflow.com/questions/11765030/how-to-lock-down-paths-in-asp-net-mvc). – Erik Philips Mar 16 '15 at 22:27
  • Liiiiiitle late but are you able to summarize how it actually works? How does the target server know the account that my local computer is running? I don't see it in the request headers. – Marie Apr 15 '19 at 16:04
  • 2
    @Marie IIRC, you can only login on to an account that the WebServer machine knows about. That machine will have access to a list of users local to the WebServer or a list of users for a domain via ActiveDirectory. – Donal Lafferty Apr 16 '19 at 10:20
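
The test steps in this answer can also be run from a small client, which makes the handshake visible: the first request carries no account information, the server answers 401 with a `WWW-Authenticate` challenge, and only then does the client repeat the request with an `Authorization` header. This is an added example, not code from the answer; the default URL is a placeholder for your own test site.

```csharp
using System;
using System.Net;
// Added example. The default URL is a placeholder for your own test site.
static class WindowsAuthProbe
{
    static HttpWebResponse Send(string url, bool useWindowsLogon)
    {
        var req = (HttpWebRequest)WebRequest.Create(url);
        req.AllowAutoRedirect = false;
        req.UseDefaultCredentials = useWindowsLogon; // false = send no credentials
        try { return (HttpWebResponse)req.GetResponse(); }
        catch (WebException ex)
        {
            // 401/403 surface as exceptions; the response is still attached.
            var resp = ex.Response as HttpWebResponse;
            if (resp == null) throw; // DNS, connect or TLS failure
            return resp;
        }
    }
    static bool IsIntegrated(string challenge)
    {
        return challenge.StartsWith("Negotiate", StringComparison.OrdinalIgnoreCase)
            || challenge.StartsWith("NTLM", StringComparison.OrdinalIgnoreCase);
    }

    static int Main(string[] args)
    {
        string url = args.Length > 0 ? args[0] : "http://localhost/MyMvcApp/";
        // Step 1: no credentials. With anonymous access disabled, IIS must
        // answer 401 and offer Negotiate and/or NTLM.
        using (var anon = Send(url, false))
        {
            var offered = anon.Headers.GetValues("WWW-Authenticate") ?? new string[0];
            Console.WriteLine("no credentials -> {0} [{1}]", (int)anon.StatusCode, string.Join(", ", offered));
            if (anon.StatusCode != HttpStatusCode.Unauthorized
                || !Array.Exists(offered, IsIntegrated))
                return 1; // anonymous still enabled, or Windows auth not offered
        }

        // Step 2: current Windows logon. 200 = authenticated and authorized;
        // 401 = the account is denied by the authorization rules.
        using (var me = Send(url, true))
        {
            Console.WriteLine("current logon -> {0}", (int)me.StatusCode);
            return me.StatusCode == HttpStatusCode.OK ? 0 : 2;
        }
    }
}
```

With the answer's test configuration in place (the current user excluded), exit code 2 from step 2 is the expected result; it becomes 0 once the account is allowed.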
10

I have done this with ASP.NET MVC 1.0. That was a relatively long time ago. I remember the IIS settings being confusing. I just did some checking, and it does not look like things have changed much to ASP.NET MVC 4.0 as far as attributes on the controllers.

For your questions:

  1. How does it work? The following references pretty much sum things up pretty well. Authenticating Users with Windows Authentication (C#) is NOT exactly right for ASP.NET MVC 4.0, but it has some background.

    How to Create an Intranet Site Using ASP.NET MVC is for ASP.NET MVC 3.0.

    I am too new to post more than two links, so you will have to search MSDN for "AuthorizeAttribute Class" for .NET Framework 4.

  2. What settings for web.config? - I just remember changing one element, "authentication mode".

  3. As far as testing, my Windows OS versions matched better, and my development machine was on the same Windows domain. But if I remember correctly, this just worked. YMMV, but one thing I do remember considering was implementing my own authorization. Maybe that is an avenue for your case, to roll your own, and then switch to Windows authentication in production. But I would suggest a couple of test iterations with a test server if you can set one up on the company domain.

Peter Mortensen
BillH
  • Thank you very much for your very kind words and help. I found an online video (see below) that is helpful to me, and his video works for me. So, I close this thread. – Thomas.Benz Jun 21 '13 at 21:34
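
For the attribute-based approach this answer refers to (`AuthorizeAttribute`), combined with the `WindowsIdentity` check from the first answer, here is an added example that is not code from either answer. The controller name and the `CONTOSO\WebAppAdmins` group are hypothetical, and it assumes the default setup where no custom role provider is enabled.

```csharp
using System.Security.Principal;
using System.Web.Mvc;

// Added example. Controller name and CONTOSO\WebAppAdmins are hypothetical.
public class WhoAmIController : Controller
{
    // Diagnostic action for the test phase: reports what IIS passed to ASP.NET.
    public ActionResult Index()
    {
        // "as" rather than a hard cast: with Forms authentication the identity
        // is not a WindowsIdentity and the cast would throw.
        var id = User.Identity as WindowsIdentity;
        if (id == null)
            return Content("Not Windows authentication: " + User.Identity.GetType().Name, "text/plain");
        if (id.IsAnonymous)
            return Content("Anonymous: anonymous authentication is still enabled in IIS", "text/plain");

        return Content(string.Format("Name={0}\nAuthenticationType={1}\nIsGuest={2}",
            id.Name, id.AuthenticationType, id.IsGuest), "text/plain");
    }

    // Any authenticated Windows account; unauthenticated callers get a 401.
    [Authorize]
    public ActionResult Members()
    {
        return Content("Hello " + User.Identity.Name, "text/plain");
    }

    // Only members of one Windows group (checked through User.IsInRole).
    [Authorize(Roles = @"CONTOSO\WebAppAdmins")]
    public ActionResult AdminOnly()
    {
        return Content("Group check passed for " + User.Identity.Name, "text/plain");
    }
}
```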
9

I found a helpful video that was very useful to me; it shows step by step how to implement and test Windows authentication for an ASP.NET MVC web site. So, I close this question.

Video from a very kind poster:

How to implement windows authentication in ASP.NET MVC 3 ( Model view controller) application?

Peter Mortensen
Thomas.Benz