When I use OWIN authentication out-of-the-box, the Request.LogonUserIdentity on the AccountController is always the IIS user the site is deployed to instead of the user who actually made the request. This is with both Anonymous and Windows auth enabled on the server. If I turn Anonymous access off, the Request.LogonUserIdentity is the one I expect.

What I want to do, based on a database setting, is perform a Windows login against a third-party system on that same server, which means that I need to impersonate the user making the HTTP Request, but I also need the option to allow Anonymous login. But because that user is ALWAYS the IIS user this doesn't work. Is there some way I can access the actual user making the request at this point in the authentication process? Or do I need to implement some type of handler to preprocess the raw requests?

I have no idea where to begin. Any help pushing in the right direction would be very helpful.

Andrew

1 Answer

I was able to cobble together a pretty decent implementation using the techniques found in this project https://github.com/MohammadYounes/MVC5-MixedAuth.

Andrew
  • Is there a way to do this without the use of Session? I'm trying to implement this on WebAPI. – Yashvit Aug 07 '14 at 07:45
  • @Yash Yes! Check out the new OWIN mixed auth https://github.com/MohammadYounes/OWIN-MixedAuth – MK. Oct 21 '14 at 12:21
  • Great. Looks like you have an update. Just to be sure, will this work if I'm not using ASP.NET Identity (Identity DbContext etc.)? The user data persistence is handled by own BL and I use the Owin IAuthenticationManager to set the cookies. – Yashvit Oct 23 '14 at 06:45
  • @Yash It's supposed to! It behaves the same as any other provider. You can test, and if you face any trouble, feel free to open a new issue at the repo. – MK. Oct 26 '14 at 08:00
  • @CiaranGallagher Unfortunately, no. Proprietary code I wrote years ago that I no longer have access to. Have you taken a look at this? https://stackoverflow.com/a/30125516/816182 From what I recall it seems pretty similar to what I did. – Andrew Apr 27 '18 at 11:35
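
An added example, not part of the original posts and not code from the linked projects: one way to read the caller's Windows identity on a single route while the rest of the site stays anonymous, building on the question's observation that Request.LogonUserIdentity is correct once Anonymous is off. The route Account/WindowsLogin and the helper CallThirdPartySystem are hypothetical, and the sketch assumes the IIS authentication sections are unlocked so a `<location>` override is allowed.

```csharp
// Added example; the route and helper names are hypothetical.
//
// web.config: disable Anonymous for ONE path only, so IIS runs the Windows
// handshake there while every other URL keeps accepting anonymous requests.
//
//   <location path="Account/WindowsLogin">
//     <system.webServer><security><authentication>
//       <anonymousAuthentication enabled="false" />
//       <windowsAuthentication enabled="true" />
//     </authentication></security></system.webServer>
//   </location>

using System.Net;
using System.Security.Principal;
using System.Web.Mvc;

public class AccountController : Controller
{
    [HttpGet]
    public ActionResult WindowsLogin()
    {
        // IIS leaves LOGON_USER empty when the request came in anonymously.
        // If the <location> override is missing or locked, LogonUserIdentity
        // is the IIS account again, so fail closed instead of impersonating it.
        string logonUser = Request.ServerVariables["LOGON_USER"];
        WindowsIdentity caller = Request.LogonUserIdentity;
        if (string.IsNullOrEmpty(logonUser) || caller == null || !caller.IsAuthenticated)
        {
            return new HttpStatusCodeResult(HttpStatusCode.Forbidden);
        }

        string result;
        // Impersonate only around the third-party call; disposing the
        // context reverts the thread to the application pool identity.
        using (WindowsImpersonationContext ctx = caller.Impersonate())
        {
            result = CallThirdPartySystem();
        }
        return Content(result);
    }

    // Hypothetical stand-in for the Windows login against the third-party
    // system; here it only reports which account the call ran as.
    private static string CallThirdPartySystem()
    {
        return WindowsIdentity.GetCurrent().Name;
    }
}
```

Keeping the impersonated scope to the single call limits how much code runs with the caller's token, and the empty LOGON_USER check keeps a misconfigured server from silently acting as the IIS account.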