
I have a web portal for employees to update their details. People log in there with their Active Directory credentials and I set an OWIN cookie for authentication. This is all done through an MVC login page, nothing to do with Windows Authentication on IIS.

Now the company browser is Internet Explorer, and it is configured to log in automatically to other Windows Authentication sites without prompting for a password. That happens when people are using a company PC and are logged into their domain accounts. If they are working from home, a Basic Authentication prompt asks for credentials on these systems.

Now I would like to implement automatic authentication when users are logged into their Windows domain accounts from work PCs, and present them with the login page if they are working from home.

I know about the 401 challenge and authentication negotiation, but I have never initiated this through ASP.NET. I've seen solutions where the user is redirected to a page where IIS is configured for Windows Authentication, but I want this done without IIS configuration. Also, I remember seeing somebody mention a solution where a page is loaded into an <iframe> where basic authentication is checked, and if authentication through that is successful, the already authenticated user is redirected to a landing page.

So my question comes down to: Is there a way to initiate (and complete) 401 challenge for basic authentication on a specific action of a controller? And then hook into Controller.User.Identity property to set OWIN cookie?

UPD: As per comments: I want Kerberos (Windows Authentication) to work when users are on the domain network, so they are automatically logged in. But I don't want Windows Authentication to take place when users are not on the domain network; instead I want a custom login page with options for password reset and register (given employee validation).

trailmax
  • Use VPN and have the users enter the corporate network. They will find the KDCs and authenticate via Kerberos. – Michael-O May 02 '16 at 11:17
  • @Michael-O VPN is out of the question. Users are already using Terminal Server (RDP) to log in to their domain. – trailmax May 02 '16 at 11:22
  • If they are already in the network, you have a network setup problem. Consider that native Microsoft solutions never use LDAP bind but Kerberos/NTLM, etc. – Michael-O May 02 '16 at 11:47
  • @Michael-O Network is fine. I want to log them in automatically when they are on the domain network. Or I want to present a nice login page when they are not on the network. And none of the horrible Windows authentication credentials prompt when automatic login is not possible. – trailmax May 02 '16 at 11:50
  • Again, if Kerberos does not work, you *do* have a network problem. You should run Wireshark on the client's machine when the autologin does not work. – Michael-O May 02 '16 at 12:00
  • @Michael-O Kerberos works. I only want Kerberos when users are on the domain network. And when they are not, use a custom-made authentication page. I don't want Kerberos when they are not on the network because: the interface is blocking and ugly; it is not possible to provide users with options like password reset or register. – trailmax May 02 '16 at 13:06
  • Clear now, your description wasn't obvious enough about this. – Michael-O May 02 '16 at 13:35

1 Answer


If I read your question properly, you might want to do something like the following...

1) Create 2 Authorization filters: one that uses AD and one that uses BasicAuthentication

2) Put them in the order you want. In your case, if I understood correctly, you want to check AD first. If AD authentication fails, you fail over to the Basic one (that's where you implement the 401 challenge). To make sure the filters are executed in the order you want, pay attention to the Order property on filters: https://msdn.microsoft.com/en-us/library/gg401854%28v=vs.98%29.aspx

3) Whatever filter you end up in (AD or BasicAuth), you can set your OWIN cookie from there

Hope that helps.

dee zg
  • Problem is with implementation of BasicAuthentication filter. How do you do it? – trailmax May 03 '16 at 09:14
  • Can you be a bit more specific, please? What exactly is the problem with it? You don't have a general idea how to do it or something particular about it? – dee zg May 03 '16 at 09:20
  • Here is one example of how it can be done: http://www.ryadel.com/en/http-basic-authentication-asp-net-mvc-using-custom-actionfilter/ – dee zg May 03 '16 at 09:22
  • I did not know the general idea of how to do it. But given your link - looks very simple. – trailmax May 03 '16 at 09:30
  • Yes, it's pretty straightforward. You just hook up a filter into the request pipeline and check whatever you need to (in this case, it's Basic authentication headers) and serve back results based on the check. – dee zg May 03 '16 at 09:32
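
Added example, not code from the answer above or from the linked article: an MVC 5 authentication filter for the Basic fallback step the answer describes, which validates the submitted credentials against the domain and then issues the OWIN cookie. The attribute name, the realm and the "ApplicationCookie" authentication type are assumptions; the authentication type has to match the one in your own OWIN cookie configuration.

```csharp
using System;
using System.DirectoryServices.AccountManagement;
using System.Security.Claims;
using System.Text;
using System.Web;
using System.Web.Mvc;
using System.Web.Mvc.Filters;
// Hypothetical filter name; apply as [BasicChallenge(Order = 2)] on a single action.
public class BasicChallengeAttribute : FilterAttribute, IAuthenticationFilter
{
    public void OnAuthentication(AuthenticationContext ctx)
    {
        var request = ctx.HttpContext.Request;
        if (request.IsAuthenticated) return;             // OWIN cookie already accepted
        string user, password;
        // Basic credentials are only base64-encoded, so refuse them outside TLS.
        if (!request.IsSecureConnection
            || !TryParse(request.Headers["Authorization"], out user, out password)
            || !IsValidDomainUser(user, password))
        { ctx.Result = new HttpUnauthorizedResult(); return; }
        // "ApplicationCookie" is assumed to be the configured cookie authentication type.
        var identity = new ClaimsIdentity(new[] { new Claim(ClaimTypes.Name, user) }, "ApplicationCookie");
        ctx.HttpContext.GetOwinContext().Authentication.SignIn(identity);
        ctx.Principal = new ClaimsPrincipal(identity);   // surfaces as Controller.User
    }
    public void OnAuthenticationChallenge(AuthenticationChallengeContext ctx)
    {
        // Only the 401 set above gets the challenge header; "portal" is a constructed realm.
        if (ctx.Result is HttpUnauthorizedResult)
            ctx.HttpContext.Response.AddHeader("WWW-Authenticate", "Basic realm=\"portal\"");
    }
    static bool TryParse(string header, out string user, out string password)
    {
        user = password = null;
        if (header == null || !header.StartsWith("Basic ", StringComparison.OrdinalIgnoreCase)) return false;
        try
        {
            var pair = Encoding.UTF8.GetString(Convert.FromBase64String(header.Substring(6).Trim()));
            var colon = pair.IndexOf(':');               // split on the first ':' only
            if (colon <= 0) return false;                // no separator or empty user name
            user = pair.Substring(0, colon); password = pair.Substring(colon + 1);
            return true;
        }
        catch (FormatException) { return false; }        // malformed base64 is just "no credentials"
    }
    static bool IsValidDomainUser(string user, string password)
    {
        using (var ad = new PrincipalContext(ContextType.Domain)) return ad.ValidateCredentials(user, password);
    }
}
```

If the OWIN cookie middleware is configured with a LoginPath, it turns a 401 into a redirect to that page, so the browser only sees the Basic challenge when that redirect is suppressed for this action.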