1

Windows Authentication Enabled, Anonymous Disabled. When a user comes into the site, I check to see if they are a user of the site. If they are not, I want to handle them as Unauthorized. However, Chrome keeps re-prompting them for username and password rather than sending them to an error page. The user should never be prompted for username/password because automatic Windows Auth is on and anonymous is off.

Controller:

    public async Task<IActionResult> Login()
    {
        if (await IsValidUser())
        {
            return RedirectToAction("Index");
        }
        else
        {
            return new UnauthorizedResult();
        }
    }

Startup

    app.UseStatusCodePages(async context =>
    {
        var response = context.HttpContext.Response;

        await context.HttpContext.Response.WriteAsync(
            "Status code page, status code: " +
            context.HttpContext.Response.StatusCode);

        response.Redirect("~/Account/AccessDenied");
    });

ArunPratap
Kevin D

2 Answers

0

Even though you are targeting Chrome, internet security settings are still in effect. There doesn't seem to be any problem with your code in regard to your question (was there a question, btw?). Please review this link and understand it doesn't tell you what the consequences of that change may be. This is better suited for SuperUser, not Stack Overflow.

Oxymoron
  • Sorry. My question was how do I gracefully reject my intranet users who have access to this site (anyone with Windows Authentication can get in), but are not authorized to use it? I will check out SuperUser, thanks. – Kevin D Mar 14 '19 at 10:29
0

The first question is whether the user is authenticated with AD in the .NET Core application. If not authenticated (wrong credentials), IMO the prompt is browser behavior: when Windows Authentication is enabled and Anonymous is disabled, this authentication happens at the web server before your application code is ever reached, so IIS takes care of the authentication before the request is passed to ASP.NET, and the request will never reach the error page.

The workaround may be to use Forms Authentication with AD Membership Providers. The thread below provides code samples, but I haven't tested them:

.net Core Authentication

If the user is authenticated and you want to do authorization, you can click here for a code sample, and of course you can redirect the user to an error page if authorization fails.

Nan Yu
  • My question/post was unclear. But I should have been using Claims all along. I was using Roles, but that added unnecessary overhead. Everything I needed to do could be accomplished simpler by assigning claims to the users. (AD Roles were not an option in my organization) – Kevin D Mar 14 '19 at 14:06
  • @KevinD, so use roles, what is the problem? – Nan Yu Mar 15 '19 at 01:33
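
An added example, not code from the question or either answer: a 401 carries an authentication challenge, which is what makes the browser prompt, whereas an authenticated Windows user who fails an authorization policy gets a 403 that can be routed to an error page. It assumes ASP.NET Core 2.2 MVC behind IIS; `SiteUserClaims`, the `SiteUser` claim and policy, the sample accounts and the `HomeController` routes are hypothetical.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Server.IISIntegration;
using Microsoft.Extensions.DependencyInjection;

// Hypothetical: tags Windows users who belong to the site with a "SiteUser" claim.
public class SiteUserClaims : IClaimsTransformation
{
    // Constructed sample accounts; stands in for the question's IsValidUser() lookup.
    private static readonly HashSet<string> Members =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { @"CORP\alice", @"CORP\bob" };

    public Task<ClaimsPrincipal> TransformAsync(ClaimsPrincipal principal)
    {
        // May run more than once per request, so only add the claim if it is missing.
        if (principal.Identity?.Name is string name && Members.Contains(name)
            && !principal.HasClaim("SiteUser", "true"))
            principal.AddIdentity(new ClaimsIdentity(new[] { new Claim("SiteUser", "true") }));
        return Task.FromResult(principal);
    }
}

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddAuthentication(IISDefaults.AuthenticationScheme);
        services.AddSingleton<IClaimsTransformation, SiteUserClaims>();
        services.AddAuthorization(o => o.AddPolicy("SiteUser", p => p.RequireClaim("SiteUser", "true")));
        services.AddMvc();
    }
    public void Configure(IApplicationBuilder app)
    {
        app.UseStatusCodePagesWithReExecute("/Home/AccessDenied"); // re-runs pipeline for body-less 4xx/5xx
        app.UseAuthentication();
        app.UseMvcWithDefaultRoute();
    }
}

public class HomeController : Controller
{
    [Authorize(Policy = "SiteUser")] // authenticated non-members get 403 (Forbid), not 401
    public IActionResult Index() => Content("Welcome");
    public IActionResult AccessDenied() => Content("You are not authorized to use this site.");
}
```

The `AccessDenied` action carries no policy, so any Windows-authenticated user can reach it, and the re-executed response keeps the original 403 status.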