0

I have a project where Windows Authentication and Forms login are required. I came across OWIN Mixed Authentication which seems to meet my requirements.

Before implementing into my own project I tried running the sample solution from the source link.

I debugged the solution using IIS Express, and when I entered my credentials into the Windows authentication dialog my correct credentials were found in the logonUserIdentity variable.

But when I set up a local IIS site and set the following feature delegation property as stated in the readme file:

Authentication - Windows to Read/Write  

When I entered my credentials into the Windows authentication dialog, NT AUTHORITY\IUSR came through in the logonUserIdentity variable instead of the username I entered in the dialog.

I feel this is happening because AllowAnonymous is enabled on the IIS site, but it's needed to stop a login loop that occurs because of the CookieAuthentication within the Startup.Auth class.

How should I be setting up my IIS site so that the Windows credential dialog passes through the entered credentials and not NT AUTHORITY\IUSR?

Bad Dub
  • 1,503
  • 2
  • 22
  • 52

2 Answers

0

> I debugged the solution using IIS Express and when I entered my credentials into the windows authentication dialog my correct credentials were found in the logonUserIdentity variable.

As far as I know, IIS Express uses the current computer login account as the anonymous login account, so you will find the logonUserIdentity is right. You could try to log in to the application with a different domain account; you will find it still uses the current computer login account and does not change to the login user account.

Since the mixed auth allows multiple ways to log in, you should always enable anonymous login to let in the people who don't have a domain account.

The mixed OWIN auth uses ASP.NET Identity external login to achieve login with Windows. The ASP.NET Identity external login will first go to the MixedAuth provider to check the Windows auth result.

If it succeeds, it will go back to the account controller's ExternalLoginCallback method with the Windows info, and using this info Identity will generate an identity user.

In my opinion, if you want to get the currently logged-in user, I suggest you try using the session to store the Windows logged-in user's account in the ExternalLoginCallback method.

For more details, you could refer to the code below:

    [AllowAnonymous]
    public async Task<ActionResult> ExternalLoginCallback(string returnUrl)
    {
        // Ask the OWIN middleware for the external (here: Windows) login result.
        var loginInfo = await AuthenticationManager.GetExternalLoginInfoAsync();

        // Check for null before touching loginInfo; a missing external login
        // (e.g. the Windows challenge was not completed) must not throw here.
        if (loginInfo == null)
        {
            return RedirectToAction("Login");
        }

        // Keep the Windows account name that the provider reported for later use.
        Session["LoginonUsername"] = loginInfo.DefaultUserName;

        // Sign in the user with this external login provider if the user already has a login
        var result = await SignInManager.ExternalSignInAsync(loginInfo, isPersistent: false);
        switch (result)
        {
            case SignInStatus.Success:
                return RedirectToLocal(returnUrl);
            case SignInStatus.LockedOut:
                return View("Lockout");
            case SignInStatus.RequiresVerification:
                return RedirectToAction("SendCode", new { ReturnUrl = returnUrl, RememberMe = false });
            case SignInStatus.Failure:
            default:
                // If the user does not have an account, then prompt the user to create an account
                ViewBag.ReturnUrl = returnUrl;
                ViewBag.LoginProvider = loginInfo.Login.LoginProvider;
                return View("ExternalLoginConfirmation", new ExternalLoginConfirmationViewModel { Email = loginInfo.Email });
        }
    }

Result:


Brando Zhang
  • 22,586
  • 6
  • 37
  • 65
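Because anonymous authentication stays enabled on the site, the identity IIS hands to the application may be the anonymous account rather than the user who typed into the dialog (the NT AUTHORITY\IUSR symptom in the question). The helper below is an added example, not code from the question, the answer or the OWIN MixedAuth project; `WindowsLogonCheck` and `GetAuthenticatedUser` are hypothetical names, and it assumes you pass it the `Request.LogonUserIdentity` that IIS populates.

```csharp
using System;
using System.Security.Principal;

// Hypothetical helper (added example): accept a Windows identity only when it
// represents a real authenticated logon, never the anonymous/guest account that
// anonymous authentication maps unauthenticated requests to.
public static class WindowsLogonCheck
{
    // Default account IIS uses for anonymous requests.
    private const string AnonymousAccount = @"NT AUTHORITY\IUSR";

    // Returns the account name when the identity is usable, otherwise null.
    public static string GetAuthenticatedUser(WindowsIdentity logonUserIdentity)
    {
        if (logonUserIdentity == null)
            return null;

        // The anonymous identity is never a user who typed credentials.
        if (logonUserIdentity.IsAnonymous || !logonUserIdentity.IsAuthenticated)
            return null;

        // Guest logons carry no real credentials either.
        if (logonUserIdentity.IsGuest)
            return null;

        // Belt and braces: reject the anonymous account by name as well, so a
        // misconfigured site cannot smuggle IUSR through as a "logged-in" user.
        if (string.Equals(logonUserIdentity.Name, AnonymousAccount, StringComparison.OrdinalIgnoreCase))
            return null;

        return logonUserIdentity.Name;
    }

    // Stand-alone check: the anonymous identity is rejected, the process
    // identity (a real logon on a Windows box) is accepted.
    public static void Main()
    {
        Console.WriteLine(GetAuthenticatedUser(WindowsIdentity.GetAnonymous()) ?? "(rejected)");
        Console.WriteLine(GetAuthenticatedUser(WindowsIdentity.GetCurrent()) ?? "(rejected)");
    }
}
```

In the MVC controller, call `WindowsLogonCheck.GetAuthenticatedUser(Request.LogonUserIdentity)` and treat a null result as "no Windows user", falling back to the forms login instead of storing the name in the session.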

0

My IIS site binding was set to http://projectname

When I changed the binding on the IIS site to http://localhost or http://pcname it was allowing me to pass through the correct windows credentials.

Bad Dub
  • 1,503
  • 2
  • 22
  • 52