I gave up on implementing Windows and Forms authentication modes in the same project; I encountered infinite login loops, authorization errors and nightmarish spaghetti code.

I'm keeping Forms authentication / RoleProvider just as-is, but my idea is to trigger Windows authentication inside the HttpPost for the ActionResult Login: the user would enter their domain username and press the login button, then the text input is compared against the HttpContext identity; if it matches, prompt Windows authentication, and if the login is successful, redirect to the corresponding admin/user web pages (getting the role from a SQL table).

This is a vague idea I pseudo-coded.

[HttpPost]
public ActionResult Login (usuario u, string retornaUrl) {
    // Windows identity established by IIS, e.g. "DOMAIN\user"; keep only the part after the backslash
    string userDomWin = System.Web.HttpContext.Current.Request.LogonUserIdentity.Name;
    string userWin = userDomWin.Substring (userDomWin.IndexOf ("\\") + 1);

    // Look the Windows account up in the allowed-users table
    var usuarioSys = (from d in db.usuario where d.usuarioDom == userWin select d.usuarioDom).FirstOrDefault ();

    if (usuarioSys != null) {
        //TRIGGER WINDOWS AUTH (pseudocode placeholder: the Windows credential check this question asks about)
        bool WINDOWSAUTH = false;

        if (WINDOWSAUTH) {
            Session["uname"] = usuarioSys.ToString ();
            return Redirect ("~/Home/Index");
        } else {
            TempData["Message"] = "UNAUTHORIZED.";
            return Redirect ("~/Account/Login");
        }
    }

    return View ();
}

Can you implement something equivalent?

Rayén

2 Answers

0

Your problem might be more complex than that, but from what you posted, it is normal that your users are redirected to the login page even after validating all of your login (SQL & Windows), as you did not add the forms cookie to the response. If that is the source of the problem, here is my code for returning the (encrypted) forms cookie:

            // requires: using System.Web.Security;
            // ticket version 2, valid 480 minutes, persistent; the role travels in UserData
            FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
                   2,
                   userName,
                   DateTime.Now,
                   DateTime.Now.AddMinutes(480),
                   true,
                   role,
                   FormsAuthentication.FormsCookiePath);

            // encrypt the ticket and hand it to the browser under the configured forms cookie name
            string encTicket = FormsAuthentication.Encrypt(ticket);
            var response = System.Web.HttpContext.Current.Response;
            response.Cookies.Add(new HttpCookie(FormsAuthentication.FormsCookieName, encTicket));
            return RedirectToAction("Index", "Home");

Hope it helps.

Damien Chaudois
  • In Forms mode I had no problem; it's directly related to the Windows authentication mode, which I implement as the first security layer. – Rayén Mar 05 '20 at 15:12
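A complete version of the flow this answer describes, as an added example that is not the answer's or the question's code: the Login action takes the Windows identity IIS has already established, checks it against the question's usuario.usuarioDom allow-list table with a parameterized query, and only then writes the encrypted forms cookie, with HttpOnly/Secure set and the return URL restricted to local paths. The connection string name AppDb and the role column rol are assumptions.

```csharp
using System;
using System.Configuration;
using System.Data.SqlClient;
using System.Web;
using System.Web.Mvc;
using System.Web.Security;

public class AccountController : Controller
{
    // Hypothetical connection string name; table usuario / column usuarioDom come from the question, column rol is assumed.
    private static readonly string ConnStr = ConfigurationManager.ConnectionStrings["AppDb"].ConnectionString;

    [HttpPost]
    public ActionResult Login(string retornaUrl)
    {
        // Identity negotiated by IIS through Windows authentication (Kerberos/NTLM), not a form field.
        var winId = Request.LogonUserIdentity;
        if (winId == null || !winId.IsAuthenticated)
            return new HttpUnauthorizedResult();
        string account = winId.Name;                                  // "DOMAIN\user"
        string user = account.Substring(account.IndexOf('\\') + 1);

        // Authorization: the account must be in the allow-list table (parameterized query, no string concatenation).
        string role = LookupRole(user);
        if (role == null)
        {
            TempData["Message"] = "UNAUTHORIZED.";
            return RedirectToAction("Login");
        }

        // Issue the forms ticket carrying the SQL role; HttpOnly keeps it from script, Secure off plain HTTP.
        var ticket = new FormsAuthenticationTicket(2, user, DateTime.Now,
            DateTime.Now.AddMinutes(480), false, role, FormsAuthentication.FormsCookiePath);
        Response.Cookies.Add(new HttpCookie(FormsAuthentication.FormsCookieName,
            FormsAuthentication.Encrypt(ticket)) { HttpOnly = true, Secure = Request.IsSecureConnection });

        // Only follow a local return URL so the login cannot act as an open redirect.
        if (Url.IsLocalUrl(retornaUrl)) return Redirect(retornaUrl);
        return RedirectToAction("Index", "Home");
    }

    private static string LookupRole(string user)
    {
        using (var cn = new SqlConnection(ConnStr))
        using (var cmd = new SqlCommand("SELECT rol FROM usuario WHERE usuarioDom = @u", cn))
        {
            cmd.Parameters.AddWithValue("@u", user);
            cn.Open();
            return cmd.ExecuteScalar() as string;   // null when the account is not listed
        }
    }
}
```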
0

I'm not sure how your project's web.config is set up, but be sure to check that you have the authentication mode set to Forms:

<system.web>
    <authentication mode="Forms">
       <forms loginUrl="Home/Login"></forms>
    </authentication>
</system.web>

As for why MVC authentication/authorization is difficult to set up and often has issues, there was a very useful thread that clarified that for me.

Personally, at least for internal applications, I prefer to use Windows authentication, setting up my own function to check against Active Directory groups on the domain where the app is deployed. The reason is that, for internal apps, the "current user" is usually identified by whatever unique employee ID they are logged in as, so it is easier for the app to check against authorized Active Directory groups to see whether they should or shouldn't access it.

C Murphy
  • I would love to manage users through AD, but due to security policies I can't manage any form of group. Also, management is complicated because "allowed users" rotate on a monthly basis; maintaining the group is more manual labor than updating data in a SQL table. – Rayén Mar 05 '20 at 15:29
  • So is your intention to have a SQL table with allowed users, then? Because if so, you would just need to check who the end user is, via (System.Web.HttpContext.Current.Request.LogonUserIdentity.Name), and call a stored proc to see whether they are in that table or not. Apply that same logic as a function call at the beginning of every ActionResult to ensure only authorized people can access your app. If you would like to see some sample code, let me know and I can edit my original answer. – C Murphy Mar 05 '20 at 15:32
  • Yes, that's why I get the name using `string userDomWin = System.Web.HttpContext.Current.Request.LogonUserIdentity.Name.ToString ().Substring ((HttpContext.User.Identity.Name.ToString ().IndexOf ("\\")) + 1);` and then compare it against the allowed-users table, BUT I also need to validate them with their Windows password, for the case where some userX is using userY's computer. If you have a workaround I'd be so thankful. – Rayén Mar 05 '20 at 15:50
  • If you are concerned about another user using someone else's computer, then you shouldn't be using Windows authentication, as the whole point of Windows authentication is using the Windows user account of whoever is logged on to the computer accessing your app in the first place (although that's more of an escalation-of-privs security concern). As mentioned in my answer, be sure you have the authentication method set to Forms. – C Murphy Mar 05 '20 at 16:42
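The per-action check C Murphy describes in the comments, as an added example that is not part of any answer: an AuthorizeAttribute that refuses a request unless the Windows identity IIS sees still matches the user the forms cookie was issued to, then delegates the Users/Roles check to the base class (the RoleProvider the question keeps). The attribute name is hypothetical.

```csharp
using System;
using System.Web;
using System.Web.Mvc;

// Hypothetical attribute name. Apply as [WindowsBoundAuthorize] or [WindowsBoundAuthorize(Roles = "admin")]
// on controllers/actions instead of calling a check at the top of every ActionResult.
public class WindowsBoundAuthorizeAttribute : AuthorizeAttribute
{
    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        // Identity negotiated by IIS (Kerberos/NTLM); null or unauthenticated when the request was anonymous.
        var winId = httpContext.Request.LogonUserIdentity;
        if (winId == null || !winId.IsAuthenticated) return false;

        // Principal the forms-authentication module built from the encrypted cookie.
        var formsUser = httpContext.User;
        if (formsUser == null || !formsUser.Identity.IsAuthenticated) return false;

        // Bind the two: the cookie must belong to the account currently logged on to Windows,
        // so a ticket issued under one logon is rejected when presented from another.
        string account = winId.Name;                                   // "DOMAIN\user"
        string winUser = account.Substring(account.IndexOf('\\') + 1);
        if (!string.Equals(winUser, formsUser.Identity.Name, StringComparison.OrdinalIgnoreCase))
            return false;

        // Users/Roles properties are still honoured through the configured RoleProvider.
        return base.AuthorizeCore(httpContext);
    }

    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        // An authenticated but unauthorized user gets 403; redirecting them back to the login page
        // is what produces the infinite login loop the question describes.
        var user = filterContext.HttpContext.User;
        if (user != null && user.Identity.IsAuthenticated)
            filterContext.Result = new HttpStatusCodeResult(403);
        else
            base.HandleUnauthorizedRequest(filterContext);
    }
}
```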