I have developed a web app in ASP.NET MVC which we are using internally. Now we want to make it available through our server on the internet -- to make life easier when we're doing jobs on site.

Ideally I'd like to just stick Windows authentication in front of it, so that anyone with a domain account can log in.

The problem is that I'm already using forms authentication in the app.

We don't have any password restrictions for the app, you simply select the user you wish to log in as and then submit the form. On the server side it just does this -

    FormsAuthentication.SetAuthCookie(viewModel.Username, true);

This makes the user's name available throughout all controllers and views using the User object (user.identity.name).

However... when I enable Windows authentication in IIS, the web app starts thinking that user.identity.name is "ourdomain\domainuser".

What I'd like is to use forms authentication in conjunction with windows authentication, but not have them integrate in any way.

Is there a simple way to achieve this?

NoPyGod

2 Answers

The ASP.NET team doesn’t officially support using mixed-mode authentication in an application. If you search the web, you’ll find blog posts on how to do this, but please note that they’re discouraged by the ASP.NET team. The reason this is discouraged is that it is very difficult to reason about from a correctness point of view, and there are trivial attacks against such a setup that can allow malicious clients to masquerade as an authenticated user.

RickAndMSFT

You cannot use forms authentication and Windows authentication at the same time in IIS 7 and higher under Integrated Mode. Therefore, I would highly discourage that approach. You can however, use the built-in ActiveDirectoryMembershipProvider Class to authenticate Windows user accounts through a form and tie your login to that.

JamieSee

  • Actually, you can use Windows Authentication and Forms Authentication in IIS7+. You can use either classic mode or integrated mode. You just have to do a little tweaking in the background for integrated. See http://mvolo.com/blogs/serverside/archive/2008/02/11/IIS-7.0-Two_2D00_Level-Authentication-with-Forms-Authentication-and-Windows-Authentication.aspx – Erik Funkenbusch Mar 03 '12 at 01:49
  • @MystereMan Actually, your tweaking link still doesn't use both at the same time although it gives that appearance to a user. You are, however, correct that you can still do two stage authentication using Classic Mode. I don't view either one as a particularly good solution though. For the mvolo.com solution you're introducing a lot of additional complexity that can be avoided. For Classic Mode you're following a model which will likely disappear eventually. My opinion is that it's better to architect things properly in the first place. – JamieSee Mar 06 '12 at 21:53
  • @MystereMan That article doesn't discuss mixed authentication in the context of MVC. – Paul George Jul 03 '12 at 10:12
  • @PaulGeorge - authentication works the same in MVC and WebForms. How you handle the request based on authentication is different between the two, but the actual authentication method itself is identical. – Erik Funkenbusch Jul 03 '12 at 16:06
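As an added example (it is not code from the question or from either answer), the following shows the approach JamieSee recommends: the app keeps Forms authentication as its only mode, Windows authentication stays off in IIS, and the login form validates the submitted domain credentials against Active Directory via ActiveDirectoryMembershipProvider before a forms ticket is issued. This replaces the question's unauthenticated SetAuthCookie call, which lets any client pick any username, with one that runs only after the domain controller has accepted the password. The controller and view-model names (AccountController, LoginViewModel), the provider name, the connection string name and the LDAP path are assumptions for this example and must be replaced with your own; the web.config fragment the controller depends on is shown as a comment at the top so the whole thing stays in one file.

```csharp
// Added example, not from the original question or answers.
//
// web.config fragment this controller relies on (assumed names; replace the
// LDAP path with your own domain). Windows authentication is left disabled in
// IIS, so User.Identity.Name is simply the name carried by the forms ticket.
//
//   <connectionStrings>
//     <add name="ADConnectionString"
//          connectionString="LDAP://ourdomain.example/DC=ourdomain,DC=example" />
//   </connectionStrings>
//   <system.web>
//     <authentication mode="Forms">
//       <!-- requireSSL: the ticket cookie is only sent over HTTPS -->
//       <forms loginUrl="~/Account/Login" timeout="30" requireSSL="true" />
//     </authentication>
//     <authorization>
//       <deny users="?" />   <!-- anonymous users are sent to loginUrl -->
//     </authorization>
//     <membership defaultProvider="AdMembership">
//       <providers>
//         <clear />
//         <!-- Without connectionUsername/connectionPassword the provider binds
//              to AD as the application pool identity, so that identity must be
//              a domain account that can read user objects. -->
//         <add name="AdMembership"
//              type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
//              connectionStringName="ADConnectionString"
//              attributeMapUsername="sAMAccountName" />
//       </providers>
//     </membership>
//   </system.web>
//   <!-- the login page itself must stay reachable anonymously -->
//   <location path="Account/Login">
//     <system.web><authorization><allow users="*" /></authorization></system.web>
//   </location>

using System.ComponentModel.DataAnnotations;
using System.Web.Mvc;
using System.Web.Security;

public class LoginViewModel
{
    [Required]
    public string Username { get; set; }

    [Required, DataType(DataType.Password)]
    public string Password { get; set; }
}

public class AccountController : Controller
{
    [HttpGet]
    public ActionResult Login(string returnUrl)
    {
        ViewBag.ReturnUrl = returnUrl;
        return View();
    }

    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Login(LoginViewModel model, string returnUrl)
    {
        if (!ModelState.IsValid)
        {
            return View(model);
        }

        // Membership.ValidateUser goes through the AD provider configured above.
        // The forms ticket is issued only after the domain accepts the password,
        // unlike SetAuthCookie on whatever name the client chose to submit.
        if (Membership.ValidateUser(model.Username, model.Password))
        {
            // Non-persistent cookie: the session ends with the browser, a safer
            // default once the app is reachable from the internet.
            FormsAuthentication.SetAuthCookie(model.Username, createPersistentCookie: false);

            // Only follow returnUrl when it points back into this site, so the
            // login page cannot be used as an open redirector.
            if (Url.IsLocalUrl(returnUrl))
            {
                return Redirect(returnUrl);
            }
            return RedirectToAction("Index", "Home");
        }

        // One message for unknown user and wrong password: no account enumeration.
        ModelState.AddModelError(string.Empty, "Invalid username or password.");
        return View(model);
    }

    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult LogOff()
    {
        FormsAuthentication.SignOut();
        return RedirectToAction("Index", "Home");
    }
}
```

With this in place User.Identity.Name holds the sAMAccountName the user typed (for example "jsmith"), not "ourdomain\domainuser", so existing controllers and views keep working; the difference is that the name can no longer be chosen freely by the client.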