ASP.NET MVC Windows authentication on top of forms authentication

Question

I have developed a web app in ASP.NET MVC which we are using internally. Now we want to make it available through our server on the internet -- to make life easier when we're doing jobs on site.

Ideally I'd like to just stick Windows authentication infront of it, so that anyone with a domain account can log in.

The problem is that I'm already using forms authentication in the app.

We don't have any password restrictions for the app, you simply select the user you wish to log in as and then submit the form. On the server side it just does this -

    FormsAuthentication.SetAuthCookie(viewModel.Username, true);

This makes the user's name available throughout all controllers and views using the User object (user.identity.name).

However... when I enable Windows authentication in IIS, the web app starts thinking that user.identity.name is "ourdomain\domainuser".

What I'd like is to use forms authentication in conjunction with windows authentication, but not have them integrate in any way.

Is there a simple way to achieve this?

Answer 1

The ASP.NET team doesn’t officially support using mixed-mode authentication in an application. If you search the web, you’ll find blog posts on how to do this, but please note that they’re discouraged by the ASP.NET team. The reason this is discouraged is that it is very difficult to reason about from a correctness point of view, and there are trivial attacks against such a setup that can allow malicious clients to masquerade as an authenticated user.