
Hooking into Windows Authentication for credentials when Authenticating against LDAP

I have a web portal for employees to update their details. People log in there with their Active Directory credentials and I set an OWIN cookie for authentication. This is all done through an MVC login page, nothing to do with Windows Authentication on IIS.

Now, the company browser is Internet Explorer and it is configured to log in automatically to other Windows Authentication sites, without prompting for a password. That happens when people are using a company PC and are logged into their domain accounts. And if they are working from home, a Basic Authentication prompt asks for credentials on these systems.

Now I would like to implement automatic authentication when users are logged in to their Windows domain accounts from work PCs, and present them with a login page if they are working from home.

I know about the 401 challenge and authentication negotiation, but I have never initiated this through ASP.NET. I've seen solutions where the user is redirected to a page where IIS is configured for Windows Authentication, but I want this done without IIS configuration. Also, I remember seeing somebody mention a solution where a page is loaded into an <iframe> where basic authentication is checked and, if authentication through that is successful, the already authenticated user is redirected to a landing page.

So my question comes down to: Is there a way to initiate (and complete) a 401 challenge for basic authentication on a specific action of a controller? And then hook into the Controller.User.Identity property to set the OWIN cookie?

UPD: As per comments: I want Kerberos (Windows Authentication) to work when users are on the domain network, so they are automatically logged in. But I don't want Windows Authentication to take place when users are not on the domain network; instead I want a custom login page with options for password reset and register (given employee validation).

trailmax asked Nov 08 '22 17:11


1 Answer

If I read your question properly, you might want to do something like the following...

1) Create 2 Authorization filters: one that uses AD and one that uses BasicAuthentication

2) Put them in the order you want. In your case, if I understood correctly, you want to check AD first. If AD authentication fails, you fail over to the Basic one (that's where you implement the 401 challenge). To make sure the filters are executed in the order you want, pay attention to the Order property on filters: https://msdn.microsoft.com/en-us/library/gg401854%28v=vs.98%29.aspx

3) Whatever filter you end up in (AD or BasicAuth), you can set your OWIN cookie from there

Hope that helps.

dee zg answered Nov 15 '22 10:11
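
A sketch of the Basic filter from steps 2 and 3 of the answer, added here as an example and not code from the answer's author: an MVC 5 authentication filter that issues the 401 challenge on the action it decorates, validates the credentials against AD, and signs the user in with the OWIN cookie. The class name `BasicAdAuthenticationAttribute`, the domain `EXAMPLE` and the realm string are hypothetical; it assumes the OWIN cookie middleware uses `DefaultAuthenticationTypes.ApplicationCookie` and that TLS terminates on this server.

```csharp
using System;
using System.DirectoryServices.AccountManagement;
using System.Security.Claims;
using System.Text;
using System.Web;
using System.Web.Mvc;
using System.Web.Mvc.Filters;
using Microsoft.AspNet.Identity;
using Microsoft.Owin.Security;

// Hypothetical filter; apply as [BasicAdAuthentication(Order = 2)] so it runs after an AD filter.
public class BasicAdAuthenticationAttribute : FilterAttribute, IAuthenticationFilter
{
    public string Domain { get; set; } = "EXAMPLE"; // placeholder AD domain (assumption)

    public void OnAuthentication(AuthenticationContext ctx)
    {
        var request = ctx.HttpContext.Request;
        // Basic credentials are only base64-encoded, so refuse them over plain HTTP.
        if (!request.IsSecureConnection) { ctx.Result = new HttpStatusCodeResult(403); return; }
        var header = request.Headers["Authorization"];
        if (header == null || !header.StartsWith("Basic ", StringComparison.OrdinalIgnoreCase))
        { ctx.Result = new HttpUnauthorizedResult(); return; } // no credentials yet: challenge
        string user, password;
        try
        {
            var decoded = Encoding.UTF8.GetString(Convert.FromBase64String(header.Substring(6).Trim()));
            var sep = decoded.IndexOf(':'); // split on the first ':'; the password may contain more
            if (sep <= 0) throw new FormatException();
            user = decoded.Substring(0, sep);
            password = decoded.Substring(sep + 1);
        }
        catch (FormatException) { ctx.Result = new HttpUnauthorizedResult(); return; }
        using (var ad = new PrincipalContext(ContextType.Domain, Domain))
        {
            // Wrong password or unknown user: challenge again, do not issue a cookie.
            if (!ad.ValidateCredentials(user, password)) { ctx.Result = new HttpUnauthorizedResult(); return; }
        }
        // Step 3 of the answer: turn the validated login into the OWIN cookie.
        var identity = new ClaimsIdentity(new[] { new Claim(ClaimTypes.Name, user) },
                                          DefaultAuthenticationTypes.ApplicationCookie);
        ctx.HttpContext.GetOwinContext().Authentication
           .SignIn(new AuthenticationProperties { IsPersistent = false }, identity);
        ctx.Principal = new ClaimsPrincipal(identity);
    }

    public void OnAuthenticationChallenge(AuthenticationChallengeContext ctx)
    {
        // Only 401 results get the Basic challenge header; the 403 above does not.
        if (ctx.Result is HttpUnauthorizedResult)
            ctx.HttpContext.Response.AddHeader("WWW-Authenticate", "Basic realm=\"Employee portal\"");
    }
}
```

If the OWIN cookie middleware has a `LoginPath` configured, it rewrites 401 responses into a redirect to the login page, so the browser only sees this challenge when that redirect is suppressed for the decorated action.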