It's easy to create an ASP.NET MVC application that authenticates based on windows domain user. It's also easy to create one that uses individual accounts stored using Entity Framework. In fact, there are project templates for both.
But I want to utilize BOTH kinds of authentication in the same application. I tried to combine the code from both project templates. I have a problem in Startup.Auth.cs.
// from "Individual Accounts" template app.UseCookieAuthentication(new CookieAuthenticationOptions { AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie, LoginPath = new PathString("/Account/Login"), Provider = new CookieAuthenticationProvider { OnValidateIdentity = SecurityStampValidator.OnValidateIdentity<ApplicationUserManager, ApplicationUser>( validateInterval: TimeSpan.FromMinutes(30), regenerateIdentity: (manager, user) => user.GenerateUserIdentityAsync(manager)) } });
The existence of cookie authentication owin middleware seems to cause domain identities to become un-authenticated. If I take this line out, the domain authentication works. But without it, I can't seem to support individual user accounts.
I've downloaded the katana project source code and examined CookieAuthenticationHandler.cs, but I don't quite understand how it works in the context of an OWIN pipeline.
How can I use the ASP.net identity framework to allow my application to authenticate users from the windows domain OR an application-specific user store?
Managed Service Accounts are more secure then ordinary service accounts. Ordinary service accounts are normal user accounts with complex passwords used for running various server services. Managed Service Accounts are different. They can only created with PowerShell.
The gMSA was introduced with Windows Server 2012. Unlike an MSA, a gMSA can be associated with multiple computers. Otherwise, it behaves very similarly i.e, the password is complex and – for the gMSA – automatically managed by the Active Directory subsystem and stored as a new AD attribute.
On computers running Windows Server 2012 or Windows 8, a group MSA can be created and managed through the Service Control Manager so that numerous instances of the service, such as deployed over a server farm, can be managed from one server.
The simplest approach is to have 2 different presentation Projects only for Authentication/Authorization.
This has the advantage of leaning on existing framework and standard configuration.
From there, you decide to either
Creating an Identity user for each AD user is easier to implement further. Then the same cookies and filters can exist in the entire app.
In that case you can either
Alternatively, If you want a truly Unified Solution, use MohammadYounes/Owin-MixedAuth
MohammadYounes/Owin-MixedAuth
Install-Package OWIN-MixedAuth
In Web.config
<location path="MixedAuth"> <system.webServer> <security> <authentication> <windowsAuthentication enabled="true" /> </authentication> </security> </system.webServer> </location>
In in Startup.Auth.cs
app.UseMixedAuth(cookieOptions);
:
:
The handler uses ApplyResponseChallengeAsync
to confirm the request is a 401 challenge. If so, it redirects to the callback path to request authentication from IIS which is configured to query the AD.
AuthenticationResponseChallenge challenge = Helper.LookupChallenge( Options.AuthenticationType, Options.AuthenticationMode);
A 401 challenge is caused by an unauthorized users attempting to use a resource that requires Authentication
The handler uses InvokeAsync
to check if a request is coming from a callback path (IIS) and then calls AuthenticateCoreAsync
protected async override System.Threading.Tasks.Task<AuthenticationTicket> AuthenticateCoreAsync() { AuthenticationProperties properties = UnpackStateParameter(Request.Query); if (properties != null) { var logonUserIdentity = Options.Provider.GetLogonUserIdentity(Context); if (logonUserIdentity.AuthenticationType != Options.CookieOptions.AuthenticationType && logonUserIdentity.IsAuthenticated) { AddCookieBackIfExists(); ClaimsIdentity claimsIdentity = new ClaimsIdentity( logonUserIdentity.Claims, Options.SignInAsAuthenticationType); // ExternalLoginInfo GetExternalLoginInfo(AuthenticateResult result) claimsIdentity.AddClaim(new Claim(ClaimTypes.NameIdentifier, logonUserIdentity.User.Value, null, Options.AuthenticationType)); //could grab email from AD and add it to the claims list. var ticket = new AuthenticationTicket(claimsIdentity, properties); var context = new MixedAuthAuthenticatedContext( Context, claimsIdentity, properties, Options.AccessTokenFormat.Protect(ticket)); await Options.Provider.Authenticated(context); return ticket; } } return new AuthenticationTicket(null, properties); }
AuthenticateCoreAsync
uses AddCookieBackIfExists
to read the claims cookie created by AD and creates it's own Claims based.
AD users are provided a Claims based Cookie identical to Web Users. AD is now like any other 3rd party authenticator (Google, FB, LinkedIN)
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With