Net 5 Windows Authentication: Disable automatic login to avoid custom LDAP code

  • Question

  • User-1868926312 posted

    I'm using VS2019. I've created a new "ASP.NET Core Web App (MVC)", with Target Framework ".NET 5.0 (Current)". I am running it on a machine which is already joined to the target Active Directory Domain.

    VS created the default project, and when I start it, it's automatically logged in as the current AD user logged in on this machine.

    I want the opposite. I want to make a form and log in to the AD, set authentication on the controller and make the auth expire after X minutes.

    As I can read here

    You can try to use windows authentication. However, that will only work if the server you run this on is joined to the domain (or a trusted domain).

    If not, then you will have to use Forms Authentication, where the user enters their username and password, and you authenticate against AD in your code via LDAP. There are two ways to do this in .NET Core:

    1. If you will only run this on a Windows server, then you can install and use the Microsoft.Windows.Compatibility NuGet package.

    2. Use the third-party Novell.Directory.Ldap.NETStandard.

    I already knew that it was possible to make a form, post the credentials to a controller and make up a lot of code to fiddle with AD/LDAP and log in the user (and found a GitHub repo called aspnetcore.ldap which already does that).

    But... the .NET 5 default project already gives you Windows auth ready to use. Isn't it possible for it to just ask you for a user and password and authenticate you in the app? Why do I have to use a bunch of extra code?

    Is it possible to use the default Windows auth and configure it through some options to ask for user and password or, even better, use it through a form in the page, and make it work like a "token" with expiration?

    Friday, March 26, 2021 4:40 PM
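The forms-login-plus-LDAP route the quoted answer describes, with the cookie expiry the question asks for, as an added example in C# (not code from this thread, the VS template, or the aspnetcore.ldap repo). It assumes the System.DirectoryServices.Protocols package (part of Microsoft.Windows.Compatibility), a hypothetical domain controller "dc01.corp.example" reachable over LDAPS, and a hypothetical NetBIOS domain "CORP":

```csharp
using System;
using System.DirectoryServices.Protocols;
using System.Net;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;
public class AdLoginService
{
    // Returns true only if the domain controller accepts a simple bind as DOMAIN\user.
    public bool Validate(string user, string password)
    {
        // An empty password turns a simple bind into an unauthenticated (anonymous) bind that a directory may answer with success, so reject it first.
        if (string.IsNullOrWhiteSpace(user) || string.IsNullOrEmpty(password)) return false;
        try
        {
            // "dc01.corp.example" and "CORP" are hypothetical; LDAPS (636) keeps the password from crossing the wire in clear.
            using var conn = new LdapConnection(new LdapDirectoryIdentifier("dc01.corp.example", 636));
            conn.SessionOptions.SecureSocketLayer = true;
            conn.AuthType = AuthType.Basic;
            conn.Bind(new NetworkCredential("CORP\\" + user, password));
            return true;
        }
        catch (DirectoryException) { return false; } // bad password, locked-out account, DC unreachable
    }

    // Call from Startup.ConfigureServices instead of the template's Windows auth registration.
    // ExpireTimeSpan is the "X minutes" from the question; SlidingExpiration=false makes it absolute.
    public static void Register(IServiceCollection services)
    {
        services.AddSingleton<AdLoginService>();
        services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
            .AddCookie(o => { o.LoginPath = "/Account/Login"; o.ExpireTimeSpan = TimeSpan.FromMinutes(20); o.SlidingExpiration = false; });
    }
}
public class AccountController : Controller
{
    readonly AdLoginService _ad;
    public AccountController(AdLoginService ad) => _ad = ad;
    [HttpPost, ValidateAntiForgeryToken]
    public async Task<IActionResult> Login(string username, string password)
    {
        if (!_ad.Validate(username, password)) return View("Login"); // one generic failure, no hint which part was wrong
        var id = new ClaimsIdentity(CookieAuthenticationDefaults.AuthenticationScheme);
        id.AddClaim(new Claim(ClaimTypes.Name, username));
        await HttpContext.SignInAsync(CookieAuthenticationDefaults.AuthenticationScheme,
            new ClaimsPrincipal(id), new AuthenticationProperties { IsPersistent = false });
        return RedirectToAction("Index", "Home");
    }
}
```

Controllers that need the login then carry `[Authorize]` as usual; once the 20 minutes pass the cookie middleware redirects back to the LoginPath rather than silently re-using the machine account the template's Windows auth would.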

All replies

  • User475983607 posted

    Is it possible to use the default Windows auth and configure it through some options to ask for user and password or, even better, use it through a form in the page, and make it work like a "token" with expiration?

    A central token server like IdentityServer4 can provide this type of functionality.

    https://docs.identityserver.io/en/latest/topics/windows.html

    Friday, March 26, 2021 4:59 PM
  • User-1868926312 posted

    mgebhard

    Wassup

    Is it possible to use the default Windows auth and configure it through some options to ask for user and password or, even better, use it through a form in the page, and make it work like a "token" with expiration?

    A central token server like IdentityServer4 can provide this type of functionality.

    https://docs.identityserver.io/en/latest/topics/windows.html

    Errrrr.... So I have to put up a separate server to do this thing?
    I think it's inappropriate. It would require far more code and would add a ton of complexity compared to just writing a few lines which authenticate on Active Directory.....

    I've checked the documentation a bit and it looks like a nightmare translated into code. Why would anyone use such a solution, at least when you have direct access to the Active Directory server? I could understand it if the Active Directory was on a separate server which you can't allow people outside to reach, and the Identity Server would be the middleman between you and the AD, but I have direct access to the AD (I thought it was clear, since my default .NET 5 app promptly connected to the AD and showed the user as I said before).

    Putting up a server to do a whole new level of abstraction over Active Directory authentication.... when instead, creating a new project in Visual Studio from scratch with Windows authentication on just logs on to AD fine....

    It's ridiculous. There should be a configuration option which allows you to ask for the user's password without the need to put up a separate server with all the code inside to do that.... and to set a token validity duration....

    Absurd, there must be another solution

    Sunday, March 28, 2021 12:26 PM
  • User475983607 posted

    Wassup

    It's ridiculous. There should be a configuration option which allows you to ask for the user's password without the need to put up a separate server with all the code inside to do that.... and to set a token validity duration....

    Absurd, there must be another solution

    It is not absurd if you understand how Windows authentication works.

    Anyway, this question has been asked many many times over the years. I recommend Identity Server because it centralizes authentication. Centralized authentication is very common these days rather than persisting authentication in every application. Plus it is very simple to configure Identity Server and Identity Server can co-exist with your other hosted applications.

    Honestly you could do the same by writing a small Windows Auth application with clever redirects. You can even write the "challenge" code yourself to drive the browser.

    Sunday, March 28, 2021 2:54 PM
  • User1535942433 posted

    Hi Wassup,

    As far as I can tell, Identity Server meets your requirements. Identity Server is intended to serve as an Identity Provider; if you need to talk with your AD you should see the Federation Gateway architecture they propose using the IAuthenticationSchemeProvider.

    You have the control to programmatically reach your AD and pass the correct credentials to get the authentication. That step should be done in your Identity Server. After you get authenticated you should get redirected to your application again.

    For more details, you could refer to the article below:

    https://stackoverflow.com/questions/56552430/authentication-against-local-ad-in-the-angular-application

    Best regards,

    Yijing Sun

    Monday, March 29, 2021 4:43 AM