Forms authentication with AD?

  • Question

  • User-462241089 posted

    I am very new to .net mvc, so please forgive me if the answer is obvious!

    I'm trying to create a login screen for my asp.net mvc web app, but I need to validate the user credentials against windows AD. I've been googling for days now, and I can't find a straight answer. Lots of people a decade ago say to use Forms authentication instead of windows AD, but then check the credentials against AD.

    Times have really changed since then and I want to make sure I know what I'm doing before I break anything. I already tried to implement some of their code (like FormsAuthentication.SetAuthCookie(user.Username, false); in the HomeController when credentials match), but I get an error (VS says that 'FormsAuthentication does not exists in the current project').

    I think I already have windows authentication working, as the toolbar at the top of the page is displaying my user account. The code for it is this:

    @using Microsoft.AspNetCore.Identity
    @using project.Identity.Data
    
    @inject SignInManager<CRC_WebApp_RedesignUser> SignInManager
    @inject UserManager<CRC_WebApp_RedesignUser> UserManager
    
    <ul class="navbar-nav">
    @if (User.Identity.IsAuthenticated)
    {
        <li class="nav-item">
            <a id="manage" class="nav-link text-dark" asp-area="Identity" asp-page="/Account/Manage/Index" title="Manage">Hello @UserManager.GetUserName(User)!</a>
        </li>
        <li class="nav-item">
            <form id="logoutForm" class="form-inline" asp-area="Identity" asp-page="/Account/Logout" asp-route-returnUrl="@Url.Action("Index", "Home", new { area = "" })">
                <button id="logout" type="submit" class="nav-link btn btn-link text-dark">Logout</button>
            </form>
        </li>
    }
    

    An old coworker added this to the project, and from what I can tell, there is no other login code.

    Again, I'm super new to this. My understanding is to just let the user enter their credentials into a login screen and then somehow check their input against the windows AD with 'User.Identity' or something like that in the HomeController, and then directly grant the user access to the rest of the app with FormsAuthentication.SetAuthCookie(user.Username, false). Is this understanding correct? I've never done this before.

    Wednesday, July 15, 2020 4:54 PM

Answers

  • User1686398519 posted

    Hi MarcusAtMars,

    • This login seems to be happening automatically on startup
      • If you want to implement login authentication yourself, using Windows authentication is not a good method. When using Windows authentication, there is no authentication process. This authentication is done by IIS. It first accepts the user's credentials from the domain login "domain\username and password". If this process fails, IIS will display an error and ask to re-enter the login information.
    • Forms authentication with AD in ASP .NET MVC
      • To achieve this verification, you need to set it in web.config. You can refer to these two links: link1, link2 for details.

        <system.web>
            <authentication mode="Forms">
                <forms name=".ADAuthCookie" loginUrl="~/Account/Login" timeout="45" slidingExpiration="false" protection="All" />
            </authentication>
            <membership defaultProvider="ADMembershipProvider">
                <providers>
                    <clear />
                    <add name="ADMembershipProvider" type="System.Web.Security.ActiveDirectoryMembershipProvider" connectionStringName="ADConnectionString" attributeMapUsername="sAMAccountName" />
                </providers>
            </membership>
        </system.web>
        <connectionStrings>
            <add name="ADConnectionString" connectionString="LDAP://primary.mydomain.local:389/DC=MyDomain,DC=Local" />
        </connectionStrings>

    • @using Microsoft.AspNetCore.Identity
      @using project.Identity.Data
      @inject SignInManager<CRC_WebApp_RedesignUser> SignInManager
      @inject UserManager<CRC_WebApp_RedesignUser> UserManager
      • In addition, I am still confused about the code you provided before, because "inject", "asp-page", etc. are written in ASP.NET Core.

    Best Regards,

    YihuiSun

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Friday, July 17, 2020 5:33 AM
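    An AccountController that goes with the web.config above, added here as an example (ASP.NET MVC 5 on .NET Framework; it is not code from the thread, and the LoginViewModel, view names and "Home/Index" route are assumptions). Membership.ValidateUser is what actually exercises the ADMembershipProvider; the rest is the cookie issue and the return-URL check.

```csharp
using System.ComponentModel.DataAnnotations;
using System.Web.Mvc;
using System.Web.Security;

// Assumed view model bound from the login form.
public class LoginViewModel
{
    [Required] public string Username { get; set; }
    [Required, DataType(DataType.Password)] public string Password { get; set; }
}

public class AccountController : Controller
{
    [HttpGet, AllowAnonymous]
    public ActionResult Login(string returnUrl)
    {
        ViewBag.ReturnUrl = returnUrl;
        return View();
    }

    [HttpPost, AllowAnonymous, ValidateAntiForgeryToken]
    public ActionResult Login(LoginViewModel model, string returnUrl)
    {
        if (!ModelState.IsValid) return View(model);

        // Membership.ValidateUser is routed to the ADMembershipProvider from web.config,
        // so the password is checked by binding to the directory, never by this app.
        if (!Membership.ValidateUser(model.Username, model.Password))
        {
            // Same message for unknown user and wrong password: no account enumeration.
            ModelState.AddModelError("", "Invalid username or password.");
            return View(model);
        }

        // Issue the .ADAuthCookie forms ticket; false = session cookie, not persistent.
        FormsAuthentication.SetAuthCookie(model.Username, false);

        // Follow returnUrl only when it is local; otherwise the login page is an
        // open redirect that can bounce users to a look-alike site after sign-in.
        if (!string.IsNullOrEmpty(returnUrl) && Url.IsLocalUrl(returnUrl))
            return Redirect(returnUrl);
        return RedirectToAction("Index", "Home");
    }

    [HttpPost, ValidateAntiForgeryToken]
    public ActionResult Logout()
    {
        FormsAuthentication.SignOut();
        return RedirectToAction("Login");
    }
}
```

    Because the provider is configured with attributeMapUsername="sAMAccountName", users enter the short account name rather than user@domain.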
  • User-474980206 posted

    Hello again, Bruce!

    I just got word from our team lead that our authentication server isn't configured yet for ldap, so all we really need to do is use windows basic authentication. Basically, the login screen is a demo, and I just need to let the user manually enter their user credentials instead of IIS automatically logging them in.

    Is there a way to do this?

    basic authentication is handled by the browser and iis. If you want to use a form, you switch to cookie authentication. If it's just a demo, switch to windows, so no browser login appears. Then use on begin request to check for a cookie value. If missing, redirect to demo login page; the login post should set the cookie (it will not validate the password).

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Friday, July 17, 2020 2:25 PM
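    The cookie-authentication flow Bruce describes, for ASP.NET Core 3.1 MVC, added here as an example rather than code from the thread. It assumes the System.DirectoryServices.AccountManagement package (Windows only) for the credential check, a placeholder domain name "mydomain.local", and a Home/Index route; the demo in the thread skips the ValidateCredentials step, which is the one thing this version does not leave out.

```csharp
using System;
using System.DirectoryServices.AccountManagement; // NuGet package; Windows only (assumption)
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        // Cookie scheme replaces the IIS/browser prompt; Windows auth is not used at all.
        services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
            .AddCookie(o =>
            {
                o.LoginPath = "/Account/Login";            // unauthenticated users land here
                o.Cookie.HttpOnly = true;                  // not readable from script
                o.Cookie.SecurePolicy = CookieSecurePolicy.Always;
                o.ExpireTimeSpan = TimeSpan.FromMinutes(45);
                o.SlidingExpiration = false;
            });
        services.AddControllersWithViews();
    }
    // In Configure(): app.UseAuthentication() must run before app.UseAuthorization().
}

public class AccountController : Controller
{
    [HttpPost, AllowAnonymous, ValidateAntiForgeryToken]
    public async Task<IActionResult> Login(string username, string password, string returnUrl)
    {
        // Reject empty input first: an LDAP simple bind with no password is an unauthenticated bind.
        if (string.IsNullOrEmpty(username) || string.IsNullOrEmpty(password))
            return View();
        // "mydomain.local" is a placeholder; ValidateCredentials binds to the DC as that user.
        using var ctx = new PrincipalContext(ContextType.Domain, "mydomain.local");
        if (!ctx.ValidateCredentials(username, password))
        {
            ModelState.AddModelError("", "Invalid username or password.");
            return View();
        }
        var id = new ClaimsIdentity(CookieAuthenticationDefaults.AuthenticationScheme);
        id.AddClaim(new Claim(ClaimTypes.Name, username));
        await HttpContext.SignInAsync(new ClaimsPrincipal(id));
        return Url.IsLocalUrl(returnUrl) ? Redirect(returnUrl) : RedirectToAction("Index", "Home");
    }
}
```

    With this in place the existing layout's User.Identity.IsAuthenticated check reads the cookie principal, and the navbar shows the name claim set at login.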

All replies

  • User1686398519 posted

    Hi MarcusAtMars,

    • I want to confirm with you. Is your project ASP.NET MVC or ASP.NET Core MVC?
      • If it is ASP.NET MVC, you need to set it in web.config.
        • Please refer to this link for details.
        • If you want to use forms authentication to store data, such as user information, please refer to this link.
      • If it is ASP.NET Core MVC, I think you will need cookie authentication. Refer to this link or this link for how to use it.
    • For a detailed introduction to forms authentication, you can refer to this link.

    Best Regards,

    YihuiSun

    Thursday, July 16, 2020 6:52 AM
  • User-462241089 posted

    Thanks, YihuiSun. I am making an MVC app, so I'll try the first few links. I did a lot of research and tried to figure out what I need to do exactly, and I think I need to prompt the user for their windows login instead of IIS automatically logging them in. I don't know how it is doing it, but all I know is that if I use

    @UserManager.GetUserName(User)

    in a view, it displays their domain and username. This login seems to be happening automatically on startup, so how do I instead prompt the user?

    Thursday, July 16, 2020 12:44 PM
  • User-474980206 posted

    you are currently using windows authentication.  

    If you want form authentication with AD, then you will need an AD provider for the user manager. There is no builtin one, you will need a third party or code your own.

    You could also set up an OAuth server or use Azure AD (if you have one). Then you would use OpenID authentication.

    Thursday, July 16, 2020 9:05 PM
  • User-462241089 posted

    Hello again, Bruce!

    I just got word from our team lead that our authentication server isn't configured yet for ldap, so all we really need to do is use windows basic authentication. Basically, the login screen is a demo, and I just need to let the user manually enter their user credentials instead of IIS automatically logging them in.

    Is there a way to do this?

    Friday, July 17, 2020 2:06 PM
  • User-462241089 posted

    Thanks, YihuiSun!

    You are correct, I am actually using .net core mvc. You are also correct that windows auth is not completely secure, but that seems to be fine for now. The login screen is just a demo and needs to authorize the user with their credentials. Right now, the credentials seem to be given automatically by IIS. Is there any way to stop this, and to allow the user to manually input their credentials in a form on the webpage?

    Friday, July 17, 2020 2:09 PM
  • User-462241089 posted

    That is awesome, thanks Bruce!

    As an aside, do you know how to return a view without the layout? All my views are rendered inside a layout page (with the top toolbar), and I just want to return the login page (without the toolbar). How do I do this?

    Friday, July 17, 2020 3:14 PM
  • User-462241089 posted

    Oh yea, and with the cookie stuff, how do I verify the user credentials? In the links above, it is all hard coded in e.g. [authenticat(User = "username")]

    Friday, July 17, 2020 3:17 PM
  • User409696431 posted

    You can have more than one layout file.  Create a separate layout file with only the parts you want, and have the login view reference that new layout file.  Or, if you want to create the entire login view with no layout file, that's another option: a view is not required to use a layout file.

    Saturday, July 18, 2020 2:43 AM
  • User-462241089 posted

    Thanks, Kathy! I went ahead and did that, and things are looking great! Now all I need to do is get this authentication working...

    Sunday, July 19, 2020 12:10 AM