I've set up an MVC C# web application with Windows Authentication using MS Visual Studio 2013 (authentication mode="Windows").

It works as expected when the user is on the corporate network (CN). The authentication is automatic, seamless and totally transparent when the user goes to the web app in IE or Chrome. If the user uses Firefox, a popup requests the user's network credentials, which is fine... as long as I don't have to manage usernames and passwords anymore. By the way, the popup is an integrated part of the browser reacting to the response from the web app; I do not control this.

My problem happens when the user tries to connect to the web app from home, through the use of a secure VPN. Once authenticated on our network, when the user opens up IE to go to the web app, the authentication is not "automatic and seamless" anymore... a popup requests the user's network credentials... but that is not all: the user must prefix his username with the corporate network (CN), or else Active Directory will not recognize him (cn\jorion), because the user's domain name is different from the corporate network (CN).

I do not have control of the LDAP/Active Directory but I do have control of the web server (IIS) and the web apps.

I've done a bit of research trying to find a parameter I could set in the web.config to pre-set the [domain name] in the popup, or force it to be the value I want it to be for authentication with the LDAP, but to no avail. I found that I could do exactly that only if I switch from authentication mode="Windows" to authentication mode="Form", but then every user on the corporate network would have to log in as well, where right now they do not have to.

Is there a way I can set it so the user does not have to prefix his username with the corporate domain name (cn) for authentication when using VPN?

Wednesday, April 10, 2019 2:32 PM

I'm not a networking expert, but I believe this is a networking issue with how the VPN is configured. The browser is unable to negotiate the user credentials, so it asks the user. I use the following command when connecting to another network.

runas /netonly /user:Domain\username "C:\path\to\the\application.exe"

Wednesday, April 10, 2019 3:38 PM
Thanks for sharing your thoughts with me. In another forum, I got: "the issue is that the home computer is the one that needs the domain name information. The home computer is first going to try and get a Kerberos ticket based on the domain (by finding a DC over VPN)."

So after googling "Kerberos ticket based on the domain" I found that it's way out of my control... I guess setting up a different web app for the VPN users IS my only hope... help me Obiwan Kenobi... :)

Thursday, April 11, 2019 3:56 PM
I'm not sure about the other forum's comments. I do know that I have an account in two domains. If I want to use the other domain, not the domain that I signed into originally, I have to runas the other account while connected to VPN.
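To see for yourself which of the two explanations above applies (the browser got a Kerberos ticket from a DC, or Negotiate fell back to NTLM and prompted), a small diagnostic action in the MVC app reports what IIS actually authenticated. This is an added example, not code from the thread; the WhoAmIController name is hypothetical, and it assumes the app is hosted in IIS with authentication mode="Windows" in web.config and the Windows Authentication module enabled.

```csharp
using System.Security.Principal;
using System.Text;
using System.Web.Mvc;

// Hypothetical diagnostic controller (added example, not the poster's code).
// Assumes IIS hosting with <authentication mode="Windows" /> in web.config.
[Authorize]
public class WhoAmIController : Controller
{
    public ActionResult Index()
    {
        var identity = HttpContext.User.Identity as WindowsIdentity;
        return Content(Describe(identity), "text/plain");
    }

    // Builds a plain-text report from the identity IIS handed to the app.
    public static string Describe(WindowsIdentity identity)
    {
        var report = new StringBuilder();
        if (identity == null || !identity.IsAuthenticated)
        {
            // Windows auth did not run: the module is disabled or anonymous
            // access is still allowed for this path.
            report.AppendLine("No authenticated WindowsIdentity; check web.config and IIS.");
            return report.ToString();
        }

        // Name arrives as DOMAIN\user, so the prefix shows which domain AD
        // resolved the account to (the "cn\jorion" case from the question).
        string[] parts = identity.Name.Split('\\');
        report.AppendLine("User:   " + identity.Name);
        report.AppendLine("Domain: " + (parts.Length == 2 ? parts[0] : "(none)"));

        // "Kerberos" means the browser obtained a ticket from a domain
        // controller; "NTLM" means Negotiate fell back, which is what happens
        // when the client cannot reach a DC, e.g. over some VPN setups.
        report.AppendLine("Type:   " + identity.AuthenticationType);
        if (identity.AuthenticationType == "NTLM")
        {
            report.AppendLine("Note:   NTLM fallback; Kerberos ticket was not obtained.");
        }
        return report.ToString();
    }
}
```

Browse to /WhoAmI from the corporate network and then over the VPN and compare the two reports; if the VPN case shows NTLM, the prompt comes from the client failing to reach a DC, not from anything in web.config.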