How to integrate a windows authentication in a .NET Core MVC application

  • Question

  • User-462241089 posted

    Hey, sorry, it's me again. I asked this question and this one too, but I just had a code review with my team and it seems like I was doing it all wrong.

    What I actually need to do is integrate a windows authentication in my .NET Core MVC application. I was referred to this article for help in implementing this, but it doesn't quite make any sense.

    All this needs to do is use windows authentication (the basic one, I believe), but instead of the popup window, it uses the input fields I have on a webpage. The problem is, I have no idea where to even begin, and everything with .net core is really vague.

    Does anyone know how to do this? My team says it is possible...

    Wednesday, July 22, 2020 4:27 PM

Answers

All replies

  • User753101303 posted

    Hi,

    Seems there is perhaps some confusion between the "Windows Authentication" option found in IIS and having the app handle the "Windows authentication" itself (on the IIS side you'll use "Anonymous authentication" to basically tell IIS to not care at all about authentication as it is your app which is then handling that).

    See for example https://support.microsoft.com/en-us/help/324276/how-to-configure-internet-information-services-web-authentication-in-w

    "Anonymous authentication" is either a true public site or covers any other form of authentication which is fully controlled by the application rather than by the IIS web server.

    For now my understanding is that you want to use "Anonymous authentication" (ie IIS does nothing and authentication is handled by your app). AFAIK this is not a popular option for an intranet site as the user needs to enter again the user/password he already used to open his client-side OS session.

    Edit: unlike what is said in this old article you do have proxy servers being able to handle this "Windows (Integrated into IIS) Authentication" option.

    Wednesday, July 22, 2020 10:51 PM
  • User-462241089 posted

    Thanks for the reply, PatriceSc! I know it is not common, but this is what the boss wants, so this is what I need to do.

    I was referred this article to point me in the right direction. Basic Authentication is what we want, and it seems to be the basic authentication in your article. I'm trying to follow yours right now, since the article I linked here isn't working at all, but I am having trouble at step 5 in How to Configure IIS Web Site Authentication.

    Wednesday, July 22, 2020 11:43 PM
  • User-474980206 posted

    Windows authentication takes place between the browser and IIS. You can use Basic, Kerberos or NTLM. This is all configured with IIS. You write no code to implement it. You don't have a form; the browser manages the login.

    https://docs.microsoft.com/en-us/iis/configuration/system.webserver/security/authentication/windowsauthentication/

    Once it's configured, your app wants to know the user name. With ASP.NET Core, this is handled by IIS integration. You configure ASP.NET Core to create an identity based on the token IIS passes to ASP.NET Core.

    https://docs.microsoft.com/en-us/aspnet/core/security/authentication/windowsauth?view=aspnetcore-3.1&tabs=visual-studio

    If you want to use your own login form, with Windows accounts, then that's AD authentication, not Windows. In this case you need an AD provider for ASP.NET Identity.

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Thursday, July 23, 2020 1:49 AM
  • User-462241089 posted

    Bruce, that is an awesome explanation! So you say there is no way to replace the initial popup prompting for username and password with my own form? That explains why everyone said I would be logging in twice... Is it possible to at least allow the user to land on the login screen and then let the browser do the windows authentication prompt?

    I'm selecting your post as the answer, as it really explains things well!

    Also, as an aside, I had thought that I needed to use Azure AD, but the team said we didn't need that to do this. Is Azure AD the same thing as Windows AD?

    Thursday, July 23, 2020 3:52 AM
  • User753101303 posted

    If you want to show your own form you don't "change something" for "Windows Integrated Authentication", you'll use "Anonymous authentication" and then your app handles authentication as you want without IIS intervening in that.

    Azure AD is a web based identity provider. Depending on how it is configured it could be used to authenticate both on-premise AD users as well as users external to your company (and if they have Azure AD by using still their own internal accounts). On the IIS side it is still using "Anonymous authentication" and the app handles this on its own using something similar to https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-v2-aspnet-core-webapp.

    "Windows Integrated Security" is if you want to have authentication being handled for you (either automatically or once again with an input dialog shown by the browser and on which you don't have control).

    Maybe it still needs to be discussed, in particular if those points are still unclear:
    - are all user accounts accessing this app in the same on-premise AD?
    - is the app accessed only from the same internal network (or through a VPN) or does it need to be reachable from any location over the internet?

    Thursday, July 23, 2020 6:21 AM
  • User-462241089 posted

    All user accounts should be in the same AD (I believe), and the app can only be accessed through a VPN. This will be used by employees, not just random people.

    Thursday, July 23, 2020 1:23 PM
  • User753101303 posted

    Seems to me using "Windows Integrated Authentication" would just work (and the proper NTFS permissions if not everybody inside the company).

    If you want to provide your own custom input form for providing the user name and password, as pointed out numerous times, you HAVE to use "Anonymous authentication" and then add the needed code so that your app handles the user authentication itself.

    I often like to understand the expected benefits for a design decision especially when I don't agree. Sometimes I'm convinced. Sometimes it turns out the decision was not based on a real need but rather on an old and possibly now less optimal habit or whatever...

    So for now I believe you DON'T want to use "Windows Integrated Authentication" (that once again doesn't allow the use of a custom credential input form).

    Edit: for example your app could likely use https://docs.microsoft.com/en-us/dotnet/api/system.directoryservices.accountmanagement.principalcontext.validatecredentials?view=dotnet-plat-ext-3.1 to authenticate explicitly against Active Directory.

    Or you have done something that works already. For now I believe you always tried with "Windows Integrated Authentication" being left enabled, which really doesn't seem to be what you want.

    Thursday, July 23, 2020 2:46 PM
  • User-462241089 posted

    You know, I think that is actually the problem I had several days ago that sent me down this confusing spiral. I tried AD like 2 weeks ago but it was always authenticating. It must have been because I wasn't using anonymous auth in IIS.

    I'm setting up anonymous auth right now, but do you guys know of any good tutorials on setting up AD in .NET Core MVC? The ones I find are just for .NET Core.

    Thursday, July 23, 2020 3:09 PM
  • User-474980206 posted

    Bruce, that is an awesome explanation! So you say there is no way to replace the initial popup prompting for username and password with my own form? That explains why everyone said I would be logging in twice... Is it possible to at least allow the user to land on the login screen and then let the browser do the windows authentication prompt?

    Also, as an aside, I had thought that I needed to use Azure AD, but the team said we didn't need that to do this. Is Azure AD the same thing as Windows AD?

    Correct, when you use Windows authentication you cannot replace the browser's login form with your own.

    If you want your own login form, then you are using forms authentication. The default implementation of forms authentication uses a database to store users and passwords rather than AD. This is perfectly code-able via a custom Identity provider. The only AD provider Microsoft supplies is the Azure AD one via the OAuth identity provider. Thus you need to code your own.

    To implement an AD provider see the System.DirectoryServices.AccountManagement namespace. Note, it only works on Windows.


    Thursday, July 23, 2020 3:59 PM
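    Added example, not code from this thread, from Microsoft or from the asker's project, tying together the ValidateCredentials pointer in PatriceSc's post and Bruce's note about needing your own provider: an ASP.NET Core 3.1 MVC controller behind an app-owned login form that validates against on-premise AD and then issues the cookie that [Authorize] checks. The domain name, the LoginModel, the route names and the Startup wiring in the trailing comment are assumptions; IIS must be on "Anonymous authentication" for this to be reached at all.

```csharp
// Added example (not from the thread): an app-managed login form backed by on-premise AD.
// IIS must be set to "Anonymous authentication"; System.DirectoryServices.AccountManagement
// is Windows-only (NuGet package of the same name on .NET Core).
using System.Collections.Generic;
using System.DirectoryServices.AccountManagement;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Mvc;

public class LoginModel { public string UserName { get; set; } public string Password { get; set; } }

public class AccountController : Controller
{
    private const string Domain = "CORP"; // assumption: your AD domain (NetBIOS or DNS name)

    [HttpGet]
    public IActionResult Login() => View();

    [HttpPost, ValidateAntiForgeryToken]
    public async Task<IActionResult> Login(LoginModel model, string returnUrl = "/")
    {
        using var ctx = new PrincipalContext(ContextType.Domain, Domain);
        // Performs a bind as the user; a wrong password is a failed logon against domain policy.
        if (!ctx.ValidateCredentials(model.UserName, model.Password, ContextOptions.Negotiate))
        {
            ModelState.AddModelError(string.Empty, "Invalid user name or password."); // same message either way
            return View(model);
        }
        using var user = UserPrincipal.FindByIdentity(ctx, model.UserName);
        var claims = new List<Claim> { new Claim(ClaimTypes.Name, user?.SamAccountName ?? model.UserName) };
        // Map AD group membership to role claims so [Authorize(Roles = "...")] works on controllers.
        foreach (var group in user?.GetGroups() ?? Enumerable.Empty<Principal>())
            claims.Add(new Claim(ClaimTypes.Role, group.SamAccountName));
        var identity = new ClaimsIdentity(claims, CookieAuthenticationDefaults.AuthenticationScheme);
        // This is the step that turns "credentials are valid" into an authenticated user for the app.
        await HttpContext.SignInAsync(CookieAuthenticationDefaults.AuthenticationScheme,
                                      new ClaimsPrincipal(identity));
        return LocalRedirect(returnUrl);
    }
}

// Startup.cs wiring (assumed): ConfigureServices needs
//   services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
//           .AddCookie(o => o.LoginPath = "/Account/Login");
// and Configure needs app.UseAuthentication(); app.UseAuthorization(); after app.UseRouting().
```

    Validating the password alone authorizes nothing; the SignInAsync call is what creates the user the rest of the app sees, so a valid credential without it still lands on 401/403 for [Authorize] pages.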
  • User-462241089 posted

    Aaaaand we're right back to square one lol. Well, I'll return to forms authentication then. I was initially told that I couldn't use LDAP for it, so I'll see if I can use AD instead.

    By the way, now some team members are throwing around "ADFS auth". They said that if you enable ADFS auth with Windows auth, you will get the ADFS login screen instead of the windows login prompt. Is it correct to assume that ADFS is not the same as AD? I thought I had to set windows authentication to "anonymous" so I could get AD working in the app itself...

    Thursday, July 23, 2020 5:18 PM
  • User-462241089 posted

    So, I found this article on how to use AD in .NET, and it seems like he is using UserPrincipal, just as you guys suggested. I'll be using this article as a reference and will let you guys know if it works.

    Thanks for all your help, guys!

    Thursday, July 23, 2020 8:33 PM
  • User-462241089 posted

    Bruce, can you go into more detail on what a custom Identity provider is? I am able to validate my credentials, but I'm not authorized to view any pages. I think this is because I don't have a user registered with identity (if that is how I should word it).

    Sunday, July 26, 2020 7:59 PM