Good tutorial for MVC active directory authentication?

  • Question

  • User-1581198721 posted

    Can anyone point me in the way towards an excellent book and/or online resource that allows me to do the following? 

    1. Log into a .NET 4.5.1 C# MVC 5 application using active directory. Allow me the option to log out? 

    2. Have different roles depending on the user logging in. 

    I have looked online and I see snippets of code here and there, but nothing has offered me. I set up an active directory MVC5 default application, but it automatically logged me in and there was no way to log out. It has been really frustrating trying to find something that would let me accomplish #1 in a simple code complete MVC format. 

    Thank you all for your patience and I look forward to your replies. 

    Friday, October 10, 2014 11:22 PM

All replies

  • User197322208 posted

    Log into a .NET 4.5.1 C# MVC 5 application using active directory. Allow me the option to log out? 

    What does logout mean? What are you trying to achieve?

    Have different roles depending on the user logging in. 

    You can find the groups that users are in in AD.

    Saturday, October 11, 2014 2:24 AM
  • User-1581198721 posted

    I would like to mimic windows forms authentication, but use active directory. In other words, I want to authenticate using active directory, but have my own custom log in page. Does this make sense? There is very little, or no documentation that I can find on how to do this. Since I am learning MVC, I am finding this almost impossible. Please help. 

    As for your second answer, yes. I suppose we can determine what role they have based on what group they are in the active directory. Yes? 

    PS - We were told to use Active Directory, but I want to give the user the option to log in and then log out. It is an intranet application, but many different users might use the laptop or tablets and thus the need for the functionality we are asking for. Basically the interface that MVC gives me, I think, when I would select Individual User Accounts

    Saturday, October 11, 2014 8:12 PM
  • User197322208 posted

    would like to mimic windows forms authentication, but use active directory.

    What is the meaning of "but" in this context? Windows Forms authentication uses Active Directory.

    I want to authenticate using active directory, but have my own custom log in page.

    If the user is authenticated (and AD gives you the user), why have a secondary login page?!

    It is an intranet application, but many different users might use the laptop or tablets and thus the need for the functionality we are asking for.

    No. Ask again. If this is an intranet, the users will be authenticated by the browser. They will enter their AD credentials.

    Sunday, October 12, 2014 1:04 AM
  • User1508394307 posted

    What you asked for already exists as built-in functionality of IIS. You configure the application to require Windows (Active Directory) authentication. That can be done in IIS or in the web.config: <authentication mode="Windows" />. Intranet users are typically authenticated on their own systems, and when they access your application their browser will send an authentication ticket and IIS will perform authentication automatically without sending the user's login/password across to the server. Read more here. This is not only secure, it's also user-friendly, as it does not require entering any login data twice. You could also use built-in authorization (read about the <authorization> tag in the web.config), which can be used to allow/block certain groups/users.

    So I don't think your idea makes sense unless there is no good reason. 

    If you definitely need something special, read the dedicated forum for LDAP and Active Directory and read similar topics like

    http://forums.asp.net/t/1859835.aspx?ASP+NET+MVC+4+using+Active+Directory+for+Forms+Authentication 

    or on the internet http://www.schiffhauer.com/mvc-5-and-active-directory-authentication/ 

    Sunday, October 12, 2014 8:30 AM
  • User-1581198721 posted

    hlyates

    would like to mimic windows forms authentication, but use active directory.

    What is the meaning of "but" in this context? Windows Forms authentication uses Active Directory.

    I want the functionality that I can get with AD authentication, but I do not want to use the authentication interface that is provided out of the box. I want mine to be custom. I do not want a popup window because this will also be on a tablet as well, and not just a PC. Consequently, I have no plans to have this authentication login duplicated anywhere else. So simply put, I want to authenticate with AD but with a custom login page. The reason why is that I do not like how AD is implemented. There is a popup window and then once you log in, no option to log out. I say this because in the out of the box demo I made with windows authentication with AD using .NET 4.5.1 with MVC5 does not have a logout option? This seems to imply a 1 user to 1 device. Which is not true in my organization.

    So again, there is no duplication. I want a custom login interface that authenticates by using AD. Period. What I am taking away from this conversation is that a custom login interface is not possible with AD using .NET 4.5 MVC5. 

    Sunday, October 12, 2014 2:37 PM
  • User-1581198721 posted

    First, thank you for this detailed reply. I am a learner, but I am very motivated. Your reply has given me careful pause. Please respond if you can.

    smirnov

    Intranet users are typically authenticated on their own systems and when they would access your application their browser will send an authentication ticket and IIS will perform authentication automatically without sending the user's login/password across to the server.  You could also use built-in authorization (read about <authorization> tag in the web.config) which can be used to allow/block certain groups/users.

    You say built-in authorization. Is this filtering? I have 3 types of users in the same group on AD. However, there are really three types of users: 

    1. admin 

    2. management 

    3. regular user 

    Depending on the user, they will have access to things others won't. For example, the admin has access to admin type data stuff, but won't have access to things that managers can for legal reasons. Regular users are pretty limited in what they can do and that is standard. For AD, how do you recommend I do filtering here or roles for AD? I'm pretty new so I'm not sure what literature I should be looking at?

    smirnov

    Intranet users are typically authenticated on their own systems and when they would access your application their browser will send an authentication ticket and IIS will perform authentication automatically without sending the user's login/password across to the server.

    When they close the browser, is this like logging off? I want to be sure that when they close the browser, that closes the session. It's important to me that someone can't just log in once, then some random individual shows up later and the browser is in management role when someone might be a regular user. 

    smirnov

    So I don't think your idea makes sense unless there is no good reason. 

    Okay, I want all the things you mostly described. However, when I made a .NET MVC 5 demo, it has a popup for logging in (or not at all, you just authenticate). I also have tablets and was told by management that they hated it. Thus, I was wondering if there is a way to have a custom log-in screen (like forms) but use AD? 

    smirnov

    If you definitely need something special, read the dedicated forum for LDAP and Active Directory and read similar topics like

    http://forums.asp.net/t/1859835.aspx?ASP+NET+MVC+4+using+Active+Directory+for+Forms+Authentication 

    or on the internet http://www.schiffhauer.com/mvc-5-and-active-directory-authentication/ 

    As for the first link, it won't work for me, I am MVC5 and authentication is now using something called identity. Right? However, for the second solution, is that doing windows forms for MVC5 but for AD? If so, this might be what I need to do. If the blog only had the view included too. Sigh. The problem as a new learner for this is to make sense of the official documentation, it's pretty scant on example code. I appreciate your sympathy on that note. 

    Any further comments and/or assistance you could render would be appreciated. Thanks. 

    Sunday, October 12, 2014 3:52 PM
  • User1508394307 posted

    Authorization is authorization, but you can call it "filtering" if you want. You (your sysadmin) could define all roles in AD if required, and you could get these roles when the user is accessing your application. This way is good e.g. if the app admin should not have access to the user management. Another way is to create custom role management in the application. You can have a table of users-roles where you can point user DOMAIN\john to the role of "Admin", etc. This might be less secure than the other one but good for small applications.

    The user will not be logged off if he closes the browser. He will be logged off when he logs off his user account in Windows. Are you talking about shared (kiosk) computers?

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Sunday, October 12, 2014 5:09 PM
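
The two role approaches from the marked answer, sketched in C# as an added example (not code from the thread or from any participant): AD groups mapped to the three application roles the question lists, plus an application-side users-roles table. The domain `EXAMPLE`, the group names, the sample users and the `AppRoles` class are all hypothetical.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Principal;

public static class AppRoles
{
    // Option 1: roles live in AD. Hypothetical groups, one per application role.
    static readonly Dictionary<string, string> GroupToRole =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            { @"EXAMPLE\App-Admins",   "Admin" },
            { @"EXAMPLE\App-Managers", "Management" },
            { @"EXAMPLE\App-Users",    "User" },
        };

    // Option 2: application-side users-roles table (constructed sample row).
    static readonly Dictionary<string, string> UserToRole =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            { @"EXAMPLE\john", "Admin" },
        };

    // Roles are flat: "Admin" does not imply "Management". Empty set = no access.
    public static ISet<string> Resolve(IPrincipal user)
    {
        var roles = new HashSet<string>();
        if (user == null || user.Identity == null || !user.Identity.IsAuthenticated)
            return roles; // deny by default
        foreach (var pair in GroupToRole)
            if (user.IsInRole(pair.Key)) roles.Add(pair.Value);
        string mapped;
        if (UserToRole.TryGetValue(user.Identity.Name, out mapped)) roles.Add(mapped);
        return roles;
    }

    public static void Main()
    {
        // GenericPrincipal stands in for the WindowsPrincipal that IIS supplies
        // under Windows authentication; its role list plays the part of AD groups.
        var mary = new GenericPrincipal(new GenericIdentity(@"EXAMPLE\mary"),
                                        new[] { @"EXAMPLE\App-Managers" });
        var john = new GenericPrincipal(new GenericIdentity(@"EXAMPLE\john"), new string[0]);
        var anon = new GenericPrincipal(new GenericIdentity(""), new string[0]);
        foreach (var p in new[] { mary, john, anon })
            Console.WriteLine("{0} -> [{1}]", p.Identity.Name, string.Join(", ", Resolve(p)));
    }
}
```

With Windows authentication enabled, an MVC action can also check an AD group directly, for example `[Authorize(Roles = @"EXAMPLE\App-Managers")]` (group name hypothetical).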