2

Trying to implement subject in a test environment.

.UseWebListener(options=>
{
    options.ListenerSettings.Authentication.Schemes = AuthenticationSchemes.NTLM |
                                                      AuthenticationSchemes.Negotiate;
    options.ListenerSettings.Authentication.AllowAnonymous = true;
})

And

app.UseWhen(context => context.Request.Path.StartsWithSegments("/ntlm"),
            builder => builder.UseCookieAuthentication(new CookieAuthenticationOptions()
            {
                AutomaticAuthenticate = true,
                AutomaticChallenge = true,
                LoginPath = "/Main/Login",
                LogoutPath = "/Main/Logout",
                AuthenticationScheme = "NTLM", AccessDeniedPath = "/Main/Deny"
            }
            ));

app.UseWhen(context => !context.Request.Path.StartsWithSegments("/ntlm"),
            builder => builder.UseCookieAuthentication(new CookieAuthenticationOptions()
            {
                AutomaticAuthenticate = false,
                AutomaticChallenge = false,
                LoginPath = "/Main/Login",
                LogoutPath = "/Main/Logout",
                AuthenticationScheme = "Cookies"
            }
            ));

But it seems there`s no difference, whether request path starts with "/ntlm" or not.

I tried running two WebListeners, but I think there`s much more overhead.

What I want to achieve: User gets on start page with login form and there`s a "Windows auth" button on it. He can enter credentials or press the button and go in with his OS identity.

spottedmahn
  • 14,823
  • 13
  • 108
  • 178
Danil
  • 33
  • 1
  • 5

1 Answers1

3

I'm doing something very similar using IIS, not WebListener, but maybe I can tell you a few things that can help.

You have configured WebListener as I did for my IIS to allow anonymous access but also to be able to negotiate authentification, that part should be fine.

But on the "/ntlm" url path, you have installed a CookieAuthentication middleware that will try to find a cookie in the incoming request to authenticate the user, and I don't think that's what you want. On the contrary, on the "/ntlm" path, you want to reuse the identity that would be coming from NTLM or Kerberos packet detected by WebListener. In my case, when properly setup, it's an IIS Middleware that is in charge of setting the identity. I would suggest:

  • remove this UseCookieAuthentication when on "ntlm" path
  • create a controller and an action with an "[Authorize]" attribute to trigger the authentication
  • display the HttpContext.User.Identity.Name;
  • hopefully you'll get the Windows user properly authenticated here
Daboul
  • 2,635
  • 1
  • 16
  • 29
  • Cool. And for the action you want to protect via a cookie, you'll be able to specify [Authorize(ActiveAuthenticationSchemes = "Cookies")] to make sure this is the middleware used to set up your user identity. – Daboul Mar 03 '17 at 15:33