2

I have been looking over examples of using Asp.Net Identity and various providers to supply authentication using facebook, twitter, etc.

I have an MVC 6 solution, currently being developed using VS2015 RC. It will be deployed to an organisational IIS. AD is primarily used to authenticate users, the majority of whom are authenticated via the domain, either within the local network or remotely.

However there is the possibility that some users will want access to the system over the internet, without having a domain account. or these users, the user will register, an admin will approve the account and assign roles and permissions locally within the application database.

The project team are requesting that users on the local network or otherwise authenticated on the domain do not need to logon.

AD is in use, but not ADFS to the best of my knowledge.

Is this even possible? I believe what I need is an OWIN provider for AD, but the Microsoft one seems to work with either ADFS or AAD.

Thanks.

LJNielsenDk
  • 1,414
  • 1
  • 16
  • 32
user1654348
  • 283
  • 4
  • 12

1 Answers1

3

You can definitely use Asp.Net Identity for the users that are registering over the internet.

You can also use Asp.Net Identity to sign-in the AD users using the below nuget package, but the windows users information (just the username, email) will need to be stored in your application database.

https://github.com/MohammadYounes/OWIN-MixedAuth

After you implement this nuget package, just do this to authenticate the windows user.

Add this method in ApplicationSignInManager class in IdentityConfig file and call this method if the windows user is logging in.

public async Task<SignInStatus> WindowsLoginAsync(string userName, string password, bool isPersistent)
    {
        var signInStatus = SignInStatus.Failure;
        using (var context = new PrincipalContext(ContextType.Domain, <your_domain_name>))
        {
        var valid = context.ValidateCredentials(userName, password);
        if (valid)
        {
            UserPrincipal userPrincipal = UserPrincipal.FindByIdentity(context, userName);

            if (userPrincipal != null)
            {
                var loginInfo = new ExternalLoginInfo
                {
                    Login = new UserLoginInfo("Windows", userPrincipal.Sid.ToString())
                };
                signInStatus = await ExternalSignInAsync(loginInfo, isPersistent);

                return signInStatus;
            }
            }
        }
        return signInStatus;
    }

This will basically use cookie authentication for windows and web users alike. After the user is authenticated you will need to add the windows user in the database and also add a record in IdentityUserLogin table with LoginProvider as "Windows" and ProviderKey as the userPrincipal.Sid and then call SignInManager.SignInAsync to login the user.

Using this approach I believe the windows user can also login over the internet, which your organization might not like.

Hope this helps!

saquib adil
  • 146
  • 10
  • Thank you very much. I found Mohammad's solution earlier this week, and with a few tweaks, I have produced a solution which logs in AD users in this manner and is decoupled from the AspNet Identity Data structures using repository pattern. It works quite well. Thanks for replying. – user1654348 May 21 '15 at 21:43