13

For earlier versions of the .NET application templates, i.e. 4.5.2, you can create a new Web Application, change the Authentication to 'Work and School Accounts' and choose 'On-Premises'. In the .NET 5 Web Application templates the 'Work and School Accounts' option does not have an 'On-Premises' option.

How do you go about authenticating via an on-premises Active Directory (LDAP) in .NET 5 using ASP.NET Identity? To be clear, I am not looking for Windows Authentication; I want to have users enter their credentials and process the authentication against the on-premises AD. IOW, users don't need to be logged into a Windows machine; they can access from their mobile devices etc.

I've searched for hours to no avail but I wouldn't be surprised if the answer is out there somewhere. Any help is appreciated!

Blackrain
  • Any update on this since January? Thanks! – Ovi Mar 16 '16 at 15:02
  • @Ovi This might help: http://tech.trailmax.info/2016/03/using-owin-and-active-directory-to-authenticate-users-in-asp-net-mvc-5-application/ This is for MVC 5, not the newer stuff. But I believe most of it will be applicable just the same. – trailmax Mar 18 '16 at 00:35
  • I ended up using a heavily modified version posed here: [link](http://stackoverflow.com/questions/28888006/how-to-use-windows-active-directory-authentication-and-identity-based-claims) Code: [github](https://github.com/jesblit/ASPNET5-FormAuthenticationLDAP) – Ovi Mar 23 '16 at 14:26

3 Answers

10

LDAP and On-Premises authentication are not the same thing; that's why, IMHO, On-Premises mode is gone as an "out-of-the-box" option, and also because Microsoft is pushing hard for everyone to move to the Azure cloud :)

On-Premises mode (as you can see here) is a way to use AD as a Federation provider (check this on SF), like Twitter or Facebook, if you prefer; you can use ADFS locally (if your AD support it) or in the cloud (with Azure).

If you're looking for LDAP authentication, the easiest way is to use the "Individual User Account" mode (which is like the old school forms auth) and use AD as the source of truth for user auth with something like (check this SO article):

    // Requires a reference to the System.DirectoryServices.AccountManagement
    // assembly (.NET Framework, Windows only).
    using System.DirectoryServices.AccountManagement;

    public struct Credentials
    {
        public string Username;
        public string Password;
    }

    public class Domain_Authentication
    {
        public Credentials Credentials;
        public string Domain;

        public Domain_Authentication(string Username, string Password, string SDomain)
        {
            Credentials.Username = Username;
            Credentials.Password = Password;
            Domain = SDomain;
        }

        public bool IsValid()
        {
            // Connect to the domain and let AD check the username/password pair.
            using (PrincipalContext pc = new PrincipalContext(ContextType.Domain, Domain))
            {
                return pc.ValidateCredentials(Credentials.Username, Credentials.Password);
            }
        }
    }

Anyway, if you're working with heterogeneous systems, or if you prefer to work with something more "secure", I suggest you use OAuth2, which has out-of-the-box support in MVC 6.

Update

If you want to use ASP.NET Identity with LDAP, you can create your own custom storage provider, as perfectly explained here. This is not difficult, but it could be quite long to implement.

Luca Ghersi
  • What is the best approach to use LDAP authentication in MVC6 projects? On the other hand, do you suggest a better approach that is also be used with ASP.NET Identity 2 besides LDAP? Any help pls? – Jack Mar 20 '16 at 22:56
  • ASP.NET Identity is made for two things: user/pw auth and token auth with external providers (for example fb, twitter, etc.); if you want to use LDAP you don't need Identity, and vice versa. If you want to use Identity with LDAP you can try to create a custom storage provider. I will update my answer. – Luca Ghersi Mar 21 '16 at 08:02
  • Thanks, but as far as I know ASP.NET Identity also lets us use custom auth and role management besides Twitter, etc. I mean that I want to use the role management feature of ASP.NET Identity and let the external user be registered as the LDAP user. So, under these requirements, could you please update your answer? Thanks. – Jack Mar 21 '16 at 08:18
  • I did. You can directly use Azure LDAP, if you want, but there is no plugin to do it against the local LDAP, unless you use ADFS (is like considering you local ldap as an external provider). Check the link I posted in the update. – Luca Ghersi Mar 21 '16 at 08:24
  • I do not want to use Azure so that dislike to be rely on such a kind of systems. – Jack Mar 21 '16 at 08:34
  • Thanks @LucaGhersi. I ended up using a heavily modified version of [link](http://stackoverflow.com/questions/28888006/how-to-use-windows-active-directory-authentication-and-identity-based-claims). Code: [github](https://github.com/jesblit/ASPNET5-FormAuthenticationLDAP) with another service account that authenticates the new PrincipalContext(ContextType.Domain, Domain, Container, User, Pass) – Ovi Mar 23 '16 at 14:29
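The answer above shows the Windows-only `System.DirectoryServices.AccountManagement` route and then points at a custom storage provider for roles. The following is an added example, not code from this answer or from the linked repository: it does the same "bind as the user" check with `System.DirectoryServices.Protocols` (the `LdapConnection` API, which runs on Linux and macOS as well as Windows from .NET 5 onwards; the ".NET 5" of the question was renamed ASP.NET Core 1.0 before release) and then reads the user's `memberOf` groups so they can be issued as role claims, which covers the role-management requirement from the comments without a full Identity store. The host `dc01.corp.example`, the naming context `DC=corp,DC=example` and the NetBIOS name `CORP` are placeholders. Two checks a practitioner should not skip are built in: an empty password is refused before any bind is attempted, because an LDAP simple bind with a name and no password is an unauthenticated bind (RFC 4513 section 5.1.2) that the server may accept as anonymous, and the username is restricted to a plain sAMAccountName so the login form cannot redirect the bind to another domain or account.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices.Protocols;
using System.Net;
using System.Security.Claims;
using System.Text;

// Connection settings. The host, port and naming context below are
// placeholders for this example; real values belong in configuration.
public sealed class LdapSettings
{
    public string Server { get; init; } = "dc01.corp.example"; // hypothetical DC
    public int Port { get; init; } = 636;                      // LDAPS only
    public string SearchBase { get; init; } = "DC=corp,DC=example";
    public string NetbiosDomain { get; init; } = "CORP";
}

public sealed class LdapAuthenticator
{
    private readonly LdapSettings _cfg;
    public LdapAuthenticator(LdapSettings cfg) => _cfg = cfg;

    // Validates the password by binding to AD *as the user* and, on success,
    // returns a ClaimsPrincipal carrying the user's AD groups as role claims.
    // Returns null on any failure; callers should not reveal which failure.
    public ClaimsPrincipal? Authenticate(string username, string password)
    {
        // A simple bind with a name but an empty password is an "unauthenticated"
        // bind (RFC 4513 s5.1.2); servers may accept it as anonymous, so a blank
        // password would look like a successful login. Refuse it up front.
        if (string.IsNullOrWhiteSpace(username) || string.IsNullOrEmpty(password))
            return null;

        // Accept a plain sAMAccountName only. A value such as "corp\\admin" or
        // "x@other.example" would change which account the bind targets.
        foreach (char c in username)
            if (!(char.IsLetterOrDigit(c) || c == '.' || c == '-' || c == '_'))
                return null;

        var server = new LdapDirectoryIdentifier(_cfg.Server, _cfg.Port);
        using var conn = new LdapConnection(server) { AuthType = AuthType.Basic };
        conn.SessionOptions.ProtocolVersion = 3;
        conn.SessionOptions.SecureSocketLayer = true; // simple bind sends the password; TLS is mandatory

        try
        {
            conn.Bind(new NetworkCredential($"{_cfg.NetbiosDomain}\\{username}", password));
        }
        catch (LdapException)
        {
            return null; // wrong password, disabled/locked account, DC unreachable
        }

        // Read the user's own entry over the authenticated connection. The filter
        // value is escaped per RFC 4515 even though the whitelist above already
        // excludes filter metacharacters (defence in depth against LDAP injection).
        string filter = $"(&(objectClass=user)(sAMAccountName={EscapeFilterValue(username)}))";
        var request = new SearchRequest(_cfg.SearchBase, filter, SearchScope.Subtree,
                                        "userPrincipalName", "displayName", "memberOf");
        var response = (SearchResponse)conn.SendRequest(request);
        if (response.Entries.Count != 1)
            return null; // zero or ambiguous matches: refuse rather than guess

        SearchResultEntry entry = response.Entries[0];
        var claims = new List<Claim>
        {
            new Claim(ClaimTypes.Name, username),
            new Claim(ClaimTypes.Upn, FirstString(entry, "userPrincipalName") ?? username),
            new Claim(ClaimTypes.GivenName, FirstString(entry, "displayName") ?? username),
        };
        // Direct group membership becomes role claims, e.g. for [Authorize(Roles = "...")].
        foreach (string groupDn in AllStrings(entry, "memberOf"))
            claims.Add(new Claim(ClaimTypes.Role, CommonNameOf(groupDn)));

        return new ClaimsPrincipal(
            new ClaimsIdentity(claims, "LdapBind", ClaimTypes.Name, ClaimTypes.Role));
    }

    private static IEnumerable<string> AllStrings(SearchResultEntry e, string attr)
    {
        if (!e.Attributes.Contains(attr)) yield break;
        foreach (object v in e.Attributes[attr].GetValues(typeof(string)))
            yield return (string)v;
    }

    private static string? FirstString(SearchResultEntry e, string attr)
    {
        foreach (string s in AllStrings(e, attr)) return s;
        return null;
    }

    // "CN=Domain Admins,CN=Users,DC=corp,DC=example" -> "Domain Admins",
    // honouring backslash-escaped commas inside the RDN value.
    private static string CommonNameOf(string dn)
    {
        const string prefix = "CN=";
        if (!dn.StartsWith(prefix, StringComparison.OrdinalIgnoreCase)) return dn;
        var sb = new StringBuilder();
        for (int i = prefix.Length; i < dn.Length; i++)
        {
            if (dn[i] == '\\' && i + 1 < dn.Length) { sb.Append(dn[++i]); continue; }
            if (dn[i] == ',') break;
            sb.Append(dn[i]);
        }
        return sb.ToString();
    }

    // RFC 4515 escaping for a value placed inside a search filter.
    private static string EscapeFilterValue(string v) =>
        v.Replace("\\", "\\5c").Replace("*", "\\2a").Replace("(", "\\28")
         .Replace(")", "\\29").Replace("\0", "\\00");
}
```

In an ASP.NET Core login action you pass the returned principal to `HttpContext.SignInAsync(CookieAuthenticationDefaults.AuthenticationScheme, principal)` and the cookie middleware takes over from there; `[Authorize(Roles = "Domain Admins")]` then matches the role claims built from `memberOf`. Note that `memberOf` lists direct membership only, so nested groups need a second lookup (or a `tokenGroups` read) if your authorization depends on them, and that the LDAPS certificate should be validated against your internal CA rather than disabled through `VerifyServerCertificate`.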
1

There is no on-premises option as .NET Core will not support WS-Fed at time of shipping. Even in older versions of .NET, on-premises did not use LDAP; it used WS-Fed to talk to an ADFS server.

Very old versions of ASP.NET did have an AD membership provider, but it was problematic in terms of security and did not come forward into ASP.NET 4.0.

You could implement your own membership provider, but .NET Core has no LDAP/System.DirectoryServices classes, so you'd have to do it all from scratch, including making a library to talk LDAP via sockets.

TLDR: You cannot.

blowdart
0

I don't know about any templates or anything, but I set up my own Identity Provider with OAuth2 and Owin following this guide.

http://bitoftech.net/2015/02/16/implement-oauth-json-web-tokens-authentication-in-asp-net-web-api-and-identity-2/

Then, to authenticate against Active Directory, I made my own UserStore and UserManager and I do it manually using the UserPrincipal and PrincipalContext classes from the DirectoryServices.AccountManagement assemblies.

Ryan Mann
  • Also I am using Windows Identity Foundation for single sign-on. So I have the login site on my Identity Provider page and I use it as a Relying Party for WIF. All of my other sites use Federated Passive Redirect to log in there, then redirect back. – Ryan Mann Jan 17 '16 at 02:42