
I have created an MVC 5 application with Windows Authentication:

<authentication mode="Windows" />
<authorization>
  <deny users="?" />
</authorization>

I have the code below to get the user's display name, and I also want to do validation:

// Global.asax.cs
using System;
using System.DirectoryServices.AccountManagement;
using System.Security.Principal;
using System.Web.Hosting;

protected void Session_Start(object sender, EventArgs e)
{
    // Context.User is whatever principal IIS/ASP.NET attached to this request
    if (Context.User != null)
    {
        MapUserADDetails(Context.User);
    }
}

private void MapUserADDetails(IPrincipal user)
{
    // Run the directory query under the hosting identity and look up the
    // request's user name in the test.com domain
    using (HostingEnvironment.Impersonate())
    using (var domain = new PrincipalContext(ContextType.Domain, "test.com"))
    using (var usr = UserPrincipal.FindByIdentity(domain, user.Identity.Name))
    {
        if (usr == null)
        {
            return;
        }

        Session.Add("UserDisplayName", usr.DisplayName);
    }
}

Now I have hosted this app on IIS with only Windows authentication enabled. When I browse it, it prompts for a username and password.

Question:

Even if I enter a wrong username/password, or don't fill in anything at all, it is able to fetch the Display Name.

How do I restrict this? The username/password must be validated against AD. Please suggest. Thanks!

user584018

2 Answers


You're not actually validating any username/password combination. UserPrincipal.FindByIdentity only checks if the user is found in AD.

To validate user credentials, you would need to check:

using System.DirectoryServices.AccountManagement;

// `user` is the IPrincipal from the request; `password` is the clear-text
// password the caller supplied (it has to come from somewhere, e.g. a login form)
using (var domain = new PrincipalContext(ContextType.Domain, "test.com"))
{
    // ValidateCredentials performs a real logon against the domain, unlike FindByIdentity
    bool authenticated = domain.ValidateCredentials(user.Identity.Name, password);
    if (!authenticated)
    {
        // Do stuff: reject the request, log the failure, etc.
    }
}

You can check MSDN for more info.

Ronald
  • Thanks, but please let me know how to pass the password, as we don't have a login screen and I am using Windows Authentication. – user584018 Jul 11 '16 at 13:18
  • Sounds like you won't be able to get it to work then. I don't see a way you can validate a user account without a password. Simply validating that a user exists sounds like a security risk to me, but that's a choice you make. If you want to use Windows Authentication with IIS, you need to make sure your security settings in Internet Options are set up correctly. – Ronald Jul 11 '16 at 13:46
  • Ah, now I understand: you want to bypass login and re-use the currently logged in user from Windows. In that case, you don't have to validate against AD anymore, since Windows has already done that for you. Make sure your site is listed in the list of Intranet (or Local intranet) sites in Internet Options control panel. Then you can check `User.Identity.IsAuthenticated` without validating with a password. – Ronald Jul 11 '16 at 14:06
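As an added example (not from the question or from Ronald's answer), here is the lookup from the question guarded the way the last comment suggests: Active Directory is only consulted for an identity that Windows has already authenticated, and anonymous or non-Windows principals are skipped instead of being looked up. The domain name test.com and the UserDisplayName session key come from the question; the class and method names, and the assumption that this lives in Global.asax.cs, are mine.

```csharp
using System;
using System.DirectoryServices.AccountManagement;
using System.Security.Principal;
using System.Web;
using System.Web.Hosting;

public static class AdUserDetails
{
    // Returns the AD display name for an already-authenticated Windows identity,
    // or null when the request is anonymous or not a Windows identity at all.
    // This never validates a password: Kerberos/NTLM already did that at the DC.
    public static string ResolveDisplayName(IPrincipal user, string domainName = "test.com")
    {
        if (user == null || user.Identity == null)
        {
            return null;
        }

        // 1. Anonymous requests (IIS anonymous authentication still enabled, or a
        //    Negotiate/NTLM handshake that never completed) are not authenticated.
        if (!user.Identity.IsAuthenticated)
        {
            return null;
        }

        // 2. Only map identities produced by the Windows authentication module.
        //    Other principal types should not be translated into AD accounts here.
        var winIdentity = user.Identity as WindowsIdentity;
        if (winIdentity == null || winIdentity.IsAnonymous)
        {
            return null;
        }

        // 3. Directory lookup of the vouched-for account (same call as the question).
        using (HostingEnvironment.Impersonate())
        using (var domain = new PrincipalContext(ContextType.Domain, domainName))
        using (var usr = UserPrincipal.FindByIdentity(domain, winIdentity.Name))
        {
            return usr == null ? null : usr.DisplayName;
        }
    }
}

// Assumed call site: Session_Start in Global.asax.cs, as in the question.
public class MvcApplication : HttpApplication
{
    protected void Session_Start(object sender, EventArgs e)
    {
        string displayName = AdUserDetails.ResolveDisplayName(Context.User);
        if (displayName != null)
        {
            Session.Add("UserDisplayName", displayName);
        }
    }
}
```

The point of the first two checks is that the browser prompt in the question proves nothing by itself: what matters is whether IIS attached an authenticated WindowsIdentity to the request. If anonymous authentication is still on, the request arrives with IsAuthenticated == false and the code above simply does not touch AD.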

It sounds like an IIS configuration issue and not the code.

To troubleshoot:

  • check if IE behaves differently
  • make sure that IIS has only Windows authentication enabled and not e.g. anonymous (see Receiving login prompt using integrated windows authentication)
  • make sure that the page has no other resources (e.g. images) loaded from another location that requires authentication (maybe that prompt is not for the page but for resources embedded in it)
  • check browser settings (e.g. in IE that site might need to be added into Intranet Zone, or "Automatically logon with current username and password" is not enabled)
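The second bullet is the one that produces exactly the symptom in the question. As an added illustration (not part of this answer), this is the site-level IIS setting expressed in the application's web.config, with the weak value shown commented out next to the corrected one; the element names are standard IIS configuration, but see the note below about whether web.config is allowed to set them on your server.

```xml
<configuration>
  <system.webServer>
    <security>
      <authentication>
        <!-- Weak: with anonymous enabled IIS never challenges the browser,
             so Context.User is an unauthenticated principal -->
        <!-- <anonymousAuthentication enabled="true" /> -->

        <!-- Corrected: disable anonymous, leave only Windows (Negotiate/NTLM) -->
        <anonymousAuthentication enabled="false" />
        <windowsAuthentication enabled="true">
          <providers>
            <clear />
            <add value="Negotiate" />
            <add value="NTLM" />
          </providers>
        </windowsAuthentication>
      </authentication>
    </security>
  </system.webServer>
</configuration>
```

By default both authentication sections are locked in applicationHost.config (overrideModeDefault="Deny"), so placing them in web.config yields HTTP 500.19 "This configuration section cannot be used at this path" until they are unlocked with `appcmd unlock config -section:system.webServer/security/authentication/anonymousAuthentication` (and likewise for windowsAuthentication), or the same values are set for the site in IIS Manager. Either way, after the change the Authentication feature for the site should show only Windows Authentication as Enabled.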
user2316116