
I'm actually working on a website where users log in via Windows authentication.

My problem is that currently all users have to log in whenever they open our webpage. I wonder if it is possible to keep that Windows authentication alive? Maybe with cookies?

I implemented the authentication by adding this to my Startup.cs:

```csharp
services.Configure<IISOptions>(options =>
{
    options.AutomaticAuthentication = true;
});

services.AddAuthentication(IISDefaults.AuthenticationScheme);
```

And activating Windows Authentication in my project settings.

Afterwards I'm able to use the Authorize attribute:

```csharp
[Authorize]
public IActionResult Index()
{
    return View();
}
```

If the user isn't logged in, he is now asked to log in.

Is there any way to keep the Windows authentication alive, even if the user closes his browser?

Thanks for your help and your ideas in advance!

Felix Gerber
  • It looks like your question is general, not ASP.NET Core related. Try checking the following: https://forums.iis.net/t/1234764.aspx?Disable+asking+user+credentials+in+windows+authentication Isn't that your case? (the "Enable automatic logon only in local intranet->OK" setting in the browser) – d_f Jul 27 '18 at 13:02
  • And one more idea: sometimes NTLM works while Kerberos does not: https://stackoverflow.com/questions/5402381/receiving-login-prompt-using-integrated-windows-authentication – d_f Jul 27 '18 at 13:09
  • @d_f thanks for your ideas. But those didn't help me out. I ended up trusting that site globally over the whole network – Felix Gerber Jul 30 '18 at 13:30
  • If your approach works, then your client machine is not in the same domain as your server is. Otherwise the default "automatic logon only in local intranet" should be enough. And so... yes, you can authenticate once and then persist the result in a cookie... but it will not be the true Windows auth -- it will be cookie auth, relying on the Windows one. – d_f Aug 01 '18 at 09:00

1 Answer


Well, I found a way to get what I wanted, but it's not the way I wanted:

I ended up declaring my site as a trusted one. The trick here is that the login data is always passed to the web server.

In Chrome you can achieve it this way: Menu -> Settings -> Advanced Settings -> Change proxy settings -> Security -> Trusted Sites -> Add the URL of your page

Other ways (Firefox, IE) to open those settings can be found here: https://effortz.com/add-website-browsers-trusted-sites-windows-os/

Doing this will only work for the PC you are actually on. Often those settings are managed by system administrators. In this case, the admins can set your site as trusted for all users in your network. And boom, every user is automatically logged in and the login data is always available.

Felix Gerber
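d_f's last comment under the question describes authenticating once with Windows auth and persisting the result in a cookie. One way to do that in ASP.NET Core, as an added example that is not part of the original thread: `AuthSetup`, `AccountController`, `WindowsLogin` and the 8-hour lifetime are assumptions, and IIS is assumed to have both Windows and Anonymous authentication enabled so that cookie-only requests are not challenged.

```csharp
// Added example, not code from the thread. AuthSetup, AccountController and the
// 8-hour lifetime are assumptions; IIS must allow both Windows and Anonymous auth.
using System;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Server.IISIntegration;
using Microsoft.Extensions.DependencyInjection;

public static class AuthSetup
{
    // Call from ConfigureServices; Configure still needs app.UseAuthentication().
    public static void AddWindowsBackedCookies(this IServiceCollection services)
    {
        services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
            .AddCookie(o =>
            {
                o.LoginPath = "/Account/WindowsLogin"; // [Authorize] redirects here
                o.Cookie.HttpOnly = true;              // not readable from script
                o.Cookie.SecurePolicy = CookieSecurePolicy.Always; // HTTPS only
            });
    }
}

public class AccountController : Controller
{
    [AllowAnonymous]
    public async Task<IActionResult> WindowsLogin(string returnUrl = "/")
    {
        var win = await HttpContext.AuthenticateAsync(IISDefaults.AuthenticationScheme);
        if (!win.Succeeded)
            return Challenge(IISDefaults.AuthenticationScheme); // 401, Negotiate/NTLM
        // Copy only the account name into a fresh cookie identity.
        var identity = new ClaimsIdentity(
            new[] { new Claim(ClaimTypes.Name, win.Principal.Identity.Name) },
            CookieAuthenticationDefaults.AuthenticationScheme);
        await HttpContext.SignInAsync(
            CookieAuthenticationDefaults.AuthenticationScheme,
            new ClaimsPrincipal(identity),
            new AuthenticationProperties   // persistent: survives browser close
            { IsPersistent = true, ExpiresUtc = DateTimeOffset.UtcNow.AddHours(8) });
        // Follow only local return URLs so the login page is not an open redirect.
        return LocalRedirect(Url.IsLocalUrl(returnUrl) ? returnUrl : "/");
    }
}
```

The cookie is a bearer credential that stays valid until it expires, even if the Windows account is disabled in the meantime, so keep the lifetime short or re-check the account in the cookie handler's `OnValidatePrincipal` event.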