I have inherited an internal website (NET6/MVC) that is set to allow both Anonymous Authentication and Windows Authentication. Mostly, it works. The controllers with attributes like [Authorize(Policy = Policy.SupportRead)] seem to do their job. However...
I have sections where the user name is required from AD. In the controller, if I use HttpContext.User I seem to get ambiguous results after a user is logged in. Sometimes I get a ClaimsPrincipal that is essentially empty, and sometimes I get the proper WindowsPrincipal. I can just refresh the page and it will get different results.
I'm honestly not sure where to start with this, here's some of the relevant code.
Startup.cs
public void ConfigureAuth(IServiceCollection services)
{
    services.Configure<CookiePolicyOptions>(options =>
    {
        options.CheckConsentNeeded = context => false;
        options.MinimumSameSitePolicy = SameSiteMode.None;
    });

    services.AddAuthentication(o =>
    {
        // Cookies are the default scheme for authenticating and signing in;
        // the HttpSys (Windows) scheme is only used when a challenge is issued.
        o.DefaultAuthenticateScheme = CookieAuthenticationDefaults.AuthenticationScheme;
        o.DefaultSignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
        o.DefaultChallengeScheme = HttpSysDefaults.AuthenticationScheme;
    }).AddIdentityCookies();

    PolicyConfig.ConfigurePolicies(services);
}
Later on in startup:

app.UseAuthentication();
app.UseAuthorization();
app.UseEndpoints(endpoints =>
{
    endpoints.MapControllers();
    endpoints.MapControllerRoute(
        name: "default",
        pattern: "{controller=Home}/{action=Index}/{id?}");
});
The Login controller method is very simple; honestly, I'm surprised this works and I'm not sure what magic is happening. When the link to this method is clicked I get a Chrome popup asking for Windows credentials.

[Authorize]
public IActionResult Login()
{
    // No explicit sign-in here; [Authorize] triggers the challenge scheme.
    return RedirectToAction("Index", "Home");
}
But then I go here and the user swaps between the two, WindowsPrincipal and ClaimsPrincipal, randomly on each request.

[HttpGet]
[ResponseCache(Duration = 0, Location = ResponseCacheLocation.None, NoStore = true)]
public IActionResult Dashboard()
{
    var user = User;
    ....
}
Not a lot of experience with web auth. I don't think I have any related 3rd party NuGet packages. Looks like just Microsoft.AspNetCore.Identity.
Pretty sure everything I've tried so far is just blind shots in the dark. Tried to call Logout() in the login method since it seems like I'm logged in twice. Tried messing with the startup config. Tried removing that ResponseCache attribute since I don't really know what it's doing. Looked in Chrome Dev Tools for a security cookie, which I'm not seeing as far as I can tell.
The closest thing I've found that relates to this is "User.Identity fluctuates between ClaimsIdentity and WindowsIdentity", but I'm not quite sure it's the same. User.Identities.Count is always 1 in my case.
If I keep repeatedly logging in on the site eventually it seems to stick, but obviously not a great user experience.
Let me know if I need to provide more code.
EDIT: From the linked issue, var user = HttpContext.Features.Get<WindowsPrincipal>(); always returns null for me.
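One common way to get a stable principal with this kind of configuration, added here as an example and not the asker's code: authenticate against the HttpSys scheme explicitly in Login and, once that succeeds, copy the resulting claims into the cookie scheme, so the default authenticate scheme (cookies) answers every subsequent request the same way regardless of which connection served it. This assumes the HttpSys scheme is registered as in the startup above and that an AccountController holds the actions; the controller name and the claim filtering are assumptions for the example.

```csharp
// Added example, not the asker's code: persist the Windows identity into the
// cookie scheme so that HttpContext.User is consistent across requests.
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Server.HttpSys;

public class AccountController : Controller   // hypothetical controller name
{
    [AllowAnonymous]
    public async Task<IActionResult> Login()
    {
        // Ask the HttpSys handler directly. With anonymous access allowed,
        // this only succeeds when the browser already completed Negotiate/NTLM
        // for this request; otherwise issue the challenge and come back here.
        var result = await HttpContext.AuthenticateAsync(HttpSysDefaults.AuthenticationScheme);
        if (!result.Succeeded || result.Principal?.Identity?.IsAuthenticated != true)
        {
            return Challenge(HttpSysDefaults.AuthenticationScheme);
        }

        // A WindowsIdentity cannot be serialised into the cookie, so copy the
        // claims into a plain ClaimsIdentity. Group SIDs are dropped here to
        // keep the cookie small (assumption: policies key off the name only).
        var claims = result.Principal.Claims
            .Where(c => c.Type != ClaimTypes.GroupSid && c.Type != ClaimTypes.DenyOnlySid);
        var identity = new ClaimsIdentity(
            claims,
            CookieAuthenticationDefaults.AuthenticationScheme,
            ClaimTypes.Name,
            ClaimTypes.Role);

        await HttpContext.SignInAsync(
            CookieAuthenticationDefaults.AuthenticationScheme,
            new ClaimsPrincipal(identity),
            new AuthenticationProperties { IsPersistent = false });

        return RedirectToAction("Index", "Home");
    }

    [Authorize]
    public IActionResult Dashboard()
    {
        // Served from the cookie now, so the name is present on every request.
        var userName = User.Identity?.Name;
        return Content($"Signed in as {userName}");
    }
}
```

Once the cookie is issued, a request that lands on an unauthenticated connection still carries the cookie, which is why the principal stops flipping; you can confirm this by watching for the identity cookie in Chrome Dev Tools after the Windows prompt.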