
I have a website redesign that I'm doing at work. Part of the redesign was a switch to a framework (MVC3). Something that I'm HOPING to add is the ability for the secure area of the website to auto-authenticate users based on our Active Directory server. However, we also have customers that need access to certain areas as well. I'm wanting to have a fallback to a standard login page that only gets called if it can't authenticate with AD. Has anyone done this? Issues you found, etc.?

We currently are simply doing standard login procedures, but I'd like to simplify it for the internal employees.

EDIT: I've considered making a separate mvc3 project that simply is for internal use, but was wondering if this was possible for maintainability.

amit_g
Jared

1 Answer


I think what you're looking for is mixed mode authentication.

Similar questions have been asked, like this one, and the accepted answer is that it can't be done... However, I know it can be done, because I did a project with mixed mode authentication too.

What I did was:

In the global web.config (so not the one in views\web.config) put:

<authentication mode="Forms">
  <forms loginUrl="~/Account/LogOn" timeout="2880" />
</authentication>

So by default it will do to your account controller.

Then this is my controller:

// Requires: using System.Globalization; (for CultureInfo).
// SessionHelper, Settings.Default.LDAPDomain and ActiveDirectoryAuthentication
// are helpers from the author's own project and are not shown in this answer.
[HttpGet]
public ActionResult LogOn()
{
    var loggedinUser = User.Identity.Name;

    // If the logged in user is not empty, the session is not new,
    // so the user wants to manually log in.
    if (!string.IsNullOrEmpty(loggedinUser))
    {
        new SessionHelper(this).CleanupLeftoverCookies();
        return View();
    }

    // Else try to get the windows login name. IIS only fills LOGON_USER for
    // requests it has authenticated (e.g. Windows authentication); for
    // anonymous requests the value is empty or null.
    loggedinUser = Request.ServerVariables["LOGON_USER"];

    // If there is no windows authentication either, let them login manually.
    // (Checked before the Replace below, which would throw on a null value.)
    if (string.IsNullOrWhiteSpace(loggedinUser))
    {
        return View();
    }

    // I stored my active directory domain in the settings file, you can probably do this programmatically too
    var domainName = Settings.Default.LDAPDomain;

    // Strip the "DOMAIN\" prefix so only the account name remains.
    loggedinUser = loggedinUser.Replace(string.Format(CultureInfo.InvariantCulture, "{0}\\", domainName), string.Empty);

    // Else store the windows Authentication in a cookie and go back home.
    if (ActiveDirectoryAuthentication(loggedinUser, false))
    {
        return RedirectToAction("Index", "Home");
    }
    else
    {
        ModelState.AddModelError(string.Empty, string.Format(CultureInfo.InvariantCulture, "Login using your windows account {0} failed. Please log in manually", loggedinUser));
        return View();
    }
}
Ron Sijm
    That project is at my workplace tho, so I cannot really give precise details besides what I remember. I can show you code samples, but not earlier than Monday. However, that link should help you getting started. – Ron Sijm Nov 18 '11 at 13:03
  • Awesome I look forward to it! – Jared Nov 20 '11 at 01:52
  • Thanks for the starting point and for confirming that it can be done. However, you left out the definition for the `SessionHelper` class and its `CleanupLeftoverCookies` method. So unless it's referring to the activity that goes on after a good pot luck, it would be nice to have that bit of code to go with the rest. Thanks! ;) – CptRobby Nov 14 '13 at 21:27
  • I'm sorry CptRobby, but this is a post from two years ago. I don't have the code of those methods anymore. Besides, I hope someone has made a better workaround by now than this – Ron Sijm Nov 15 '13 at 23:25
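The answer above calls an `ActiveDirectoryAuthentication` helper and relies on a manual login fallback, neither of which is shown. The following is an added example, not code from the answer or from either poster's project, of how those two halves of a mixed-mode scheme can be written for MVC3. It assumes the `LogOnModel` (UserName, Password, RememberMe) from the MVC3 Internet Application template, the `System.DirectoryServices.AccountManagement` assembly, a placeholder domain name `CORP` in place of the settings value, and that IIS has both Anonymous and Windows Authentication enabled on the site (otherwise `LOGON_USER` is either never filled or customers without a domain account are refused before reaching the controller). The important defensive points are that the name IIS supplies is only accepted after its domain prefix is checked and the account is confirmed to exist and be enabled in AD, and that the post-login redirect is restricted to local URLs.

```csharp
using System;
using System.DirectoryServices.AccountManagement;
using System.Web.Mvc;
using System.Web.Security;

public class AccountController : Controller
{
    // Placeholder for the value the answer reads from Settings.Default.LDAPDomain.
    private const string DomainName = "CORP";

    // Turns "DOMAIN\user" into "user" only when DOMAIN is the configured domain.
    // A name from any other (or no) domain yields null, so it is never looked up
    // as if it were one of our accounts.
    public static string AccountNameFromLogonUser(string logonUser, string domainName)
    {
        if (string.IsNullOrWhiteSpace(logonUser)) return null;
        var parts = logonUser.Split('\\');
        if (parts.Length != 2) return null;
        if (!string.Equals(parts[0], domainName, StringComparison.OrdinalIgnoreCase)) return null;
        return string.IsNullOrWhiteSpace(parts[1]) ? null : parts[1];
    }

    // Auto path: confirm the IIS-authenticated account exists in AD and is
    // enabled, then issue the forms cookie the rest of the site relies on.
    private bool ActiveDirectoryAuthentication(string accountName, bool persistent)
    {
        try
        {
            using (var ctx = new PrincipalContext(ContextType.Domain, DomainName))
            using (var user = UserPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, accountName))
            {
                if (user == null || user.Enabled != true) return false;
                FormsAuthentication.SetAuthCookie(user.SamAccountName, persistent);
                return true;
            }
        }
        catch (PrincipalServerDownException)
        {
            // AD unreachable: report failure so the caller shows the manual form.
            return false;
        }
    }

    // Fallback path: the manual form used by customers and by employees whose
    // Windows session could not be validated. Credentials are tried against AD
    // first, then against the site's Membership provider for customer accounts.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult LogOn(LogOnModel model, string returnUrl)
    {
        if (!ModelState.IsValid) return View(model);

        bool ok = false;
        try
        {
            using (var ctx = new PrincipalContext(ContextType.Domain, DomainName))
            {
                ok = ctx.ValidateCredentials(model.UserName, model.Password, ContextOptions.Negotiate);
            }
        }
        catch (PrincipalServerDownException)
        {
            // Fall through to the local customer store.
        }

        if (!ok) ok = Membership.ValidateUser(model.UserName, model.Password);

        if (!ok)
        {
            // Same message for unknown user and wrong password.
            ModelState.AddModelError(string.Empty, "The user name or password provided is incorrect.");
            return View(model);
        }

        FormsAuthentication.SetAuthCookie(model.UserName, model.RememberMe);

        // Only honour local return URLs, so the login page cannot be used as an open redirect.
        if (Url.IsLocalUrl(returnUrl)) return Redirect(returnUrl);
        return RedirectToAction("Index", "Home");
    }
}
```

In the `[HttpGet] LogOn` action from the answer, `AccountNameFromLogonUser(Request.ServerVariables["LOGON_USER"], DomainName)` would replace the `Replace("DOMAIN\\", "")` step: a null result means "show the form", anything else goes to `ActiveDirectoryAuthentication`. Keeping the forms cookie as the single session token for both paths is what lets the rest of the site stay unaware of how a user got in.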