Manual Windows Authentication

Question

I'm currently trying to figure out how to perform manual windows authentication in our ASP.NET Application. The problem is that we have an OData service running, and use FormsAuthentication to provide the generic login mechanism and allow the PUT & DELETE verbs for OData, including form redirects.

However, for some customers we have integrated Windows Authentication to allow smooth integration for their users with the active directory. The problem now is that we want to be able to switch authentication methods without breaking the Odata service, because we depend on it.

What we're trying to do is mimic the Windows Authentication mechanics using an IhttpModule. So far we're able to toggle the feature on & off, and we get the challenge when a request is made. What I don't know is how to use the received information from the browser to perform authentication against the active directory:

This is the code we use to extract the NTLM information from the current request:

/// <summary>
/// <para>Determines whether the current <see cref="HttpRequest"/> is a NTML challenge.</para>
/// </summary>
/// <param name="request">The <see cref="HttpRequest"/> to evaluate.</param>
/// <param name="header">The output header to authenticate.</param>
/// <returns>True if the current <see cref="HttpRequest"/> is considered a NTML challenge.</returns>
 protected bool IsNtlmChallenge(HttpRequest request, out string header)
 {
      const string headerName = @"Authorization";
      if (request.Headers.AllKeys.Contains(headerName))
      {
           header = request.Headers[headerName];
           return true;
      }

      header = string.Empty;
      return false;
 }

This allows us to extract the header from the request. What I need to know now is how I perform the authentication with this on the active directory.

This is the logic we use to extract the info:

// Check if we need to handle authentication through Windows authentication or not.
if (WindowsAuthentication)
{
    string encryptedHeader;

    // If this is a challenge from the client, perform the Windows Authentication using the 
    // information stored inside the header.
    if(IsNtlmChallenge(HttpContext.Current.Request, out encryptedHeader))
    {
         /* how to authenticate here with the encrypted header? */
    }

    HttpContext.Current.Response.AddHeader("WWW-Authenticate", "NTLM");
    HttpContext.Current.Response.StatusCode = 401;
    return;
}

Hope someone can provide the anwser that I need.

Answer 1

Alright,

based upon the comments received on my question, i've come up with the following solution to bypass the problem that I have. I know it's not a clean solution, but at least it works for us.

• Create a new Web Application that runs inside your application
• This sub-application relies on Windows Authentication
  • Disable Anonymous Authentication & Forms Authentication
• Create a Login.aspx page that handles the Windows Authentication
• We generate a cookie after the login and redirect to the original app
• Original app recognizes the cookie and takes the user.

This requires that we generate the same keys for encryption & decryption for both applications. This can be set using the Machine Key Module in the IIS manager for your application. If the keys are not equal for both applications, the encode/decode process for the cookie will fail. We set them to auto-generate using SHA1, but the same keys for both applications.

Now we check the settings on the original login page, redirect to the sub-application's login page if Windows Authentication is required and perform the login there. Then we redirect back to the original login page and use the cookie to continue.

This results in a few redirects when making the initial login, but afterwards the application runs as smooth as ever.