
I am currently working on a project that has a requirement that is causing me some issues and I want to know the best way of handling it.

Essentially we would like internal users to be able to access the MVC application and be authenticated through AD. We want this to be pretty much like SSO: they sign on to their computer, navigate to the site and they are in.

The second type of users are outside partners that do not exist in our AD and we want to manage through our SQL Server. For these users we want to display a login page and do forms authentication.

My thoughts at first were simple: let IIS try to authenticate with Windows authentication and, if it fails (401), redirect to a login page. I don't currently have an environment to test this in, but from my understanding in IIS7 it is not that simple and requires a little bit of a "hack" to accomplish. I need to avoid anything like that; I need a solution that works as the system was designed to work and not by tricking it.

I have looked into ADFS and WIF, but ADFS only supports AD, not SQL, and from what I've seen there is no STS that supports SQL Server. I have contemplated hosting both an internal application that uses Windows authentication and an external application that uses forms authentication, but I want to avoid this if possible.

Ideally the flow that we want is: the user navigates to the MVC application, IIS tries to do Windows authentication, and if it fails (401) redirects them to the login page. From there the login page will authenticate the user credentials against the SQL database. What is the best way of accomplishing this all within one MVC application?

Thank you!

  • I would first authenticate the user by checking the info from Active Directory; if found, log in directly, else show the login page and authenticate the user credentials from the database. There might be other ways to do it, but I find this easy. Commented Oct 18, 2013 at 16:38
  • What would be your method of checking AD, would it be from the MVC side or IIS? We were hoping to leverage IIS to do the Windows authentication. Commented Oct 18, 2013 at 19:59
  • You can do it either way. If Windows authentication is enabled in your MVC application, then you can use User.Identity.Name to get the AD username and see if the user is authenticated. Commented Oct 18, 2013 at 21:36
  • Is it an option to simply add them to your AD? You're going to have to manage the logins one way or another. Why not AD? They don't need any internal network rights. Commented Nov 18, 2016 at 7:40

3 Answers

I would just implement my own authentication on top of FormsAuthentication, or OWIN if you are using ASP.NET MVC 5. It is really simple and you will have full control over where you go to authenticate users. Trust me, it isn't as scary as it sounds. I've written a few posts about it that you might find interesting.

MVC 5

http://www.khalidabuhakmeh.com/asp-net-mvc-5-authentication-breakdown-part-deux

MVC 4

http://tech.pro/tutorial/1216/implementing-custom-authentication-for-aspnet

I currently use the MVC 4 method to authenticate against an Active Directory domain with great success. The only thing I would recommend is that you cache your calls to Active Directory, as it can be unreliable at times.

3 Comments

You could do with rewriting your posts... well, the MVC 5 one, haven't read the other yet... it doesn't explain how this helps with Windows auth. Could you explain how this adds any value?
Windows auth has an API that you can utilize for authentication. Once you do that, you can follow my posts from there.
The thing is I want to know how to do both. Your answer (which I think is great btw) only partly addresses the question. If you could document the Windows part and update your answer I think you'd have loads of votes.
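The "own authentication on top of FormsAuthentication" approach this answer recommends, as an added example that is not the answerer's code nor taken from the linked posts. It assumes ASP.NET MVC 4/5 with forms authentication configured in web.config, that IIS has been configured (by the deployer) to require Windows authentication only on the `Account/WindowsSignIn` path and to allow anonymous access everywhere else, a hypothetical `IPartnerStore` that returns the PBKDF2 salt, hash and iteration count stored in SQL Server for partner accounts, and a placeholder domain name `CORP`. Both kinds of user end up with the same forms ticket, so the rest of the application has a single notion of "logged in":

```csharp
using System;
using System.DirectoryServices.AccountManagement;
using System.Security.Cryptography;
using System.Security.Principal;
using System.Web.Mvc;
using System.Web.Security;

// Hypothetical store for the partner accounts kept in SQL Server. It hands
// back only the PBKDF2 salt, hash and iteration count, never a password.
public interface IPartnerStore
{
    bool TryGetCredentials(string userName, out byte[] salt, out byte[] hash, out int iterations);
}

public class AccountController : Controller
{
    private const string AdDomain = "CORP";          // placeholder, not a real domain
    private readonly IPartnerStore _partners;

    public AccountController(IPartnerStore partners) { _partners = partners; }

    // Internal users. Assumption: IIS requires Windows authentication on this
    // one path, so a request only reaches the action body with a Kerberos/NTLM
    // verified WindowsIdentity. We turn it into a forms ticket and move on.
    public ActionResult WindowsSignIn(string returnUrl)
    {
        var identity = User.Identity as WindowsIdentity;
        if (identity == null || !identity.IsAuthenticated)
            return new HttpStatusCodeResult(403);     // misconfiguration guard, not a challenge

        FormsAuthentication.SetAuthCookie(identity.Name, false);   // DOMAIN\user
        return Redirect(SafeReturnUrl(returnUrl));
    }

    [HttpGet, AllowAnonymous]
    public ActionResult Login(string returnUrl) { return View(); }

    // Partner users (and internal users on a non-domain machine). The AD check
    // is tried first so that an internal user's password is verified by the
    // domain controller; only then do we consult the partner table in SQL.
    [HttpPost, AllowAnonymous, ValidateAntiForgeryToken]
    public ActionResult Login(string userName, string password, string returnUrl)
    {
        bool ok = ValidateAgainstAd(userName, password) || ValidateAgainstSql(userName, password);
        if (!ok)
        {
            // One generic message for both backends: do not reveal which store knows the name.
            ModelState.AddModelError("", "Invalid user name or password.");
            return View();
        }
        FormsAuthentication.SetAuthCookie(userName, false);
        return Redirect(SafeReturnUrl(returnUrl));
    }

    private static bool ValidateAgainstAd(string userName, string password)
    {
        try
        {
            using (var ctx = new PrincipalContext(ContextType.Domain, AdDomain))
                return ctx.ValidateCredentials(userName, password, ContextOptions.Negotiate);
        }
        catch (PrincipalServerDownException)
        {
            return false;   // AD unreachable: fall through to the SQL store
        }
    }

    private bool ValidateAgainstSql(string userName, string password)
    {
        byte[] salt, stored;
        int iterations;
        if (!_partners.TryGetCredentials(userName, out salt, out stored, out iterations))
            return false;

        byte[] computed;
        using (var kdf = new Rfc2898DeriveBytes(password, salt, iterations))
            computed = kdf.GetBytes(stored.Length);
        return FixedTimeEquals(computed, stored);
    }

    // Compare every byte so response time does not leak how much of the hash matched.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    // Only redirect within the site; an absolute URL supplied by the caller is dropped.
    private string SafeReturnUrl(string returnUrl)
    {
        return Url.IsLocalUrl(returnUrl) ? returnUrl : Url.Action("Index", "Home");
    }
}
```

Two things worth checking in a real deployment: the names issued to the two populations differ (`DOMAIN\user` from Windows sign-in versus whatever was typed into the form), so any authorization code keyed on `User.Identity.Name` should normalize them; and the form is an unauthenticated path that validates AD passwords, so it needs the same lockout or rate limiting you would apply to any password form, otherwise it becomes a way to lock out domain accounts by guessing.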

There is an STS that supports SQL Server: IdentityServer.

https://github.com/thinktecture/Thinktecture.IdentityServer.v2

It even supports custom membership providers, which give you quite a lot of different possibilities. I am not sure, however, if it supports automatic fallback to forms when integrated authentication fails. If not, there are two options: a custom STS, or two explicit STSes and an explicit choice for users. We have implemented the latter scenario once with ADFS: there were two ADFSes, one with forms, the other one with integrated auth, the first one federated with the other. This gives an explicit choice on the home realm discovery page: "Would you like to log in with username/password or try the integrated authentication?"

You could create a project that uses "On-Premises Authentication" which uses ADFS to authenticate users. The on-premises authority URI will be:

https://yourADFSservername/federationmetadata/2007-06/federationmetadata.xml

After your project is loaded, you can go to your ADFS settings and create a new "Relying Party Trust" and pass on the HTTPS URL that your MVC app will be using. Set it up to use LDAP attributes as claims and that will sort out AD authentication easily, as it will navigate users to the organisational sign-in page just like Office 365. Then, if authentication fails for certain users, send the user to the normal sign-in/signup page that exists independently of AD and is connected to SQL Server. You could skip Windows authentication altogether by using on-premises authentication.