
I have an existing ASP.NET 4.0 web application that uses forms authentication. I want to add Windows authentication for domain users. I have read several articles and tried a few different approaches, but have met with various problems.

Here are the best 2 examples I have found that are relevant to IIS 7 and higher.

http://mvolo.com/iis-70-twolevel-authentication-with-forms-authentication-and-windows-authentication/

and

http://devmemass.blogspot.com/2012/02/mixing-forms-and-windows-authentication.html

The short story is that neither of these approaches has worked for me. Does anyone have a better (and especially more thorough) example?

I really only need NTLM / Kerberos authentication handled. I don't want passwords passed in clear text for domain users. I would like IIS to handle the Windows authentication part, then allow me to redirect them to the default page.

  • Are you willing to use classic mode pipeline? Commented Feb 14, 2014 at 16:42
  • No, I can't use classic mode Commented Feb 14, 2014 at 16:42
  • Well, then it's difficult. Integrated mode does not allow this easily. There are various hacks people have developed, but if you've tried them (and it looks like you have) and they don't work for you, then i'm not sure what you can do. What specifically didn't work for you? Commented Feb 14, 2014 at 16:45
  • In the 2nd link, I am getting error after error. The first errors were centered around the directories not being configured as Virtual Directories or Applications. I fixed that, only to be met with other errors regarding duplicate keys. I removed what the compiler was reporting as duplicate keys, added the folders as IIS Applications and now the latest problem is the HTTPModule is not being found, despite being listed correctly in the web.config (I also checked IIS and it considers the module to be added correctly.) Commented Feb 14, 2014 at 17:01
  • Ok, so your problem is not with authentication. You're simply not configuring IIS correctly to even run your application. Commented Feb 14, 2014 at 17:05
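The hand-off step the question asks for, as an added example that is not part of the question, the comments, or either linked article: a small HTTP handler that sits in a folder on which IIS performs the NTLM/Kerberos exchange, takes the resulting Windows identity, issues the normal forms-authentication cookie, and redirects. It assumes the handler is mapped at /WinLogin/login.ashx, that Windows Authentication is enabled and Anonymous Authentication disabled on that folder in IIS (the part of the setup the linked articles deal with), and that a `<location path="WinLogin">` element in web.config denies anonymous users. The class name and the `IsLocalUrl` helper are assumptions.

```csharp
// Added example: forms cookie issued from an IIS-authenticated Windows identity.
// Not code from the question or the linked articles; class and helper names are assumed.
using System;
using System.Web;
using System.Web.Security;

public class WinLoginHandler : IHttpHandler
{
    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        // By the time this runs, IIS has completed the NTLM/Kerberos handshake for the
        // /WinLogin folder; the negotiated token is exposed as LogonUserIdentity.
        // No password ever appears in the request body.
        var identity = context.Request.LogonUserIdentity;
        if (identity == null || !identity.IsAuthenticated || identity.IsAnonymous)
        {
            // Do not fall back to a password form here; returning 401 keeps the
            // folder's contract "Windows authentication only" intact.
            context.Response.StatusCode = 401;
            return;
        }

        // DOMAIN\user from the token becomes the forms principal, so the rest of the
        // site keeps using FormsAuthentication and User.Identity.Name unchanged.
        string userName = identity.Name;
        FormsAuthentication.SetAuthCookie(userName, createPersistentCookie: false);

        // Honour only local return URLs so the login cannot be used as an open redirect.
        string returnUrl = context.Request.QueryString["ReturnUrl"];
        if (!IsLocalUrl(returnUrl))
        {
            returnUrl = FormsAuthentication.DefaultUrl; // defaultUrl from <forms> in web.config
        }
        context.Response.Redirect(returnUrl, endResponse: false);
    }

    // A URL is local when it is a single path that starts with "/" but not "//" or "/\",
    // which the browser would treat as a different host.
    internal static bool IsLocalUrl(string url)
    {
        if (string.IsNullOrEmpty(url) || url[0] != '/') return false;
        if (url.Length == 1) return true;
        return url[1] != '/' && url[1] != '\\';
    }
}
```

Users outside the domain never reach this handler; they keep using the existing forms login page, and the `ReturnUrl` check matters because the handler is the one place on the site that logs someone in without a form of its own.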

1 Answer


I have done this successfully with my applications. If you want to have the sign-on with Windows Authentication, it's pretty easy. If you want to be able to use your Active Directory groups, it's a little more difficult. To just use Forms Authentication with AD you will need the following in your web.config:

<connectionStrings>
    <add name="ADService" connectionString="LDAP://domain/OU=ougroup,DC=domain,DC=net" />
</connectionStrings>

Then you will need a membership provider.

<membership defaultProvider="AspNetActiveDirectoryMembershipProvider">
  <providers>
    <clear />
    <!--Membership provider for Active Directory-->
    <add name="AspNetActiveDirectoryMembershipProvider" type="System.Web.Security.ActiveDirectoryMembershipProvider,  System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" connectionStringName="ADService" attributeMapUsername="sAMAccountName" />
  </providers>
</membership>

This should do it for you.

If you want to be able to use your AD groups, you will need to create your own RoleProvider.

I used this link here.

However, I did have to change the GetRolesForUser to:

// Requires: using System.Collections.Generic; using System.DirectoryServices.AccountManagement; using System.Linq;
public override string[] GetRolesForUser(string username)
{
    List<string> allRoles = new List<string>();
    // Bind to the domain (here a specific domain controller) and look the account up by name.
    var ctx = new PrincipalContext(ContextType.Domain, "jwaf-dc2.jeffwyler.net");
    UserPrincipal user = UserPrincipal.FindByIdentity(ctx, username);
    if (user != null)
    {
        // GetGroups returns the groups the user is a direct member of; their names become the roles.
        var groups = user.GetGroups();
        allRoles.AddRange(groups.Select(x => x.Name));
    }

    return allRoles.ToArray();
}

I hope this helps get you started.


3 Comments

He doesn't want to use Forms authentication with AD data source. He wants to use Windows Authentication (including passthrough authentication I would assume) and forms for people who aren't on the domain.
Oh, missed that completely then.
I really only need NTLM / Kerberos authentication handled. I don't want passwords passed in clear text for domain users. I would like IIS to handle the Windows authentication part, then allow me to redirect them to the default page.
