Reputation: 303
Can I use ASPNetIdentity and ActiveDirectory?
I have been looking over examples of using Asp.Net Identity and various providers to supply authentication using facebook, twitter, etc.
I have an MVC 6 solution, currently being developed using VS2015 RC. It will be deployed to an organisational IIS. AD is primarily used to authenticate users, the majority of whom are authenticated via the domain, either within the local network or remotely.
However there is the possibility that some users will want access to the system over the internet, without having a domain account. or these users, the user will register, an admin will approve the account and assign roles and permissions locally within the application database.
The project team are requesting that users on the local network or otherwise authenticated on the domain do not need to logon.
AD is in use, but not ADFS to the best of my knowledge.
Is this even possible? I believe what I need is an OWIN provider for AD, but the Microsoft one seems to work with either ADFS or AAD.
Thanks.
Upvotes: 2
Views: 1031
Answers (1)
Reputation: 156
You can definitely use Asp.Net Identity for the users that are registering over the internet.
You can also use Asp.Net Identity to sign-in the AD users using the below nuget package, but the windows users information (just the username, email) will need to be stored in your application database.
https://github.com/MohammadYounes/OWIN-MixedAuth
After you implement this nuget package, just do this to authenticate the windows user.
Add this method in ApplicationSignInManager class in IdentityConfig file and call this method if the windows user is logging in.
public async Task<SignInStatus> WindowsLoginAsync(string userName, string password, bool isPersistent)
{
var signInStatus = SignInStatus.Failure;
using (var context = new PrincipalContext(ContextType.Domain, <your_domain_name>))
{
var valid = context.ValidateCredentials(userName, password);
if (valid)
{
UserPrincipal userPrincipal = UserPrincipal.FindByIdentity(context, userName);
if (userPrincipal != null)
{
var loginInfo = new ExternalLoginInfo
{
Login = new UserLoginInfo("Windows", userPrincipal.Sid.ToString())
};
signInStatus = await ExternalSignInAsync(loginInfo, isPersistent);
return signInStatus;
}
}
}
return signInStatus;
}
This will basically use cookie authentication for windows and web users alike. After the user is authenticated you will need to add the windows user in the database and also add a record in IdentityUserLogin table with LoginProvider as "Windows" and ProviderKey as the userPrincipal.Sid and then call SignInManager.SignInAsync to login the user.
Using this approach I believe the windows user can also login over the internet, which your organization might not like.
Hope this helps!
Upvotes: 3
Related Questions
- Use two Owin identities in the same asp.net web application
- Using both AspNet.Identity and OpenConnectId(For Azure AD Signin)
- Use ActiveDirectory authorization with ASP.NET Identity
- Identity with Active directory Form ASP.NET MVC 5
- Azure AD and ASP.NET Identity + OWIN, which approach to use?
- Integrating Active Directory in my asp.net website
- Microsoft.AspNet.Identity without OWIN
- Using Active Directory for authentication and ASP.NET Identity for Roles
- Active Directory in ASP.NET Web Forms Application
- How to use ASP.NET authentication with active directory?