How to mix Azure AD authentication and Windows authentication in MVC 4 app?

Question

I have a design requirement for an ASP.NET MVC 4 (.NET 4.6.1) app hosted on the company server (Not Azure) to do the following:

Check is user is authenticated via Windows Authentication

a)Yes - designate user as "authenticated"

b)No - use OpenIdConnect (OWIN) to authentication using Azure Active Directory.

Once authenticated use the standard [Authorize] attributes on controller methods etc. I have implemented Windows and Azure AD authentication alone is individual MVC apps but never together.

I have found several sources describing how to mix Windows and Forms authentication, but none for this combination.

Does anyone have insights on how this might be achieved?

Answer 1

I had a similar requirement a year ago and my approach was :

The users are redirected to input their AD credentials (https://azure.microsoft.com/en-us/documentation/articles/app-service-mobile-how-to-configure-active-directory-authentication/)

Once they are sucessfully logged in on the AD you will get a token.

Then I call the Azure AD API on their behalf using the token I just got. I woulds just call the /me endpoint that will return me the user personal details.

With the above response I just need to check if the email address matches the email address that was initially requested.

If it matches it means the user was successfully validated against the AD.

Then you can proceed and issue that user a token or cookie to access your application.