ASP.NET auth using Windows Authentication for intranet

Question

I know this has been asked a lot, but I have not been able to find a working solution.

I'm trying to create an intranet website where I want to use Windows Authentication. But for some reason I can't get authentication to work.

I've searched far and wide on MSDN, Stack Overflow, blogs etc. and tried the proposed solutions - to no avail.

Here's what I'm using:

• IIS 10.0.14393.0 (real IIS, not express)
• Windows 10 (1607)
• .NET Framework 4.6.1
• ASP.NET MVC 5.2.3

In Visual Studio I created a new empty ASP.NET Web Application and put a checkmark in MVC. Then I added a very simple (Hello World) controller, model and view.

Finally I added the following (which many people claim to be the right solution) to web.config in the system.web section:

<authentication mode="Windows"/>
<authorization>
  <allow users="DOMAIN\USER"/>
  <deny users="*"/>
</authorization>

In IIS I created a new website, pointed it to the web application folder, and set up a host name which I added to "hosts" file.

Then I enabled the "Windows Authentication" feature under Authentication section.

In Internet Explorer (or Firefox or Chrome for that matter) I navigate to the website, using the route to the controller, and I'm then prompted for credentials. I enter credentials for the domain user, but I'm denied access.

Some people claim that "Anonymous Authentication" in IIS should also be enabled, but for me this doesn't help at all. Same problem.

Also, some people claim that it helps to go to "Providers" for "Windows Authentication" and reorder them to: NTLM, Negotiate. Doesn't change a thing for me.

Then I try to change authorization in web.config to just:

<allow users="*"/>

Doesn't help either.

It's like the auth-thing doesn't talk to AD at all.

Anyone know how to set this up correctly given the described scenario?

UPDATE (dec 8, 2016): I found a pluralsight video (referenced from the asp.net/mvc website) by Scott Allen, where he explains the different authentication options for MVC5, and when it comes to doing an intranet site with Windows Authentication, it turns out it should be done pretty much like I've described in this question. Only thing is, when I try it out (I used the VS template for MVC and chose Windows Authentication), it only works in IISExpress - not in real IIS (even on same machine and both IISExpress and IIS setup to use Windows Authentication and not allow anonymous). So very frustrating.

Answer 1

You should not use <authorization> tag in ASP.Net MVC. It is meant for ASP.Net Web Form which is based on paths, whereas ASP.Net MVC works with Controllers, Actions and Routes.

In ASP.Net MVC, there are few ways to authenticate user via AD. I personally like to use use OWIN Middleware .

It has few pieces, so I created a sample project in GitHub AspNetMvcActiveDirectoryOwin . You can fork it, and test it right away.

The following three are the main classes -

1. AccountController

2. ActiveDirectoryService

3. OwinAuthenticationService