How to authenticate a user in a .Net Core WebAPI using Windows Active Directory from a frontend client that is hosted on a separate server?

Question

I have generated a WebAPI service using the following command:

dotnet new webapi --auth Windows

Then added this in my startup file:

services.AddAuthentication(NegotiateDefaults.AuthenticationScheme).AddNegotiate();

Now if I try to access an API endpoint that requires Authorization I get an alert box like prompt to enter my username and password (only once). And I do get a JSON response back when I enter my credentials correctly.

My next plan is to create a single-page app using React that will be hosted on a different server(probably in a container). I want to have a /login endpoint in my API that will receive the username and password from the frontend client and will try to authenticate the user using these credentials against Windows Active Directory.

I could not find any clue how should I do this. I don't even know if this is possible.

So, my questions are, is this possible to do? If not, what is the best alternative approach considering I will have other clients (including android app) that will use this API?

Some Additional Info: * .Net Core Version: 3.1.0 * Not using IIS. Only using Kestrel, But possible to use IIS if that helps in any way.

Answer 1

Your client apps and web api are in different domian , i would suggest using one identity provider, for example , identity server4/Azure AD , making identity provider integrated windows authentication .It would make your scenario eaiser to implement windows authentication and SSO among different kinds of apps. Otherwise you need to send AD's credential fron client to your web api , and contact AD to validate crdential in your web api , which may lead to security problem .

Windows Authentication in Identity server 4 :

http://docs.identityserver.io/en/latest/topics/windows.html