
ASP.NET MVC 3 Windows Authentication with login form

I have already created a forms authentication application. I have a User table and created a custom membership provider. My User table has relations with other tables such as roles and permissions.

  1. I want to change that to work using Windows Authentication. It looks easy, but I have no clue how to still be able to read permissions from my tables. Some tables are related to the User table and require a user id; what do I do here? Should I break the foreign key?

  2. If a user is accessing the page from the LAN, s/he should get logged in automatically, but if they access the application over the internet, I should allow them to log in. How do I do this? What passwords should they use to log in (Active Directory or my User table)?

I hope I get simple and easy answers.

Regards

If you use Windows authentication, the user is going to be prompted for credentials just to access your site. You won't be able to prevent that. They won't even get to your code until they are authenticated.

We've done similar things using SSO (single sign-on), though I've never tied it to Windows authentication. The idea would be that you have two apps that share user credentials and, if you are logged into one, you are logged into the other. The first app would be your normal application, which supports forms-based authentication. The second would be an app that only does Windows authentication and then, upon successful login, redirects to your normal application. Since you're already authenticated, the normal application simply creates its standard authentication cookie and takes you to the main page of the application.

Typically these work by passing a token in the URL which you can then redeem via a back channel to the SSO server (or, in your case the Windows authentication server) to confirm that the token is authentic. The response to the back channel call contains the user name and other pertinent details if the token is successfully redeemed.

A sketch of the process might look like:

  1. Get request to protected action on site.
  2. If not authenticated, redirect to login site without token
    • Your login site contains both a forms-based login form and a link to the Windows authentication URL
  3. User clicks the Windows authentication URL
  4. Windows authentication site authenticates, creates a one-time use token in DB for user, and redirects back to your login action with token
  5. Your login action redeems the token via back channel WebRequest to the Windows authentication server.
  6. Windows authentication server validates the token, marking it as used, then returns the username to your login action.
  7. Your login action creates standard forms authentication cookie and continues as normal.

  1. In your controllers you can use User.Identity.Name to get the user's AD username. You can then add a field to your users table called ADUserName (or update the values in the existing username field) so that you can link the logged-in user to the existing user record in your database.

  2. You don't have to do anything: if the user is accessing it from an external network or any machine that is not on the domain, the browser will pop up a username/password prompt.
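The token handoff sketched in the first answer (steps 4 to 7) and the ADUserName mapping from the second answer, written out as an added example for ASP.NET MVC 3 / .NET 4. This is not code from either answer. Everything named here is an assumption: an appSettings entry `SsoBackChannelSecret` configured identically on both sites, a connection string `AppDb` and a `Users.ADUserName` column on the forms site, the two hostnames, and an in-memory dictionary standing in for the "one-time use token in DB" (a real deployment would store a hash of the token in a table and purge expired rows).

```csharp
// Added example, not code from either answer. Two sites: WinAuthSite issues one-time tokens
// for Windows-authenticated users; FormsSite redeems them over a back channel, maps the AD
// account to its own Users row and issues its normal forms cookie. All names are hypothetical.
using System;
using System.Collections.Concurrent;
using System.Configuration;
using System.Data.SqlClient;
using System.Net;
using System.Security.Cryptography;
using System.Web.Mvc;
using System.Web.Security;

namespace WinAuthSite   // app 2: IIS site with Windows authentication on, anonymous off
{
    public class IssuedToken { public string AdUserName; public DateTime ExpiresUtc; }

    public static class TokenStore
    {
        // Stand-in for the DB table the answer describes.
        public static readonly ConcurrentDictionary<string, IssuedToken> Tokens =
            new ConcurrentDictionary<string, IssuedToken>();

        public static string NewToken()   // 256 random bits, URL-safe, unguessable
        {
            var bytes = new byte[32];
            using (var rng = new RNGCryptoServiceProvider()) rng.GetBytes(bytes);
            return Convert.ToBase64String(bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_');
        }

        public static bool FixedTimeEquals(string a, string b)   // no early exit on mismatch
        {
            if (a == null || b == null || a.Length != b.Length) return false;
            int diff = 0;
            for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
            return diff == 0;
        }
    }

    public class SsoController : Controller
    {
        const string FormsSiteLogin = "https://forms.example.test/Account/SsoLogin";   // assumption

        [Authorize]   // IIS already did Kerberos/NTLM; User.Identity.Name is "DOMAIN\\user"
        public ActionResult Start()   // step 4: mint a short-lived token, send the browser back
        {
            string token = TokenStore.NewToken();
            TokenStore.Tokens[token] = new IssuedToken
                { AdUserName = User.Identity.Name, ExpiresUtc = DateTime.UtcNow.AddSeconds(60) };
            return Redirect(FormsSiteLogin + "?token=" + Uri.EscapeDataString(token));
        }

        // Step 6, server-to-server only. Allow anonymous access to this one path (IIS and a
        // web.config <location>) and let the shared secret authenticate the forms site instead.
        public ActionResult Redeem(string token)
        {
            string expected = ConfigurationManager.AppSettings["SsoBackChannelSecret"];
            if (!TokenStore.FixedTimeEquals(Request.Headers["X-Sso-Secret"], expected))
                return new HttpStatusCodeResult(403);
            IssuedToken rec;   // TryRemove makes the token single-use even under concurrent replays
            if (token == null || !TokenStore.Tokens.TryRemove(token, out rec) || rec.ExpiresUtc < DateTime.UtcNow)
                return new HttpStatusCodeResult(404);
            return Content(rec.AdUserName, "text/plain");
        }
    }
}

namespace FormsSite   // app 1: forms authentication, custom membership, Users/Roles tables
{
    public class UserRow { public int UserId; public string UserName; }

    public static class UserRepository
    {
        // Second answer's mapping: an ADUserName column on the existing Users table keeps the
        // UserId foreign keys to roles/permissions intact. Parameterized: the returned name is data.
        public static UserRow FindByAdUserName(string adUserName)
        {
            using (var conn = new SqlConnection(ConfigurationManager.ConnectionStrings["AppDb"].ConnectionString))
            using (var cmd = new SqlCommand("SELECT UserId, UserName FROM Users WHERE ADUserName = @ad", conn))
            {
                cmd.Parameters.AddWithValue("@ad", adUserName);
                conn.Open();
                using (var r = cmd.ExecuteReader())
                    return r.Read() ? new UserRow { UserId = r.GetInt32(0), UserName = r.GetString(1) } : null;
            }
        }
    }

    public class AccountController : Controller
    {
        const string RedeemUrl = "https://winauth.example.test/Sso/Redeem";   // assumption

        public ActionResult SsoLogin(string token, string returnUrl)   // steps 5 and 7
        {
            if (string.IsNullOrEmpty(token)) return RedirectToAction("Login");
            string adUser;
            using (var client = new WebClient())
            {
                client.Headers["X-Sso-Secret"] = ConfigurationManager.AppSettings["SsoBackChannelSecret"];
                try { adUser = client.DownloadString(RedeemUrl + "?token=" + Uri.EscapeDataString(token)).Trim(); }
                catch (WebException) { return RedirectToAction("Login"); }   // unknown, expired or already used
            }
            UserRow user = UserRepository.FindByAdUserName(adUser);
            if (user == null) return RedirectToAction("Login");   // AD account not linked to a user row
            FormsAuthentication.SetAuthCookie(user.UserName, false);   // the site's normal cookie
            if (!string.IsNullOrEmpty(returnUrl) && Url.IsLocalUrl(returnUrl)) return Redirect(returnUrl);
            return RedirectToAction("Index", "Home");
        }
    }
}
```

Only the token travels in the URL; the username comes back over the back channel, so a user cannot forge a login by editing the redirect. The token is random, expires after 60 seconds and is deleted on first redemption, so a leaked browser-history or Referer copy is worthless once used. `Url.IsLocalUrl` (available since MVC 3) stops the `returnUrl` parameter from becoming an open redirect, and the parameterized lookup means the AD name the SSO server returns can never reach the database as SQL.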
