Windows Manual Authentication

I'm currently trying to figure out how to perform manual Windows authentication in our ASP.NET application. The problem is that we are running the OData service, and use FormsAuthentication to provide a common login mechanism and enable PUT and DELETE commands for OData, including form redirection.

However, for some clients, we integrated Windows authentication to provide seamless integration for our Active Directory users. The problem is that we want to be able to switch authentication methods without disrupting the OData service, because we are dependent on it.

What we are trying to do is mimic the mechanics of Windows authentication using an IHttpModule. For now, we can turn the function on and off, and we get a call when the request is made. I do not know how to use the information received from the browser to perform authentication against Active Directory.

This is the code we use to extract NTLM information from the current request:

```csharp
using System;
using System.Linq;   // needed for Contains() on request.Headers.AllKeys
using System.Web;

/// <summary>
/// <para>Determines whether the current <see cref="HttpRequest"/> is an NTLM challenge.</para>
/// </summary>
/// <param name="request">The <see cref="HttpRequest"/> to evaluate.</param>
/// <param name="header">The output header to authenticate.</param>
/// <returns>True if the current <see cref="HttpRequest"/> is considered an NTLM challenge.</returns>
protected bool IsNtlmChallenge(HttpRequest request, out string header)
{
    const string headerName = @"Authorization";
    if (request.Headers.AllKeys.Contains(headerName))
    {
        header = request.Headers[headerName];
        // Only an "NTLM <base64 token>" value is an NTLM message; any other scheme
        // (e.g. "Basic ...") must not be treated as an NTLM challenge.
        if (header.StartsWith("NTLM ", StringComparison.OrdinalIgnoreCase))
        {
            return true;
        }
    }
    header = string.Empty;
    return false;
}
```

This allows us to extract the header from the request. Now I need to know how I authenticate with this against Active Directory.

This is the logic we use to extract information:

```csharp
// Runs inside the IHttpModule's request handler.
// Check if we need to handle authentication through Windows authentication or not.
if (WindowsAuthentication)
{
    string encryptedHeader;
    // If this is a challenge from the client, perform the Windows Authentication using the
    // information stored inside the header.
    if (IsNtlmChallenge(HttpContext.Current.Request, out encryptedHeader))
    {
        /* how to authenticate here with the encrypted header? */
    }
    // Otherwise (or if validation fails) challenge the client for NTLM credentials.
    HttpContext.Current.Response.AddHeader("WWW-Authenticate", "NTLM");
    HttpContext.Current.Response.StatusCode = 401;
    return;
}
```

Hope someone can provide the answer that I need.

1 answer

Good,

Based on the comments received on my question, I came up with the following solution to get around the problem that I have. I know this is not a clean solution, but at least it works for us.

  • Create a new web application that runs inside your application.
  • This sub-application uses Windows authentication
    • Disable anonymous and form authentication
  • Create a Login.aspx page that handles Windows authentication
  • We create a cookie after logging in and redirect to the original application.
  • The original application recognizes the cookie and accepts the user.

This requires that we generate the same keys for encryption and decryption for both applications. This can be set using the Machine Key module in IIS Manager for your application. If the keys are not equal for both applications, the encryption/decryption process for the cookie will fail. We had them generated automatically using SHA1, but use the same keys for both applications.

Now we check the settings on the initial login page, redirect to the sub-application login page if Windows authentication is required and log in. Then we redirect back to the original login page and use the cookie to continue.

This leads to several redirects at the first login, but after that the application runs as quickly as possible.

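An added example (not the answerer's code) of what the Login.aspx code-behind of the Windows-authenticated sub-application described above can look like: IIS has already completed the NTLM/Kerberos handshake, so the page only has to turn the resulting WindowsIdentity into the forms cookie the parent application expects. The sub-application path, the 30-minute ticket lifetime and the IsLocalPath helper are assumptions.

```csharp
// Login.aspx.cs of the Windows-authenticated sub-application (path assumed, e.g. /WinLogin/).
// Assumed web.config for the sub-application (not from the original post):
//   <authentication mode="Windows" />
//   <authorization><deny users="?" /></authorization>
//   <machineKey validationKey="[SAME-AS-PARENT]" decryptionKey="[SAME-AS-PARENT]" validation="SHA1" decryption="AES" />
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;
using System.Web.UI;

public partial class Login : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // With anonymous access disabled, IIS has already completed the NTLM/Kerberos
        // handshake before this runs; the result is the WindowsIdentity on the request.
        WindowsIdentity identity = Context.User == null ? null : Context.User.Identity as WindowsIdentity;
        if (identity == null || !identity.IsAuthenticated)
        {
            Response.StatusCode = 401;   // let IIS re-issue the WWW-Authenticate challenge
            Response.End();
            return;
        }
        // Issue the same forms cookie the parent application uses. Cookie name, path and
        // machineKey must match, or the parent cannot validate and decrypt the ticket.
        var ticket = new FormsAuthenticationTicket(
            1, identity.Name, DateTime.Now, DateTime.Now.AddMinutes(30),
            false, "windows", "/");   // userData records how the session was established
        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                    FormsAuthentication.Encrypt(ticket))
        {
            HttpOnly = true,
            Secure = Request.IsSecureConnection,
            Path = "/"   // must cover the parent application, not only this sub-application
        };
        Response.Cookies.Add(cookie);
        // Only follow a local ReturnUrl: an absolute one would make this page an open redirect.
        string returnUrl = Request.QueryString["ReturnUrl"];
        Response.Redirect(IsLocalPath(returnUrl) ? returnUrl : "/", false);
        Context.ApplicationInstance.CompleteRequest();
    }

    // Assumed helper: accept "/path" but reject "//host" and "/\host" (protocol-relative).
    private static bool IsLocalPath(string url)
    {
        return !string.IsNullOrEmpty(url) && url[0] == '/'
            && (url.Length == 1 || (url[1] != '/' && url[1] != '\\'));
    }
}
```

The parent application's own login page redirects here with a ReturnUrl query parameter whenever Windows authentication is enabled, and its FormsAuthentication module then accepts the cookie on the way back.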
