twilliams February 2016

Is Windows Authentication enough to sign my user in?

I have an ASP.NET Core application using Identity. It is an intranet application and I am requiring all users be authenticated using Windows Authentication, which uses Kerberos.

I want the system to be seamless for the user, so that when they access the page and they are not signed in but are authenticated, they are automatically signed in using their User.Identity.Name, which corresponds to their Identity username, which I first check to see if it exists with UserManager.FindByIdAsync.

If it does exist, I sign them in using the SignInManager. If it doesn't exist, I create a new user in the Identity store and then sign that user in.

Is this assuming too much? Is this potentially going to come back and bite me, or is this perfectly acceptable? Most examples I see exist with user credentials being transmitted to sign the user in to Active Directory.

Answers


blowdart February 2016

With integrated authentication IIS becomes the point at which users log in, and you don't need, and shouldn't use, Identity 3.0 - you don't need it, AD is the user database here, you don't need to add Identity.

When you create a new application you should click the change authentication button in the new project dialog and choose Windows authentication. That will configure everything correctly and won't add any of the Identity pieces.

Note that in RC1 authorization based on role/AD group membership is broken, so [Authorize(Roles = "MYDOMAIN\mygroup")] won't work. This will be fixed in RC2.
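The setup described in this answer, as an added example that is not code from the thread or from the ASP.NET team: a minimal ASP.NET Core app that lets Windows authentication (Kerberos/NTLM, via IIS or the Negotiate handler) establish the user and authorizes on an AD group, with no ASP.NET Core Identity store, no sign-in step and no user-creation logic. It uses the current ASP.NET Core APIs (the Microsoft.AspNetCore.Authentication.Negotiate package and top-level statements), not the 2016 RC1 APIs the thread refers to; MYDOMAIN\mygroup is a placeholder group name and the "whoami" route is an assumption.

```csharp
// Added example, not from the original thread. Assumes current ASP.NET Core with the
// Microsoft.AspNetCore.Authentication.Negotiate package; MYDOMAIN\mygroup is a placeholder.
using Microsoft.AspNetCore.Authentication.Negotiate;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

var builder = WebApplication.CreateBuilder(args);

// Windows authentication. Under IIS the site's Windows Authentication setting (with anonymous
// authentication disabled) drives the login; on Kestrel the Negotiate handler performs the
// Kerberos/NTLM exchange itself. Either way the user never types a password into this app.
builder.Services.AddAuthentication(NegotiateDefaults.AuthenticationScheme)
    .AddNegotiate();

builder.Services.AddAuthorization(options =>
{
    // Require an authenticated user for every endpoint unless [AllowAnonymous] is present,
    // so an unauthenticated request never reaches application code by accident.
    options.FallbackPolicy = options.DefaultPolicy;

    // Named policy for an AD group: Windows group membership is exposed as role claims
    // on the principal, so RequireRole works without any lookup of our own.
    options.AddPolicy("MyGroupOnly", policy => policy.RequireRole(@"MYDOMAIN\mygroup"));
});

builder.Services.AddControllers();

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();
app.MapControllers();
app.Run();

[ApiController]
[Route("whoami")]
public class WhoAmIController : ControllerBase
{
    // No SignInManager, no UserManager lookup: the authenticated Windows principal is
    // already on User when the action runs, which is what makes a local user store redundant.
    [HttpGet]
    public IActionResult Get() => Ok(new
    {
        Name = User.Identity?.Name,                    // e.g. MYDOMAIN\jdoe
        AuthType = User.Identity?.AuthenticationType,  // e.g. "Kerberos" or "NTLM"
        InGroup = User.IsInRole(@"MYDOMAIN\mygroup")   // AD group check, no directory query
    });

    // Group-restricted endpoint using the role attribute the answer refers to.
    [HttpGet("admin")]
    [Authorize(Roles = @"MYDOMAIN\mygroup")]
    public IActionResult Admin() => Ok("group member");

    // Same restriction expressed as the named policy registered above.
    [HttpGet("policy")]
    [Authorize(Policy = "MyGroupOnly")]
    public IActionResult ByPolicy() => Ok("group member (policy)");
}
```

When this runs under IIS or IIS Express, Windows authentication must also be enabled and anonymous authentication disabled on the site (for IIS Express, via the iisSettings section of launchSettings.json); the Negotiate handler will raise an error at startup if the server supports Windows authentication but it is switched off, which is the check you want rather than silently falling back to anonymous.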

Post Status

Asked in February 2016
Viewed 2,027 times
Voted 8
Answered 1 time
