
We are currently building a proof-of-concept application with ASP.NET Core 1.1. The target is to provide SSO at intranet level and to offer a login page for access via the internet.

So far I am able to get the Kerberos ticket by setting "windowsAuthentication": true in the IIS settings (launchSettings.json) or in web.config.

I built my own authentication middleware / authentication handler to go on from there.

If the user is not yet authenticated, I redirect them to a login page.

BUT here comes my problem. On the first request the user is always null; then the server challenges for Kerberos and gets the ticket. (Maybe I am missing something about how Kerberos and challenging really work.)

In my function HandleUnauthorizedAsync I can't know whether IIS is going to respond with a ticket or not, and therefore I redirect them before the answer comes from IIS.

Has anyone tried something similar, or does anyone have a clue how to solve the problem?

Kind regards

Edit: Please be aware that this is currently only a proof of concept and for testing things out.

HandleAuthenticateAsync:

        protected override Task<AuthenticateResult> HandleAuthenticateAsync() {

            // Context.User is filled by the IIS integration from the Windows token.
            // AuthenticationType reflects the mechanism that was actually negotiated,
            // so if Negotiate falls back to NTLM this condition is false and the
            // request is treated as unauthenticated.
            if(Context.User?.Identity?.AuthenticationType == "Kerberos") {

                var identity = new ClaimsIdentity(new GenericIdentity(Context.User.Identity.Name, AeroAuthenticationOptions.DefaultSchemaName), new Claim[] {
                    // get claims from claim store
                });

                var principal = new ClaimsPrincipal(identity);
                var ticket = new AuthenticationTicket(principal, new Microsoft.AspNetCore.Http.Authentication.AuthenticationProperties { }, AeroAuthenticationOptions.DefaultSchemaName);

                return Task.FromResult(AuthenticateResult.Success(ticket));

            }

            // No Windows identity on this request (for example the anonymous first leg
            // of the Negotiate exchange): let other handlers run.
            return Task.FromResult(AuthenticateResult.Skip());

        }

HandleUnauthorizedAsync:

        protected override async Task<bool> HandleUnauthorizedAsync(ChallengeContext context) {

            if(context == null) {

                throw new ArgumentNullException(nameof(context));

            }

            // Build the return URL from the current request if the caller did not supply one.
            var properties = new AuthenticationProperties(context.Properties);
            var redirectUri = properties.RedirectUri;
            if(string.IsNullOrEmpty(redirectUri)) {

                redirectUri = OriginalPathBase + Request.Path + Request.QueryString;

            }

            // This runs for every unauthenticated request, including the anonymous first
            // leg of the Negotiate exchange, so the redirect is issued before IIS has had
            // a chance to challenge the browser for the ticket.
            var loginUri = Options.LoginPath + QueryString.Create(Options.ReturnUrlParameter, redirectUri);
            var redirectContext = new AeroCookieRedirectContext(Context, Options, BuildRedirectUri(loginUri), properties);
            await Options.Events.RedirectToLogin(redirectContext);

            return true;

        }
Mario
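As an added example (not code from the question or from any project it mentions), the ASP.NET Core 1.1 handler below separates the two cases the question's HandleUnauthorizedAsync runs together. The anonymous first leg of a Negotiate exchange carries no Authorization header; for an intranet client that request is answered with a bare 401 so that IIS, with windowsAuthentication enabled, can append WWW-Authenticate: Negotiate and the browser can retry with its Kerberos ticket. Every other unauthenticated request (internet client, or a client whose Negotiate attempt IIS already rejected) is redirected to the login page. The names IntranetSso*, UnauthorizedAction and IsLocalUrl, the 10.0.0.0/8 intranet range, and the assumption that IIS adds the Negotiate challenge to a 401 returned by the application are mine, not the asker's.

```csharp
using System;
using System.Net;
using System.Net.Sockets;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Http.Authentication;
using Microsoft.AspNetCore.Http.Features.Authentication;

// Hypothetical names throughout (IntranetSso*, UnauthorizedAction); not from the post.
public enum UnauthorizedAction
{
    ChallengeNegotiate, // bare 401 so IIS can append "WWW-Authenticate: Negotiate"
    RedirectToLogin     // send the browser to the forms login page
}

public static class IntranetSsoPolicy
{
    // Assumption: intranet clients come from 10.0.0.0/8 or loopback. Read the ranges
    // from configuration in a real deployment; behind a reverse proxy RemoteIpAddress
    // is the proxy, so use the forwarded address only from a proxy you trust.
    public static bool IsIntranetClient(IPAddress remoteIp)
    {
        if (remoteIp == null) return false;
        if (IPAddress.IsLoopback(remoteIp)) return true;
        if (remoteIp.IsIPv4MappedToIPv6) remoteIp = remoteIp.MapToIPv4();
        if (remoteIp.AddressFamily != AddressFamily.InterNetwork) return false;
        return remoteIp.GetAddressBytes()[0] == 10;
    }

    // The first leg of a Negotiate exchange has no Authorization header and reaches the
    // app as anonymous (the "user is null" request); only that request gets a 401. If the
    // browser already sent Authorization and IIS produced no identity, another 401 would
    // loop, so fall back to the login page instead.
    public static UnauthorizedAction Decide(bool hasAuthorizationHeader, bool isIntranetClient)
    {
        return !hasAuthorizationHeader && isIntranetClient
            ? UnauthorizedAction.ChallengeNegotiate
            : UnauthorizedAction.RedirectToLogin;
    }

    // Accept only local paths as returnUrl so the login redirect is not an open redirect.
    public static bool IsLocalUrl(string url)
    {
        return !string.IsNullOrEmpty(url)
            && url[0] == '/'
            && (url.Length == 1 || (url[1] != '/' && url[1] != '\\'));
    }
}

public class IntranetSsoOptions : AuthenticationOptions
{
    public PathString LoginPath { get; set; } = new PathString("/Account/Login");
    public string ReturnUrlParameter { get; set; } = "returnUrl";

    public IntranetSsoOptions()
    {
        AuthenticationScheme = "IntranetSso";
        AutomaticAuthenticate = true;
        AutomaticChallenge = true;
    }
}

public class IntranetSsoHandler : AuthenticationHandler<IntranetSsoOptions>
{
    protected override Task<AuthenticateResult> HandleAuthenticateAsync()
    {
        // On IIS the integration middleware has already turned the Windows token into
        // Context.User; on the anonymous first leg there is nothing to accept yet.
        var identity = Context.User?.Identity;
        if (identity == null || !identity.IsAuthenticated)
            return Task.FromResult(AuthenticateResult.Skip());

        var ticket = new AuthenticationTicket(Context.User,
            new AuthenticationProperties(), Options.AuthenticationScheme);
        return Task.FromResult(AuthenticateResult.Success(ticket));
    }

    protected override Task<bool> HandleUnauthorizedAsync(ChallengeContext context)
    {
        if (context == null) throw new ArgumentNullException(nameof(context));

        var action = IntranetSsoPolicy.Decide(
            Request.Headers.ContainsKey("Authorization"),
            IntranetSsoPolicy.IsIntranetClient(Context.Connection.RemoteIpAddress));

        if (action == UnauthorizedAction.ChallengeNegotiate)
        {
            // Bare 401: with windowsAuthentication enabled, IIS is expected to append
            // WWW-Authenticate: Negotiate and the browser retries with its Kerberos
            // ticket (assumed IIS behaviour; confirm with a network trace).
            Response.StatusCode = 401;
            return Task.FromResult(true);
        }

        var properties = new AuthenticationProperties(context.Properties);
        var returnUrl = properties.RedirectUri;
        if (!IntranetSsoPolicy.IsLocalUrl(returnUrl))
            returnUrl = OriginalPathBase + Request.Path + Request.QueryString;

        var loginUri = Options.LoginPath + QueryString.Create(Options.ReturnUrlParameter, returnUrl);
        Response.Redirect(BuildRedirectUri(loginUri));
        return Task.FromResult(true);
    }
}
```

The handler is wired up the same way as the asker's own: an AuthenticationMiddleware<IntranetSsoOptions> subclass whose CreateHandler returns a new IntranetSsoHandler, registered with app.UseMiddleware before MVC. Two properties worth checking once it runs: an internet client must never see a 401 with a Negotiate challenge (that would trigger a browser credential prompt against a page that cannot use it), and a client whose ticket IIS rejects must land on the login page rather than in a 401 loop.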
  • I had to implement a similar scenario a few weeks ago; please post your code so that we can see the implementation details and be able to help you better – univ May 11 '17 at 18:28
  • Hi, I am glad not to be the only one :) It's not a matter of "not working" code but of understanding. How can I intercept the Kerberos auth while not knowing that it's challenged... Maybe you are allowed to share your knowledge? – Mario May 11 '17 at 20:07
  • Have you looked at IdentityServer4? – Muqeet Khan May 11 '17 at 20:56
  • I didn't specifically use Kerberos, but I worked for a client that required a custom two-layer authentication and had to use integrated Windows auth and a custom middleware to get the user roles from their internal DB (definitely not ideal, but they were adamant that's how they wanted it). So I wanted to take a look at your code and check if there is anything strange that jumps out. – univ May 12 '17 at 02:43
  • I stumbled on this solution for a logout with Windows auth in .NET MVC; maybe it helps: https://stackoverflow.com/questions/17871816/login-as-another-user-mvc-4-windows-authentication – Yush0 Oct 23 '17 at 14:49

0 Answers