
The application uses Windows authentication, and the request is: if the user is not in AD but is in the DB, switch from Windows authentication to the web login screen. After that I have logic for the web login screen, and that works like a charm.

My question is: is it possible to manipulate Windows authentication? What is the best way to solve a problem like this?

This is current logic for AD login:

    using System;
    using System.Security.Claims;
    using System.Threading.Tasks;
    using Microsoft.AspNetCore.Authentication;
    using Microsoft.AspNetCore.Authentication.Cookies;
    using Microsoft.AspNetCore.Http;
    using Microsoft.AspNetCore.Localization;
    using Microsoft.AspNetCore.Mvc;

    public async Task<IActionResult> AdLogin(string returnUrl)
    {
        // Windows authentication has not produced an identity for this request
        if (User.Identity.Name == null)
        {
            return Unauthorized(); //Return to login (if anonymous login is enabled, User can be null)
        }

        // Resolve the Windows user's details from AD via LDAP
        ActiveDirectoryUserDto userAdDetails = _activeDirectory.GetAdUserLDAP();

        // Map the AD user name to an application account in the DB
        Account userDB = _accountService.GetAccountByUsername(userAdDetails.UserName);

        if (userDB != null && _accountService.CanLogin(userDB))
        {
            // Note: returnUrl is not checked with Url.IsLocalUrl here, so a crafted value is redirected to as-is
            returnUrl = string.IsNullOrEmpty(returnUrl) || returnUrl == "/" || returnUrl == "/Home/Index" ? userDB.DefaultUrl : returnUrl;

            /*ADD CLAIMS*/
            ClaimsIdentity identity = _accountService.GenerateClaimsIdentityForUser(userDB, true);

            /*IDENTITY LOGIN*/
            var principal = new ClaimsPrincipal(identity);
            await HttpContext.SignInAsync(CookieAuthenticationDefaults.AuthenticationScheme, principal);

            // Set language info in cookie
            LanguageCountry userLanguageCountry = _accountService.GetLanguageCountryForUser(userDB.LanguageCountryId);
            Response.Cookies.Append("CultureValues", userLanguageCountry.LanguageSuffix);
            Response.Cookies.Append(
                 CookieRequestCultureProvider.DefaultCookieName,
                 CookieRequestCultureProvider.MakeCookieValue(new RequestCulture(userLanguageCountry.LanguageCountryCode)),
                 new CookieOptions { Expires = DateTimeOffset.UtcNow.AddYears(1) }
             );

            // Create session
            short sessionId = _accountService.CreateSession(userDB.AccountId, userDB.UserName, Request.Headers, HttpContext.Connection.RemoteIpAddress.ToString());
            HttpContext.Session.SetInt32("SessionID", sessionId);

            // Update account login data
            _accountService.UpdateAccountLoginData(userDB);

            return Redirect(returnUrl);
        }
        else
        {
            // Windows identity exists but has no usable account in the DB
            return Unauthorized();
        }
    }

I tried to catch the username and add logic, but recently I read about how hard Windows authentication is to control.
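One way to structure the fallback, as an added example that is not the question's code and not the approach from the linked answer: keep the cookie scheme as the application's default so that `[Authorize]` never re-triggers a Windows prompt, and expose a single endpoint that only the Negotiate (Windows) scheme may satisfy. A browser without a domain identity gets a plain 401 from that endpoint, and the anonymous login page (which can probe the endpoint with a `fetch(..., { credentials: "include" })` first) shows the web form instead. The example also validates `returnUrl` with `Url.IsLocalUrl`, which the question's code does not. `IAccountService`, `Account`, `GetAccountByUsername`, `CanLogin`, `GenerateClaimsIdentityForUser`, `DefaultUrl` and `LoginViewModel` mirror the names in the question but are placeholders here, as is the assumption that the DB user name is the account name without the `DOMAIN\` prefix.

```csharp
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.Negotiate;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

// Added example (not the question's code). Registration assumed in Startup/Program:
//   services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
//           .AddCookie(o => o.LoginPath = "/Account/Login")
//           .AddNegotiate();
// Cookies are the default scheme, so only endpoints that name the Negotiate scheme
// explicitly ever ask the browser for Windows credentials. Anonymous access must be
// enabled at the host (IIS/Kestrel) so that a non-AD user can still reach the form.
public class AccountController : Controller
{
    // Placeholder service modelled on the question's _accountService
    private readonly IAccountService _accountService;

    public AccountController(IAccountService accountService) => _accountService = accountService;

    // Entry point for everyone: renders the web login form. The page may first try
    // AdLogin via fetch(); a 401 means "no usable Windows identity, show the form".
    [HttpGet, AllowAnonymous]
    public IActionResult Login(string returnUrl)
        => View(new LoginViewModel { ReturnUrl = SafeReturnUrl(returnUrl) });

    // Windows-only endpoint. Naming the Negotiate scheme here means the cookie scheme's
    // challenge (a redirect to the login page) is never issued for this action; a client
    // that cannot complete Kerberos/NTLM simply receives 401.
    [HttpGet]
    [Authorize(AuthenticationSchemes = NegotiateDefaults.AuthenticationScheme)]
    public async Task<IActionResult> AdLogin(string returnUrl)
    {
        string windowsName = User.Identity?.Name;   // typically DOMAIN\user
        if (string.IsNullOrEmpty(windowsName))
            return Unauthorized();

        Account account = _accountService.GetAccountByUsername(StripDomain(windowsName));

        // One generic outcome for "not in DB" and "exists but blocked": the caller only
        // learns that SSO did not produce a session and falls back to the form. Distinct
        // responses here would reveal which domain accounts are provisioned in the app.
        if (account == null || !_accountService.CanLogin(account))
            return Unauthorized();

        ClaimsIdentity identity = _accountService.GenerateClaimsIdentityForUser(account, true);
        await HttpContext.SignInAsync(CookieAuthenticationDefaults.AuthenticationScheme,
                                      new ClaimsPrincipal(identity));

        // LocalRedirect throws on a non-local target, a second guard behind SafeReturnUrl
        return LocalRedirect(SafeReturnUrl(returnUrl, account.DefaultUrl));
    }

    // Open-redirect guard: only a local path is honoured, otherwise the fallback is used.
    private string SafeReturnUrl(string returnUrl, string fallback = "/")
    {
        if (string.IsNullOrEmpty(returnUrl) || returnUrl == "/" || returnUrl == "/Home/Index")
            return fallback;
        return Url.IsLocalUrl(returnUrl) ? returnUrl : fallback;
    }

    // Assumption: DB user names are stored without the DOMAIN\ prefix
    private static string StripDomain(string name)
    {
        int i = name.IndexOf('\\');
        return i >= 0 ? name.Substring(i + 1) : name;
    }
}
```

The split matters for the "not in AD but in DB" case from the question: such a user can never satisfy the Negotiate challenge, so the only workable design is one where the Windows endpoint is optional and its failure is handled by the page rather than by the host blocking the request. With cookies as the default scheme, everything after sign-in is governed by the cookie alone, regardless of how the user originally authenticated.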

  • I've done this before, and I wrote an answer on an older question describing how I did it: [Windows Authentication and local DB user authentication](https://stackoverflow.com/questions/62216775/windows-authentication-and-local-db-user-authentication) – Gabriel Luci Mar 30 '23 at 18:31
  • @GabrielLuci I came up with another idea and they accepted it, where we basically have 2-step authentication: external people must go through Win auth (we have 1 AD account for them); if they pass that, I send them to the web login form. But I like the way you implemented it and I will definitely try it, because maybe I will have the same request in the future. Thanks in advance!!! – bristivojevic Apr 03 '23 at 07:29

0 Answers