NTLM Authentication on a Specific Route in ASP.NET Core

An attempt to implement an object in a test environment.

    // WebListener (server level): NTLM/Negotiate enabled, anonymous requests still allowed
    .UseWebListener(options =>
    {
        options.ListenerSettings.Authentication.Schemes =
            AuthenticationSchemes.NTLM | AuthenticationSchemes.Negotiate;
        options.ListenerSettings.Authentication.AllowAnonymous = true;
    })

and

    // Cookie authentication on the "/ntlm" branch
    app.UseWhen(
        context => context.Request.Path.StartsWithSegments("/ntlm"),
        builder => builder.UseCookieAuthentication(new CookieAuthenticationOptions()
        {
            AutomaticAuthenticate = true,
            AutomaticChallenge = true,
            LoginPath = "/Main/Login",
            LogoutPath = "/Main/Logout",
            AuthenticationScheme = "NTLM",
            AccessDeniedPath = "/Main/Deny"
        }));

    // Cookie authentication everywhere else
    app.UseWhen(
        context => !context.Request.Path.StartsWithSegments("/ntlm"),
        builder => builder.UseCookieAuthentication(new CookieAuthenticationOptions()
        {
            AutomaticAuthenticate = false,
            AutomaticChallenge = false,
            LoginPath = "/Main/Login",
            LogoutPath = "/Main/Logout",
            AuthenticationScheme = "Cookies"
        }));

But it doesn't seem to make any difference whether the request path starts with "/ntlm" or not.

I tried running two WebListeners, but I think they have more overhead.

What I want to achieve: the user goes to the start page with the login form, and there is a "Windows auth" button on it. He can either enter credentials or click the button and sign in with his OS identity.

1 answer

I am doing something very similar with IIS and not with WebListener, but maybe I can tell you a few things that can help.

You configured WebListener, as I did for my IIS, to allow anonymous access, and also to be able to negotiate authentication, this part should be fine.

But on the "/ntlm" URL path you installed the CookieAuthentication middleware, which will try to find a cookie in the incoming request to authenticate the user, and I don't think you want that. On the "/ntlm" path you instead want to reuse the identity that comes from the NTLM or Kerberos handshake handled by WebListener. In my case, when configured correctly, it is the IIS middleware that is responsible for setting that identity. I would suggest:

  • remove this UseCookieAuthentication when in the path of "ntlm"
  • create a controller and action with the attribute [Authorize] to start authentication
  • display HttpContext.User.Identity.Name;
  • Hopefully the Windows user is authenticated correctly at that point.
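The suggestions above, put together as an added example (this is not the asker's or the answerer's code). It targets the ASP.NET Core 1.x APIs used in the question (WebListener, UseCookieAuthentication): NTLM/Negotiate is enabled at the server with anonymous access allowed, cookie authentication is installed only outside the "/ntlm" branch, and a controller under "/ntlm" is protected with [Authorize] so the identity WebListener attaches to HttpContext.User is what gets used. The Startup/controller layout, the NtlmController name and the route names are assumptions for illustration.

```csharp
// Added example, not code from the original thread. Assumes ASP.NET Core 1.x
// with Microsoft.AspNetCore.Server.WebListener, Microsoft.AspNetCore.Mvc and
// Microsoft.AspNetCore.Authentication.Cookies referenced.
using System.Net;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

public class Program
{
    public static void Main(string[] args)
    {
        var host = new WebHostBuilder()
            .UseWebListener(options =>
            {
                // Let the server negotiate NTLM/Kerberos when the client offers it ...
                options.ListenerSettings.Authentication.Schemes =
                    AuthenticationSchemes.NTLM | AuthenticationSchemes.Negotiate;
                // ... but still let unauthenticated requests reach the login form.
                options.ListenerSettings.Authentication.AllowAnonymous = true;
            })
            .UseStartup<Startup>()
            .Build();

        host.Run();
    }
}

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddMvc();
    }

    public void Configure(IApplicationBuilder app)
    {
        // Cookie authentication only for the form-login part of the site.
        // Nothing is installed on the "/ntlm" branch, so no cookie middleware
        // can redirect NTLM requests to the login page there.
        app.UseWhen(
            context => !context.Request.Path.StartsWithSegments("/ntlm"),
            branch => branch.UseCookieAuthentication(new CookieAuthenticationOptions
            {
                AuthenticationScheme = "Cookies",
                AutomaticAuthenticate = true,
                AutomaticChallenge = true,
                LoginPath = "/Main/Login",
                LogoutPath = "/Main/Logout",
                AccessDeniedPath = "/Main/Deny"
            }));

        app.UseMvc(routes =>
            routes.MapRoute("default", "{controller=Main}/{action=Login}/{id?}"));
    }
}

// The "Windows auth" button on the login form simply links to /ntlm.
// (Controller and route name are assumptions made for this example.)
[Route("ntlm")]
public class NtlmController : Controller
{
    // [Authorize] rejects anonymous callers with a challenge. With no cookie
    // middleware on this branch, the challenge is answered by WebListener's own
    // authentication handler (401 plus WWW-Authenticate for the enabled
    // schemes), after which the browser re-sends the request with the user's
    // OS credentials and HttpContext.User carries the Windows identity.
    [Authorize]
    [HttpGet("")]
    public IActionResult Index()
    {
        // Populated by WebListener from the NTLM/Kerberos handshake.
        return Content("Windows user: " + User.Identity.Name);
    }
}
```

Two points worth checking when trying this: the UseWhen branch must be registered before UseMvc, otherwise the MVC pipeline runs before the cookie middleware has a chance to populate HttpContext.User on the form-login routes; and because AllowAnonymous is true, a request to /ntlm that arrives without credentials is only authenticated after the 401 challenge round-trip, so a plain HTTP client that does not negotiate will simply see the 401.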

Source: https://habr.com/ru/post/1271584/
