Tags: authentication, asp.net-core, forms-authentication, windows-authentication

NTLM authentication on specific route in ASP.NET Core


Trying to implement the subject in a test environment.

.UseWebListener(options =>
{
    // Schemes WebListener may negotiate with the client (AuthenticationSchemes is in Microsoft.Net.Http.Server)
    options.ListenerSettings.Authentication.Schemes = AuthenticationSchemes.NTLM |
                                                      AuthenticationSchemes.Negotiate;
    // Do not force the handshake on every request; anonymous requests are passed through
    options.ListenerSettings.Authentication.AllowAnonymous = true;
})

And

// Branch 1: requests under /ntlm get a cookie middleware whose scheme is named "NTLM"
app.UseWhen(context => context.Request.Path.StartsWithSegments("/ntlm"),
            builder => builder.UseCookieAuthentication(new CookieAuthenticationOptions()
            {
                AutomaticAuthenticate = true,
                AutomaticChallenge = true,
                LoginPath = "/Main/Login",
                LogoutPath = "/Main/Logout",
                AuthenticationScheme = "NTLM",
                AccessDeniedPath = "/Main/Deny"
            }));

// Branch 2: everything else gets a passive cookie middleware named "Cookies"
app.UseWhen(context => !context.Request.Path.StartsWithSegments("/ntlm"),
            builder => builder.UseCookieAuthentication(new CookieAuthenticationOptions()
            {
                AutomaticAuthenticate = false,
                AutomaticChallenge = false,
                LoginPath = "/Main/Login",
                LogoutPath = "/Main/Logout",
                AuthenticationScheme = "Cookies"
            }));

But it seems there's no difference, whether the request path starts with "/ntlm" or not.

I tried running two WebListeners, but I think there's much more overhead.

What I want to achieve: User gets on start page with login form and there`s a "Windows auth" button on it. He can enter credentials or press the button and go in with his OS identity.


Solution

  • I'm doing something very similar using IIS, not WebListener, but maybe I can tell you a few things that can help.

    You have configured WebListener as I did for my IIS to allow anonymous access but also to be able to negotiate authentication, that part should be fine.

    But on the "/ntlm" url path, you have installed a CookieAuthentication middleware that will try to find a cookie in the incoming request to authenticate the user, and I don't think that's what you want. On the contrary, on the "/ntlm" path, you want to reuse the identity that would be coming from NTLM or Kerberos packet detected by WebListener. In my case, when properly setup, it's an IIS Middleware that is in charge of setting the identity. I would suggest:

    • remove this UseCookieAuthentication when on "ntlm" path
    • create a controller and an action with an "[Authorize]" attribute to trigger the authentication
    • display HttpContext.User.Identity.Name
    • hopefully you'll get the Windows user properly authenticated here
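
The layout the answer describes, written out as an added example (this is not code from the question or the answer). It assumes the ASP.NET Core 1.x WebListener API that the question uses (`Microsoft.AspNetCore.Server.WebListener`, `Microsoft.Net.Http.Server`) together with MVC; the controller names, routes and the HTML of the start page are hypothetical. Cookie authentication is mounted only outside `/ntlm`; on `/ntlm` nothing is mounted, so `HttpContext.User` there is whatever WebListener produced from the Negotiate/NTLM handshake, and `[Authorize]` is what triggers that handshake.

```csharp
// Added example, not the poster's code. Assumes ASP.NET Core 1.x WebListener + MVC.
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Net.Http.Server;

public class Program
{
    public static void Main(string[] args)
    {
        var host = new WebHostBuilder()
            .UseWebListener(options =>
            {
                // Negotiate (Kerberos, falling back to NTLM) plus raw NTLM, as in the question.
                options.ListenerSettings.Authentication.Schemes =
                    AuthenticationSchemes.Negotiate | AuthenticationSchemes.NTLM;
                // Anonymous requests pass through; only a 401 from the app starts the handshake.
                options.ListenerSettings.Authentication.AllowAnonymous = true;
            })
            .UseStartup<Startup>()
            .Build();

        host.Run();
    }
}

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddMvc();
    }

    public void Configure(IApplicationBuilder app)
    {
        // Cookie authentication for the form-login part of the site only.
        // Nothing is mounted under /ntlm, so there HttpContext.User stays the principal
        // WebListener set from the Negotiate/NTLM handshake (anonymous until challenged).
        app.UseWhen(
            ctx => !ctx.Request.Path.StartsWithSegments("/ntlm"),
            branch => branch.UseCookieAuthentication(new CookieAuthenticationOptions
            {
                AuthenticationScheme = "Cookies",
                AutomaticAuthenticate = true,
                AutomaticChallenge = true,
                LoginPath = "/Main/Login",
                LogoutPath = "/Main/Logout",
                AccessDeniedPath = "/Main/Deny"
            }));

        app.UseMvc(routes =>
            routes.MapRoute("default", "{controller=Main}/{action=Login}/{id?}"));
    }
}

// Start page (hypothetical): login form plus a "Windows auth" link that just points at /ntlm.
public class MainController : Controller
{
    [HttpGet]
    public IActionResult Login()
    {
        const string html =
            "<form method=\"post\" action=\"/Main/Login\">" +
            "<input name=\"user\"><input name=\"pass\" type=\"password\">" +
            "<button>Log in</button></form>" +
            "<p><a href=\"/ntlm\">Windows auth</a></p>";
        return Content(html, "text/html");
    }
}

[Route("ntlm")]
public class NtlmController : Controller
{
    // No cookie middleware runs on this path, so [Authorize] causes the authorization
    // filter to challenge; WebListener's own authentication handler answers with 401 and
    // WWW-Authenticate: Negotiate / NTLM, the browser completes the handshake with the
    // OS identity, and the action then runs with HttpContext.User populated.
    [HttpGet("")]
    [Authorize]
    public IActionResult Index()
    {
        var identity = HttpContext.User.Identity;
        // Name is DOMAIN\user; AuthenticationType names the scheme that completed the handshake.
        return Content($"Authenticated as {identity.Name} via {identity.AuthenticationType}",
                       "text/plain");
    }
}
```

Two things worth checking when running this: with `AllowAnonymous = true` every action without `[Authorize]` is served to unauthenticated callers, so protection under `/ntlm` comes entirely from the attribute, and listing Negotiate before NTLM matters because a client that can do Kerberos should not be downgraded to NTLM, which is the scheme exposed to relay attacks.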