Tags: asp.net-mvc, authentication, iis, asp.net-identity, windows-authentication

How do I get AD user when using ASP.Net Identity


I am trying to get details of the current Windows (AD) user in my MVC 5 ASP.NET VB.NET intranet site.

When I started this project, I set my authentication to individual accounts, assuming that I could still get Windows user information. But I have had no luck. I can get this information when I am debugging in Visual Studio, but in IIS this information is replaced by the identity name of the app pool.

My intranet site is currently set to use the following config:

<authentication mode="Windows" />
<authorization>
    <allow users="*"/>
    <!--<deny users="?"/>-->
</authorization>

My application is set to use anonymous and Windows authentication. If I turn off anonymous, I start getting "query string too long": it goes into an infinite loop when trying to create a return URL. This is really annoying.

Anyway, for me the concept was: if the user is a Windows AD user, they can get to my login page, and if they enter correct credentials they can use the site, else they get kicked out. So a bit like two-factor authentication.

I have settled for allowing anonymous in favour of getting AD information, and then based on that I can either deny or allow access. I intend to put this information in my login controller where SignInStatus.Success = true.

I have scoured the internet trying to find a decent enough solution to get this hybrid to work, but I am struggling for clarity. In some cases people just want to plug their own tools.


Solution

  • AllowAnonymous is necessary when you have a precursor to authorization, i.e. a login page the user must submit. If you don't allow anonymous users to access this page, then there's no way for them to actually log in to become authorized to view the page (hence your infinite redirect).

    ASP.NET Identity and Windows Auth are distinct and incompatible authorization schemes. You cannot use both simultaneously in the same application. You can, however, use ASP.NET Identity and add a custom authentication/authorization layer that utilizes an LDAP connection to check credentials against AD. In other words, if you want to use AD, you have to add a manual integration of that.
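An added VB.NET example of the "custom layer" the answer describes, not code from the question or the answer: the login action binds to AD with the submitted credentials first (System.DirectoryServices.AccountManagement), and only then runs the normal ASP.NET Identity sign-in. It assumes the MVC 5 template's LoginViewModel and ApplicationSignInManager, a placeholder domain name "CORP", that the Identity user name equals the AD sAMAccountName, and that the app pool identity is allowed to read the directory (FindByIdentity runs under it).

```vbnet
Imports System.DirectoryServices.AccountManagement
Imports System.Threading.Tasks
Imports System.Web
Imports System.Web.Mvc
Imports Microsoft.AspNet.Identity.Owin
Public Class AdUserInfo
    Public Property DisplayName As String
    Public Property EmailAddress As String
End Class
Public Class ActiveDirectoryGateway
    Private Const DomainName As String = "CORP" ' placeholder; put your own domain here
    ' Binds to the domain with the supplied credentials and reads the user's details.
    ' Returns Nothing for a bad password, a disabled account, or an unknown user.
    Public Shared Function ValidateAndLookup(userName As String, password As String) As AdUserInfo
        If String.IsNullOrWhiteSpace(userName) OrElse String.IsNullOrEmpty(password) Then Return Nothing
        Using ctx As New PrincipalContext(ContextType.Domain, DomainName)
            If Not ctx.ValidateCredentials(userName, password, ContextOptions.Negotiate) Then Return Nothing
            Using user = UserPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, userName)
                If user Is Nothing OrElse Not user.Enabled.GetValueOrDefault() Then Return Nothing
                Return New AdUserInfo With {.DisplayName = user.DisplayName, .EmailAddress = user.EmailAddress}
            End Using
        End Using
    End Function
End Class
Public Class AccountController
    Inherits Controller
    Private ReadOnly Property SignInManager As ApplicationSignInManager ' defined by the MVC 5 template
        Get
            Return HttpContext.GetOwinContext().Get(Of ApplicationSignInManager)()
        End Get
    End Property
    ' AD check first, Identity sign-in second; the user gets in only if both succeed.
    <HttpPost, AllowAnonymous, ValidateAntiForgeryToken>
    Public Async Function Login(model As LoginViewModel, returnUrl As String) As Task(Of ActionResult)
        If Not ModelState.IsValid Then Return View(model)
        Dim adUser = ActiveDirectoryGateway.ValidateAndLookup(model.Email, model.Password)
        If adUser IsNot Nothing Then
            Dim result = Await SignInManager.PasswordSignInAsync(model.Email, model.Password, model.RememberMe, shouldLockout:=True)
            If result = SignInStatus.Success Then
                Session("AdDisplayName") = adUser.DisplayName ' AD details now available to the site
                If Url.IsLocalUrl(returnUrl) Then Return Redirect(returnUrl) ' reject open redirects
                Return RedirectToAction("Index", "Home")
            End If
        End If
        ModelState.AddModelError("", "Invalid login attempt.") ' same message for every failure path
        Return View(model)
    End Function
End Class
```

The password is passed straight to the domain bind and never stored; a generic error on every failure path avoids telling a caller whether the AD or the Identity step rejected them.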