question

SvenLeuschner-7114 asked ·

Questions about Windows Authentication in Edge / SSO



Hey,

hopefully this time it's the right room to ask:

I'm tasked with changing an existing web application consisting of C# code hosted by IIS, with a frontend of jQuery / Kendo / Razor - so basically HTML + JavaScript.

The customer is "tired" of having to enter his website username + password combo and asks for what sounds to me like SSO or similar - if possible automatically with the Windows domain credentials he already used to log into Windows.

Can you point me to the least obtrusive way? I'm not certain they have Azure AD - so it might work with Integrated Windows Authentication (WIA).

But then I need to somehow get "my hands" on the credentials used - so I can check in our database whether the logged-in user actually has access to the site. After extensive googling I couldn't find out where / how to grab the user's credentials and send those to the server side for checking.

So how do I set it all up? Does the user still have to enter credentials on every visit? How do I get the credentials of the user?

Thanks in advance!

For Christ's sake - why does your Tags box insist on Azure-AD-SSO ... I don't have Azure at that customer.

windows-server-iis-general


BruceZhang-MSFT answered ·

Hi @SvenLeuschner-7114 ,

You can enable Windows Authentication and disable Anonymous Authentication on IIS. This will ask users to enter their domain credentials to log in.

If users don't want to enter a username and password, it is important to make sure that the client and the server are in the same domain. Then set IE to send the credentials automatically.

Add the website name to the Local intranet zone: Internet Explorer -> Internet Options -> Security -> Local intranet -> Sites -> Advanced.
[screenshot: 68464-2021-02-16-112505.jpg]


Enable automatic logon only in the intranet zone: Internet Explorer -> Internet Options -> Security -> Custom level -> check "Automatic logon only in Intranet zone" -> OK.
[screenshot: 68483-2021-02-16-112647.jpg]



If the answer is helpful, please click "Accept Answer" and upvote it.

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


Best regards,
Bruce Zhang
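The IIS side of the steps above as a web.config fragment. This is an added illustration, not code from the answer; it assumes a classic ASP.NET site on IIS 7 or later, and that the server-level lock on the authentication sections has been lifted (by default applicationHost.config locks system.webServer/security/authentication, so otherwise the same switches have to be set in IIS Manager or in applicationHost.config). Listing Negotiate before NTLM lets Kerberos be used when the application pool account has a matching SPN and falls back to NTLM otherwise; the `deny users="?"` rule refuses any request that arrives unauthenticated. Chromium-based Edge on Windows reads the same Local intranet zone settings as Internet Explorer, so the client-side steps in the answer apply to it unchanged.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.webServer>
    <security>
      <authentication>
        <!-- Weak/default setting: anonymousAuthentication enabled="true" would let
             unauthenticated requests through and Identity.Name would be empty. -->
        <anonymousAuthentication enabled="false" />
        <windowsAuthentication enabled="true">
          <providers>
            <clear />
            <add value="Negotiate" />   <!-- Kerberos when an SPN exists, else NTLM via SPNEGO -->
            <add value="NTLM" />
          </providers>
        </windowsAuthentication>
      </authentication>
    </security>
  </system.webServer>
  <system.web>
    <authentication mode="Windows" />
    <authorization>
      <!-- "?" is the anonymous user; with this rule ASP.NET returns 401 for anyone IIS did not authenticate. -->
      <deny users="?" />
    </authorization>
  </system.web>
</configuration>
```

After this is in place, `HttpContext.Current.User.Identity.Name` carries the `DOMAIN\user` name of the browsing user on every request, and whether the user sees a prompt depends only on the browser zone settings described in the answer.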





SvenLeuschner-7114 answered ·

Thanks for your reply BruceZhang - alas, it only addresses half my problem ...

If I understand your steps correctly, I still have to match the Windows user to the website user somehow - or is that taken care of automatically by following your procedure?

Can you please clarify what my / our website will receive as username and "how" - which POST(?) variables will arrive, and how do I match the users between the Windows login and our database users' names?


BruceZhang-MSFT answered ·

Hi @SvenLeuschner-7114 ,

I think you can store the Windows username and the website username in the database to match users. Otherwise you can use custom authentication instead of Windows Authentication, so that you don't need to store the Windows username.

 // Identity of the current thread/process: the application pool account unless impersonation is on.
 string userName = System.Security.Principal.WindowsIdentity.GetCurrent().Name;

This will help you get the Windows username.

 // Identity IIS authenticated for this request (DOMAIN\user with Windows Authentication); needs System.Web.
 string userName = System.Web.HttpContext.Current.User.Identity.Name;

This will help you get the current website username.





Best regards,
Bruce Zhang




HttpContext.Current might be null, and WindowsIdentity.GetCurrent() returns application pool identity (not the logon user). So this answer is really misleading.

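Keeping the two identities apart in code, as an added example that is not part of the thread. It assumes classic ASP.NET (System.Web) on IIS with Windows Authentication enabled and Anonymous Authentication disabled; the in-memory dictionary stands in for the mapping table the answer suggests, and the names WebsiteUser and WindowsAccount in the comments are hypothetical. The request principal is passed in explicitly (HttpContext.Current.User on IIS) rather than read inside the helper, so the check still works where HttpContext.Current is null, and WindowsIdentity.GetCurrent() appears only to show that it names the worker process account, which is the point raised in the comment above.

```csharp
// Added example, not code from the thread. Assumes classic ASP.NET (System.Web) on IIS
// with Windows Authentication enabled and Anonymous Authentication disabled.
// Written as a console program so the mapping logic can be exercised without IIS.
using System;
using System.Collections.Generic;
using System.Security.Principal;

public static class WindowsUserMapper
{
    // Normalizes "DOMAIN\user", "user@domain.example" or a bare "user" to the
    // lower-case key "domain\user" so the lookup matches the stored account exactly.
    // Windows account names are case-insensitive, so lower-casing loses nothing.
    public static string NormalizeAccount(string account, string defaultDomain)
    {
        if (string.IsNullOrWhiteSpace(account))
            throw new ArgumentException("account name is empty", "account");

        string domain, user;
        int backslash = account.IndexOf('\\');
        int at = account.IndexOf('@');
        if (backslash > 0)
        {
            domain = account.Substring(0, backslash);
            user = account.Substring(backslash + 1);
        }
        else if (at > 0)
        {
            // UPN form: keep only the first DNS label as the short domain name.
            // Assumption: the NetBIOS name equals that label (common, not guaranteed).
            user = account.Substring(0, at);
            domain = account.Substring(at + 1);
            int dot = domain.IndexOf('.');
            if (dot > 0) domain = domain.Substring(0, dot);
        }
        else
        {
            domain = defaultDomain;
            user = account;
        }
        return (domain + "\\" + user).ToLowerInvariant();
    }

    // Returns the website user id for the caller IIS authenticated, or null when the
    // caller is anonymous, was not authenticated by Windows Authentication, or has no
    // row in the mapping. The principal is passed in (HttpContext.Current.User on IIS)
    // instead of being read here, so the helper works where HttpContext.Current is null.
    public static int? ResolveWebsiteUser(IPrincipal requestUser,
                                          IDictionary<string, int> windowsToWebsiteUser,
                                          string defaultDomain)
    {
        IIdentity identity = requestUser == null ? null : requestUser.Identity;
        if (identity == null || !identity.IsAuthenticated)
            return null;

        // IIS labels Windows-authenticated requests "Negotiate" (Kerberos or NTLM via SPNEGO)
        // or "NTLM"; anything else (Forms, Basic, a value copied from a header) is refused.
        if (identity.AuthenticationType != "Negotiate" && identity.AuthenticationType != "NTLM")
            return null;

        string key = NormalizeAccount(identity.Name, defaultDomain);

        // In the real application this is a parameterized query against the mapping table,
        // e.g. SELECT Id FROM WebsiteUser WHERE WindowsAccount = @account
        // (table and column names are hypothetical); never concatenate identity.Name into SQL.
        int id;
        return windowsToWebsiteUser.TryGetValue(key, out id) ? id : (int?)null;
    }

    public static void Main()
    {
        // Constructed stand-in for the mapping table: Windows account -> website user id.
        var map = new Dictionary<string, int> { { "corp\\alice", 42 } };

        // Simulated request principals; under IIS you would pass HttpContext.Current.User.
        var alice = new GenericPrincipal(new GenericIdentity("CORP\\alice", "Negotiate"), new string[0]);
        var bob   = new GenericPrincipal(new GenericIdentity("bob@corp.example", "NTLM"), new string[0]);
        var forms = new GenericPrincipal(new GenericIdentity("CORP\\alice", "Forms"), new string[0]);
        var anon  = new GenericPrincipal(new GenericIdentity(""), new string[0]);

        Console.WriteLine("alice -> " + ResolveWebsiteUser(alice, map, "CORP"));  // has a row
        Console.WriteLine("bob   -> " + ResolveWebsiteUser(bob, map, "CORP"));    // no row
        Console.WriteLine("forms -> " + ResolveWebsiteUser(forms, map, "CORP"));  // wrong auth type
        Console.WriteLine("anon  -> " + ResolveWebsiteUser(anon, map, "CORP"));   // not authenticated

        // The pitfall raised in the comment above: this is the worker process account
        // (the application pool identity), not the browsing user.
        Console.WriteLine("process identity: " + WindowsIdentity.GetCurrent().Name);
    }
}
```

In a Razor page or controller the call is `WindowsUserMapper.ResolveWebsiteUser(HttpContext.Current.User, map, "CORP")`, and a null result should end in a 403 rather than a fallback to some default account. Nothing has to be posted from the browser: the name arrives with the Kerberos or NTLM handshake IIS completes before the request reaches the application, which is also why the application must not accept a username from a form field or header as a substitute.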
SvenLeuschner-7114 answered ·

Thanks @lextm, but I already knew from posts on StackExchange that if I query user credentials server-side I will most likely get uninformative data about the application pool,

but we decided to follow a different approach.
