MVC authorize not authenticate using AD - asp.net-mvc-4

I have scoured this and many other sites to find an answer but have come up short every single time. If this is a duplicate, I am very happy to accept direction to the original question with an answer:
I have built an MVC 4 site and I am using the Authorize tag where needed and this is working as expected.
My issue is that I require a mechanism by which to prompt the user (already logged in or some other valid user in the domain) to enter their windows credentials on one page in order to confirm/authorize that user. This is not what the authorize filter is doing. The authorize filter is actually authenticating the user. Thus changing the User.Identity information accordingly.
Is it possible to just authorize a user (not authenticate) without actually changing the User object?
Just returning the 401 response forces the windows prompt but that, in turn, does an authentication, not an authorize.
While a solution could be achieved with a custom action that accepts username/password input, my requirement specifically calls for the native browser windows prompt to be displayed.
The site is using IIS Express and is set up for windows authentication and every aspect of this does what I need. Except for the issue of "true" authorization mentioned above. The browser has to be IE9. Currently running on Windows 10.

No. You're currently using Windows Authentication, and this is how it works. There is no need to login because the user is already logged into Windows, that's the point.
To do what you want, you would need to use an individual auth library like Identity. Which will give you the login capability. However, that doesn't work with AD out of the box, but you can add that in yourself. In otherwords, instead of using the Identity functionality to look a user up by username and password to authenticate, you'd connect to AD over LDAP, and verify the credentials there. You'd also need to use the LDAP connection to add the user's groups in AD to the their roles in Identity. Then, you can utilize the Authorize attribute as normal.
Long and short, if you want to actually allow the user to login as any AD user, then you're pretty much on your own. There's no builtin functionality for that. It's relatively straight-forward, if not entirely easy, to set something up yourself for that that, but again, that's on you.

Related

System.Security.Principal.WindowsIdentity.GetCurrent().Name vs User.Identity.Name and which one should I use?

Just trying to understand the difference here. I moved my ASP.Net Core Vue.js app over to a Win server, from my Win 7 desktop, and it broke
User.Identity.Name
so now the value is null.
So I changed it to
System.Security.Principal.WindowsIdentity.GetCurrent().Name
and it's working again on both my desktop and Win server.
What's the difference and should I just move forward with using the later?
No. They're entirely different things. HttpContext.User is a ClaimsPrincipal created via authentication of a specific user. System.Security.Principal.WindowsIdentity is the principal used by the App Pool. As such, it will be a constant for the application, whereas HttpContext.User is going to be the actual user making the request to your app, assuming they've authenticated.
I think where people get confused is when developing locally and using Windows Authentication. In that one specific scenario, the two will be same, because IIS Express is running under your local user account, which is of course, how you're also authenticated by Windows. In virtually every other situation they will be different, and frankly obvious that System.Security.Principal.WindowsIdentity is not what you're looking for.
Now, as to why User.Identity.Name is null, you likely are expecting to be authenticated by Windows, but have not enabled Windows Authentication for the app, meaning you are not actually logged in. Right-click your project(s), choose Properties, and then go to the Debug tab. At the bottom of the screen, make sure Enable Windows Authentication is checked. If you have any part of your site that does not require authorization, make sure Enable Anonymous Authentication is also checked, or you can uncheck it, you want to force all access to the site to be authorized.

How to pass an authenticated identity across web sites?

I have a web site with an initial login page, on this page I'm using a claims based identity which is authenticated when a user successfully logs in.
This all works fine, from this main site I have a number of 'sub sites' (that also require logins), and I'm looking to use the same authenticated identity to log into these (e.g. so a user does not have to enter login details every time).
Is there a way to pass the initial authenticated claims-based identity to these sites securely? If so could someone point me in the direction of any useful material on this?
EDIT
Just to clarify in response to the answers below, I am currently using Single Sign On and have this working as follows.
User logins in to https://mywebsite.com/loginsite with Single Sign On. Claims-based identity is authenticated.
What I'm wanting to do is use this same authenticated Claims to log in to the following url in the same domain:
https://mywebsite.com/website1
But whenever I try to access the Identity the authentication is false. Is there a way to achieve this?
What you mentioned is generally referred to as SSO (Single Sign On). See the Auth0 page How to Implement Single Sign On for one way to achieve this.
Single Sign On works by having a central server, which all the applications trust. When you login for the first time a cookie gets created on this central server. Then, whenever you try to access a second application, you get redirected to the central server, if you already have a cookie there, you will get redirected directly to the app with a token, without login prompts, which means you’re already logged in.
(emphasis is mine)
Disclosure: I work at Auth0.

Is it possible to use Onedrive in a batch mode without a web interface?

Everything I'm reading shows that in order for an application to use onedrive, it has to do the oauth2 thing to get credentials. But what if you're a batch process and don't have a web interface for your users.
Google's API has a special type of account called a service account where once you set it up, you can control access to everything from that one account, no need to interact with users. Does such a thing exist for onedrive?
App-only authentication doesn't require the user be prompted for credentials but it also isn't supported in 100% of scenarios. For example, the APIs need a user principle for creating special folders and resolving a user's personal site. Also, it is only supported for OneDrive for Business, not Consumer. Consumer always requires the user be prompted for initial authentication.
Another option would be to spin up a web service of some sort that handles initial user authentication, ie. a sign up page. With that, you can retrieve a refresh token for offline authentication and store it for the user. Every authentication from then on can be done using the refresh tokens, which doesn't require a user prompt.
I finally found this. It's the same basic idea as google's service account, but I think it's harder to use. But at least the concept is supported.
http://blogs.msdn.com/b/exchangedev/archive/2015/01/21/building-demon-or-service-apps-with-office-365-mail-calendar-and-contacts-apis-oauth2-client-credential-flow.aspx

Ignore Persistent Cookies in Session

I am looking for a way to set up a session in ASP.NET that will ignore any persistent cookies on a user's computer, and force any cookies created within that session to be session cookies.
Effectively, I wish to be able to replicate the behaviour shown in 'In Private Browsing', where the session is considered an isolated browsing session. The reason for this is to allow my application to be able to leverage OAuth authentication from social providers; however have the app force the provider to request the user's credentials when logging in, regardless if they are currently logged in to that provider.
I acknowledge that OAuth is intended to have this behaviour, of automatically identifying that a user is logged into the provider. However, it is considered necessary for this application that "remember me" functionality is ignored.
I would also prefer to not have to remind users that they should either not use "remember me" on their accounts, or insist that they use private browsing.
The app is built in using Asp.Net MVC 4 and is using Identity. I had hoped that their might be something within CookieAuthenticationOptions; however, I have been unsuccessful in finding something that might offer me this behaviour.
OpenID Connect has a special parameter "prompt" to control this: Try adding "prompt=login".
See chapter 3.1.2.1:
http://openid.net/specs/openid-connect-core-1_0.html

How can I force spring-saml-extension to re-authenticate everytime?

I recently ran successfully the spring-saml-sample working with ADFS 2.0.
However I noticed that ADFS only ask me once my user/pass, and then I can enter as many times I want but always with the same user (even when I did a global logout).
Is seems there is a cookie or something stored locally that is sent to ADFS.
What if I want to authenticate with a different user on the same machine? How can I configure saml-extension in order to force authentication again?
SAML contains a mechanism for forcing IDP to re-authenticate user called forced authentication. You can enable it by setting flag forceAuthn in WebSSOProfileOptions to true. You can find more details on setting this in the Spring SAML manual, chapter 9.2.1.
In addition to Vladimir's answer, if you are able to continue login even after global logout has been done, you should check that as well. After global logout all SP and IDP sessions should be deleted and so ideally you should not be able to use the site.