Windows Authentication for ASP.NET MVC 4 - how it works, how to test it

Thomas.Benz · Jun 20, 2013 · Viewed 77.7k times

I have never used Windows Authentication for ASP.NET MVC web applications before, only Forms Authentication. Recently, I have had an ASP.NET MVC 4 web application that requires a Windows Authentication implementation for users who are permitted to log in to my company web server. So, I have some questions regarding Windows Authentication. I am using Visual Studio 2012.

  • How does Windows Authentication work?

  • How do I implement Windows Authentication correctly in the web.config file?

  • How do I test if the Windows Authentication really works for my ASP.NET MVC 4 web site? In other words, how do I test it on my local development PC with local IIS (version 8), and on my company real web server with IIS version 7?

Answer

Donal Lafferty · Mar 28, 2014

For IIS 8.5 and MVC 4:

How does Windows Authentication work?

In this mode, User.Identity (as in HttpContext.Current.User.Identity) is populated by the underlying web server. This might be IIS Express, as demonstrated in the link from @R Kumar, or full-blown IIS, as in the video by @Thomas Benz.

Specifically, User.Identity is a WindowsIdentity object. E.g. the following cast will work:

WindowsIdentity clientId = (WindowsIdentity)HttpContext.Current.User.Identity;

How do I implement Windows Authentication correctly in the web.config file?

  <system.web>
    <authentication mode="Windows" />
  ...

How do I test if the Windows Authentication really works for my ASP.NET MVC 4 web site? In other words, how do I test it on my local development PC with local IIS (version 8), and on my company real web server with IIS version 7?

First, change the ASP.NET authorization to exclude the current user. E.g.

  <system.web>
    <authentication mode="Windows" />
    <authorization>
      <allow users="yourdomain\someotheruser" />
      <deny users="*" />
    </authorization>
  </system.web>

Second, enable Windows Authentication for your site using IIS Manager. It's under the 'Authentication' feature. And disable anonymous authentication.

Note that older explanations will suggest you make changes under element of your site's web.config. However, recent IIS implementations prevent this for security reasons.

Three, point your browser at the webpage. The browser should ask you to provide credentials, because the current user is not allowed access to the website. Provide the ones that are authorized for the site, and your MVC code should run.

Four, check the user identity. E.g.

WindowsIdentity clientId = (WindowsIdentity)HttpContext.Current.User.Identity;
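
The identity check from step four, written as a diagnostic MVC action. This is an added example, not part of the original answer; the controller name `WhoAmIController` and the helper `TranslateOrSid` are assumptions made for illustration.

```csharp
using System.Linq;
using System.Security.Principal;
using System.Web.Mvc;

// Hypothetical diagnostic controller (name is an assumption, not from the answer).
// Intended for verifying the setup; restrict or remove it outside testing,
// since it discloses the caller's group memberships.
[Authorize] // request is rejected unless the server authenticated the caller
public class WhoAmIController : Controller
{
    public ActionResult Index()
    {
        // 'as' instead of a hard cast: if the site is not actually running
        // with Windows Authentication, this yields null rather than throwing
        // InvalidCastException.
        var identity = User.Identity as WindowsIdentity;
        if (identity == null || !identity.IsAuthenticated || identity.IsAnonymous)
        {
            return new HttpStatusCodeResult(401, "No Windows identity on this request");
        }

        // Group SIDs from the caller's token, resolved to DOMAIN\name where possible.
        var groups = identity.Groups == null
            ? new string[0]
            : identity.Groups.Select(TranslateOrSid).ToArray();

        return Json(new
        {
            name = identity.Name,                             // e.g. DOMAIN\user
            authenticationType = identity.AuthenticationType, // e.g. Negotiate, NTLM, Kerberos
            impersonationLevel = identity.ImpersonationLevel.ToString(),
            groups
        }, JsonRequestBehavior.AllowGet);
    }

    private static string TranslateOrSid(IdentityReference sid)
    {
        // Some SIDs cannot be mapped to an account name; fall back to the raw SID.
        try { return sid.Translate(typeof(NTAccount)).Value; }
        catch (IdentityNotMappedException) { return sid.Value; }
    }
}
```

Browsing to this action with the account allowed in `<authorization>` should return that account's name; any other account should be challenged before the action runs.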