Windows AND anonymous authentication #6236
I have some problems getting Windows AND anonymous authentication to work. The login process is supposed to be like this:
- The user goes to the Angular site login. It should start an automatic AD/LDAP login process (as described at https://support.aspnetzero.com/QA/Questions/5370).
- If successful AD login, the user gets in.
- If unsuccessful, the user should return to the login page and be able to login using username and password as normal.
I have gotten some of this to work, but when both Anonymous and Windows authentication are active in IIS, User.Identity.IsAuthenticated is always false, making LDAP login always unsuccessful.
I have changed the API web.config attribute forwardWindowsAuthToken="true".
I'm quite new to both IIS with .NET Core and especially Angular, so any tips would be greatly appreciated!
Best regards // Andreas
I tried adding [Authorize] before the Authenticate method:
[Authorize] public async Task
I now get a populated User.Identity, but it now fails with "Authorization.Users.UserManager - Invalid password for user X.", so I guess something else has gone wrong now.
Am I doing it the right way or should I completely change approach?
Unfortunately no. I think the AlwaysTrueExternalAuthSource method will not work on a site with both Windows Auth and Anonymous access. I think it will only work on a site with only Windows Auth. In the db the source is AlwaysTrueExternalAuthSource instead of LDAP which might cause the password error as well.
What I want to do seems to be a special case (thought it would be a common scenario for an enterprise solution to allow local user access and forms login for external users but I seem to be wrong).
I do not have a good lead going forward or any reserve backup plan though. Any tips would therefore be very much appreciated!
I think all of those links concern Windows authentication only, unfortunately. I have yet to find a guide for BOTH Windows and Anonymous authentication, especially with Angular and WebApi.
My conclusion is that this might actually not be possible to do. Any ideas for "a workaround"? Two sites, one for each login? Some sort of external login solution that does the dual authentication (i.e. first Windows, then forms login)?