Installation and deployment
Member
SLorenz - 2/4/2014 7:20:36 AM
   
Override/Relogin Windows Authentication
Hi,

I've set up Mixed Mode Windows Authentication for my site and everything is working fine, so as soon as I open my site, I get authenticated. However, my users want to additionally (!) have a login form where they can log in another user (using mixed authentication against either AD or Kentico DB). Once they're done they want to hit log off and the original AD user needs to be logged in automatically again.

In Short:
1.) (open Browser) => Default Mixed Mode Auth (AD or Kentico DB)
2.) Login form using different credentials => tested against default Mixed Mode Auth
3.) Logout => reauthenticate initial user

For testing I modified a LogonMiniForm to make it visible all the time, but it looks like additional logins aren't handled properly, although the logs show a successful login.

Does anyone have an idea?

Member
SLorenz - 2/4/2014 7:55:21 AM
   
RE:Override/Relogin Windows Authentication
Update: The problem seems to be that Windows Auth is done by IIS and no matter what user I log in afterwards on the site, the current IIS/Browser session user won't change. Sounds quite logical, so it would be sufficient to authenticate against Kentico DB only when logging in an additional user. So I "only" need to register a new user as the current user somehow.

Kentico Support
kentico_filipl - 2/4/2014 9:47:08 AM
   
RE:Override/Relogin Windows Authentication
Hi,

Such a scenario is not supported in Kentico version 7 yet - there is only a way to impersonate a certain user but this does not allow you to log back in with the original user.

However, impersonation will be improved in version 8, enabling you to cancel impersonation and log back in as the original user. Hopefully it should meet the requirements you have on available authentication methods.

Until then, unfortunately there are no simple settings which would enable you to set it up this way and you would have to implement it on your own.

Best regards,
Filip Ligac

Member
SLorenz - 2/12/2014 3:22:11 AM
   
RE:Override/Relogin Windows Authentication
Hi,

Finally, and after reading a lot about IIS authentication on the web, I got it working using this approach:

On the site, I enabled Anonymous+Forms Authentication and redirected to a custom winlogon.aspx. I enabled Windows Auth for just this file (ignoring the IIS warning). In the code-behind I fetch the Windows user from LOGON_USER and redirect immediately to a custom Forms Authentication page I cloned from Kentico's default Form Auth, providing the username as a query parameter.

In my custom Forms Auth I check the name against the DB and authenticate the User or show a regular login page.

Also I had to catch and store the returnUrl in global.asax before it got lost in the redirection process and apply it in my custom logon.aspx again.

Because the site runs with Forms Authentication I'm able to use the default mechanism to override that login and authenticate another Kentico user. On logout my Windows user is logged in automatically again.

So, assuming a matching Kentico user is in place, I always have a user logged in to the CMS. Exactly what I was after, mission accomplished ;)

Cheers

Stefan
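
The handoff described in the post above carries the Windows user name from winlogon.aspx to the forms logon page in a query parameter; if the forms page accepts that value as-is, the parameter is the only evidence of who was authenticated by IIS. As an added example (not code from the thread and not Kentico API), here is one way to sign the name in winlogon.aspx and verify it on the forms page. The `HandoffToken` class, the 30-second lifetime, the key and the sample user name are assumptions.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Hypothetical helper (not Kentico API): signs the Windows user name that
// winlogon.aspx hands to the forms logon page, so the name cannot be altered.
public static class HandoffToken
{
    static readonly TimeSpan MaxAge = TimeSpan.FromSeconds(30); // assumed lifetime

    static string Sign(string payload, byte[] key)
    {
        using (var hmac = new HMACSHA256(key))
            return Convert.ToBase64String(hmac.ComputeHash(Encoding.UTF8.GetBytes(payload)));
    }

    // Called in winlogon.aspx with Request.ServerVariables["LOGON_USER"].
    public static string Create(string logonUser, byte[] key, DateTime utcNow)
    {
        string payload = Convert.ToBase64String(Encoding.UTF8.GetBytes(logonUser)) + "." + utcNow.Ticks;
        return payload + "." + Sign(payload, key);
    }

    // Called in the forms logon page before the name is looked up in the DB.
    public static bool TryValidate(string token, byte[] key, DateTime utcNow, out string logonUser)
    {
        logonUser = null;
        string[] parts = (token ?? "").Split('.');
        long ticks;
        if (parts.Length != 3 || !long.TryParse(parts[1], out ticks)) return false;
        // Compare MACs without an early exit on the first differing character.
        string expected = Sign(parts[0] + "." + parts[1], key), actual = parts[2];
        int diff = expected.Length ^ actual.Length;
        for (int i = 0; i < expected.Length && i < actual.Length; i++) diff |= expected[i] ^ actual[i];
        if (diff != 0) return false;
        TimeSpan age = utcNow - new DateTime(ticks, DateTimeKind.Utc);
        if (age < TimeSpan.Zero || age > MaxAge) return false; // stale or future-dated
        logonUser = Encoding.UTF8.GetString(Convert.FromBase64String(parts[0]));
        return true;
    }

    static void Main()
    {
        byte[] key = Encoding.UTF8.GetBytes("constructed-demo-key"); // constructed; load from server config
        DateTime now = DateTime.UtcNow;
        string user, token = Create(@"CORP\jdoe", key, now);         // constructed user name
        Console.WriteLine(TryValidate(token, key, now, out user) + " " + user);
        Console.WriteLine(TryValidate("x" + token, key, now, out user));       // altered name
        Console.WriteLine(TryValidate(token, key, now.AddMinutes(5), out user)); // expired
    }
}
```

The token contains `+`, `/` and `=`, so pass it through `HttpUtility.UrlEncode` when building the redirect URL. The forms page should authenticate only the name returned by `TryValidate` and fall back to the regular login form when validation fails.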