Windows Authentication using Form Authentication

Total votes: 1
Views: 36,325
Comments: 6
Category: ASP.NET
Print: Print Article

Please login to rate or to leave a comment.

Published: 06 Jul 2009
By: Akhtar Shiekh

Learn how to authenticate a Windows account using Forms Authentication.

Contents [hide]
1 Introduction 2 Requirements 3 Solution 4 Configure Authorization and Authentication settings in web.config. 5 Generate an authentication token, if the provided credentials are authenticated 6 Summary

Introduction

Last month I worked on a small assignment to authenticate a Windows account (Domain or Local) using Form authentication. The purpose of this task was to facilitate our application users to login with any valid Windows account (Instead of automatically authentication of windows logged in user).As it was an interesting task, I decided to share my experience with you

Requirements

The application should authenticate Windows users using Form authentication, so that the currently logged in user shouldn’t be bound to login in the application only with his Windows account. He should be able to login with any valid Windows account.

Solution

We need to do the following steps to get the desired functionality:

Configure Authorization and Authentication settings in web.config.
Create a login page and execute logic to authenticate provided credential of Windows user.
If provided credentials are authenticated in step 2, generate an authentication token so that user should be able to navigate into the authorized pages of your application.

Let’s talk about each step,

Configure Authorization and Authentication settings in web.config.

We need to use Form authentication. The user will enter his Windows credentials in the form and we will validate them by using custom logic in step 2.

To restrict anonymous access, you need the following authorization settings in web.config

Create a login page and execute logic to authenticate the provided credentials of Windows user

We need to create a login page (e.g. Login.aspx) to get username and password information from the user and then validate them.

We have different options to validate Windows credentials. The way I choose is the LogonUser() method of a Win32 API called Advapi32.dll.

The LogonUser function attempts to log a user on to the local computer. This method takes a username, password and other information as input and returns a Boolean value to indicate if the user is logged in or not. If it returns true, this means the provided username and password are correct.

To use this method in our class, we need to include the following namespace:

Then, the add method declaration with the DLLImport attribute (as this is a method of an unmanaged Win32 DLL).

According to the MSDN Documentation:

lpszUsername [in]: A pointer to a null-terminated string that specifies the name of the user. This is the name of the user account to log on to. If you use the user principal name (UPN) format, User@DNSDomainName, the lpszDomain parameter must be NULL.

lpszDomain [in, optional]: A pointer to a null-terminated string that specifies the name of the domain or server whose account database contains the lpszUsername account. If this parameter is NULL, the user name must be specified in UPN format. If this parameter is ".", the function validates the account by using only the local account database.

lpszPassword [in]: A pointer to a null-terminated string that specifies the plaintext password for the user account specified by lpszUsername. When you have finished using the password, clear the password from memory by calling the SecureZeroMemory function. For more information about protecting passwords, see Handling Passwords.

dwLogonType [in]: The type of logon operation to perform.

dwLogonProvider [in]: Specifies the logon provider.

phToken [out]: A pointer to a handle variable that receives a handle to a token that represents the specified user.

Generate an authentication token, if the provided credentials are authenticated

If the provided credentials are authenticated by the LogonUser() method then we need to generate an authentication token so that the user should be able to navigate into the authorized pages of the application. FormsAuthentication.RedirectFromLoginPage() or FormsAuthentication.SetAuthCookie() can be used for this purpose.

Here is the login button’s Click handler code for authentication and generation of the authentication token. Comments will help you to understand the code.

protected void btnLogin_Click(object sender, EventArgs e)
{
   // Extract domain name from provided DomainUsername e.g Domainname\Username
   string domainName = GetDomainName(txtUserName.Text); 
   // Extract user name from provided DomainUsername e.g Domainname\Username 
   string userName = GetUsername(txtUserName.Text);  
        IntPtr token = IntPtr.Zero;
 //userName, domainName and Password parameters are very obvious.
 /* dwLogonType (3rd parameter): I used LOGON32_LOGON_INTERACTIVE, This logon type is
 intended for users who will be interactively using the computer, such as a user being
 logged on by a terminal server, remote shell, or similar process. This logon type has
 the additional expense of caching logon information for disconnected operations. For
 more details about this parameter please see http://msdn.microsoft.com/en-
 us/library/aa378184(VS.85).aspx */
 /* dwLogonProvider (4th parameter) : I used LOGON32_PROVIDER_DEFAUL, This provider
 uses the standard logon provider for the system. The default security provider is
 negotiate, unless you pass NULL for the domain name and the user name is not in UPN
 format. In this case, the default provider is NTLM. For more details about this
 parameter please see http://msdn.microsoft.com/en-us/library/aa378184(VS.85).aspx */
 /* phToken (5th parameter): A pointer to a handle variable that receives a handle to
 a token that represents the specified user. We can use this handler for impersonation
 purpose. */
    bool result = LogonUser(userName, domainName, txtPassword.Text, 2, 0, ref token);
    if (result)
    {
       //If Sucessfully authenticated
 /* When an unatuthenticated user try to visit any page of your application that is
 only allowed to view by authenticated users then ASP.NET automatically redirect that
 user to login form and add ReturnUrl query string parameter that contain the url of a
 page that user want to visit, So that we can redirect the user to that page after
 authenticated. FormsAuthentication.RedirectFromLoginPage() method not only redirect
 the user to that page but also genrate an authentication token for that user. */
       if (string.IsNullOrEmpty(Request.QueryString["ReturnUrl"]))
       {
          FormsAuthentication.RedirectFromLoginPage(txtUserName.Text, false);
       }
 /* If ReturnUrl query string parameter is not present , then we need to generate
 authentication token and redirect the user to any page ( acording to your application
 need). FormsAuthentication.SetAuthCookie() method will generate Authentication
 token*/ 
       else
       {
          FormsAuthentication.SetAuthCookie(txtUserName.Text, false);
          Response.Redirect("default.aspx");
       }
   }
   else
   {
      //If not authenticated then display an error message
      Response.Write("Invalid username or password.");
   }
}

Let’s put it all together:

Listing 1: Login.aspx

<%@ Page Language="C#" AutoEventWireup="true" CodeFile="Login.aspx.cs"
     Inherits="Login" %>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
 "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
    <title>Windows Authentication Using Form Authentication</title>
    <style type="text/css">
        .style1
        {
            width: 100%;
        }
    </style>
</head>
<body>
    <form id="form1" runat="server">
    <div>
        <table class="style1">
            <tr>
                <td>
                    <asp:Label ID="lblUserName" runat="server" 
                         Text="User Name:"></asp:Label>
                </td>
                <td>
                    <asp:TextBox ID="txtUserName" runat="server"></asp:TextBox>
                </td>
            </tr>
            <tr>
                <td>
                    <asp:Label ID="lblPassword" runat="server"
                         Text="Password:"></asp:Label>
                </td>
                <td>
                    <asp:TextBox ID="txtPassword" runat="server"></asp:TextBox>
                </td>
            </tr>
            <tr>
                <td>
                     </td>
                <td>
                    <asp:Button ID="btnLogin" runat="server" onclick="btnLogin_Click" 
                        Text="Login" />
                </td>
            </tr>
        </table>
    </div>
    <p>
         </p>
    </form>
</body>
</html>

Listing 2: Login.aspx.cs

using System;
using System.Collections;
using System.Configuration;
using System.Data;
using System.Linq;
using System.Web;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.HtmlControls;
using System.Web.UI.WebControls;
using System.Web.UI.WebControls.WebParts;
using System.Runtime.InteropServices;
public partial class Login : System.Web.UI.Page
{
    [DllImport("ADVAPI32.dll", EntryPoint = "LogonUserW", SetLastError = true, 
       CharSet = CharSet.Auto)]
    public static extern bool LogonUser(string lpszUsername, string lpszDomain, 
       string lpszPassword, int dwLogonType, int dwLogonProvider, ref IntPtr phToken);
    /// <summary>
    /// Parses the string to pull the domain name out.
    /// </summary>
    /// <param name="usernameDomain">The string to parse that must contain the domain
    /// in either the domain\username or UPN format username@domain</param>
    /// <returns>The domain name or "" if not domain is found.</returns>
    public static string GetDomainName(string usernameDomain)
    {
        if (string.IsNullOrEmpty(usernameDomain))
        {
            throw (new ArgumentException("Argument can't be null.",
               "usernameDomain"));
        }
        if (usernameDomain.Contains("\\"))
        {
            int index = usernameDomain.IndexOf("\\");
            return usernameDomain.Substring(0, index);
        }
        else if (usernameDomain.Contains("@"))
        {
            int index = usernameDomain.IndexOf("@");
            return usernameDomain.Substring(index + 1);
        }
        else
        {
            return "";
        }
    }
    /// <summary>
    /// Parses the string to pull the user name out.
    /// </summary>
    /// <param name="usernameDomain">The string to parse that must contain the
    /// username in either the domain\username or UPN format username@domain</param>
    /// <returns>The username or the string if no domain is found.</returns>
    public static string GetUsername(string usernameDomain)
    {
        if (string.IsNullOrEmpty(usernameDomain))
        {
            throw (new ArgumentException("Argument can't be null.",
               "usernameDomain"));
        }
        if (usernameDomain.Contains("\\"))
        {
            int index = usernameDomain.IndexOf("\\");
            return usernameDomain.Substring(index + 1);
        }
        else if (usernameDomain.Contains("@"))
        {
            int index = usernameDomain.IndexOf("@");
            return usernameDomain.Substring(0, index);
        }
        else
        {
            return usernameDomain;
        }
    }  
protected void btnLogin_Click(object sender, EventArgs e)
{
   // Extract domain name from provided DomainUsername e.g Domainname\Username
      string domainName = GetDomainName(txtUserName.Text); 
   // Extract user name from provided DomainUsername e.g Domainname\Username 
      string userName = GetUsername(txtUserName.Text);  
      IntPtr token = IntPtr.Zero;
 //userName, domainName and Password parameters are very obvious.
 /* dwLogonType (3rd parameter): I used LOGON32_LOGON_INTERACTIVE, This logon type is
 intended for users who will be interactively using the computer, such as a user being
 logged on by a terminal server, remote shell, or similar process. This logon type has
 the additional expense of caching logon information for disconnected operations. For
 more details about this parameter please see http://msdn.microsoft.com/en-
 us/library/aa378184(VS.85).aspx */
 /* dwLogonProvider (4th parameter) : I used LOGON32_PROVIDER_DEFAUL, This provider
 uses the standard logon provider for the system. The default security provider is
 negotiate, unless you pass NULL for the domain name and the user name is not in UPN
 format. In this case, the default provider is NTLM. For more details about this
 parameter please see http://msdn.microsoft.com/en-us/library/aa378184(VS.85).aspx */
 /* phToken (5th parameter): A pointer to a handle variable that receives a handle to
 a token that represents the specified user. We can use this handler for impersonation
 purpose. */
    bool result = LogonUser(userName, domainName, txtPassword.Text, 2, 0, ref token);
    if (result)
    {
       //If Sucessfully authenticated
 /* When an unatuthenticated user try to visit any page of your application that is
 only allowed to view by authenticated users then ASP.NET automatically redirect that
 user to login form and add ReturnUrl query string parameter that contain the url of a
 page that user want to visit, So that we can redirect the user to that page after
 authenticated. FormsAuthentication.RedirectFromLoginPage() method not only redirect
 the user to that page but also genrate an authentication token for that user. */
       if (string.IsNullOrEmpty(Request.QueryString["ReturnUrl"]))
       {
          FormsAuthentication.RedirectFromLoginPage(txtUserName.Text, false);
       }
 /* If ReturnUrl query string parameter is not present , then we need to generate
 authentication token and redirect the user to any page ( acording to your application
 need). FormsAuthentication.SetAuthCookie() method will generate Authentication
 token*/ 
       else
       {
          FormsAuthentication.SetAuthCookie(txtUserName.Text, false);
          Response.Redirect("default.aspx");
       }
   }
   else
   {
      //If not authenticated then display an error message
      Response.Write("Invalid username or password.");
   }
}

Summary

You’ve learned how to authenticate a Windows user using forms authentication. You used the Win32 API method LogonUser() to authenticate a Windows user and generate a form authentication ticket for that user so that he can navigate your website.

<< Previous Article

Continue reading and see our next or previous articles

Next Article >>

About Akhtar Shiekh

I am Microsoft Certified Technology Specialist for Web Application Development. I have 4 year experience of Web and Distributed application development.I have considerable experience developing client / server software for major corporate clients using the Windows operating systems and .NET platform...

This author has published 2 articles on DotNetSlackers. View other articles or the complete profile here.

You might also be interested in the following related blog posts

MSDN Guidance on ASP.NET MVC vs WebForms and its Impact on my EF + ASP.NET Work read more
Idle Timeouts in RIA Services Authentication read more
Telerik Reporting enters the Silverlight space, adds design-time and performance improvements read more
SharePoint 2010 Workflow read more
Dont Repeat Yourself read more
My History of Visual Studio (Part 2) read more
IIS Search Engine Optimization (SEO) Toolkit Announcing Beta 2 read more
Virtual Lab: Windows Forms Security read more
Integrating OpenID in an ASP.NET MVC Application using DotNetOpenAuth read more
Stimulsoft Reports. New versions of reporting tools for .NET, Web, and WPF read more

Top

Discussion

Subject	Author	Date
Good Article	Param Iyer	7/23/2009 5:57 AM
Excellent article :-) Have not tried it out but definately useful... Reply \| Permanent link
RE: Good Article	Akhtar Shiekh	7/23/2009 6:22 AM
Thanks for appreciations :). Reply \| Permanent link
Thank you very much	Mallesh Rao	8/18/2009 5:35 AM
It's very nice. Thank you very much for you post Reply \| Permanent link
Good one	Venkat Bhogavilli	8/18/2009 9:12 AM
Was a black box until now .......will use this in future .....thanks for the information Reply \| Permanent link
Thank you	King Alex	8/31/2009 6:52 AM
in the web to call api,first learning Reply \| Permanent link
Excellent article!	Roger Moore	12/1/2009 7:02 PM
Very helpful. Reply \| Permanent link

Please login to rate or to leave a comment.

Free Agile Project Management Tool from Telerik
TeamPulse Community Edition helps your team effectively capture requirements, manage project plans, assign and track work, and most importantly, be continually connected with each other.

Login

Lost Password?