Windows Authentication

This is the place to report bugs and get support. When posting in this forum, please always provide as much detail as possible.

Please do not report problems with a custom build or custom code in this forum. If you are producing your own build from the source code and have problems or questions, ask in the developer forum, do not report it as a bug.

This is the place to report bugs and get support

When posting in this forum, please try to provide as many relevant details as possible. Particularly the following:

  • What operating system were you running when the bug appeared?
  • What database platform is your site using?
  • What version of mojoPortal are you running?
  • What version of .NET do you use?
  • What steps are necessary to reproduce the issue? Compare expected results vs actual results.
Please do not report problems with a custom build or custom code in this forum. If you are producing your own build from the source code and have problems or questions, ask in the developer forum.
This thread is closed to new posts. You must sign in to post in the forums.
5/30/2013 3:15:37 PM
vc3
Gravatar
Total Posts 18
View Posts

Windows Authentication

I have a mojo site in development and the customer decided they wanted to add windows authentication to restrict access to the site. I have not changed anything in the web.config or security settings to allow Mojo to use Windows Authentication. The web.config is still set to use forms authentication.

But, here is the thing...when you log into the windows authentication, it's logging the visitor into Mojo and adding the user as a Mojo user.

I don't want this to happen. It also means I can't login to Mojo with my mojo credentials because it already has me logged in with my windows credentials.

Why is Mojo doing this?

Thanks

Tim

5/30/2013 3:31:07 PM
Joe Audette
Gravatar
Total Posts 18439
View Posts

Re: Windows Authentication

There is no bug, it is working exactly as it was designed to. With Windows Authentication we must create the user if he does not already exist since there is no login form involved, the user is never prompted to login and we cannot reject him as authenticated (ie we cannot log him out of the site from code with windows auth if he doesn't exist in the db), if he is logged into windows then he is logged into a site that uses windows auth (on his machine or on a windows domain) period end of story, and we need a matching user in the database for the site to work with no errors. See the article Using Windows Authentication.

Using widows auth is an either/or proposition, you cannot use it and Forms Auth. With Windows auth the user is authenticated by IIS before the request even reaches mojoPortal code.

You could use LDAP authentication against a windows Active Directory domain and then also use regular database authentication in addition since they both use forms authentication, but again any user returned as authenticated by ldap requires that we create a user in the db if one does not already exist.

Hope that helps,

Joe

5/30/2013 3:51:48 PM
vc3
Gravatar
Total Posts 18
View Posts

Re: Windows Authentication

I guess where I'm confused is why is Mojo logging the visitor in at all. I'm not trying to use Window Auth to log users into the site, they just have to do that to view the site. In Mojo settings the site can be viewed without authentication.

The Bug forum probably wasn't the place for this, sorry about that. It should be in the "I know very little about this stuff and I'm confused" forum. But, that doesn't exist. ;p

Tim

5/30/2013 4:07:42 PM
Joe Audette
Gravatar
Total Posts 18439
View Posts

Re: Windows Authentication

What you don't understand is that mojoPortal is not able to log users in or out with Windows Auth, if using Windows auth and a user is logged into Windows the user is by definition logged in already to any web site on the machine or Windows domain where the web app is configured for using Windows auth. It is not up to mojoPortal whether the user is logged into windows. The request is handed from IIS to mojoPortal with a windows user already authenticated by the operating system, we cannot log the user in or out. That is just how IIS Windows Authentication works. It is not something mojoPortal is doing nor something we could change we just have to react to the fact that we have an authenticated user attached to the web request and we need a matching one in the database.

No worries about which forum the confusion is understandable if you don't know what IIS Windows Auth is or how it works. With Forms Authentication it is up to mojoPortal whether to set a forms authentication cookie (which is what makes a user change from unauthenticated to authenticated in Forms Auth) but with windows auth there is no forms auth cookie and we cannot log the user out no way no how.

Best,

Joe

5/30/2013 4:28:03 PM
Joe Audette
Gravatar
Total Posts 18439
View Posts

Re: Windows Authentication

For a slightly more technical clarification, with Windows auth, if we check from code if(Request.IsAuthenticated) it will always return true, we will never show the user a login prompt at all. So mojo doesn't log the user in, but the user is in fact already logged in and nothing we can do to log him out.

Whereas with Forms Authentication if(Request.IsAuthenticated) will only be true after we set a forms authentication cookie and we can log a user out by clearing that cookie.

Probably what you really want is to use LDAP which allows users to login using their windows credentials but it still uses Forms Auth and we still set the cookie and therefore can log the user in or out of the site.

Hope that helps,

Joe

5/30/2013 4:46:44 PM
vc3
Gravatar
Total Posts 18
View Posts

Re: Windows Authentication

Gotcha. I think I get the gist. It's just a temporary situation during development, and we won't have Windows Auth turned on when we go live.

But, I really appreciate you taking the time to explain.

Thanks!

Tim

You must sign in to post in the forums. This thread is closed to new posts.