Last post Jun 29, 2015 10:58 AM by DeHaynes
Jun 29, 2015 10:58 AM|DeHaynes
Let me start by saying that I have been out of the ASP.Net environment for a couple of years, so if I screw up any terminology, I apologize. My work has decided that we need to be able to create Asp.Net applications, so now I am coming back to this.
I am trying to come up with a security framework for my applications. Right now I am focused on Authentication. I would like to allow for Mixed-Mode authentication with Individual User Accounts and/or Windows Authentication. I would like this to be modular so if Windows Authentication is not needed, then I can leave it out. From what I have read, this will require two websites. The main website should be set up for Individual User Accounts. A second website will do Windows Authentication. I am good with this.
I already have two test sites set up and working on my test box with URLs of test1.test.com and test2.test.com. Both are working.
My idea is that the Windows site (test2) would authenticate the Windows account against Active Directory only. If there is a valid Windows user it would write the user to a cookie and then redirect to the "Individual User Accounts" site (test1). Test1 would have two OWIN Middlewares registered. The first middleware would check for the Windows User cookie. If it exists, it would process it. If the Windows cookie does not exist, it would let the second middleware process.
When the first middleware ran, it would check if the user account exists in the system.
I know that I would have to sync Machine Keys between both websites and set the cookie domains to be "*.test.com" to get the cookies to work across both websites. I believe the second middleware could be the vanilla Owin Cookie authentication.
Thanks for any help.
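
The two-middleware arrangement described in the post above, sketched for test1 as an added example that is not part of the original post. The authentication type, cookie name, lifetime and the `KnownUsers` set are assumptions made for illustration, and the cookie domain is written as `.test.com`.

```csharp
using System;
using System.Collections.Generic;
using System.Threading.Tasks;
using Microsoft.AspNet.Identity;
using Microsoft.Owin;
using Microsoft.Owin.Security.Cookies;
using Owin;
public partial class Startup
{
    // Hypothetical name. test2 must sign in with the same AuthenticationType,
    // because it is part of the purpose used to protect the ticket.
    public const string WindowsBridgeType = "WindowsBridgeCookie";

    // Constructed stand-in for the application's user store lookup.
    private static readonly HashSet<string> KnownUsers =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { @"TEST\alice" };

    public void ConfigureAuth(IAppBuilder app)
    {
        // First middleware: reads the cookie written by the Windows site (test2).
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = WindowsBridgeType,
            CookieName = ".Test.WindowsBridge",        // hypothetical cookie name
            CookieDomain = ".test.com",                // shared by test1 and test2
            CookieSecure = CookieSecureOption.Always,  // never sent over plain HTTP
            ExpireTimeSpan = TimeSpan.FromMinutes(5),  // assumed short lifetime
            SlidingExpiration = false,
            Provider = new CookieAuthenticationProvider
            {
                OnValidateIdentity = context =>
                {
                    // A validly signed ticket is still rejected if the account is unknown here.
                    if (!KnownUsers.Contains(context.Identity.Name ?? string.Empty)) context.RejectIdentity();
                    return Task.FromResult(0);
                }
            }
        });
        // Second middleware: stock cookie authentication for Individual User Accounts.
        // If the first cookie is absent or rejected, only this one supplies an identity.
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
            LoginPath = new PathString("/Account/Login"),
            CookieSecure = CookieSecureOption.Always
        });
    }
}
```

Because both sites share the machine key, any application holding that key can mint a ticket test1 will accept, so the key needs the same protection as a credential.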