Last post Mar 26, 2019 02:09 PM by bruce (sqlwork.com)
Mar 18, 2019 02:19 AM|limcheehang
I want to build an MVC app to be used only in the office environment. Most of the users have an Active Directory user account. Some don't.
Is it possible for me to implement something with the following options?
1) By default, use the Windows logged-in ID to access the website
2) For those without a user ID, allow them to log in by scanning a badge
Mar 18, 2019 09:37 AM|Yuki Tao
If you would like to enable Windows authentication, you need to set the configuration, like:
<system.webServer>
  […]
  <security>
    <authentication>
      <anonymousAuthentication enabled="false" />
      <windowsAuthentication enabled="true" />
    </authentication>
  </security>
</system.webServer>
You could refer to:
for those without user ID, allow them to login by using scan badge
What kind of third-party library do you want to choose?
If you want to mix authentication, generally we use Owin and replace forms with a QR code.
The code contains the address of the central server plus the unique identifier of the token that has been assigned by the server to the session on the desktop computer. After scanning the code, the phone opens a page that checks whether it has been used with this service before by looking for a cookie containing encrypted information about the user's credentials (a hash of the username/user id). The hash is checked against the server's database and, if it is valid, the token in the database is updated with the information that access is granted to user X. The phone shows information that the user has logged in to site XYZ.
The browser on the desktop constantly checks the status of the token, and once it says that the user has "logged in", it redirects to the secure part of the website. Job done!
You could refer to this article:
Hope my reply will be helpful to you.
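The token flow described in the reply above, as an added example that is not part of the original post or of any library: a language-neutral, in-memory model written in Python (the thread is about ASP.NET MVC, but the server-side logic is the same on any stack). Assumed: a server-side HMAC key, a 120-second lifetime for a pending token, a phone cookie that holds an HMAC of the user id rather than the id itself, and an injectable clock so expiry can be exercised.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 120                      # assumed: seconds a pending QR token stays valid
SERVER_KEY = b"constructed-demo-key"  # constructed: in production a real server-side secret


class QrLoginServer:
    """In-memory model of the central server in the QR-code login flow."""

    def __init__(self, now=time.time):
        self.now = now
        self.tokens = {}   # token id -> {"created": timestamp, "user": None | user id}
        self.phones = {}   # cookie tag -> user id (the "hash of user id" the phone stores)

    def enrol_phone(self, user_id):
        """Value the phone keeps in its cookie: an HMAC of the user id, not the id itself."""
        tag = hmac.new(SERVER_KEY, user_id.encode(), hashlib.sha256).hexdigest()
        self.phones[tag] = user_id
        return tag

    def new_token(self):
        """Desktop session requests a token; server URL + this id go into the QR code."""
        token = secrets.token_urlsafe(32)   # unguessable, so a third party cannot poll it
        self.tokens[token] = {"created": self.now(), "user": None}
        return token

    def _live(self, token):
        """Return the token entry if it exists and has not expired; drop it otherwise."""
        entry = self.tokens.get(token)
        if entry is None:
            return None
        if self.now() - entry["created"] > TOKEN_TTL:
            del self.tokens[token]
            return None
        return entry

    def phone_approve(self, token, cookie_tag):
        """Phone scanned the code: check its cookie, then bind the token to that user once."""
        entry = self._live(token)
        user = self.phones.get(cookie_tag)
        if entry is None or user is None or entry["user"] is not None:
            return False
        entry["user"] = user
        return True

    def desktop_poll(self, token):
        """Desktop polls the token; returns the user once granted and consumes the token."""
        entry = self._live(token)
        if entry is None or entry["user"] is None:
            return None
        del self.tokens[token]   # single use: the same QR code cannot log in twice
        return entry["user"]
```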
Mar 26, 2019 09:29 AM|Nan Yu
Hi limcheehang,
To combine the two authentication methods, IMO you can't use the default Windows authentication template; you could validate the credentials against AD manually:
So that if AD authentication fails, you can trigger another authentication provider to provide the badge scan function.
Mar 26, 2019 02:09 PM|bruce (sqlwork.com)
First you need to understand the two common login schemes.
1) Browser based. The website returns a 401 response with a list of the authentication protocols it supports: basic, certificate, digest, NTLM. On the first 401, the browser asks the user to enter the credential info. It then resends the request with the proper credential; if it passes on the server, the server returns the response, else a 401. This happens on all requests that do not allow anonymous access.
2) Cookie authentication. The browser has no knowledge of authentication; to the browser the site is anonymous. The site checks a cookie for a login token. If it is not found, it redirects to the login process (which can be complex in SSO), which creates the cookie. If cookies are enabled, the browser sends the cookie with each request.
Generally, to flip between these modes, you first redirect to a login page that asks which type of login the user wants. You then set a cookie to the choice.
Not sure how you plan to use a badge scan. The QR code suggested requires the browser to render the QR code; it would not be on a badge.