Request.IsAuthenticated is always true in asp.net mvc sso
Hi,
I am using 2FA in ASP.NET MVC in the Startup.cs config through OWIN,
but Request.IsAuthenticated is always coming true, so the request is not
going for authentication. We are using Windows Authentication.
Microsoft Entra ID
-
AgaveJoe • 1,505 Reputation points
2023-07-21T11:11:48.2766667+00:00 It is not possible to use 2FA with Windows Authentication in a web application. The authentication happens when the user logs into their computer. The ability to access the web application is authorization. Authorized users are able to access the web application and run the code, and Request.IsAuthenticated will always be true. Unauthorized users are denied access to the web application, and the code, Request.IsAuthenticated, is never reached.
https://learn.microsoft.com/en-us/iis/configuration/system.webserver/security/authentication/
-
AgaveJoe • 1,505 Reputation points
2023-07-21T12:44:19.1233333+00:00 Your response does not change how authorization works in Windows Authentication or how two-factor authorization (2FA) works. There must be a misunderstanding that needs clarification. Are you sure Windows Authentication is enabled in IIS?
Can you elaborate on what "working fine in one application" means? How does security work in this "one application"?
-
N • 1 Reputation point
2023-07-21T12:48:52.1166667+00:00 We are using the code below for SSO login in Azure OWIN.

    // usings added for the types used below (assumed from the Microsoft.Owin and Microsoft.Identity.Web.OWIN packages)
    using System.Web;
    using Microsoft.Extensions.DependencyInjection;
    using Microsoft.Identity.Client;
    using Microsoft.Identity.Web;
    using Microsoft.Identity.Web.OWIN;
    using Microsoft.Owin.Security;
    using Microsoft.Owin.Security.Cookies;
    using Microsoft.Owin.Security.OpenIdConnect;
    using Owin;

    public void Configuration(IAppBuilder app)
    {
        // Sign-in results are stored in the OWIN authentication cookie.
        app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
        app.UseCookieAuthentication(new CookieAuthenticationOptions());

        // Microsoft.Identity.Web OWIN adapter: wires up the OpenID Connect middleware for Azure AD.
        OwinTokenAcquirerFactory factory = TokenAcquirerFactory.GetDefaultInstance<OwinTokenAcquirerFactory>();
        app.AddMicrosoftIdentityWebApp(factory);
        factory.Services
            .Configure<ConfidentialClientApplicationOptions>(options =>
            {
                options.RedirectUri = "https://localhost:44368/";
            })
            .AddMicrosoftGraph()
            .AddInMemoryTokenCaches();
        factory.Build();
    }

and controller

    public void SignIn()
    {
        // The OIDC challenge (redirect to login.microsoftonline.com) only runs when the request is not already authenticated.
        if (!Request.IsAuthenticated)
        {
            HttpContext.GetOwinContext().Authentication.Challenge(
                new AuthenticationProperties { RedirectUri = "/" },
                OpenIdConnectAuthenticationDefaults.AuthenticationType);
        }
    }
-
N • 1 Reputation point
2023-07-21T12:55:13.19+00:00 !!!!!!!!!!!!!
-
AgaveJoe • 1,505 Reputation points
2023-07-21T13:04:57.13+00:00 The subject of your original question is Windows Authentication. The code you shared uses Cookie Authentication. It is not possible to use Windows Authentication and Cookie authentication in the same application. It seems like you misunderstand the technology you're trying to implement or you are using the wrong terms.
If you enabled Windows Authentication for this application, in IIS, then every authorized user can access the web site. Request.IsAuthenticated will always be true.
In Windows Authentication, authorization happens in IIS before the application receives the request. Authentication happened when the user logged in to their computer.
Can you explain what you're trying to do? It seems like you want to implement OAuth/OIDC with a remote authentication server.
-
N • 1 Reputation point
2023-07-21T13:07:58.4833333+00:00 Can you please check this article? I implemented using this only.
-
AgaveJoe • 1,505 Reputation points
2023-07-21T13:39:59.2933333+00:00 For the second time, did you enable Windows Authentication in IIS? If so, then disable Windows Authentication because the web application is configured to use Cookie Authentication.
Keep in mind, you did not answer a single clarifying question that I asked. I have no idea what you are thinking or why you are asking about Windows Authentication. Perhaps you are using the wrong terms?
The article illustrates how to register a web application with Azure AD. The login occurs on the remote authentication server. Once the user is authenticated with Azure AD, the remote authentication server sets an authentication cookie (this is the SSO bit) and redirects the browser back to your web application along with a token. The OWIN middleware running in your application reads the token and caches the token details like the username in the authentication cookie.
If the browser opens a different application also secured by Azure AD, then the browser is still redirected to the remote authentication server. However, if the remote server sees its authentication cookie, the authentication server redirects the browser back to your application without prompting the user to login.
This information is covered in the link you provided.
Can you explain clearly what you are trying to do?
-
N • 1 Reputation point
2023-07-21T13:48:35.0433333+00:00 @AgaveJoe I have implemented the same thing in 2 applications with Windows Authentication in web.config. One is working fine and the other is not working. Even in the one which is working, I commented out the controller check and it is still working. I did the same thing in the other application, but it is not working. This is MVC, not Core.
-
AgaveJoe • 1,505 Reputation points
2023-07-21T14:20:09.93+00:00 Windows Authentication only works in Intranet (local) applications. If this is an Intranet application then why is Azure AD needed? Windows Authentication handles SSO by definition. If this is an Internet (public) application then you must have enabled Anonymous Authentication, which overrides Windows Authentication; otherwise no one could access the application unless they used a VPN.
For the fourth time, can you explain the security design? Are you trying to implement multiple authentication providers? Internal users use Windows Authentication and external users use Azure AD?
-
AgaveJoe • 1,505 Reputation points
2023-07-21T14:55:15.78+00:00 Anonymous is also enabled. Our application is based on Azure AD login, but we want 2FA as well, so we used the OWIN code. I am also surprised that the same code is working in one application but not working in the other, even though both are hosted in the same IIS.
It is clear from your responses that you are throwing code and configuration at a problem while not truly understanding the technology.
Azure AD comes with multi-factor authentication baked in. Multi-factor authentication is triggered when the user logs in, which is Azure AD.
How it works: Azure AD Multi-Factor Authentication
Lastly, you are not using Windows Authentication if Anonymous Authentication is enabled.
-
AgaveJoe • 1,505 Reputation points
2023-07-21T16:19:07.8033333+00:00 Actually this OWIN authentication popup is not coming in the second web app; it is directly opening the home page. We wrote code in the OWIN Startup.cs for this, but it looks like that is not happening.
The OWIN authentication API does not open a popup. It redirects to a remote authentication server as explained above.
If you see a popup that looks like the following then the browser is requesting credentials. Most likely due to enabling Windows Authentication. For the third time, do not enable Windows Authentication and Anonymous Authentication at the same time. Disable Windows Authentication since you are implementing Azure AD to authenticate.
-
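A diagnostic action, added here as an example and not code from the thread, that shows where a true Request.IsAuthenticated is coming from in an MVC 5 app hosted in IIS: a Windows identity handed over by IIS (AuthenticationType "Negotiate", "NTLM" or "Kerberos"), which means the SignIn() challenge above never runs, versus the OWIN cookie set after an earlier Azure AD sign-in (AuthenticationType "Cookies"). The AuthDiagController name and route are assumptions.

```csharp
using System;
using System.Security.Principal;
using System.Text;
using System.Web.Mvc;
using Microsoft.Owin.Security.Cookies;

// Hypothetical diagnostic controller (example, not from the thread). Map it to GET /AuthDiag.
public class AuthDiagController : Controller
{
    // Identities with these schemes were produced by IIS Windows Authentication, not by the OWIN pipeline.
    private static readonly string[] WindowsSchemes = { "Negotiate", "NTLM", "Kerberos" };

    public static bool IsWindowsAuthenticated(IIdentity identity)
    {
        if (identity == null || !identity.IsAuthenticated) return false;
        return Array.Exists(WindowsSchemes,
            s => string.Equals(s, identity.AuthenticationType, StringComparison.OrdinalIgnoreCase));
    }

    public static bool IsOwinCookieAuthenticated(IIdentity identity)
    {
        // CookieAuthenticationDefaults.AuthenticationType is "Cookies", the scheme set by app.UseCookieAuthentication.
        return identity != null && identity.IsAuthenticated
            && identity.AuthenticationType == CookieAuthenticationDefaults.AuthenticationType;
    }

    public ActionResult Index()
    {
        IIdentity identity = User?.Identity;
        var sb = new StringBuilder();
        sb.AppendLine($"Request.IsAuthenticated  : {Request.IsAuthenticated}");
        sb.AppendLine($"AuthenticationType       : {identity?.AuthenticationType ?? "(none)"}");
        sb.AppendLine($"Name                     : {identity?.Name ?? "(none)"}");
        // IIS-level Windows identity; with Anonymous Authentication this is the anonymous account, not the browser user.
        sb.AppendLine($"Request.LogonUserIdentity: {Request.LogonUserIdentity?.Name ?? "(none)"}");

        if (IsWindowsAuthenticated(identity))
            sb.AppendLine("=> IIS Windows Authentication signed this request in; the OWIN OIDC challenge never runs. Disable Windows Authentication for this site.");
        else if (IsOwinCookieAuthenticated(identity))
            sb.AppendLine("=> OWIN cookie from a previous Azure AD sign-in; sign out or clear cookies to see the redirect again.");
        else
            sb.AppendLine("=> Not authenticated; the next challenge should redirect to login.microsoftonline.com.");

        return Content(sb.ToString(), "text/plain");
    }
}
```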
N • 1 Reputation point
2023-07-21T16:58:53.5666667+00:00 I am talking about this URL redirect. I think the code below is doing it.
Can you please confirm that this code only redirects to this URL? We are adding the tenant ID and client ID, whatever is required. In my case this URL is not being invoked for one application, and for the other I am redirected to this URL. My issue is this: why is one web site not redirecting to this URL?

    public void Configuration(IAppBuilder app)
    {
        app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
        app.UseCookieAuthentication(new CookieAuthenticationOptions());
        OwinTokenAcquirerFactory factory = TokenAcquirerFactory.GetDefaultInstance<OwinTokenAcquirerFactory>();
        app.AddMicrosoftIdentityWebApp(factory);
        factory.Services
            .Configure<ConfidentialClientApplicationOptions>(options =>
            {
                options.RedirectUri = "https://localhost:44368/";
            })
            .AddMicrosoftGraph()
            .AddInMemoryTokenCaches();
        factory.Build();
    }
ca
-
AgaveJoe • 1,505 Reputation points
2023-07-21T17:28:17.96+00:00 You started this thread stating Request.IsAuthenticated is always true. If that is still the case then the user has already authenticated. Try deleting all cookies and try again. Or try logging out of the application.
Keep in mind, as I stated above, if the browser has a valid cookie from the authentication server then the server will authenticate the user without showing the login page.
Of course this all assumes you've correctly configured the second application and registered the application for use with Azure AD.
-
N • 1 Reputation point
2023-07-21T17:39:22.55+00:00 @AgaveJoe But suppose I use the details of the first (not working) app, like tenant and client, inside the second app; then also this login.microsoftonline page is coming. I have already deleted temp cookies, restarted IIS, restarted the system, everything done, but this Microsoft redirect is not happening in the first application. Is there any global.ascx or any other config required?
-
AgaveJoe • 1,505 Reputation points
2023-07-21T18:07:32.13+00:00 Is Request.IsAuthenticated true in the second application?
-
N • 1 Reputation point
2023-07-22T01:10:30.94+00:00 @AgaveJoe Without using Request.IsAuthenticated in the controller, it is going to login.microsoftonline.com because of the Startup.cs Configuration method, where we put the code below. Is it true that the code below alone is what redirects to login.microsoftonline.com?

    app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
    app.UseCookieAuthentication(new CookieAuthenticationOptions());
    OwinTokenAcquirerFactory factory = TokenAcquirerFactory.GetDefaultInstance<OwinTokenAcquirerFactory>();
    app.AddMicrosoftIdentityWebApp(factory);
    factory.Services
        .Configure<ConfidentialClientApplicationOptions>(options =>
        {
            options.RedirectUri = "https://localhost:44368/";
        })
        .AddMicrosoftGraph()
        .AddInMemoryTokenCaches();
    factory.Build();