
Comments (5)

leastprivilege commented on September 2, 2024

ADFS uses a technique to look at the user agent string to determine if the browser can support Windows authentication or not. If not, they show a login HTML page.

I guess you could use a similar approach (but this is also not perfect).

If you want to build something like that - feel free to contribute.

from windowsauthentication.

ThisNoName commented on September 2, 2024

Thanks for the tip, quite a few good reads show up from that. I also woke up at midnight thinking I might be able to customize the Windows Authentication source to return 418 instead of 401. Somewhere in there, you must know Windows authentication doesn't work before IIS?


ThisNoName commented on September 2, 2024

It does not appear possible to cut in between. There are two 401s around this call and you have to let the first one pass. By the second one, the browser has already prompted for Id/Password.

WSFederationMessage.TryCreateFromUri(Request.RequestUri, out message)

The user agent string doesn't really guarantee success; for example, you need to set the intranet zone with the FQDN. So it sounds like this is only feasible in some very tightly controlled environment, like a remote virtual desktop session.

Most web users probably don't mind entering a password once, so this is really just for a Windows application to open a browser session and auto-login as the user. In the worst-case scenario, I'm considering letting the Windows client use a local user to log in and fake the Windows user via acrvalues. Not sure if there's any significant security risk.


leastprivilege commented on September 2, 2024

I don't understand what that means

> In the worst-case scenario, I'm considering letting the Windows client use a local user to log in and fake the Windows user via acrvalues. Not sure if there's any significant security risk.


ThisNoName commented on September 2, 2024

Sorry for the delay. In my settings, I don't really have a local user store. My AuthenticateLocalAsync calls PrincipalContext.ValidateCredentials to verify the user's domain credentials.

If an application logs in with a special Id/Password and passes the domain user Id in acr_values, can I simply return the domain user in AuthenticateResult? That would allow the application to open a browser and log in as the domain user, right?

At one point, I created a UserStoreFactory that spins off different stores for end users and applications, but then got sidetracked trying to catch the 401 and redirect to the login page.
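
Added example, not code from the thread or the project: in the scheme asked about above, whoever holds the application's special Id/Password can name any domain user in acr_values, so this sketch shows the checks a server would make before returning that user. The `domainuser:` prefix, the `DelegatedLoginGuard` class, the `desktop-client` application id and the allow-list contents are all assumptions made up for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

public static class DelegatedLoginGuard
{
    // Hypothetical acr_values entry that carries the asserted domain user.
    private const string Prefix = "domainuser:";

    // Constructed data: domain users each application credential may sign in as.
    private static readonly Dictionary<string, HashSet<string>> Allowed =
        new Dictionary<string, HashSet<string>>(StringComparer.OrdinalIgnoreCase)
        {
            { "desktop-client",
              new HashSet<string>(StringComparer.OrdinalIgnoreCase) { @"CONTOSO\alice" } }
        };

    // Returns the domain user to sign in, or null when the request must be rejected.
    public static string Resolve(string appId, bool appSecretValid, IEnumerable<string> acrValues)
    {
        // The application credential must verify and must be known to the allow-list.
        if (appId == null || !appSecretValid) return null;
        if (!Allowed.TryGetValue(appId, out var users)) return null;

        var asserted = (acrValues ?? Enumerable.Empty<string>())
            .Where(v => v != null && v.StartsWith(Prefix, StringComparison.OrdinalIgnoreCase))
            .Select(v => v.Substring(Prefix.Length).Trim())
            .ToList();

        // Require exactly one asserted user; ambiguity is rejected, not resolved.
        if (asserted.Count != 1 || asserted[0].Length == 0) return null;

        // The credential may only act for users it was explicitly scoped to.
        return users.Contains(asserted[0]) ? asserted[0] : null;
    }

    public static void Main()
    {
        // Constructed acr_values strings, split on spaces as sent in the request.
        var ok = @"idp:local domainuser:CONTOSO\alice".Split(' ');
        var other = @"domainuser:CONTOSO\administrator".Split(' ');
        var twice = @"domainuser:CONTOSO\alice domainuser:CONTOSO\bob".Split(' ');

        Console.WriteLine(Resolve("desktop-client", true, ok) ?? "rejected");
        Console.WriteLine(Resolve("desktop-client", true, other) ?? "rejected");
        Console.WriteLine(Resolve("desktop-client", true, twice) ?? "rejected");
        Console.WriteLine(Resolve("desktop-client", false, ok) ?? "rejected");
    }
}
```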
