Automatic authentication with Windows (Active Directory / LDAP) account? #5169

Closed
Stirda opened this issue Aug 25, 2020 · 12 comments
@Stirda

Stirda commented Aug 25, 2020

I am looking to automatically log in to the application based on the user's Windows profile, then query Active Directory for the groups the current user belongs to. I am aware of the 3.1 improvements in external login. @leonkosak @akinix @maliming Any suggestions?

Originally posted by @leonkosak in #3638 (comment)

BTW, does a comment in a closed GitHub issue notify the mentioned user?

@maliming
Member

Hi @Stirda

I think you can implement it yourself through External Authentication. I don't have experience with Windows Active Directory.

#4977 (comment)

@Stirda
Author

Stirda commented Aug 26, 2020

> I think you can implement it yourself through External Authentication

@maliming I do too. But do you think automatic registering and automatic login are possible? In the past I succeeded in implementing Azure AD login by following this contributor blog post. Registering was automatic. So:

  • Basic login: Need to be already registered > Enter username and password > Hit login button > Logged in.
  • Azure AD (or social) login: Hit social login button > Redirection > Use social provider UI to login > Redirection > Automatic registration in ABP if not already registered > Logged in.
  • Active Directory login (what I want): (A) (maybe hit a login button) > (B) Automatic authentication from the currently logged-in Windows account (IIS Windows Authentication?) and get user credentials > (C) Automatic registration in ABP if not already registered > (D) Logged in.

I understood that you don't have experience with (B), but (C) seems to be already done in ABP for Azure AD (or social) login. How can I reuse this?

@leonkosak @akinix What do you think of (B)? How to do this?

@JadynWong
Contributor

@leonkosak
Contributor

@Stirda, currently my priority is the complete installation of tiered-abp.io (abp Commercial) inside a Docker environment.
If somehow IIS is required (via the Windows Authentication option) for (semi)automatic login, this is not a good solution for us.
For developing LDAP authentication there are no more requests for implementation for now.

@kurtwilbies

Any news?

@Stirda
Author

Stirda commented Sep 16, 2020

@kurtwilbies A colleague will start working on this this week. IIS Windows authentication, ABP 3.1 external login system without needing to check the password (because already authenticated by IIS). Stay tuned.

@VidyaPuri

@Stirda was your colleague successful?

@Stirda
Author

Stirda commented Nov 2, 2020

@VidyaPuri Planned work changed and I was re-assigned to this task. Maybe in a few weeks, when my current work is completed.

@VidyaPuri

> @VidyaPuri Planned work changed and I was re-assigned to this task. Maybe in a few weeks, when my current work is completed.

Any news?

@Stirda
Author

Stirda commented Dec 15, 2020

@VidyaPuri See #6295

@Stirda
Author

Stirda commented Jan 21, 2021

I finally got this working 🥳

You were right @maliming: this worked with the help of External Authentication, but I had to do a lot of research, tries, and follow new steps many times. Because Windows Authentication works flawlessly with ASP.NET MVC/Core Razor, but a lot less with Blazor/ABP.

I have learned a lot through this work but still my implementation is far from perfect.

Here is what I got now in my ABP-Blazor application (but this is also applicable to ABP-MVC projects):

  • Automatic logon & registration using Windows client username. No credentials to enter. Redirection getting Windows account username automatically.
  • Kept the basic (login/pwd) /Account/Login for logging with traditional admin credentials, for example.
  • Automatic role assignment based on Active Directory groups (links configured in a custom section in my appsettings.json).
  • Automatic fill of classic claims (first name, last name, mail) by querying Active Directory again.
  • IIS and IIS Express compatibility.

I have a weird behavior sometimes at logon (need to retry), but, once logged in, ABP, Blazor, ASP.NET Core and IIS are friends 😃
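
An added sketch of the group-to-role mapping described in the comment above, written against plain ASP.NET Core on a Windows host; it is not Stirda's implementation and uses no ABP APIs. It assumes a .NET 6+ web project with implicit usings and the Microsoft.AspNetCore.Authentication.Negotiate package; the `AdGroupRoles` section name, the group names, the `/whoami` endpoint and the `AdGroupRoleTransformation` class are hypothetical. Because no password is checked by the application, roles are granted only from an explicit allowlist and only to an identity the hosting layer has already authenticated.

```csharp
using System.Security.Claims;
using System.Security.Principal;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Negotiate;

var builder = WebApplication.CreateBuilder(args);
// Windows (Kerberos/NTLM) authentication: the caller is identified without a password form.
builder.Services.AddAuthentication(NegotiateDefaults.AuthenticationScheme).AddNegotiate();
// Every endpoint requires an authenticated user unless it opts out explicitly.
builder.Services.AddAuthorization(o => o.FallbackPolicy = o.DefaultPolicy);
builder.Services.AddSingleton<IClaimsTransformation, AdGroupRoleTransformation>();

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();
app.MapGet("/whoami", (ClaimsPrincipal user) =>   // hypothetical diagnostic endpoint
    new { Name = user.Identity?.Name, Roles = user.FindAll(ClaimTypes.Role).Select(c => c.Value) });
app.Run();

// Assumed appsettings.json section (name and values are constructed for this example):
//   "AdGroupRoles": { "CONTOSO\\App-Admins": "admin", "CONTOSO\\App-Users": "user" }
public sealed class AdGroupRoleTransformation : IClaimsTransformation
{
    private const string Label = "ad-group-roles";
    private readonly Dictionary<string, string> _map;
    public AdGroupRoleTransformation(IConfiguration config) =>
        _map = new Dictionary<string, string>(
            config.GetSection("AdGroupRoles").Get<Dictionary<string, string>>()
                ?? new Dictionary<string, string>(), StringComparer.OrdinalIgnoreCase);

    public Task<ClaimsPrincipal> TransformAsync(ClaimsPrincipal principal)
    {
        // Roles come only from an authenticated Windows identity, and only once per principal.
        if (principal.Identity is not WindowsIdentity { IsAuthenticated: true, Groups: not null } win
            || principal.Identities.Any(i => i.Label == Label))
            return Task.FromResult(principal);
        var roles = new ClaimsIdentity { Label = Label };
        foreach (var sid in win.Groups)
        {
            string group;
            try { group = sid.Translate(typeof(NTAccount)).Value; }   // "DOMAIN\Group"
            catch (IdentityNotMappedException) { continue; }          // unresolvable SID: no role
            // Deny by default: a group that is not in the allowlist grants nothing.
            if (_map.TryGetValue(group, out var role))
                roles.AddClaim(new Claim(ClaimTypes.Role, role));
        }
        principal.AddIdentity(roles);
        return Task.FromResult(principal);
    }
}
```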

@leonkosak
Contributor

@Stirda, may I contact you via email? If I may, please contact me on leon.kosak@gmail.com.
